I published an article on the IBM Security Intelligence blog: Incident Response: 5 Steps to Prevent False Positives. The article describes what false positives look like and how they can interfere with your incident response and threat intelligence processes.
I propose 5 steps to prevent false positives, including
Prevent false positives from being added to threat intel reports; notify analysts on the likelihood of false positives in threat intel reports; report sightings, observables and false … Read more.
Interested in sharing your MISP usage experiences? How did you integrate MISP in your incident response workflow? Have anything to say about threat sharing in general?
There’s a BelgoMISP Meeting 0x01 for all Belgian MISP users. Submit your proposals via Github or contact us via Twitter.
I run a couple of honeypots which allow me to map some of the bad actors and scanners on the internet. The most popular honeypots are Dionaea, Cowrie (SSH, previously Kippo) and Conpot (ICS). So far I’ve not really used this honeypot data that much for defensive purposes, but a recent writeup on using ModSecurity and MISP gave me inspiration to transform this data into information that I can use as a defender.
The core … Read more.
MISP sighting is a system allowing people to react to attributes of an event. It was originally designed to provide an easy method for users to tell when they see a given attribute, giving it more credibility. As such, the sighting system in MISP allows you to get feedback from your community on the quality of the data (the indicators).
There is not immediately an option within MISP to sync sightings between instances. You can sync … Read more.
Another day, another phishing website. This time again a phishing site with directory listing enabled. This phishing website targets customers of the Belgian bank Beobank. The link to the site gets delivered via e-mail, claiming to come from the webmaster with an important security message.
This is what the phishing website looks like:
Moving up a few directories allows us to download the ZIP file containing the phishing code.
There are … Read more.
Cisco Talos published an analysis of the new VPNFilter malware that targets at least 500K networking devices worldwide. The post describes how stage 1 of the malware extracts IP coordinates from the GPS latitude and longitude fields in the EXIF information of images.
A post by Kaspersky further analysed the VPNFilter EXIF to C2 mechanism. Unfortunately all the photobucket.com galleries that were used by the malware as storage for the images have been deleted. … Read more.
Twitter is a great source for conducting open source intelligence. One of my favorite tools is Tweetsniff from Xavier Mertens. It will grab a Twitter user timeline for further processing, for example in Elasticsearch.
Another tool that I recently discovered is Tinfoleak. Tinfoleak is built for Twitter intelligence analysis and provides you with an HTML file as output.
I wanted to use Tinfoleak to build profiles of users to tune targeted phishing campaigns (spear phishing) for … Read more.
Another day, another phish. This day it concerns a phishing e-mail for a Belgian bank. The phishing e-mail looked like this. The link is only viewable if you enable HTML content in the e-mail client.
The link points to the URL shortening service Bitly and then follows a couple of redirects (including another URL shortening service).
bitly.com, via HTTPS, received 301 Moved Permanently; go2l.ink, via HTTP, received 302 FOUND; A PHP page … Read more.
You are running a MISP instance and you want to visualize the MISP events in real-time?
MISP-Dashboard can do that! An example:
Vimeo video:
In this post I will walk you through how to set up MISP-Dashboard, based on the event data made available via botvrij.eu.
MISP-Dashboard is a new repository showing live data and statistics from the MISP ZMQ. It means you need to have MISP-ZMQ configured.
The MISP ZeroMQ plugin … Read more.
I attended SANS FOR610: Reverse-Engineering Malware, instructed by Jess Garcia in Copenhagen (Sep-17). I’m now studying for certification and using captured malware samples for doing exercises. In this post I go through:
Using public (OSINT) information; Behavioural analysis with sandboxes (via a public malware sandbox); Malicious Office documents.
Note that the purpose of the exercise is not to understand in detail every line of code in the malware. The analysis is done from an incident … Read more.