Visualising MISP galaxies and clusters

The MISP galaxies and clusters are an easy way to add context to data. I’ve previously written an article “Creating a MISP Galaxy, 101” that describes how you can create your own galaxy and cluster.

Apart from the context, galaxies and clusters also allow you to describe relations between individual elements. These relations can for example be the synonyms (naming) for an APT group or the fact that a specific group uses a (MITRE ATT&CK)Read more.

Creating a MISP Object, 101

I published an article on the blog of the MISP project on how to create your own custom object: Creating a MISP Object, 101. This is a follow-up to a previous post on how to create your own MISP galaxy or MISP cluster (Creating a MISP Galaxy, 101).

Difference between MISP REST API search for events and attributes

MISP includes a powerful REST API that allows you to automate the dissemination of threat intelligence and threat data. If you aren’t familiar with the API you can explore its features (and the inline documentation) via Event Actions, REST client. In the latest versions of MISP the REST API client supports autocompletion, which is useful if you want to search for events or attributes with specific tags. And these tags are the vocabularies that weRead more.

Incident Response: 5 Steps to Prevent False Positives

I published an article on the IBM Security Intelligence blog : Incident Response: 5 Steps to Prevent False Positives. The article describes how false positives look like and how they can interfere with your incident response and threat intelligence processes.

I propose 5 steps to prevent false positives, including

Prevent false positives from being added to threat intel report Notify analysts on likelihood of false positives in threat intel reports Report sightings, observables and falseRead more.

BelgoMISP Meeting 0x01 : Belgian MISP User Group Meeting

Interested in sharing your MISP usage experiences? How did you integrate MISP in your incident response workflow? Have anything to say about threat sharing in general?

There’s a BelgoMISP Meeting 0x01 for all Belgian MISP users. Submit your proposals via Github or contact us via Twitter.

Feed honeypot data to MISP for blocklist and RPZ creation

I run a couple of honeypots which allow me to map some of the bad actors and scanners on the internet. The most popular honeypots are Dioanea, Cowrie (ssh, previously kippo) and Conpot (ICS). So far I’ve not really used this honeypot data that much for defensive purposes but a recent writeup on using ModSecurity and MISP gave me inspiration to transform this data into information that I can use as a defender.

The coreRead more.

Sync sightings between MISP instances

MISP sighting is a system allowing people to react on attributes on an event. It was originally designed to provide an easy method for users to tell when they see a given attribute, giving it more credibility. As such, the sighting system in MISP allows you to get feedback from your community on the quality of the data (the indicators).

There is not immediately an option within MISP to sync sightings between instances.You can syncRead more.

Phishing website – beobank

Another day, another phishing website. This time again a phishing site with directory listing enabled. This phishing websites targets customers of the Belgian bank Beobank. The link to the site gets delivered via e-mail, claiming to come from the webmaster with an important security message.

This is how the phishing website looks like:

Moving up a few directories allows us to download the ZIP file containing the phishing code.

There areRead more.

Diving into the VPNFilter C2 via EXIF

Cisco Talos published an analysis on the new VPNFilter malware that targets at least 500K networking devices worldwide. The post describes how the stage 1 of the malware extracts IP coordinates from the GPS latitude and longitude fields in the EXIF information of images.

A post by Kaspersky further analysed the VPNFilter EXIF to C2 mechanism. Unfortunately all the photobucket.com galleries that were used by the malware as storage for the images have been deleted.Read more.

Doing OSINT and Twitter Analytics with Tinfoleak

Twitter is a great source for conducting open source intelligence. One of my favorite tools is Tweetsniff from Xavier Mertens. It will grab a Twitter user timeline for further processing, for example in Elasticsearch.

Another tool that I recently discovered is Tinfoleak. Tinfoleak is build for Twitter intelligence analysis and provides you with an HTML file output.

I wanted to use Tinfoleak to build profiles of users to tune targeted phishing campaigns (spear phishing) forRead more.