Use Certificate Transparency for OSINT and passive reconnaissance

SANS ISC recently posted an article on The Dark Side of Certificate Transparency.

Certificate transparency means that participating certificate authorities will publish all certificates that they issue in a log. This information is public, meaning that you can search it at will.

The article already touches one of the side effects of having this information publicly available. By publishing the information organizations can disclose hostnames they’d rather not be known on the internet.

There areRead more.

Using the Digital First Aid Kit for Incident Response

Dealing with security incidents is always a collaborative process, involving both your constituency and external players. There are a number of tools that help you with detecting (and preventing) incidents. One of those tools is for example the MISP – Malware Information Sharing Platform & Threat Sharing

But once you have an incident … how you deal with it? Everyone has (or should have) written their own incident response procedures but did you know thatRead more.

Doing open source intelligence with SpiderFoot (part 2)

I did an earlier post on gathering open source intelligence with SpiderFoot. This post is a small update to incorporate the new version of Spiderfoot that was released recently.

A new version of Spiderfoot was recently released, including some extra modules. In my earlier post I described how I adjusted and added some modules. The new release of Spiderfoot contains part of my changes to the XForce module.

My initial change to Spiderfoot included aRead more.

Stay Up-to-Date on Security News with OPML feeds

In 2015 I did a posting on the Security Intelligence blog on How to Stay Up-to-Date on Security Trends. The post describes how you can streamline the process of following different news and threat information channels, classify them and bring them to good use.

One of the tools that you can use is RSS feeds. I personally use a setup of fever to grab different RSS feeds and then have them delivered in one centralRead more.

Using open source intelligence feeds, OSINT, with MISP

I love MISP, Malware Information Sharing Platform & Threat Sharing. I did three earlier posts on how to use and setup MISP. part 1, part 2 and part 3.

One of the nice new features by MISP is including feeds from different open source intelligence feed providers.

How does it work? Basically the feeds are provided as a JSON feed, you can browse them within MISP, import them individually or subscribe to the feed toRead more.

Doing open source intelligence with SpiderFoot

Open source intelligence is collecting information from publicly available resources. If you are doing incident handling it’s one of the things that will use up a lot of your time. And it can quickly become very tedious. Imagine a list of IPs that you found hosts on your network connecting to. Query different public available resources (VirusTotal, Shodan, SANS, Cymon, XForce Exchange, …) for each and every IP and then converting that data into oneRead more.

Doing open source intel with recon-ng – part 2

This is the second part of a post on doing open source intel with recon-ng. The first part focused on gathering open source information for user accounts. This second part focuses on gathering domain and host information.

I started with one single domain. I’m interested in what other hosts related to this domain can be found. To do this I use the search command SEARCH domains-hosts.

The list shows modules that use for example Baidu,Read more.

Doing open source intel with recon-ng – part 1

recon-ng is a tool for open source reconnaissance. Reconnaissance is the first phase in a penetration test and it is the act of gathering preliminary data or intelligence on your target.

Recon-ng has a look and feel similar to the Metasploit Framework and provides an easy to use interface to gather open source intelligence.

This is a post on doing open source intel with recon-ng. The post is split in two parts :

theRead more.

Comparing Different Tools for Threat Sharing

I had a guest-posting published at IBM Security Intelligence : Comparing Different Tools for Threat Sharing.

How to use the traffic light protocol – TLP

The TLP or Traffic Light Protocol is a set of designations designed to help sharing of sensitive information. It has been widely adopted in the CSIRT and security community.

The originator of the information labels the information with one of four colours. These colours indicate what further dissemination, if any, can be undertaken by the recipient. Note that the colours only mark the level of dissemination, not the sensitivity level (although they often align).

TheRead more.