How to Defend With the Courses of Action Matrix and Indicator Lifecycle Management

I published an article on How to Defend With the Courses of Action Matrix and Indicator Lifecycle Management on the Security Intelligence blog.

This article describes the courses of action matrix to help you understand how to verify and validate indicators. The CoA matrix assists you in choosing the most useful action (“response”) to take with an indicator.

How Pivoting Can Help Your Incident Response Process

I published an article on How Pivoting Can Help Your Incident Response Process on the Security Intelligence blog.

This article describes what pivoting is about (mostly from a defender's point of view, or during incident response), how to evaluate and track the links that you found, what domains are most useful for pivoting and what data points you can use for pivoting.

BloodHound Active Directory queries for Defenders

Getting Active Directory security right can be a challenging task. Individual groups of computers or user privileges will most likely be properly configured but there are always some trade-offs that have to be made. Attackers will try to find an attack path by abusing the weaknesses that are caused by these trade-offs. Jumping from one host to another, compromising user accounts and abusing active sessions might get them to their final objectives. Whether this is …

Security and MQTT

I recently had to explore MQTT. I had never heard of this protocol before. However, some helpful resources provide a clear explanation of what MQTT is about.

MQTT is a machine-to-machine (M2M)/“Internet of Things” connectivity protocol that uses a lightweight publish/subscribe messaging transport. MQTT works on top of TCP/IP and by default uses port tcp/1883.

A quick search on Shodan reveals that there are a lot of devices publicly available, primarily in the US and Asia.

How Can an ISAC Improve Cybersecurity and Resilience?

I published an article on IBM Security Intelligence on How Can an ISAC Improve Cybersecurity and Resilience?.

The article covers analysing the three common types of ISACs (information sharing and analysis centers), who creates ISACs, reasons for joining an ISAC and what drives ISACs.

RDP logs and incident response

Remote desktop protocol (RDP) is designed by Microsoft for remote management of Windows-based virtual desktops. It provides users a graphical interface to connect over the network to a remote computer. Having a remote access feature leaves the door open for attackers.

I’ll use this post to summarise some of the information and commands that I use when investigating an RDP incident.

Note that RDP connections are usually done via tcp/3389.

Investigating RDP goes best in …

What Are the Different Types of Cyberthreat Intelligence?

I published an article on IBM Security Intelligence on What Are the Different Types of Cyberthreat Intelligence?.

The article covers the different types of threat intelligence and the prerequisites to start with a cyberthreat intelligence program.

Diving into the VPNFilter C2 via EXIF

Cisco Talos published an analysis on the new VPNFilter malware that targets at least 500K networking devices worldwide. The post describes how stage 1 of the malware derives the C2 IP address from the GPS latitude and longitude fields in the EXIF information of images.

A post by Kaspersky further analysed the VPNFilter EXIF to C2 mechanism. Unfortunately all the photobucket.com galleries that were used by the malware as storage for the images have been deleted.

Analyzing PDF and Office Documents Delivered Via Malspam

I published an article on IBM Security Intelligence on Analyzing PDF and Office Documents Delivered Via Malspam.

The article covers analysing the static properties of malspam and further in-depth analysis of malspam, for example with the tools from Didier Stevens.

How to Choose the Right Malware Classification Scheme to Improve Incident Response

I published an article on IBM Security Intelligence on How to Choose the Right Malware Classification Scheme to Improve Incident Response.

The article covers malware classification in an ideal world, some of the existing classification schemes and how machine-parsable malware classification can help make incident response processes more fluent.