When Is an Attack not an Attack? The Story of Red Team Versus Blue Team

I published an article on the IBM Security Intelligence blog : When Is an Attack not an Attack? The Story of Red Team Versus Blue Team. This article is a high level overview of a red team vs blue team engagement. It starts with the reconnaissance of the victim, the red team scenario building, attack delivery and also how the blue team can discover the activities from the read team.

Read more at https://securityintelligence.com/articles/red-team-versus-blue-team-attack/.

Use Mobile Verification Tool to check if your iPhone is affected by Pegasus spyware

The Pegasus spyware made by the Israel-based company NSO Group has been used in targeted surveillance attacks against activists, journalists and businesspeople. Its details, and methods to detect it, were revealed by CitizenLab (hacks from the Bahraini government on activists) with a forensic methodology report made available by Amnesty International.

Because both the tools and the indicators of compromise are made available it’s fairly easy to do these checks yourself.

Setup a Python virtual environmentRead more.

Identify malicious servers / Cobalt Strike servers with JARM

For a new assignment I wanted to use JARM to group servers with a similar configuration. Why JARM? Because it’s an easy way to quickly identify and group servers based on their configuration.

JARM is an active fingerprinting of TLS servers made available by Salesforce Engineering. It sends 10 TLS Client Hello packets to a server and captures specific attributes of the responses. These responses are then aggregated and hashed. A JARM fingerprint consists ofRead more.

Cobalt Strike Hunting – Key items to look for

Cobalt Strike (S0154) is a commercial penetration testing platform which is used by many red teams and, unfortunately, also by many criminal threat actors. In this post I summarise the findings from a SANS Digital Forensics and Incident Response keynote by Chad Tilbury : Cobalt Strike Threat Hunting. The YouTube video provides much more details but below you can find those findings that were relevant for me during an IR case.

This post includes referencesRead more.

Legal and cooperation frameworks between CSIRTs and law enforcement agencies

For a recent assignment, I had to summarise some of the legislation and cooperation frameworks that exist between CSIRTs and law enforcement agencies. This list is certainly not complete but already gives you an overview of what’s available. I first list the frameworks and then provide an overview of some of the existing cooperation mechanisms.

2001 – International

This convention, also known as the Budapest Convention is the first international treaty to addressRead more.

Health Care Ransomware Strains Have Hospitals in the Crosshairs

I published an article on the IBM Security Intelligence blog : Health Care Ransomware Strains Have Hospitals in the Crosshairs. This article covers ways on how hospitals and other facilities can against health care ransomware attacks. Two strains stand out in recent health care ransomware attacks: Ryuk and REvil. Although they are distinct when it comes to details, they also have some common elements.

Read more Health Care Ransomware Strains Have Hospitals in the Crosshairs

Combating Sleeper Threats With MTTD

I published an article on the IBM Security Intelligence blog : Combating Sleeper Threats With MTTD. The article covers mean time to detect (MTTD) and mean time to response (MTTR).

I cover some of the options available to reduce the MTTD, what elements can be used to define baselines and how to improve security monitoring and maturity by improving the MTTD.

Staying in control of MISP correlations

MISP correlations are a way to find relationships between attributes and indicators from malware or attacks campaigns. Correlation support analysts in detecting clusters of similar activities and pivot from one event to another.

When the volume of data in your MISP instance grows, the number of correlations can however explode and make your system less responsive. I cover some approaches that you can use to stay in control.

Correlation basically is a way forRead more.

Use Elastic to represent MISP threat data

In this post I go through the process of representing threat data from MISP in Elastic. The goal is to push attributes from MISP to Elastic and have a representation with a couple of pretty graphs. This is an alternative approach to using the MISP dashboard (and MISP-Dashboard, real-time visualization of MISP events).

The Filebeat component of Elastic contains a MISP module. This module queries the MISP REST API for recently published event and attributeRead more.

Cybersecurity Ethics: Establishing a Code for Your SOC

I published an article on the IBM Security Intelligence blog : Cybersecurity Ethics: Establishing a Code for Your SOC. The article describes the dilemmas you can face when working in a SOC or doing incident response work.

The articles describes Cybersecurity Ethics Guidance Frameworks, Best Practices and a Practical Approach for Cybersecurity Ethics, including a set of commandments to adhere. For example

Do not use a computer to harm other people. Protect society andRead more.