Which Incident Response Investments Are You Prioritizing in 2020?

I published an article on the IBM SecurityIntelligence blog on to Which Incident Response Investments Are You Prioritizing in 2020?

The post describes that improving incident response plans should be the number one priority for future investment, but there are other pressing areas to consider as well. Invest in the Future of Digital Forensics, especially in light of further inclusion of cloud, BYOD and IoT related devices. Get Ready for Changes in Network Monitoring asRead more.

Use Sysmon DNS data for incident response

Recent versions of Sysmon support the logging of DNS queries. This is done via event ID 22 in Applications and Services Log > Microsoft > Windows > Sysmon Operational.

To enable DNS logging, you need to include the section DnsQuery in your Sysmon configuration file. For example via

Note that enabling DNS queries can be noisy. It’s best to apply filtering as proposed by the SwiftOnSecurity sysmon config file and, additionally, filter out the commonlyRead more.

Improve Your Detection Capabilities With Cyber Simulation Datasets

I published an article on the IBM SecurityIntelligence blog on how to Improve Your Detection Capabilities With Cyber Simulation Datasets

The post describes how you can develop a strategy for testing and improving your existing detection capabilities. It starts with the traditional testing strategies as paper tests and tabletop exercises. The bulk of the article covers cyber simulation datasets, including network based data sets, host based datasets and system and application logs. The final partRead more.

BelgoMISP Meeting 0x01 : Belgian MISP User Group Meeting

Interested in sharing your MISP usage experiences? How did you integrate MISP in your incident response workflow? Have anything to say about threat sharing in general?

There’s a BelgoMISP Meeting 0x01 for all Belgian MISP users. Submit your proposals via Github or contact us via Twitter.

Measure and Improve the Maturity of Your Incident Response Team

I published an article on the IBM SecurityIntelligence blog on how to Measure and Improve the Maturity of Your Incident Response Team

The post describes how you can create an incident response development plan and which proven frameworks exist to assist you with this. I then provide more details on the NIST and the Global CSIRT Maturity framework. The latter, which is based on SIM3 and the ENISA three-tier approach, is then covered in moreRead more.

How PR Teams Can Prepare for Data Breach Risks With Incident Response Planning

I published an article on the IBM SecurityIntelligence blog on How PR Teams Can Prepare for Data Breach Risks With Incident Response Planning

The post describes how you can take control of the incident response communication, how to prepare for incidents by identifying your stakeholders and preparing communication templates and which tooling is available for communication during a security incident.

Use PyMISP to track false positives and disable to_ids in MISP

Attributes in MISP have a boolean flag to_ids allowing you to indicate if an attribute should be used for detection or correlation actions. According to the MISP core format data standard, the to_ids flag represents whether the attribute is meant to be actionable. Actionable defined attributes that can be used in automated processes as a pattern for detection in Local or Network Intrusion Detection System, log analysis tools or even filtering mechanisms.

Unfortunately attributes markedRead more.

Feed honeypot data to MISP for blocklist and RPZ creation

I run a couple of honeypots which allow me to map some of the bad actors and scanners on the internet. The most popular honeypots are Dioanea, Cowrie (ssh, previously kippo) and Conpot (ICS). So far I’ve not really used this honeypot data that much for defensive purposes but a recent writeup on using ModSecurity and MISP gave me inspiration to transform this data into information that I can use as a defender.

The coreRead more.

How to Patch BlueKeep and Get to Know Your Company’s Critical Assets

I published an article on the IBM SecurityIntelligence blog on How to Patch BlueKeep and Get to Know Your Company’s Critical Assets

The post has a very brief introduction to Remote Desktop Protocol and what caused the BlueKeep vulnerability. I then cover how to protect against blueKeep, which measures you can take to be prepared for the regular patch Tuesday and which tools and techniques are available to keep track of your (vulnerable) assets.

Bind Certificates to Domain Names for Enhanced Security With DANE and DNSS

I published an article on the IBM SecurityIntelligence blog on Bind Certificates to Domain Names for Enhanced Security With DANE and DNSS

The post has a very brief introduction to HTTPS and the flaws in the certificate validation process. I then cover solutions to the problem by publishing certificates in DNS via DANE, DNS-based Authentication of Named Entities. DANE is a protocol that uses DNSSEC and that can enhance the security of your email (transport).