Home

Welcome!

I’m Koen. I live in Bruges (Belgium), a splendid medieval city also known as the Venice of the North.

I’m involved with computer security and I work as a freelancer in incident response, incident coordination, threat intelligence, vulnerability management and security best practices. Basically all tasks related to managing a CSIRT / CERT (Computer Emergency Response Team).

My main interests in computers are security, web applications (PHP, MySQL, Apache), system administration and free software.

This site hosts a blog and I have a photo collection at Flickr.

Latest posts

Extract hostnames and domains from DDoSia MISP object

DDoSia is a distributed denial-of-service (DDoS) attack tool reportedly employed by pro-Russian hacktivist groups. The tool coordinates large networks of compromised devices to flood targeted websites or services with excessive traffic, overwhelming their capacity and rendering them inaccessible to legitimate users. It has been used to disrupt government, financial, and media platforms, aiming to create instability and hinder critical infrastructure.

The DDoSia configuration, basically the instructions for the attack tool, has been shared via the… Read more.

ENISA Threat Landscape 2024

I contributed to the ENISA Threat Landscape 2024.

The ETL is an annual report on the status of the cybersecurity threat landscape. It identifies the top threats, major trends observed with respect to threats, threat actors and attack techniques, as well as impact and motivation analysis. It also describes relevant mitigation measures.

Throughout the latter part of 2023 and the initial half of 2024, there was a notable escalation in cybersecurity attacks, setting new benchmarks… Read more.

Using Threatview.io as example to add MISP feeds

This article demonstrates how to quickly add new MISP feeds, either to your own MISP server or as a contributor to the MISP project. I use the feeds from Threatview.io as an example. Threatview.io provides daily feeds on IPs, domains, URLs, and file hashes, as well as a C2 hunt feed.

MISP feeds are remote or local resources containing indicators that can be either imported into MISP or used for correlations without importing them into… Read more.

Presentation of MISP playbooks at the Jupyterthon

I did a presentation on the MISP playbooks at Jupyterthon. Have a look at the recording at https://www.youtube.com/watch?v=2lqbH1m9yKo&t=7193s

Don’t hesitate to provide your feedback on the playbooks, or suggest extra additions with the GitHub issue tracker.

Ivanti vulnerabilities – recap

Formerly known as Pulse Connect Secure, or simply Pulse Secure VPN software.

All supported versions (9.x and 22.x) of Ivanti Connect Secure and Ivanti Policy Secure are vulnerable to CVE-2023-46805 and CVE-2024-21887.

CVE-2023-46805: an authentication-bypass vulnerability with a CVSS score of 8.2 in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure that allows a remote attacker to access restricted resources by bypassing control checks.

CVE-2024-21887: a command-injection vulnerability found in… Read more.

Current state of the MISP playbooks

I published an overview of the current state of the MISP playbooks, covering the work that has been done in 2023 and the features you can expect in 2024.

Activity 4: MISP workflow integration, Elasticsearch, MDTI and support for curation
Activity 5: Timesketch, conversions with CACAO and Microsoft Sentinel
Activity 6: Scheduled playbooks, timelines, …

Read the full details at the MISP project website at https://www.misp-project.org/2023/12/08/current-state-MISP-playbooks.html/

MISP playbook: Malware triage

I shared the MISP playbook for malware triage that I regularly use for a first assessment of new samples. It uses MISP, VirusTotal, MalwareBazaar, Hashlookup and pefile. It then uploads the samples to MWDB and sends alerts to Mattermost.

The MISP playbook on malware triage is one of many playbooks that address common use-cases encountered by SOCs, CSIRTs or CTI teams to detect, react and analyse specific intelligence received by MISP.

ENISA Threat Landscape 2023

I contributed to the ENISA Threat Landscape 2023.

The ETL is an annual report on the status of the cybersecurity threat landscape. It identifies the top threats, major trends observed with respect to threats, threat actors and attack techniques, as well as impact and motivation analysis. It also describes relevant mitigation measures.

In the latter part of 2022 and the first half of 2023, the cybersecurity landscape witnessed a significant increase in both the variety… Read more.