I published an article about Data Breaches and the Importance of Account Protection and Incident Response on Security Intelligence.
Understanding Network Intrusions With The Cyber Kill Chain
I published an article on Understanding Network Intrusions With The Cyber Kill Chain on the Ipswitch blog.
The cyber kill chain is nothing new, in the article I give a very high-level overview of what the chain is and what defensive measures you can take against attacks that follow the cyber kill chain.
Malware scanning of web directories with OWASP WebMalwareScanner
One of the recent incidents I had to handle involved a compromised webhost. This allowed me to do some Exploring webshells on a WordPress site. In the aftermath of the investigation I searched for tools that could have improved my tasks (evaluating which files might have been compromised).
One of the approaches I had in mind was take a hash of every file and then verify that hash with Virustotal. This would have worked in … Read more.
Using Bro for building Passive DNS data
Passive DNS describes an historical database of DNS resolutions. I’ve written a previous post on Using Passive DNS for Incident Response, more specifically combining it with Moloch.
If you run your own corporate -internal- nameservers it makes sense to monitor what domains have been queried and what results were returned in the past. You can use the collection of internal queries for future incident response. You can use this collected information to cross-check with information … Read more.
Use Certificate Transparency for OSINT and passive reconnaissance
SANS ISC recently posted an article on The Dark Side of Certificate Transparency.
Certificate transparency means that participating certificate authorities will publish all certificates that they issue in a log. This information is public, meaning that you can search it at will.
The article already touches one of the side effects of having this information publicly available. By publishing the information organizations can disclose hostnames they’d rather not be known on the internet.
There are … Read more.
Understanding the SPF and DKIM Spam Filtering Mechanisms
I published an article on the SPF and DKIM spam filtering mechanisms on IBM Security Intelligence : Understanding the SPF and DKIM Spam Filtering Mechanisms.
The article covers the basic details of these mechanisms but also explains some of the possible pitfalls for filtering spam with SPF and DKIM.
Using the Digital First Aid Kit for Incident Response
Dealing with security incidents is always a collaborative process, involving both your constituency and external players. There are a number of tools that help you with detecting (and preventing) incidents. One of those tools is for example the MISP – Malware Information Sharing Platform & Threat Sharing
But once you have an incident … how you deal with it? Everyone has (or should have) written their own incident response procedures but did you know that … Read more.
Exploring webshells on a WordPress site
I recently had to handle a case where a website development company was hacked. This post describes some of my findings during the investigation.
All of the company websites were hosted on one virtual server running Linux. Most of these websites were WordPress powered. The management of the server was done via DirectAdmin, updating of the web files happened via FTP.
The incident was brought to the attention of the company because they received complaints … Read more.
An Introduction To Exploit Kits
I published an introduction article on exploit kits on the blog at Ipswitch : An Introduction To Exploit Kits
.
The article covers why attackers use exploit kits, how they can select their targets, how users get infected through exploit kits and what you can do to improve your resilience against exploit kits.
Doing open source intelligence with SpiderFoot (part 2)
I did an earlier post on gathering open source intelligence with SpiderFoot. This post is a small update to incorporate the new version of Spiderfoot that was released recently.
A new version of Spiderfoot was recently released, including some extra modules. In my earlier post I described how I adjusted and added some modules. The new release of Spiderfoot contains part of my changes to the XForce module.
My initial change to Spiderfoot included a … Read more.
