VMRay automated malware analysis for CERTs

CERTs have to provide their constituency early warnings and alerts about new threats.

A typical example is a new form of malware being distributed by e-mail. It takes a while before anti-virus vendors include the new signature to recognise the malware. This means that there’s a time window where the malware is not filtered and users in your constituency can get infected.

To protect your constituency you can provide them with your own signature with indicators…

Getting started with MISP, Malware Information Sharing Platform & Threat Sharing – part 2

My first post on MISP described how to get MISP installed and get it up and running. This post describes how you can use MISP to your benefit to share threat information with your community.

The basic features of MISP are described in detail in the documentation at INSTALL/documentation.pdf. I’ll describe the steps needed to create an event and add some useful data.

You can add an event under Event actions, Add event. You’ll have…

Getting started with MISP, Malware Information Sharing Platform & Threat Sharing – part 1

MISP, or Malware Information Sharing Platform & Threat Sharing, is an open source tool for sharing malware and threat information with the security community. It is available on GitHub and is used by a large number of CERTs and security teams.

This first post describes how to get MISP installed and get it up and running. The next post describes how you can use MISP to your benefit to share threat information with your…

Security conferences for CERTs in Europe

Computer security conferences are a great opportunity to exchange information with your peers and learn about new trends in the industry.

This is an overview of European security conferences and trainings that can be of use for CERTs. Note: Spending May in Amsterdam is a good idea!

NCSC One Conference: April 13-14, 2015, The Hague, The Netherlands
Global Conference on CyberSpace 2015: April 16-17, 2015, The Hague, The Netherlands
Cyber Security Summit Industry&Gov: April 14-15, …

Use CryptoLocker to train your incident response team (part 3)

This is the third part in a post describing how to train your team for incident response and incident investigations.

The first part for training incident response and incident investigations covered how to analyze the e-mail headers and information in a suspicious e-mail. The second part analyzed the attachment which turned out to be a CryptoLocker.F variant.

The last step of my analysis involved executing the CryptoLocker virus in a fully networked VM. After resetting…

Use CryptoLocker to train your incident response team (part 2)

This is the second part in a post describing how to train your team for incident response and incident investigations.

The first part covered how to analyze the e-mail headers and information in a suspicious e-mail.

The e-mail contained one attachment: koen.vanimpe@c.d.zip. Unzipping the file resulted in a .scr file.

The sha1 is

MD5 is

I uploaded the scr file to VirusTotal for further analysis. So far (22-Feb) no-one else has submitted a similar sample…

Use CryptoLocker to train your incident response team (part 1)

An incident response and incident investigation team needs to be able to quickly extract useful information from an incident. Instead of writing long theoretical documents I wanted to use the hands-on approach to serve as an example to train a team to quickly extract IOCs from an ongoing incident. What’s better for doing this than to analyze the behavior of CryptoLocker to train an incident response team and analyze the delivery of CryptoLocker?

IOCs or…

Pipal analyses Ten Million Passwords

Mark Burnett recently released a set of passwords with an announcement on his blog in the post Today I Am Releasing Ten Million Passwords.

I used Pipal in the past to analyze WordPress login attempts so I decided to run it against this set.

It is no surprise to see that the top password is 123456. The top two words used to build passwords are password and qwerty.

The average password length is between…

TrueCrypt alternatives for Windows, Encrypted Container Systems

A colleague recently asked me “what encryption solution should I now use instead of TrueCrypt?”. After a couple of questions back-and-forth we defined the request to:

have a simple to use, reliable encryption system for individual containers on Windows platforms in a corporate environment

The containers have to be easily shareable with multiple users, preferably via a cloud storage provider.

Typically users share encrypted containers by emailing them or copying them to removable…

Bind DNS Sinkhole, Elasticsearch and Logstash

I wanted to track DNS queries that get sent to nameservers that do not serve a particular domain or network. I used a Bind DNS server that logged the query and returned a fixed response. The logs get parsed by Logstash and stored in Elasticsearch for analysis.

Installing bind is easy via the bind9 package:

This will add a new user ‘bind’ and store the configuration files in /etc/bind.

For this setup I…