How PR Teams Can Prepare for Data Breach Risks With Incident Response Planning

I published an article on the IBM SecurityIntelligence blog on How PR Teams Can Prepare for Data Breach Risks With Incident Response Planning

The post describes how you can take control of the incident response communication, how to prepare for incidents by identifying your stakeholders and preparing communication templates and which tooling is available for communication during a security incident.

Use PyMISP to track false positives and disable to_ids in MISP

Attributes in MISP have a boolean flag to_ids allowing you to indicate if an attribute should be used for detection or correlation actions. According to the MISP core format data standard, the to_ids flag represents whether the attribute is meant to be actionable. Actionable defined attributes that can be used in automated processes as a pattern for detection in Local or Network Intrusion Detection System, log analysis tools or even filtering mechanisms.

Unfortunately attributes markedRead more.

Feed honeypot data to MISP for blocklist and RPZ creation

I run a couple of honeypots which allow me to map some of the bad actors and scanners on the internet. The most popular honeypots are Dioanea, Cowrie (ssh, previously kippo) and Conpot (ICS). So far I’ve not really used this honeypot data that much for defensive purposes but a recent writeup on using ModSecurity and MISP gave me inspiration to transform this data into information that I can use as a defender.

The coreRead more.

How to Patch BlueKeep and Get to Know Your Company’s Critical Assets

I published an article on the IBM SecurityIntelligence blog on How to Patch BlueKeep and Get to Know Your Company’s Critical Assets

The post has a very brief introduction to Remote Desktop Protocol and what caused the BlueKeep vulnerability. I then cover how to protect against blueKeep, which measures you can take to be prepared for the regular patch Tuesday and which tools and techniques are available to keep track of your (vulnerable) assets.

Bind Certificates to Domain Names for Enhanced Security With DANE and DNSS

I published an article on the IBM SecurityIntelligence blog on Bind Certificates to Domain Names for Enhanced Security With DANE and DNSS

The post has a very brief introduction to HTTPS and the flaws in the certificate validation process. I then cover solutions to the problem by publishing certificates in DNS via DANE, DNS-based Authentication of Named Entities. DANE is a protocol that uses DNSSEC and that can enhance the security of your email (transport).

Sync sightings between MISP instances

MISP sighting is a system allowing people to react on attributes on an event. It was originally designed to provide an easy method for users to tell when they see a given attribute, giving it more credibility. As such, the sighting system in MISP allows you to get feedback from your community on the quality of the data (the indicators).

There is not immediately an option within MISP to sync sightings between instances.You can syncRead more.

Submit malware samples to VMRay via MISP – Automation

End 2016 I contributed a module to extend MISP, the Open Source Threat Intelligence and Sharing Platform, with malware analysis results from VMRay : Submit malware samples to VMRay via MISP. VMRay provides an agentless, hypervisor-based dynamic analysis approach to malware analysis. One of it great features is the API, allowing you to integrate it with other tools.

One of the drawbacks of the module was that it required a two step approach : firstRead more.

Dark Web TLS/SSL Certificates Highlight Need for Shift to Zero Trust Security

I published an article on the IBM SecurityIntelligence blog on Dark Web TLS/SSL Certificates Highlight Need for Shift to Zero Trust Security

The post has a very brief introduction to HTTPS and TLS/SS, takes a look at the ‘black market’ for TLS/SSL certificates and concludes with some protection measures that you can take.

Missed DNS Flag Day? It’s Not Too Late to Upgrade Your Domain Security

I published an article on the IBM SecurityIntelligence blog on Missed DNS Flag Day? It’s Not Too Late to Upgrade Your Domain Security. The post gives some insights on DNS Extension mechanisms, Backward Compatibility and DNS Flag Day and which steps you need to take to be (and remain) ready for DNS Flag Day. I also includes an introduction on other DNS features as DNS cookies and DNSSEC.

Breaking Down the Incident Notification Requirements in the EU’s NIS Directive

I published an article on the IBM SecurityIntelligence blog on Breaking Down the Incident Notification Requirements in the EU’s NIS Directive. The posts focus specifically on the aspects of incident notification contained in the NIS Directive as they apply to operators of essential services (OES).