For a future project I was looking into ways of deploying (and deleting) instances of MISP on a regular basis. Instead of manually installing MISP, I wanted the deployment and the configuration automated and based on simple configuration files. This is called “infrastructure as code”, typically addressed by CI/CD (Continuous Integration, Continuous Development). To throw in other popular terminology “DevOps” could support me in provisioning (and deploying) the infrastructure that is going to be used … Read more.
VMware ESXi with support for NUC-11 network interface
The Intel NUC Mini PCs are great mini computers to run VMware ESXi. Unfortunately, the image of VMware ESXi 7 doesn’t support the network drivers of the NUC 11th generation. A post on https://www.virten.net/2021/11/vmware-esxi-7-0-update-3-on-intel-nuc/ describes how to create a new image, with support for the network driver. I put this post here primarily as a personal reminder.
The image is build with VMware PowerCLI.
Now download the ESXi offline image and the network driver. Then … Read more.
MISP and Threat Intelligence
I shared a presentation with a high-level overview of Threat Intelligence and MISP on the MISP Presentation Github repository.
Have a look at MISP/MISP-presentations 2021. The deck also includes one slide for using MISP in an industrial / ICS environment. Both PPTX and PDF versions are shared.
Interactive usage of MISP
The MISP API provides an easy way for interacting with MISP. In most cases you’ll do this via scripting or from external applications. Sometimes it can however be interesting to use the API to do some simple queries via Python on your threat data.
First start Python from the virtual environment.
Then load the libraries and set some variables.
Now you can use the misp variable to interact with MISP.
For example to … Read more.
COVID-19 Blocklists
A lot of good initiatives popped up recently to combat malicious activity related to the Corona pandemic.
A MISP instance for tracking COVID-19 activity; A list of domains which provides legitimate COVID-19 services; The Slack channel of COVID19 Cyber Threat Coalition; The COVID-19 CTI League; Public MISP feed by DCSO; And a feed by 1984.sh; Threat reports by RiskIQ; A COVID-19 threat list by domaintools; The COVID-19 domain classifier by SANS; A MISP warning list … Read more.
Integrating MISP and Cytomic Orion
Cytomic Orion is a solution for Threat Hunting & Incident Response, that speeds up the process of identification, investigation, containment, and remediation of cyber threats & insiders using Living-off-the-Land techniques to evade existing controls (Reduce the MTTD & MTTR). The Cytomic Orion API allows you to integrate it with other tools, one of those tools is MISP.
The integration with Cytomic Orion allows you to achieve two main goals :
Query the Cytomic Orion API, … Read more.
Iranian threat groups
In light of recent developments it would be a good idea to sketch a picture of the known Iranian threat groups. I used the information made available by MITRE ATT&CK.
Group5 is a threat group with a suspected Iranian nexus, though this attribution is not definite. The group has targeted individuals connected to the Syrian opposition via spearphishing and watering holes, normally using Syrian and Iranian themes. Group5 has used two commonly available remote access … Read more.
Generating MISP data statistical reports
The MISP API includes a couple of features that you can use to report on the type of data stored in the database. For example the User statistics or Attribute statistics give a pretty good overview. Unfortunately, as of now it’s not possible to limit the output of these functions to a specific timeframe. For my use case I’d like to report on the MISP data statistics for the last month. The information that I … Read more.
RDP logs and incident response
Remote desktop protocol (RDP) is designed by Microsoft for remote management of Windows-based virtual desktops. It provides users a graphical interface to connect over the network to a remote computer. Having a remote access feature leaves the door open for attackers.
I’ll use this post to summarise some of the information and commands that I use when investigating an RDP incident.
Note that RDP connections are usually done via tcp/3389.
Investigating RDP goes best in … Read more.