I published the following diary on isc.sans.org: “Comment your Packet Captures!“: When you are investigating a security incident, a key element is to take notes and to document as much as possible. There is no â€œbestâ€ way to take notes, some people use electronic solutions while others are using good
Category: Incident Management
[SANS ISC] Investigating Security Incidents with Passive DNS
I published the following diary on isc.sans.org: “Investigating Security Incidents with Passive DNS“. Sometimes when you need to investigate a security incident or to check for suspicious activity, you become frustrated because the online resource that youâ€™re trying to reach has already been cleaned. We cannot blame system administrators and
FIRST TC Amsterdam 2017 Wrap-Up
Here is my quick wrap-up of the FIRST Technical Colloquium hosted by Cisco in Amsterdam. This is my first participation to a FIRST event. FIRST is an organization helping in incident response as stated on their website: FIRST is a premier organization and recognized global leader in incident response. Membership
[SANS ISC Diary] Full Packet Capture for Dummies
I published the following diary on isc.sans.org: “Full Packet Capture for Dummies” When a security incident occurred and must be investigated, the Incident Handler’s Holy Grail is a network capture file. It contains all communications between the hosts on the network. These metadata are already in goldmine: source and destination
Incident Handling with Docker Containers
Honestly, I never really played with DockerÂ but…Â For a few weeks, I succumbed to the temptation of playing withÂ Docker thanks to a friend who’s putting everything in docker containers. If you still don’t know Docker, here is a very brief introduction: Docker lets you run applications in a “container“. In this
Email Tracking for Dummies
Recently, I was involved in an incident handling mission to find how some confidential emails were being tracked. Letâ€™s imagineÂ a first scenario: Alice sends a mail to Bob. Bob reads Aliceâ€™s email and Alice gets notified. Nothing special, this is a standard feature offered by most commercial messaging solutions.
Sending Windows Event Logs to Logstash
This topic is not brand new, there exists plenty of solutions to forwardÂ Windows event logs to Logstash (OSSEC,Â Snare or NXlogÂ amongst many others). They perform a decent job to collect events on running systems but they need to deploy extra piece of software on the target operating systems. For a specific
When Security Makes Users Asleep!
It’s a fact, in industries or on building sites, professional people make mistakes or, worse,Â getÂ injured. Why? Because their attention is reduced at a certain point. When you’re doing the same job all dayÂ long, you get tired and lack of concentration. The same can apply in information security! For a long
Building IP Reputation Lists from Snort Rules
We are already in 2014 for a few days and this is my first blog post for this year! So, let me wish you a wonderful 2014 for you and you family! Let’s start with a quick post about building IP addresses reputation list. This topic was discussed on a
WordPress GET Requests Flood?
Let me share this story with you. I faced a strange incident last Saturday. My web server was flooded with thousands of GET HTTP requests generated by WordPress blogs. Those connections apparently seemed legit. The “attack“, let’s call it like this in a first time even if I don’t think