I published the following diary on isc.sans.edu: “Tracking Unexpected DNS Changes”: DNS is a key element of the Internet and, regularly, we read new bad stories. One of the last one was the Department of Homeland Security warning about recent DNS hijacking attacks. Indeed, when you want to visit the website ‘isc.sans.org’, you
I published the following diary on isc.sans.edu: “Using OSSEC Active-Response as a DFIR Framework”: In most of our networks, endpoints are often the weakest link because there are more difficult to control (example: laptops are travelling, used at home, etc).They can also be located in different locations even countries for
I published the following diary on isc.sans.edu: “Hunting for Suspicious Processes with OSSEC“: Here is a quick example of how OSSEC can be helpful to perform threat hunting. OSSEC is a free security monitoring tool/log management platform which has many features related to detecting malicious activity on a live system like the
I’m proud to have been selected to give a training at DeepSec (Vienna, Austria) in November: “Hunting with OSSEC“. This training is intended for Blue Team members and system/security engineers who would like to take advantage of the OSSEC integration capabilities with other tools and increase the visibility of their infrastructure behaviour.
I’m using OSSEC to feed an instance of TheHive to investigate security incidents reported by OSSEC. To better categorize the alerts and merge similar events, I needed to add more observables. OSSEC alerts are delivered by email with interesting information for TheHive. This was an interesting use case to play
I published the following diary on isc.sans.org: “Detecting Undisclosed Vulnerabilities with Security Tools & Features“. I’m a big fan of OSSEC. This tools is an open source HIDS and log management tool. Although often considered as the “SIEM of the poor”, it integrates a lot of interesting features and is fully configurable
[This blogpost has also been published as a guest diary on isc.sans.org] When investigating incidents or searching for malicious activity in your logs, IP reputation is a nice way to increase the reliability of generated alerts. It can help to prioritize incidents. Let’s take an example with a WordPress blog. It will,
The SSL and TLS protocols have been on the front of the stage for months. Besides many vulnerabilities disclosed in the OpenSSL library, the deployment of SSL and TLS is not always easy. They are weak cyphers (like RC4), weak signatures, certificates issues (self-signed, expiration or fake ones). Other useful features are mis-understood
Just a link to my guest diary posted today on isc.sans.edu. I briefly introduced a method to perform permanent vulnerability scanning of newly detected hosts. The solution is based on OSSEC, ArpWatch and Nmap. The article is here.
For a while, malwares are in front of the security stage and the situation is unlikely to change in the coming months. When I give presentations about malwares, I always like to report two interesting statistics in my slides. They come from the 2012 Verizon DBIR: In 66% of investigated incidents,