Today, I published the following diary on isc.sans.edu: “The Importance of Malware Triage“: When dealing with malware analysis, you like to get “fresh meat”. Just for hunting purposes or when investigating incidents in your organization, it’s essential to have a triage process to reduce the noise and focus on really
I published the following diary on isc.sans.edu: “Clean Binaries with Suspicious Behaviour“: EDR or “Endpoint Detection & Response” is a key element of many networks today. An agent is installed on all endpoints to track suspicious/malicious activity and (try to) block it. Behavioral monitoring is also a key element in
I published the following diary on isc.sans.edu: “Suspicious Endpoint Containment with OSSEC“: When a host is compromised/infected on your network, an important step in the Incident Handling process is the “containment” to prevent further infections. To place the device into a restricted environment is definitively better than powering off the system
I published the following diary on isc.sans.edu: “Keep An Eye on LOLBins“: Don’t misread, I won’t talk about “lolcats” today but “LOLBins” or “Living Off The Land Binaries”. All operating systems provide a rich toolbox to achieve multiple day-to-day tasks like maintenance of the certificates, installation of patches and applications,
I published the following diary on isc.sans.edu: “Collecting IOCs from IMAP Folder“: I’ve plenty of subscriptions to “cyber security” mailing lists that generate a lot of traffic. Even if we try to get rid of emails, that’s a fact: email remains a key communication channel. Some mailing lists posts contain
Bad guys are always trying to use “exotic” file extensions to deliver their malicious payloads. If common dangerous extensions are often blocked by mail security gateways, there exists plenty of less common extensions. These days, with the COVID19 pandemic, we are facing a peak of phishing and scams trying to
I published the following diary on isc.sans.org: “Exploiting the Power of Curl“: Didier explained in a recent diary that it is possible to analyze malicious documents with standard Linux tools. I’m using Linux for more than 20 years and, regularly, I find new commands or new switches that help me
I’m using OSSEC to feed an instance of TheHive to investigate security incidents reported by OSSEC. To better categorize the alerts and merge similar events, I needed to add more observables. OSSEC alerts are delivered by email with interesting information for TheHive. This was an interesting use case to play
During the last edition of the Troopers security conference in March, I attended a talk about “JustMetaData”. It’s a tool developed by Chris Truncer to perform open source intelligence against IP addresses. Since then, I used this tool on a regular basis. Often when you’re using a tool, you have ideas to improve
MISP (“Malware Information Sharing Platform“) is a free software which was initially created by the Belgian Defence to exchange IOC’s with partners like the NCIRC (NATO). Today it became an independent project and is mainly developed by a group of motivated people. MISP is mainly used by CERT’s (“Computer Emergency Response
