MISP Galaxies and Clusters The MISP galaxies and clusters are an easy way to add context to data. I’ve previously written an article “Creating a MISP Galaxy, 101” that describes how you can create your own galaxy and cluster. Apart from the context, galaxies and clusters also allow you to describe relations between individual elements. These relations can for example be the synonyms (naming) for an APT group or the fact that a specific group uses a (MITRE ATT&CK) technique. They can also be used to describe similarities between different tools. A visual representation of relations make it ..read more

MISP Objects I published an article on the blog of the MISP project on how to create your own custom object: Creating a MISP Object, 101. This is a follow-up to a previous post on how to create your own MISP galaxy or MISP cluster (Creating a MISP Galaxy, 101 ..read more

MISP and REST API MISP includes a powerful REST API that allows you to automate the dissemination of threat intelligence and threat data. If you aren’t familiar with the API you can explore its features (and the inline documentation) via Event Actions, REST client. In the latest versions of MISP the REST API client supports autocompletion, which is useful if you want to search for events or attributes with specific tags. And these tags are the vocabularies that we use to classify events and attributes. Events and attributes One thing that is sometimes confusing is the difference in results ..read more

I published an article on the IBM Security Intelligence blog : Incident Response: 5 Steps to Prevent False Positives. The article describes how false positives look like and how they can interfere with your incident response and threat intelligence processes. I propose 5 steps to prevent false positives, including Prevent false positives from being added to threat intel report Notify analysts on likelihood of false positives in threat intel reports Report sightings, observables and false positives Inform analysts about sightings Disable the indicator to streamline cyber threat intel ..read more

Interested in sharing your MISP usage experiences? How did you integrate MISP in your incident response workflow? Have anything to say about threat sharing in general? There’s a BelgoMISP Meeting 0x01 for all Belgian MISP users. Submit your proposals via Github or contact us via Twitter ..read more

Honeypots I run a couple of honeypots which allow me to map some of the bad actors and scanners on the internet. The most popular honeypots are Dioanea, Cowrie (ssh, previously kippo) and Conpot (ICS). So far I’ve not really used this honeypot data that much for defensive purposes but a recent writeup on using ModSecurity and MISP gave me inspiration to transform this data into information that I can use as a defender. The core tool that I will be using is MISP and its feed system to support generating DNS RPZ zones. MISP Feeds MISP integrates a functionality called feeds that allows you to ..read more

Sightings MISP sighting is a system allowing people to react on attributes on an event. It was originally designed to provide an easy method for users to tell when they see a given attribute, giving it more credibility. As such, the sighting system in MISP allows you to get feedback from your community on the quality of the data (the indicators). There is not immediately an option within MISP to sync sightings between instances.You can sync sightings on publishing an event but besides the mentioning in Issue 1704 I could not immediately find an option for syncing. Under the hood, the sightings ..read more

Another day, another phishing website. This time again a phishing site with directory listing enabled. This phishing websites targets customers of the Belgian bank Beobank. The link to the site gets delivered via e-mail, claiming to come from the webmaster with an important security message. This is how the phishing website looks like: Moving up a few directories allows us to download the ZIP file containing the phishing code. There are 5 files included. The phishing URL in the e-mail points to wess.html. Note that the index.html file mimics a “login” URL, redirecting the user to wess.html ..read more

VPNFilter Cisco Talos published an analysis on the new VPNFilter malware that targets at least 500K networking devices worldwide. The post describes how the stage 1 of the malware extracts IP coordinates from the GPS latitude and longitude fields in the EXIF information of images. A post by Kaspersky further analysed the VPNFilter EXIF to C2 mechanism. Unfortunately all the photobucket.com galleries that were used by the malware as storage for the images have been deleted. But one hardcoded domain, toknowall[.]com, was still available and, surprisingly enough, was still serving the images that ..read more

Twitter Open Source Intelligence Twitter is a great source for conducting open source intelligence. One of my favorite tools is Tweetsniff from Xavier Mertens. It will grab a Twitter user timeline for further processing, for example in Elasticsearch. Another tool that I recently discovered is Tinfoleak. Tinfoleak is build for Twitter intelligence analysis and provides you with an HTML file output. I wanted to use Tinfoleak to build profiles of users to tune targeted phishing campaigns (spear phishing) for a penetration test. For automated campaigns it would be easier if Tinfoleak can export to ..read more