MISP vs OpenCTI: An Overview

Open-source intelligence (OSINT) platforms like MISP and OpenCTI are designed to help organizations collect, analyze, and share threat intelligence data. These platforms offer a range of features and capabilities, but there are significant differences between them. In this article, we’ll explore the differences between MISP and OpenCTI, so you can make an informed decision about which platform is right for your organization. MISP: MISP…

Are Free Antivirus Programs Enough?

According to a recent study, 61 percent of Americans rely on free antivirus programs to protect their devices from malware and other online threats. While this may seem like a cost-effective solution, it can actually leave individuals vulnerable to cyber attacks. Free antivirus programs offer basic protection against viruses, but they often lack the advanced features and updates necessary to keep up with rapidly…

To Pay or Not to Pay: Debating Ransomware Payments

Ransomware attacks are a growing threat to organizations around the world, with cybercriminals using increasingly sophisticated tactics to infiltrate computer systems and hold valuable data hostage. In the aftermath of an attack, businesses and organizations are often left with a difficult decision: should they pay the ransom demanded by the hackers to regain access to their data? This question has sparked intense debate among…

What to Know About Dark Web Search Engines

The Dark Web is a section of the internet that is not indexed by regular search engines like Google, Bing, or Yahoo. It is a part of the internet that is not easily accessible and is used by individuals who want to remain anonymous. The Dark Web is notorious for illegal activities such as drug trafficking, human trafficking, and the sale of illegal goods…

Virustotal Adds Mandiant’s CAPA and GoReSym Capabilities

VirusTotal is the biggest platform and community for sharing and learning about malicious files. It aggregates many antivirus and scan engines and lets users check whether a file is malicious or not according to tens of antivirus products and scan engines. Google acquired VirusTotal in 2012 and Mandiant last year. While we wait eagerly for the integration of Google and Mandiant solutions, VirusTotal announced that it has increased VirusTotal’s capabilities…

Are You Ready for EOS of Win Server 2012?

Microsoft is ending its support of Windows Server 2012 R2 on the 10th of October 2023. Its official EOS date was the 9th of October 2018, but 2023 will also be the extended EOS date. Microsoft will stop providing technical support and bug fixes for newly discovered issues that may impact the usability or stability of servers. As we remember from past experiences, big decisions like…

Beware of Fake/Malicious CVE PoCs

In recent years, sharing PoC exploits for known vulnerabilities has become very common, and it is easy to find several PoCs for a vulnerability on GitHub. A research team from the Leiden Institute of Advanced Computer Science announced that they discovered thousands of repositories on GitHub that offer fake PoC exploits for multiple vulnerabilities. The discovery covers vulnerabilities disclosed between 2017 and 2021.…

A Glimpse into AI and the SOCs of the Future

About twenty years ago, antivirus, IPS and firewalls were managed by security teams – most organizations had only one information security team, and the most important thing was getting up-to-date IPS signatures and antivirus databases. But SOCs are growing year by year because of new attack techniques and the new security controls needed to prevent them. Today, an enterprise organization has more than fifty…

Still Have Port 445 Open to the Internet?

CVE-2022-26809 is a vulnerability that exists within the Remote Procedure Call Runtime component in Microsoft Windows. If an attacker successfully exploits the vulnerability, they could run arbitrary code on the affected system. To exploit this vulnerability, an attacker would need to send a specially crafted RPC call to an RPC host. This could result in remote code execution on the server side with the…

Parrot is Used to Conduct Malicious Campaigns

Parrot TDS (Traffic Direction System) has infected various web servers hosting more than 16,500 websites, ranging from adult content sites and personal websites to university sites and local government sites. The campaign was discovered by Avast and is currently being used to run a campaign called FakeUpdate that distributes the NetSupport Remote Access Trojan (RAT) via fake browser update notifications. Parrot TDS acts as a gateway for…

Everything About Attack Surface Management

For many years, we have been using vulnerability scanners to identify security weaknesses and flaws in our internet-facing environment. A vulnerability scan is an automated process and is critically important for organizations to see which vulnerabilities they have that attackers could use if they target them. Despite all this success, widespread use and importance, vulnerability scanning has some gaps when it comes to managing the organization’s attack surface.…

Biggest Insider Threat – Lapsus$ Job Advertisement

A few months ago, there were reports that threat groups were contacting the employees of the companies they were planning to attack and asking for their help to infiltrate in exchange for a certain share. It seems that this issue is getting more and more important every day. Most recently, the Lapsus$ group published a job advertisement saying that they are recruiting employees who work in certain…

Conti CVEs Leaked

On the 27th of February, a member of the Conti threat group started leaking data from the group, after Conti announced that they fully support Russia against Ukraine. The leak is still ongoing via the “ContiLeaks” Twitter account. It started with unencrypted chat messages between Conti members. On the 1st of March, the threat actor shared access information for several Conti storage servers and some…

CTI does not mean Fraud Detection

Although organizations invest more and more in security tools, breach statistics keep increasing. Ten or more years ago, attackers mostly acted alone and used basic tools, so it was easier to block them. But advanced techniques and tools, and the groups that came together to attack, have made these attacks more difficult to block. There was no such thing as intelligence on…

Image Reverse Search

With the growth of social media usage, fake news and social media scams are growing too. For many reasons, we need to verify posts before we believe and/or share them. Image reverse search is an OSINT technique that is very important because of these social media and news scams, and it is as easy as it is important. To see if a news item is true, one of…

DFIR Problems in the Cloud

More and more companies are starting to use the cloud because of its ease of deployment, its integration with business needs and its scalability, and the pandemic and changing business models have pushed its usage even further. From an IT perspective, cloud usage provides a lot of convenience. By using the cloud, companies can pay only for the resources they need and scale up or down to…

Threat Hunting III – Pyramid of Pain

As we mentioned in the previous sessions, IoCs are crucially important for a proactive threat hunting process. Threat hunters should know as much as possible about new threats and incorporate that information into their hunting processes. The Pyramid of Pain classifies IoCs and helps us better understand their usefulness. The Pyramid of Pain was created by David Bianco (FireEye). He also has a YouTube…

Zone Identifier Commands

With the Zone Identifier, we can tell whether a file was downloaded from the internet or not. A file with the Zone.Identifier name is an ADS (Alternate Data Stream) that contains information about another file; it describes the security zone of that file. Zone Identifier streams are generated by Internet Explorer and Outlook when saving files to a Windows operating system. They are normally hidden and…

Searching for IoC with Redline

Redline is a free tool for investigating malicious activity through memory and file analysis. It has a lot of features for investigation, but in this post we will only cover searching for IoCs on the endpoint with Redline. In the previous post, we created an IoC to detect WinSCP.exe. Now, we will search for it with Redline as the example. We will go on with “Create…

Data Collection with Redline

As we discussed before, Redline is a great tool for investigating endpoints. In this post, we will explain how to collect memory data with Redline. First, on the main page of Redline, we click the “Create a Standard Collector” button. In the window that opens, we click the “Edit your script” label and make sure we select everything we need for memory analysis. Then we…

Creating IoCs with Mandiant IOCe

In the “Open Threat Exchange” post, we mentioned the IoCs shared by other parties on Open Threat Exchange. OpenIOCs are nice since they are vendor independent and can be used in a lot of different technologies for detecting threats. Viewing Existing IoCs: In this post, we will talk about the Mandiant IOC Editor. First of all, Mandiant IOCe can be used to view open IoCs…

Open Threat Exchange

Open Threat Exchange is a threat intelligence platform from AlienVault. There is no limit on using this platform to get intel information. When you register and log in to OTX, you can easily see a summary of the threats in the “Subscribed Pulses” section. Let’s choose a threat called “Wiper luring the Olympic Games”. When we click on it, we can see the details of the threat…

Threat Hunting II – Recommendations

Effective threat hunting is critical because it is hard to think like attackers and to search for the unknown in an enterprise network. This post may help organizations with effective and successful threat hunting. Knowledge of Topology and Environment: The purpose of threat hunting is to find anomalies and their sources in the network and on endpoints. So, a threat hunter should…

Threat Hunting I – Understanding Threat Hunting

Although Threat Hunting is nothing new, it has been a very hot topic lately. Even if you have perimeter and endpoint security devices and a SIEM for collecting and correlating their logs, waiting for incidents to come is not a good approach. Without Threat Hunting, dwell time grows to more than 150 days, and this is not acceptable anymore. While attackers are working proactively…

Incident Handling and Response to Insider Threats

Because an insider is an employee, a trusted person with access to various data, insider threats are major risks for organizations. Organizations are investing in protecting the perimeter against external threats but focusing less on internal threats. This is another factor that makes insider threats more risky. Attacks may come from different types of employees. These attackers may be system admins or…

Product Review: Cyber AI Analyst

The Best Enterprise Security Solution finalists have been announced by SC Magazine. Darktrace’s Cyber AI Analyst is one of these solutions, and since I like its mentality, I want to write something about it. For most organizations, one of the biggest problems today is finding and keeping qualified analysts. Because attacks develop day by day, and because of newly established and growing SOCs and growing teams,…

XSS Detection and Prevention

XSS is a common and very popular vulnerability that has been in the OWASP Top 10 from the beginning. XSS is hard to detect and very dangerous, since an attacker can gain the ability to do and see what the user can, such as passwords, financial information, etc. XSS has two main types: Stored XSS, where the malicious script is directly injected into the vulnerable application, and Reflected…

Data Carving with Foremost

Foremost is a valuable tool for Linux forensics. It is a console tool with which you can recover files based on their different properties. This is basically the data carving process. Foremost can work on image files created by SafeBack, EnCase, and dd. As part of forensic analysis, data carving must be understood. It is a forensic technique of reassembling files from the raw…

System Analysis with Process Explorer

Computer forensics is a set of methodological techniques to gather, identify and present evidence from digital equipment. Many different techniques are required. One of them is getting the system information. Process Explorer is a tool that helps you get system information from any Windows machine. Process Explorer (procexp64.exe) is a Sysinternals tool that can be downloaded from the internet. Once you run the tool,…