MISP vs OpenCTI: An Overview
Open-source intelligence (OSINT) platforms like MISP and OpenCTI are designed to help organizations collect, analyze, and share threat intelligence data. These platforms offer a range of features and capabilities, but there are significant differences between them. In this article, we'll explore the differences between MISP and OpenCTI so you can make an informed decision about which platform is right for your organization. MISP: MISP…
Are Free Antivirus Programs Enough?
According to a recent study, 61 percent of Americans rely on free antivirus programs to protect their devices from malware and other online threats. While this may seem like a cost-effective solution, it can actually leave individuals vulnerable to cyber attacks. Free antivirus programs offer basic protection against viruses, but they often lack the advanced features and updates necessary to keep up with rapidly…
To Pay or Not to Pay: Debating Ransomware Payments
Ransomware attacks are a growing threat to organizations around the world, with cybercriminals using increasingly sophisticated tactics to infiltrate computer systems and hold valuable data hostage. In the aftermath of an attack, businesses and organizations are often left with a difficult decision: should they pay the ransom demanded by the attackers to regain access to their data? This question has sparked intense debate among…
What to Know About Dark Web Search Engines
The Dark Web is a section of the internet that is not indexed by regular search engines like Google, Bing, or Yahoo. It is a part of the internet that is not easily accessible and is used by individuals who want to remain anonymous. The Dark Web is notorious for illegal activities such as drug trafficking, human trafficking, and the sale of illegal goods…
VirusTotal Adds Mandiant's CAPA and GoReSym Capabilities
VirusTotal is the largest community platform for sharing and learning about malicious files. It aggregates many antivirus and scan engines and allows users to check whether a file is malicious or not according to tens of antivirus products and scan engines. Google acquired VirusTotal in 2012 and Mandiant last year. While eagerly awaiting the integration of Google and Mandiant solutions, VirusTotal announced that it has extended VirusTotal's capabilities…
Are You Ready for EOS of Win Server 2012?
Microsoft is ending its support of Windows Server 2012 R2 on the 10th of October 2023. Its official EOS date was the 9th of October 2018, and 2023 is the extended EOS date. Microsoft will stop providing technical support and bug fixes for newly discovered issues that may impact the usability or stability of servers. As we remember from past experience, big decisions like…
Beware of Fake/Malicious CVE PoCs
In recent years, it has become very common to share PoC exploits for known vulnerabilities, and it is easy to find several PoCs for a vulnerability on GitHub. A research team from the Leiden Institute of Advanced Computer Science announced that it discovered thousands of repositories on GitHub offering fake PoC exploits for multiple vulnerabilities. The discovery covers vulnerabilities discovered between 2017 and 2021.…
A Glimpse into AI and the SOCs of the Future
About twenty years ago, antivirus, IPS and firewalls were managed by security teams; most organizations had only one information security team, and the most important thing was keeping IPS signatures and the antivirus database up to date. But SOCs are growing year by year because of new attack techniques and the new security controls needed to prevent them. Today, an enterprise organization has more than fifty…
Still Have Port 445 Open to the Internet?
CVE-2022-26809 is a vulnerability that exists within the Remote Procedure Call Runtime component of Microsoft Windows. If an attacker successfully exploits the vulnerability, they could run arbitrary code on the affected system. To exploit this vulnerability, an attacker would need to send a specially crafted RPC call to an RPC host. This could result in remote code execution on the server side with the…
Parrot is Used to Conduct Malicious Campaigns
Parrot TDS (Traffic Direction System) has infected various web servers hosting more than 16,500 websites, ranging from adult content sites and personal websites to university sites and local government sites. The situation was discovered by Avast, and the TDS is currently being used to run a campaign called FakeUpdate that distributes the NetSupport Remote Access Trojan (RAT) via fake browser update notifications. Parrot TDS acts as a gateway for…
Everything About Attack Surface Management
For many years, we have been using vulnerability scanners to identify security weaknesses and flaws in our internet-facing environment. A vulnerability scan is an automated process and is critically important for organizations to see what vulnerabilities they have that attackers could use if they target them. Despite all this success, widespread use and importance, vulnerability scanning has some gaps when it comes to managing the organization's attack surface.…
Biggest Insider Threat – Lapsus$ Job Advertisement
A few months ago, there were reports that threat groups were contacting the employees of the companies they were planning to attack and asking for their support to infiltrate in exchange for a certain share. It seems that this issue is becoming more important every day. Most recently, the Lapsus$ group published a job advertisement stating that they are recruiting employees working in certain…
Conti CVEs Leaked
On the 27th of February, a member of the Conti threat group started leaking data from the group, after Conti announced that they fully support Russia against Ukraine. The leak is still going on via the "ContiLeaks" Twitter account. It started with unencrypted chat messages between Conti members. On the 1st of March, the threat actor shared access information for several Conti storage servers and some…
CTI does not mean Fraud Detection
Organizations invest more and more in security tools, yet breach statistics keep increasing. Ten or more years ago, attackers were mostly alone and were using basic tools, so it was easier to block them. But advanced techniques and tools, and the groups that came together to attack, made these attacks more difficult to block. There was no such thing as intelligence on…
Image Reverse Search
With the growth of social media usage, fake news and social media scams are growing too. For many reasons, we need to check posts before we believe and/or share them. Image reverse search is an OSINT technique that is very important because of these social media and news scams, and it is as easy as it is important. To see if the news is true, one of…
DFIR Problems in the Cloud
As more and more companies start to use the cloud because of its ease of deployment, integration with business needs and scalability, the pandemic and changing business models have pushed its usage even further. From an IT perspective, cloud usage provides a lot of convenience. With the cloud, companies can pay only for the resources they need and scale up or down to…
Threat Hunting III – Pyramid of Pain
As we mentioned in the previous sessions, IoCs are crucially important for a proactive threat hunting process. Threat hunters should know as much as possible about new threats and apply that knowledge in their hunting processes. The Pyramid of Pain classifies IoCs and helps us better understand their usefulness. The Pyramid of Pain was created by David Bianco (FireEye). He also has a YouTube…
Zone Identifier Commands
With the Zone Identifier, we can tell whether a file was downloaded from the internet or not. A file with the Zone.Identifier extension is an ADS (Alternate Data Stream) file that contains information about another file. It describes the security zone of that file. Zone Identifier files are generated by Internet Explorer and Outlook when saving files to a Windows operating system. These files are normally hidden and…
Searching for IoC with Redline
Redline is a free tool for investigating malicious activity through memory and file analysis. It has many features for investigation, but in this post we will only cover searching for IoCs on the endpoint with Redline. In the previous post, we created an IoC to detect WinSCP.exe. Now, we will search for it with Redline as the example. We will go on with "Create…
Data Collection with Redline
As we discussed before, Redline is a great tool for investigating endpoints. In this post, we will explain how to collect memory data with Redline. First, on the main page of Redline, we click the "Create a Standard Collector" button. In the window that opens, we click the "Edit your script" label and make sure we select everything we need for memory analysis. Then we…
Creating IoCs with Mandiant IOCe
In the "Open Threat Exchange" post we mentioned the IoCs shared by other parties on Open Threat Exchange. Open IoCs are nice since they are manufacturer-independent and can be used in many different technologies for detecting threats. Viewing Existing IoCs: In this post, we will cover the Mandiant IOC Editor. First of all, Mandiant IOCe can be used to view open IoCs…
Open Threat Exchange
Open Threat Exchange is a threat intelligence platform from AlienVault. Use of this platform is not limited to getting intel information. When you register and log in to OTX, you can easily see a summary of the threats in the "Subscribed Pulses" section. Let's choose a threat called "Wiper luring the Olympic Games". When we click on it, we can see the details of the threat…
Threat Hunting II – Recommendations
Effective threat hunting is critical because it is hard to think like attackers and to search for the unknown in an enterprise network. This post may help organizations carry out effective and successful threat hunting. Knowledge of Topology and Environment: The purpose of threat hunting is to find anomalies and their sources in the network and on endpoints. So, a threat hunter should…
Threat Hunting I – Understanding Threat Hunting
Although threat hunting is nothing new, it is a very hot topic lately. Even if you have perimeter and endpoint security devices and a SIEM for collecting and correlating logs from them, waiting for incidents to arrive is not a good approach. Without threat hunting, dwell time is increasing to more than 150 days, and this is not acceptable anymore. While attackers are working proactively…
Incident Handling and Response to Insider Threats
Because an insider is an employee, a trusted person with access to various data, insider threats are major risks for organizations. Organizations invest in protecting the perimeter against external threats but focus less on internal threats. This is another factor that makes insider threats more risky. Attacks may come from different types of employees. These attackers may be system admins or…
Product Review: Cyber AI Analyst
The best enterprise security solution finalists have been announced by SC Magazine. Darktrace's Cyber AI Analyst is one of these solutions, and since I like its mentality, I want to write something about it. For most organizations, one of the biggest problems today is finding and keeping qualified analysts. Because of attacks developing day by day, newly established and growing SOCs, and growing teams,…
XSS Detection and Prevention
XSS is a common and very popular vulnerability that has also been in the OWASP Top 10 from the beginning. XSS is hard to detect and very dangerous since an attacker can gain the ability to do and see what the user can, like passwords, financial information, etc. XSS has two main types: Stored XSS, where the malicious script is injected directly into the vulnerable application, and Reflected…
Data Carving with Foremost
Foremost is a valuable tool for Linux forensics. It is a console tool, and you can recover files based on their different properties. This is basically the data carving process. Foremost can work on image files created by SafeBack, EnCase, and dd. As a part of forensic analysis, data carving must be understood. It is a forensic technique for reassembling files from the raw…
System Analysis with Process Explorer
Computer forensics is a set of methodological techniques to gather, identify and present evidence from digital equipment. Many different techniques are required; one of them is getting system information. Process Explorer is a tool that helps you get system information from any Windows machine. Process Explorer (procexp64.exe) is a Sysinternals tool that can be downloaded from the internet. Once you run the tool,…