Hello again! This week, while I'm putting together issue 11, the weather is perfect for reading the new second edition of Intelligence-Driven Incident Response. Will try to review it on the blog in the next few months.
Thanks for reading,
Matthew Conway (@mattreduce)
Docker Botnets - A collection of code from botnets specifically targeting Docker, starting in 2018 and still maintained today. You can use this as a corpus for validating YARA rules, for watching the evolution of some of the most shoddily-written but omnipresent malware, and for gleaning insights like shell tricks and infrastructure preferences. Enjoy!
GitHub - Social engineering campaign targets technology industry employees #alert #phishing #DPRK
Talos - Implementing an ISO-compliant threat intelligence program #program #compliance
Tony Lambert - Faster Malware Triage with YARA #malwareanalysis #tooling #YARA
Tidal Cyber - The Infostealer Landscape & Rising Infostealer Threats to Businesses #analysis #strategic #stealers
Will Thomas - Threat Actor Profile Guide for CTI Analysts #howto #production #threats
Maltego - How to Conduct Person of Interest Investigations Using OSINT and Maltego #howto #OSINT #investigation
Ben Nimmo, Eric Hutchins - Phase-based Tactical Analysis of Online Operations #frameworks #IO #disinfo
HTTP Headers Hashing (HHHash)
New web server fingerprinting tool that generates an identifying hash based on HTTP response headers.
A minimalist, self-hosted RSS feed reader. Simple to run via a single Go executable and a PostgreSQL database using Docker. Includes an API and both Go and Python SDKs, full-text search, Readability content parser, is Fever/Google Reader API-compatible, supports OIDC auth. It really impressed me!
Given STIX Observed Data, this Python tool will determine if it matches a given STIX Indicator—like an Email Message with a certain sender and subject.
Python CLI and library for validating STIX 2.1 Indicator Patterns.
Vertex Synapse Power-Up that enables you to submit file:bytes nodes to the Recorded Future Triage malware sandbox for static and dynamic analysis.
New Google Chrome browser extension from Bellingcat, for setting a consistent timezone across multiple social networking sites to aid in correlation.
When modeling attack infrastructure using STIX 2.1, you should use Infrastructure objects to represent resources like command and control (C2), email, or phishing servers, and botnets. Then you can relate your Infrastructure objects to other kinds like Malware through descriptive relationship types including delivers, and relate to Observables like Domain Names and IPv4 Addresses via consists-of relationships. Read the STIX Best Practices Guide for more details.
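As an added illustration of the modeling above (example code written for this issue, not taken from the STIX Best Practices Guide or any STIX library), the following standard-library Python builds a STIX 2.1 bundle with one phishing server as an Infrastructure object, a `delivers` relationship to a Malware object, and `consists-of` relationships to a Domain Name and an IPv4 Address. The relationship table is a reduced subset of the spec's Infrastructure row (assumption: extend it as you model more object types), and every domain, address and name is a constructed placeholder.

```python
"""Added example: model attack infrastructure as STIX 2.1 JSON using only the stdlib."""
import json
import uuid
from datetime import datetime, timezone

# Namespace the STIX 2.1 spec assigns for deterministic Cyber-observable ids.
SCO_NAMESPACE = uuid.UUID("00abedb4-aa42-466c-9c01-fed23315a9b7")

# Relationship types the STIX 2.1 spec defines with Infrastructure as the source.
# Assumption: this subset covers only the targets this example needs.
ALLOWED_FROM_INFRASTRUCTURE = {
    "delivers": {"malware"},
    "consists-of": {"infrastructure", "observed-data", "domain-name", "ipv4-addr", "ipv6-addr", "url"},
    "communicates-with": {"infrastructure", "domain-name", "ipv4-addr", "ipv6-addr", "url"},
    "controls": {"infrastructure", "malware"},
    "hosts": {"tool", "malware"},
}


def _timestamp():
    # STIX timestamps are UTC, RFC 3339, with a trailing 'Z'.
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def make_sdo(obj_type, **props):
    """STIX Domain Object (or SRO) with the common properties every one must carry."""
    ts = _timestamp()
    return {"type": obj_type, "spec_version": "2.1", "id": f"{obj_type}--{uuid.uuid4()}",
            "created": ts, "modified": ts, **props}


def make_sco(obj_type, value):
    """Single-value Cyber-observable (domain-name, ipv4-addr, url). The id is a UUIDv5 over
    the id-contributing 'value' property, so the same value always yields the same id."""
    contributing = json.dumps({"value": value}, separators=(",", ":"), sort_keys=True)
    return {"type": obj_type, "spec_version": "2.1",
            "id": f"{obj_type}--{uuid.uuid5(SCO_NAMESPACE, contributing)}", "value": value}


def allowed(source_type, relationship_type, target_type):
    """True when the spec defines this pairing; non-Infrastructure sources are not checked here."""
    if source_type != "infrastructure":
        return True
    return target_type in ALLOWED_FROM_INFRASTRUCTURE.get(relationship_type, set())


def relate(source, relationship_type, target):
    """Relationship SRO; rejects pairings the spec does not define for Infrastructure."""
    if not allowed(source["type"], relationship_type, target["type"]):
        raise ValueError(f"{source['type']} --{relationship_type}--> {target['type']} is not a STIX 2.1 relationship")
    return make_sdo("relationship", relationship_type=relationship_type,
                    source_ref=source["id"], target_ref=target["id"])


def build_phishing_bundle():
    """Infrastructure -delivers-> Malware and Infrastructure -consists-of-> {domain-name, ipv4-addr}."""
    server = make_sdo("infrastructure", name="Example phishing server",  # constructed name
                      infrastructure_types=["phishing"])
    lure = make_sdo("malware", name="Example loader", is_family=False,    # constructed name
                    malware_types=["downloader"])
    domain = make_sco("domain-name", "lure.example")   # constructed; reserved .example TLD
    address = make_sco("ipv4-addr", "192.0.2.10")      # constructed; RFC 5737 documentation range
    objects = [server, lure, domain, address,
               relate(server, "delivers", lure),
               relate(server, "consists-of", domain),
               relate(server, "consists-of", address)]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def relationship_summary(bundle):
    """Sorted (source type, relationship type, target type) triples for a quick graph check."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    return sorted((by_id[r["source_ref"]]["type"], r["relationship_type"], by_id[r["target_ref"]]["type"])
                  for r in bundle["objects"] if r["type"] == "relationship")


if __name__ == "__main__":
    print(json.dumps(build_phishing_bundle(), indent=2))
```

The deterministic observable ids are what let two analysts (or two feeds) describing the same domain produce the same `domain-name` object, so their `consists-of` edges merge instead of duplicating nodes; the `allowed` check catches the common mistake of pointing `delivers` at an observable instead of a Malware object.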
Underground Economy Conference 2023
📍 Prague, CZ
📊 Conference Sep 4-7
🏢 Prague Congress Center
🔗 Conference https://www.team-cymru.com/ue2023
SANS OSINT Summit 2023
📍 Online (EDT timezone)
📊 Conference Sep 22
🔗 Conference https://www.sans.org/cyber-security-training-events/osint-summit-2023/
hack.lu and CTI Summit
📍 Dommeldange, Luxembourg City, LU
📊 CTI Summit Oct 16-17
📊 Hack.lu Oct 18-19
🏢 Alvisse Parc Hotel
🔗 Conference https://hack.lu/
📍 McLean, VA, US & Virtual
📊 Conference Oct 24-25
🏢 MITRE campus, McLean, VA