Sources & Methods Newsletter #11 - August 2023
Hello again! This week, while I'm putting together issue 11, the weather is perfect for reading the new second edition of Intelligence-Driven Incident Response. Will try to review it on the blog in the next few months.
Thanks for reading,
Matthew Conway (@mattreduce)
Sources
Docker Botnets - A collection of code from botnets specifically targeting Docker, starting in 2018 and still maintained today. You can use this as a corpus for validating YARA rules, for watching the evolution of some of the most shoddily-written but omnipresent malware, and for gleaning insights like shell tricks and infrastructure preferences. Enjoy!
Articles
GitHub - Social engineering campaign targets technology industry employees #alert #phishing #DPRK
Talos - Implementing an ISO-compliant threat intelligence program #program #compliance
Tony Lambert - Faster Malware Triage with YARA #malwareanalysis #tooling #YARA
Tidal Cyber - The Infostealer Landscape & Rising Infostealer Threats to Businesses #analysis #strategic #stealers
Will Thomas - Threat Actor Profile Guide for CTI Analysts #howto #production #threats
Maltego - How to Conduct Person of Interest Investigations Using OSINT and Maltego #howto #OSINT #investigation
Ben Nimmo, Eric Hutchins - Phase-based Tactical Analysis of Online Operations #frameworks #IO #disinfo
Tools
HTTP Headers Hashing (HHHash)
New web server fingerprinting tool that generates an identifying hash based on HTTP response headers.
Miniflux 2
A minimalist, self-hosted RSS feed reader. Simple to run via a single Go executable and a PostgreSQL database using Docker. Includes an API and both Go and Python SDKs, full-text search, Readability content parser, is Fever/Google Reader API-compatible, supports OIDC auth. It really impressed me!
cti-pattern-matcher
github.com/oasis-open/cti-pattern-matcher
Given STIX Observed Data, this Python tool will determine if it matches a given STIX Indicator, like an Email Message with a certain sender and subject.
cti-pattern-validator
github.com/oasis-open/cti-pattern-validator
Python CLI and library for validating STIX 2.1 Indicator Patterns.
synapse-triage
github.com/captainGeech42/synapse-triage
Vertex Synapse Power-Up that enables you to submit file:bytes nodes to the Recorded Future Triage malware sandbox for static and dynamic analysis.
uniform-timezone
github.com/bellingcat/uniform-timezone
New Google Chrome browser extension from Bellingcat, for setting a consistent timezone across multiple social networking sites to aid in correlation.
Tip
When modeling attack infrastructure using STIX 2.1, you should use Infrastructure objects to represent resources like command and control (C2), email, or phishing servers, and botnets. Then you can relate your Infrastructure objects to other kinds like Malware through descriptive relationship types including controls or delivers, and relate to Observables like Domain Names and IPv4 Addresses via consists-of relationships. Read the STIX Best Practices Guide for more details.
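The modeling pattern above, as an added example that is not code from the newsletter or from OASIS: it builds a small STIX 2.1 bundle by hand (plain dicts, no stix2 library) with a C2 Infrastructure object that controls a Malware object and consists-of a Domain Name and an IPv4 Address, and checks each Infrastructure relationship against the relationship types the STIX 2.1 spec defines for that source. The names, values, timestamp and namespace UUID are constructed.

```python
import uuid

# Relationship types STIX 2.1 defines with Infrastructure as the source object,
# mapped to the target object types each allows. consists-of permits any SCO;
# only the common ones are listed here.
INFRA_RELATIONSHIPS = {
    "communicates-with": {"infrastructure", "ipv4-addr", "ipv6-addr", "domain-name", "url"},
    "consists-of": {"infrastructure", "observed-data", "domain-name", "ipv4-addr",
                    "ipv6-addr", "url", "email-addr", "file", "network-traffic", "software"},
    "controls": {"infrastructure", "malware"},
    "delivers": {"malware"},
    "has": {"vulnerability"},
    "hosts": {"tool", "malware"},
    "located-at": {"location"},
    "uses": {"infrastructure"},
}
TS = "2023-08-01T00:00:00.000Z"  # constructed timestamp for the example objects

def _id(type_, key):
    # Deterministic ids so the example is reproducible; constructed namespace.
    return f"{type_}--{uuid.uuid5(uuid.NAMESPACE_URL, key)}"

def sdo(type_, name, **extra):
    return {"type": type_, "spec_version": "2.1", "id": _id(type_, name),
            "created": TS, "modified": TS, "name": name, **extra}

def sco(type_, value):
    return {"type": type_, "spec_version": "2.1", "id": _id(type_, value), "value": value}

def relationship(src, rel_type, dst):
    return {"type": "relationship", "spec_version": "2.1",
            "id": _id("relationship", f"{src['id']}|{rel_type}|{dst['id']}"),
            "created": TS, "modified": TS, "relationship_type": rel_type,
            "source_ref": src["id"], "target_ref": dst["id"]}

def check_infra_relationships(objects):
    """Return problems for relationships whose source is an Infrastructure object."""
    by_id = {o["id"]: o for o in objects}
    problems = []
    for o in objects:
        if o["type"] != "relationship" or not o["source_ref"].startswith("infrastructure--"):
            continue
        target_type = by_id[o["target_ref"]]["type"]
        if target_type not in INFRA_RELATIONSHIPS.get(o["relationship_type"], set()):
            problems.append(f"infrastructure {o['relationship_type']} {target_type} is not defined in STIX 2.1")
    return problems

def build_c2_bundle():
    c2 = sdo("infrastructure", "Example C2 tier", infrastructure_types=["command-and-control"])
    rat = sdo("malware", "Example RAT", is_family=True, malware_types=["remote-access-trojan"])
    domain, ip = sco("domain-name", "c2.example.invalid"), sco("ipv4-addr", "203.0.113.10")
    objects = [c2, rat, domain, ip, relationship(c2, "controls", rat),
               relationship(c2, "consists-of", domain), relationship(c2, "consists-of", ip)]
    return {"type": "bundle", "id": _id("bundle", "example"), "objects": objects}
```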
Events
Underground Economy Conference 2023
Prague, CZ
Conference Sep 4-7
Prague Congress Center
Conference https://www.team-cymru.com/ue2023
SANS OSINT Summit 2023
Online (EDT timezone)
Conference Sep 22
Conference https://www.sans.org/cyber-security-training-events/osint-summit-2023/
hack.lu and CTI Summit
Dommeldange, Luxembourg City, LU
CTI Summit Oct 16-17
Hack.lu Oct 18-19
Alvisse Parc Hotel
Conference https://hack.lu/
ATT&CKcon 4.0
McLean, VA, US & Virtual
Conference Oct 24-25
MITRE campus, McLean, VA
https://www.mitre.org/events/attckcon-40