Sources & Methods Newsletter #11 - August 2023

Hello again! This week, while I'm putting together issue 11, the weather is perfect for reading the new second edition of Intelligence-Driven Incident Response. Will try to review it on the blog in the next few months.

Thanks for reading,

Matthew Conway (@mattreduce)

πŸ“ Sources

Docker Botnets - A collection of code from botnets specifically targeting Docker, starting in 2018 and still maintained today. You can use this as a corpus for validating YARA rules, for watching the evolution of some of the most shoddily-written but omnipresent malware, and for gleaning insights like shell tricks and infrastructure preferences. Enjoy!

📰 Articles

GitHub - Social engineering campaign targets technology industry employees #alert #phishing #DPRK

Talos - Implementing an ISO-compliant threat intelligence program #program #compliance

Tony Lambert - Faster Malware Triage with YARA #malwareanalysis #tooling #YARA

Tidal Cyber - The Infostealer Landscape & Rising Infostealer Threats to Businesses #analysis #strategic #stealers

Will Thomas - Threat Actor Profile Guide for CTI Analysts #howto #production #threats

Maltego - How to Conduct Person of Interest Investigations Using OSINT and Maltego #howto #OSINT #investigation

Ben Nimmo, Eric Hutchins - Phase-based Tactical Analysis of Online Operations #frameworks #IO #disinfo

🛠 Tools

HTTP Headers Hashing (HHHash)

New web server fingerprinting tool that generates an identifying hash based on HTTP response headers.

Miniflux 2

A minimalist, self-hosted RSS feed reader. Simple to run via a single Go executable and a PostgreSQL database using Docker. Includes an API with both Go and Python SDKs, full-text search, a Readability content parser, Fever and Google Reader API compatibility, and OIDC auth support. It really impressed me!

Given STIX Observed Data, this Python tool will determine whether it matches a given STIX Indicator, such as an Email Message with a certain sender and subject.

Python CLI and library for validating STIX 2.1 Indicator Patterns.

Vertex Synapse Power-Up that enables you to submit file:bytes nodes to the Recorded Future Triage malware sandbox for static and dynamic analysis.

New Google Chrome browser extension from Bellingcat, for setting a consistent timezone across multiple social networking sites to aid in correlation.

💡 Tip

When modeling attack infrastructure in STIX 2.1, use Infrastructure objects to represent resources such as command and control (C2), email, or phishing servers, and botnets. You can then relate those Infrastructure objects to other object types, such as Malware, through descriptive relationship types including controls or delivers, and relate them to Observables such as Domain Names and IPv4 Addresses via consists-of relationships. Read the STIX Best Practices Guide for more details.
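As an added example that is not part of the newsletter, here is the modeling described in the tip written out as STIX 2.1 JSON using only Python's standard library rather than the stix2 package: an Infrastructure object related to Malware via controls and to Domain Name and IPv4 Address observables via consists-of, with a guard that refuses relationship combinations outside a small allow-list. The allow-list is a subset of the Infrastructure relationships the STIX 2.1 spec defines, the namespace UUID is the one the spec assigns for deterministic SCO ids, and the object names, domain and address are constructed sample values.

```python
import json
import uuid
from datetime import datetime, timezone

SCO_NAMESPACE = uuid.UUID("00abedb4-aa42-466c-9c01-fed23315a9b7")  # STIX 2.1 SCO id namespace
ALLOWED_RELATIONSHIPS = {  # subset of the Infrastructure relationships the spec defines
    ("infrastructure", "controls", "malware"),
    ("infrastructure", "delivers", "malware"),
    ("infrastructure", "consists-of", "domain-name"),
    ("infrastructure", "consists-of", "ipv4-addr"),
}

def _now():
    """Current UTC time in the RFC 3339 form STIX uses, millisecond precision."""
    dt = datetime.now(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"

def sdo(stix_type, **props):
    """Domain object or SRO: random UUIDv4 id plus created/modified timestamps."""
    ts = _now()
    return {"type": stix_type, "spec_version": "2.1", "id": f"{stix_type}--{uuid.uuid4()}",
            "created": ts, "modified": ts, **props}

def sco(stix_type, value):
    """Observable with a UUIDv5 id from its 'value', so the same domain or IP always gets the same id."""
    seed = json.dumps({"value": value}, sort_keys=True, separators=(",", ":"))
    return {"type": stix_type, "spec_version": "2.1",
            "id": f"{stix_type}--{uuid.uuid5(SCO_NAMESPACE, seed)}", "value": value}

def relationship(source, rel_type, target):
    """Build an SRO, refusing source/type/target combinations not in the allow-list."""
    key = (source["type"], rel_type, target["type"])
    if key not in ALLOWED_RELATIONSHIPS:
        raise ValueError(f"undefined STIX relationship: {key}")
    return sdo("relationship", relationship_type=rel_type,
               source_ref=source["id"], target_ref=target["id"])

def build_bundle():
    """Constructed sample: one C2 server, the implant it controls, its domain and IP."""
    c2 = sdo("infrastructure", name="example C2 server",
             infrastructure_types=["command-and-control"])
    implant = sdo("malware", name="example implant", is_family=False)
    domain = sco("domain-name", "c2.example.net")  # reserved example domain
    addr = sco("ipv4-addr", "198.51.100.7")         # documentation range (TEST-NET-2)
    rels = [relationship(c2, "controls", implant),
            relationship(c2, "consists-of", domain),
            relationship(c2, "consists-of", addr)]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [c2, implant, domain, addr, *rels]}
```

Call `json.dumps(build_bundle(), indent=2)` to see the resulting bundle; because observable ids are derived from their value, the same domain or address produces the same id every time and merges cleanly when bundles are combined.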

📆 Events

Underground Economy Conference 2023

πŸ“ Prague, CZ
πŸ“Š Conference Sep 4-7
🏒 Prague Congress Center
πŸ”— Conference https://www.team-cymru.com/ue2023

SANS OSINT Summit 2023

πŸ“ Online (EDT timezone)
πŸ“Š Conference Sep 22
πŸ”— Conference https://www.sans.org/cyber-security-training-events/osint-summit-2023/

hack.lu and CTI Summit

πŸ“ Dommeldange, Luxembourg City, LU
πŸ“Š CTI Summit Oct 16-17
πŸ“Š Hack.lu Oct 18-19
🏒 Alvisse Parc Hotel
πŸ”— Conference https://hack.lu/

ATT&CKcon 4.0

πŸ“ McLean, VA, US & Virtual
πŸ“Š Conference Oct 24-25
🏒 MITRE campus, McLean, VA
πŸ”— https://www.mitre.org/events/attckcon-40