Sources & Methods Newsletter #12 - September 2023
I'm glad to share issue 12, representing a year of the Sources & Methods monthly newsletter. Starting this month, each issue may now include embedded videos and podcast episodes in addition to articles, in a section I've renamed to Information. This issue is also packed with even more knowledge and tools—including an article from Sources & Methods—to celebrate the occasion.
Here's to the next year and beyond!
Matthew Conway (@mattreduce)
📁 Sources
PublicWWW - Search the source code of public websites when pivoting, hunting, and collecting OSINT.
📰 Information
Microsoft - Results of Major Technical Investigations for Storm-0558 Key Acquisition #intrusion #analysis #Storm-0558
Joe Slowik - Attaining Focus: Evaluating Vulnerabilities In The Current Threat Environment #risk #vulnmgmt #0days
Scott Roberts - Burnt TIPs #tooling
US CISA - Review Of The Attacks Associated with Lapsus$ And Related Threat Groups #threatgroup #report #Lapsus$
BushidoToken - Detecting and Fingerprinting Infostealer Malware-as-a-Service platforms #stealer #infrastructure #analysis
Vertex Project - Using Mobile Phone Telemetry to Track a Diplomat #GEOINT #analysis #tooling
DFIR Report - ShareFinder: How Threat Actors Discover File Shares #analysis #windows #powershell
Team Cymru - Darth Vidar: The Aesir Strike Back #operational #analysis #infrastructure #stealers
Janes - Applying analytic tradecraft to OSINT #tradecraft #analysis #OSINT
MITRE - Elevate your threat intel reports with CTI Blueprints #reporting #templates
Sources & Methods - How I Make Sources & Methods Newsletter #SRCMTD #ICYMI
🛠 Tools
CU-GIR
Intel471 shared their Cyber Underground General Intelligence Requirements (CU-GIRs) as a STIX Bundle on GitHub.
attackgen
An interesting use of an LLM to augment analysts' work: attackgen combines MITRE ATT&CK framework content with your organizational context to generate realistic attack scenarios and a list of TTPs.
greynoiselabs
github.com/GreyNoise-Intelligence/greynoiselabs
Python CLI and library for interacting with GreyNoise's experimental Labs APIs.
SynSharp
github.com/ancailliau/SynSharp
A new client for Vertex Synapse written in C#, which already supports a range of Forms and Types.
chepy
Python CLI and library multi-tool in the style of CyberChef—once you build a recipe of processing tasks, you can script its execution, and even process executables.
csvmatch
Python CLI tool for finding loosely matching records between separate CSV datasets; it supports multiple well-described similarity algorithms.
💡 Tip
Continuing on the theme of STIX best practices from last month, I wanted to share a tip regarding labels. According to the STIX™ Best Practices Guide, you shouldn't use labels to represent facts and assertions that can already be expressed using STIX Objects, Relationships, and their properties.
To give you an example: Tools can have multiple types (taken from the tool-type-ov open vocabulary, which you can extend with your own types). So you don't need to use a label like purpose:scanner when you can set tool_types to ["vulnerability-scanning"]. Hope this helps!
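To make the tip concrete, here is a small linter, added as an example for this issue rather than taken from the STIX Best Practices Guide or any STIX library. It builds STIX 2.1 Tool objects as plain dicts (standard library only, no stix2 dependency), flags labels that merely restate a tool-type-ov term, and moves them into tool_types. The tool-type-ov terms are those of the STIX 2.1 specification; the "purpose:<word>" label convention and the LABEL_ALIASES mapping (for example "scanner" to "vulnerability-scanning") are assumed conventions for this example only, and the sample objects are constructed.

```python
"""Lint STIX 2.1 Tool objects for labels that duplicate the tool_types property.

Added example: not code from the newsletter, the STIX guide, or any STIX library.
"""
import json
import uuid

# Terms of the STIX 2.1 tool-type-ov open vocabulary.
TOOL_TYPE_OV = frozenset({
    "denial-of-service", "exploitation", "information-gathering",
    "network-capture", "credential-exploitation", "remote-access",
    "vulnerability-scanning", "unknown",
})

# Assumed local label convention ("purpose:<word>") mapped onto tool-type-ov
# terms. This mapping is hypothetical and exists only for this example.
LABEL_ALIASES = {
    "scanner": "vulnerability-scanning",
    "rat": "remote-access",
    "sniffer": "network-capture",
    "ddos": "denial-of-service",
}


def make_tool(name, tool_types=(), labels=(), created="2023-09-01T00:00:00.000Z"):
    """Build a minimal STIX 2.1 Tool SDO as a plain dict (constructed sample data)."""
    obj = {
        "type": "tool",
        "spec_version": "2.1",
        "id": f"tool--{uuid.uuid4()}",
        "created": created,
        "modified": created,
        "name": name,
    }
    if tool_types:
        obj["tool_types"] = list(tool_types)
    if labels:
        obj["labels"] = list(labels)
    return obj


def tool_type_for_label(label):
    """Return the tool-type-ov term a label restates, or None if it carries new info."""
    value = label.split(":", 1)[1] if ":" in label else label
    value = value.strip().lower()
    if value in TOOL_TYPE_OV:
        return value
    return LABEL_ALIASES.get(value)


def lint_tool(tool):
    """Return (label, tool_type) pairs for labels that should be tool_types instead."""
    if tool.get("type") != "tool":
        return []
    return [(lbl, tt) for lbl in tool.get("labels", [])
            if (tt := tool_type_for_label(lbl)) is not None]


def normalize_tool(tool):
    """Return a copy of the Tool with redundant labels moved into tool_types."""
    fixed = dict(tool)
    redundant = dict(lint_tool(tool))          # label -> tool-type-ov term
    types = list(tool.get("tool_types", []))
    for tt in redundant.values():
        if tt not in types:                    # avoid duplicating an existing entry
            types.append(tt)
    labels = [lbl for lbl in tool.get("labels", []) if lbl not in redundant]
    if types:
        fixed["tool_types"] = types
    if labels:
        fixed["labels"] = labels
    else:
        fixed.pop("labels", None)
    return fixed


def lint_bundle(bundle):
    """Map object id -> findings for every Tool in a bundle that has redundant labels."""
    findings = {}
    for obj in bundle.get("objects", []):
        hits = lint_tool(obj)
        if hits:
            findings[obj["id"]] = hits
    return findings


if __name__ == "__main__":
    # Constructed sample: the label-based style the tip advises against.
    before = make_tool("acme-scan", labels=["purpose:scanner", "vendor:acme"])
    bundle = {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": [before]}
    print("findings:", lint_bundle(bundle))
    print(json.dumps(normalize_tool(before), indent=2))
```

Labels that carry information STIX cannot express elsewhere (the "vendor:acme" label above) survive normalization; only the ones that restate a tool-type-ov term are folded into tool_types.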
📆 Events
SANS OSINT Summit 2023
📍 Online (EDT timezone)
📊 Conference Sep 22
🔗 https://www.sans.org/cyber-security-training-events/osint-summit-2023/
hack.lu and CTI Summit
📍 Dommeldange, Luxembourg City, LU
📊 CTI Summit Oct 16-17
📊 Hack.lu Oct 18-19
🏢 Alvisse Parc Hotel
🔗 https://hack.lu/
ATT&CKcon 4.0
📍 McLean, VA, US & Virtual
📊 Conference Oct 24-25
🏢 MITRE campus
🔗 https://www.mitre.org/events/attckcon-40
CYBERWARCON
📍 Arlington, VA, US
📊 Conference Nov 9
🏢 Hyatt Regency Crystal City
🔗 https://www.cyberwarcon.com/