
Sources & Methods Newsletter #12 - September 2023

I'm glad to share issue 12, representing a year of the Sources & Methods monthly newsletter. Starting this month, each issue may now include embedded videos and podcast episodes in addition to articles, in a section I've renamed to Information. This issue is also packed with even more knowledge and tools—including an article from Sources & Methods—to celebrate the occasion.

Here's to the next year and beyond!

Matthew Conway (@mattreduce)

📁 Sources

PublicWWW - Search the source code of public websites when pivoting, hunting, and collecting OSINT.

📰 Information

Microsoft - Results of Major Technical Investigations for Storm-0558 Key Acquisition #intrusion #analysis #Storm-0558

Joe Slowik - Attaining Focus: Evaluating Vulnerabilities In The Current Threat Environment #risk #vulnmgmt #0days

Scott Roberts - Burnt TIPs #tooling

US CISA - Review Of The Attacks Associated with Lapsus$ And Related Threat Groups #threatgroup #report #Lapsus$

BushidoToken - Detecting and Fingerprinting Infostealer Malware-as-a-Service platforms #stealer #infrastructure #analysis

Vertex Project - Using Mobile Phone Telemetry to Track a Diplomat #GEOINT #analysis #tooling

DFIR Report - ShareFinder: How Threat Actors Discover File Shares #analysis #windows #powershell

Team Cymru - Darth Vidar: The Aesir Strike Back #operational #analysis #infrastructure #stealers

Janes - Applying analytic tradecraft to OSINT #tradecraft #analysis #OSINT

MITRE - Elevate your threat intel reports with CTI Blueprints #reporting #templates

Sources & Methods - How I Make Sources & Methods Newsletter #SRCMTD #ICYMI

🛠 Tools

Intel471 shared their Cyber Underground General Intelligence Requirements (CU-GIRs) as a STIX Bundle on GitHub.

attackgen, an interesting use of an LLM to augment analysts' work, combines MITRE ATT&CK framework content with your organizational context to generate realistic attack scenarios and the list of TTPs they would involve.

Python CLI and library for interacting with GreyNoise's experimental Labs APIs.

A new client for Vertex Synapse written in C#, which already supports a range of Forms and Types.

Python CLI and library multi-tool in the style of CyberChef: once you build a recipe of processing tasks, you can script its execution, and even process executables.

Python CLI tool for finding loosely matching records between separate CSV datasets; it supports several well-documented similarity algorithms.

💡 Tip

Continuing on the theme of STIX best practices from last month, I wanted to share a tip regarding labels. According to the STIX™ Best Practices Guide, you shouldn't use labels to represent facts and assertions that can already be expressed using STIX Objects, Relationships, and their properties.

To give you an example: a Tool object's tool_types property is a list, so a tool can have several types, drawn from the tool-type-ov open vocabulary (which, being open, you can extend with your own terms). So you don't need a label like purpose:scanner when you can set tool_types to ["vulnerability-scanning"]: any STIX consumer gets the meaning from the property, whereas a label is an opaque string it has to know your convention for. Hope this helps!
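To make the tip concrete, here is an added example (my own illustration for this issue, not code from the STIX specification, the stix2 library, or the Best Practices Guide). It builds a minimal STIX 2.1 Tool object as a plain dict, flags labels that merely restate something tool_types can carry, and folds them into the property. The LABEL_TO_TOOL_TYPE mapping and the "purpose:" prefix are assumptions about what an ad-hoc feed might emit, not a STIX convention; the tool-type-ov terms are the ones in the 2.1 spec.

```python
"""Added example: prefer tool_types over labels on a STIX 2.1 Tool SDO.

Illustrative code for this newsletter, not from the STIX spec or stix2.
Objects are plain dicts so it runs offline without the stix2 package.
"""
import json
import uuid
from datetime import datetime, timezone

# The STIX 2.1 tool-type-ov open vocabulary.
TOOL_TYPE_OV = frozenset({
    "denial-of-service", "exploitation", "information-gathering",
    "network-capture", "credential-exploitation", "remote-access",
    "vulnerability-scanning", "unknown",
})

# Assumption: ad-hoc labels an upstream feed might emit, keyed by the value
# after an optional "purpose:" prefix. Hypothetical, not a STIX convention.
LABEL_TO_TOOL_TYPE = {
    "scanner": "vulnerability-scanning",
    "vulnerability-scanner": "vulnerability-scanning",
    "exploit": "exploitation",
    "rat": "remote-access",
    "sniffer": "network-capture",
    "recon": "information-gathering",
    "ddos": "denial-of-service",
}


def _now():
    # STIX timestamps: RFC 3339 UTC with millisecond precision and a Z suffix.
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def make_tool(name, tool_types=(), labels=()):
    """Build a minimal STIX 2.1 Tool SDO; empty lists are omitted because
    STIX forbids empty list properties."""
    ts = _now()
    tool = {
        "type": "tool",
        "spec_version": "2.1",
        "id": "tool--" + str(uuid.uuid4()),
        "created": ts,
        "modified": ts,
        "name": name,
    }
    if tool_types:
        tool["tool_types"] = list(tool_types)
    if labels:
        tool["labels"] = list(labels)
    return tool


def _label_to_tool_type(label):
    key = label.lower()
    if key.startswith("purpose:"):
        key = key[len("purpose:"):]
    return LABEL_TO_TOOL_TYPE.get(key)


def redundant_labels(tool):
    """(label, tool_type) pairs for labels that tool_types could express."""
    out = []
    for label in tool.get("labels", []):
        tt = _label_to_tool_type(label)
        if tt is not None:
            out.append((label, tt))
    return out


def custom_tool_types(tool):
    """tool_types outside tool-type-ov. Allowed (the vocabulary is open),
    but worth reviewing: a typo of a standard term looks the same."""
    return [t for t in tool.get("tool_types", []) if t not in TOOL_TYPE_OV]


def normalize_tool(tool):
    """Copy of the Tool with redundant labels folded into tool_types.
    Order is kept, duplicates dropped, and an emptied labels list removed."""
    fixed = dict(tool)
    types = list(tool.get("tool_types", []))
    keep = []
    for label in tool.get("labels", []):
        tt = _label_to_tool_type(label)
        if tt is None:
            keep.append(label)
        elif tt not in types:
            types.append(tt)
    if types:
        fixed["tool_types"] = types
    if keep:
        fixed["labels"] = keep
    else:
        fixed.pop("labels", None)
    return fixed


if __name__ == "__main__":
    # Constructed input: the label-based object the tip argues against.
    before = make_tool("nmap", labels=["purpose:scanner", "source:vendor-x"])
    print("redundant:", redundant_labels(before))
    print(json.dumps(normalize_tool(before), indent=2))
```

Labels with no vocabulary equivalent (the constructed source:vendor-x above) are left alone; the point is only to stop duplicating what a typed property already says. custom_tool_types is there because an open vocabulary means a misspelled standard term passes silently, so it pays to review anything outside tool-type-ov before publishing a bundle.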

📆 Events

SANS OSINT Summit 2023

📍 Online (EDT timezone)
📊 Conference Sep 22
🔗 https://www.sans.org/cyber-security-training-events/osint-summit-2023/

hack.lu and CTI Summit

📍 Dommeldange, Luxembourg City, LU
📊 CTI Summit Oct 16-17
📊 Hack.lu Oct 18-19
🏢 Alvisse Parc Hotel
🔗 https://hack.lu/

ATT&CKcon 4.0

📍 McLean, VA, US & Virtual
📊 Conference Oct 24-25
🏢 MITRE campus
🔗 https://www.mitre.org/events/attckcon-40

CyberWarCon
📍 Arlington, VA, US
📊 Conference Nov 9
🏢 Hyatt Regency Crystal City
🔗 https://www.cyberwarcon.com/