I'm glad to share issue 12, representing a year of the Sources & Methods monthly newsletter. Starting this month, each issue may now include embedded videos and podcast episodes in addition to articles, in a section I've renamed to Information. This issue is also packed with even more knowledge and tools—including an article from Sources & Methods—to celebrate the occasion.
Here's to the next year and beyond!
Matthew Conway (@mattreduce)
PublicWWW - Search the source code of public websites when pivoting, hunting, and collecting OSINT.
Microsoft - Results of Major Technical Investigations for Storm-0558 Key Acquisition #intrusion #analysis #Storm-0558
Joe Slowik - Attaining Focus: Evaluating Vulnerabilities In The Current Threat Environment #risk #vulnmgmt #0days
Scott Roberts - Burnt TIPs #tooling
US CISA - Review Of The Attacks Associated with Lapsus$ And Related Threat Groups #threatgroup #report #Lapsus$
BushidoToken - Detecting and Fingerprinting Infostealer Malware-as-a-Service platforms #stealer #infrastructure #analysis
Vertex Project - Using Mobile Phone Telemetry to Track a Diplomat #GEOINT #analysis #tooling
DFIR Report - ShareFinder: How Threat Actors Discover File Shares #analysis #windows #powershell
Team Cymru - Darth Vidar: The Aesir Strike Back #operational #analysis #infrastructure #stealers
Janes - Applying analytic tradecraft to OSINT #tradecraft #analysis #OSINT
MITRE - Elevate your threat intel reports with CTI Blueprints #reporting #templates
Sources & Methods - How I Make Sources & Methods Newsletter #SRCMTD #ICYMI
Intel471 shared their Cyber Underground General Intelligence Requirements (CU-GIRs) as a STIX Bundle on GitHub.
An interesting use of an LLM to augment analysts' work: attackgen combines MITRE ATT&CK framework content with your organizational context to generate realistic attack scenarios and a list of TTPs.
Python CLI and library for interacting with GreyNoise's experimental Labs APIs.
A new client for Vertex Synapse written in C#, which already supports a range of Forms and Types.
Python CLI and library multi-tool in the style of CyberChef—once you build a recipe of processing tasks, you can script its execution, and even process executables.
Python CLI tool for finding loosely matching records between separate CSV datasets; supports multiple well-described similarity algorithms.
Continuing on the theme of STIX best practices from last month, I wanted to share a tip regarding labels. According to the STIX™ Best Practices Guide, you shouldn't use labels to represent facts and assertions that can already be expressed using STIX Objects, Relationships, and their properties.
To give you an example: Tools can have multiple types (taken from the tool-type-ov open vocabulary, which you can extend with your own types) in their tool_types property. So you don't need to use a label like purpose:scanner when you can set tool_types to ["vulnerability-scanning"]. Hope this helps!
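To make that concrete, here is a small added example of my own (not from the STIX Best Practices Guide or the stix2 library, and it needs only the Python standard library). It takes a Tool object that carries the old-style labels, moves the ones it recognizes into tool_types, and keeps any label it cannot map so nothing is lost. The purpose: label convention, the mapping table, and the sample object (including its placeholder UUID) are assumptions made for illustration, not anything defined by STIX.

```python
"""Migrate a STIX 2.1 Tool object from 'purpose:*' labels to the tool_types
property. Added example, standard library only; the 'purpose:' label
convention and the mapping table are assumptions for illustration, not
part of any STIX specification."""
import json

# STIX 2.1 tool-type-ov values. It is an open vocabulary, so other values
# are permitted, which is why the check below reports rather than rejects.
TOOL_TYPE_OV = {
    "denial-of-service", "exploitation", "information-gathering",
    "network-capture", "credential-exploitation", "remote-access",
    "vulnerability-scanning", "unknown",
}

# Assumed mapping from an ad-hoc label convention to tool-type-ov values.
LABEL_TO_TOOL_TYPE = {
    "purpose:scanner": "vulnerability-scanning",
    "purpose:exploit": "exploitation",
    "purpose:recon": "information-gathering",
    "purpose:sniffer": "network-capture",
    "purpose:rat": "remote-access",
}


def migrate_labels(tool: dict) -> dict:
    """Return a copy of `tool` with purpose labels expressed as tool_types.

    Labels with no mapping stay as labels so no information is lost; labels
    that map are dropped because the property now carries that fact.
    """
    if tool.get("type") != "tool":
        raise ValueError("expected a STIX Tool object")
    out = dict(tool)  # shallow copy; lists below are rebuilt, input untouched
    kept_labels = []
    tool_types = list(out.get("tool_types", []))
    for label in out.get("labels", []):
        mapped = LABEL_TO_TOOL_TYPE.get(label)
        if mapped is None:
            kept_labels.append(label)
        elif mapped not in tool_types:
            tool_types.append(mapped)
    if tool_types:
        out["tool_types"] = tool_types
    if kept_labels:
        out["labels"] = kept_labels
    else:
        out.pop("labels", None)
    return out


def nonstandard_tool_types(tool: dict) -> list:
    """Values in tool_types outside tool-type-ov: worth a review, not an error."""
    return [t for t in tool.get("tool_types", []) if t not in TOOL_TYPE_OV]


# Constructed sample object; the id is a placeholder UUID, not a real one.
SAMPLE_TOOL = {
    "type": "tool",
    "spec_version": "2.1",
    "id": "tool--00000000-0000-4000-8000-000000000001",
    "created": "2023-09-01T00:00:00.000Z",
    "modified": "2023-09-01T00:00:00.000Z",
    "name": "example-scanner",
    "labels": ["purpose:scanner", "purpose:recon", "vendor:acme"],
}

if __name__ == "__main__":
    migrated = migrate_labels(SAMPLE_TOOL)
    print(json.dumps(migrated, indent=2))
    print("non-standard tool_types:", nonstandard_tool_types(migrated))
```

Running it on the sample turns the two purpose labels into tool_types ["vulnerability-scanning", "information-gathering"] and leaves vendor:acme as the only label, since that is a fact no standard property expresses. If you extend the vocabulary with your own types, nonstandard_tool_types lists them so a consumer can decide whether to accept them.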
SANS OSINT Summit 2023
📍 Online (EDT timezone)
📊 Conference Sep 22
hack.lu and CTI Summit
📍 Dommeldange, Luxembourg City, LU
📊 CTI Summit Oct 16-17
📊 Hack.lu Oct 18-19
🏢 Alvisse Parc Hotel
📍 McLean, VA, US & Virtual
📊 Conference Oct 24-25
🏢 MITRE campus
📍 Arlington, VA, US
📊 Conference Nov 9
🏢 Hyatt Regency Crystal City