3 min read

Sources & Methods Newsletter #15 - December 2023

I hope everyone had a great yearโ€”it was for Sources & Methods:

In 2024, expect more original analysis under The Finished Product, the launch of The Gist, more open source development work in the CTI community, and of course the monthly newsletter.

Happy holidays,

Matthew Conway (@mattreduce)

๐Ÿ“ Sources

RMM Catalogue - Open source collection of (aspirationally) all known Remote Management and Monitoring (RMM) tools. See any tools missing? Help everyone out and open a Pull Request!

๐Ÿ“ฐ Information

John Doyle - Helping CTI Analysts Approach and Report on Emerging Technology Threats and Trends (Part 1) #writing #trending

OSINT Combine - OSINT Collection Schema #OSINT #collection

Joe Slowik - Orienting Intelligence Requirements to the Small Business Space #requirements #SMB

Amitai Cohen - Achieving Research Fluency #research #tradecraft

ENISA Threat Landscape 2023 #landscape #EU #longreads

mthcht - How Threat Actors Use GitHub #operational #analysis #infrastructure

MITRE - How does an idea become a MITRE ATT&CKยฎ technique? #ATTCK

ROK-NIS, UK-NCSC - DPRK state-linked cyber actors conduct software supply chain attacks #operational #analysis #DPRK #supplychain

SANS - FOR589: Cybercrime Intelligence - NEW SANS DFIR Course coming in 2024 #training #cybercrime

US CISA - Enabling Threat-Informed Cybersecurity: Evolving CISAโ€™s Approach to Cyber Threat Information Sharing #gov #sharing

๐Ÿ›  Tools



Thanks to Scott Small from Tidal Cyber for the heads-up about this free and open source CVE alerting platform. OpenCVE is a web-based system for monitoring new CVEs, exploring them by vendor and product, and receiving notifications when new CVEs are issued that meet your criteria (product, score, references, etc).



Here's a Golang implementation of HTTP Headers Hashing (HHHash). With it, you can fingerprint a given HTTP server using that technique in your Go-based scripts or other automation.

IOC Parser


Free service and API for extracting atomic IOCs from a piece of text or web content at a URL.



A Python library for detecting natural language in short or long samples, no external service or API required. You could use this when handling everything from open source data to strings in binaries. Check this out:

>>> from lingua import Language, LanguageDetectorBuilder
>>> languages = [Language.ENGLISH, Language.FRENCH, Language.GERMAN, Language.SPANISH]
>>> detector = LanguageDetectorBuilder.from_languages(*languages).build()
>>> language = detector.detect_language_of("languages are awesome")
>>> language
>>> language.iso_code_639_1
>>> language.iso_code_639_1.name
>>> language.iso_code_639_3
>>> language.iso_code_639_3.name



Turn MITRE Common Weakness Enumerations (CWEs) into STIX 2.1 Objects from the command line.



This self-hostable API runs as a Cloudflare Worker and, given a URL pointing to some public material, will extract content and metadata. It can even scrape article contents excluding sidebars, ads, and article suggestions that can muddy automatically ingested reports.

MetaOSINT v3


Version 3 of MetaOSINT refreshes an essential starting point for OSINT investigations. Not only does it point you in the direction of OSINT tools and resources, but you'll know which of them are popular among practitioners, saving you from trying 5 tools to find they're broken or superseded.



A very polished collaborative note-taking service you can run yourself to ensure privacy and operations security. Supports Markdown content, runnable with Docker, has a REST API. Maybe this is the right fit for your research or sharing group.

๐Ÿ’ก Tip

Keep a personal notebook on threat groups, malware, and TTPs you find interesting, then update it every time you read about or discuss those things. It could be as simple as a single Markdown file, to a more advanced note taking system like Obsidian, or a personal deployment of Vertex Synapse or OpenCTI. Stay tuned for tips on how to use OpenCTI this way on Sources & Methods.

๐Ÿ“† Events

2023 is practically over! Here are some great events you can attend in 2024:


๐Ÿ“ Washington, DC, US and online
๐Ÿ“Š Summit: Jan 29-30
๐Ÿ“Š Training: Jan 31 - Feb 5
๐Ÿ”— https://www.sans.org/cyber-security-training-events/cyber-threat-intelligence-summit-2024/


๐Ÿ“ Mercure Hotel MOA Berlin
๐Ÿ“Š April 15-17


CFP for presentations and panels closes January 8, 2024
CFP for workshops, villages, and BoF will close on February 5, 2024

๐Ÿ“ San Francisco, CA, US
๐Ÿ“Š Conference May 4-5
๐Ÿ”— CFP https://bsidessf.org/cfp