
Sources & Methods Newsletter #9 - May 2023

Hello again! I'm getting around to the May issue a little late, so I'll keep this bit short then dig into this month's source, articles, tools, tip, and events.

I'm happy to report that I've created another OpenCTI connector to share with you, this time for active DNS enrichment with Google DNS. Check it out under Tools.

Thanks for reading,

Matthew Conway (@mattreduce)

πŸ“ Sources

Ransomchats - A new repository of chat messages from ransomware negotiations in JSON format. The project also includes a convenient site for viewing the messages as a conversation if you don't need the raw data.

📰 Articles

Andy Piazza - CTI is Better Served with Context: Getting better value from IOCs #IOCs #tactical #value

Google releases 8 new top-level domains #infrastructure #FYSA

Permiso - Unmasking GUI-Vil: Financially Motivated Cloud Threat Actor #analysis #cloud

CERT-EU - Decoding the double-edged sword of Generative AI #strategic #analysis #AI #LLM

TrendMicro: New Info Stealer Bandit Stealer Targets Browsers, Wallets #malware #analysis #stealer

Tidal - The Ultimate Guide to Cyber Threat Profiling #threatprofile #howto

Mandiant - Navigating the Trade-Offs of Cyber Attribution #attribution #philosophy

🛠 Tools

Google DNS connector for OpenCTI :tada:

google-dns in OpenCTI-Platform/connectors

This OpenCTI connector provides active DNS enrichment of Domain Name Observables via Google's Public DNS API, which is free to use. I made it for access to timely, complete*, and inexpensive data about domains and hope it serves you well!

YETI 2.0 in alpha


The open source threat intelligence platform YETI sees a new 2.0 version (currently in alpha, so it's early days) that supports deployment via Docker and includes a whole new user interface. This version also removes investigation features.



Here's a Rapid Power-Up for Vertex Synapse that enables posting to Slack, Discord, and Microsoft Teams via webhooks. You can incorporate it into automation as well as one-off queries.

Mango Languages


I've personally enjoyed and benefitted from learning new languages with Mango. I thought I'd share this resource since I found out you can use Mango free through many public libraries in the United States. Support your local public library, and try learning a new language to apply in your job (or just for fun)!



A new collection of interesting and useful snippets of the Storm query language, for use with Vertex Synapse.

PEAK Threat Hunting Framework


Splunk have introduced a new framework for threat hunting that they call PEAK, which stands for "Prepare, Execute, and Act with Knowledge." It covers three kinds of threat hunts: Hypothesis-Driven, Baseline, and Model-Assisted Threat Hunts (M-ATH). Check out the overview in this introductory blog post then read through the deeper dives they've posted since then.



ArchiveBox is an open source, self-hosted tool for web archiving. It takes in URLs/browser history/bookmarks/Pocket/Pinboard/etc. and archives contents as HTML, JS, PDFs, media, and more. Import one at a time or on a scheduled basis. You might find it useful during research or investigation, when you can be sure you have source material saved and not observable by a third party.

💡 Tip

"In order for answers to become clear, the questions have to be clear."

-- Abdulkarim Soroush

📆 Events

USENIX Security '23

πŸ“ Anaheim, CA, US
πŸ“Š Conference Aug 9–11
🏒 Anaheim Marriott
πŸ”— https://www.usenix.org/conference/usenixsecurity23

Underground Economy Conference 2023

πŸ“ Prague, CZ
πŸ“Š Conference Sep 4-7
🏒 Prague Congress Center
πŸ”— CFP https://capsllc.wufoo.com/forms/ue23-speaker-submission/
πŸ”— Conference https://www.team-cymru.com/ue2023

Objective by the Sea v6

CFP is open now, and will close on June 30th.

πŸ“ Marbella, ES
πŸ“š Training Oct 9-11
πŸ“Š Conference Oct 12-13
🏒 Don Pepe (Gran MeliÑ)
πŸ”— CFP https://objectivebythesea.org/v6/cfp.html
πŸ”— Conference https://objectivebythesea.org/v6/cfp.html

hack.lu and CTI Summit

Two more weeks to submit a talk! You've got until 23:59 (Europe/Luxembourg) on June 16th.

πŸ“ Dommeldange, Luxembourg City, LU
πŸ“Š CTI Summit Oct 16-17
πŸ“Š Hack.lu Oct 18-19
🏒 Alvisse Parc Hotel
πŸ”— CFP https://pretalx.com/hack-lu-2023/cfp
πŸ”— Conference https://hack.lu/