Sources & Methods Newsletter #9 - May 2023
Hello again! I'm getting around to the May issue a little late, so I'll keep this bit short then dig into this month's source, articles, tools, tip, and events.
I'm happy to report that I've created another OpenCTI connector to share with you, this time for active DNS enrichment with Google DNS. Check it out under Tools.
Thanks for reading,
Matthew Conway (@mattreduce)
Sources
Ransomchats - A new repository of chat messages from ransomware negotiations in JSON format. The project also includes a convenient site for viewing the messages as a conversation if you don't need the raw data.
Articles
Andy Piazza - CTI is Better Served with Context: Getting better value from IOCs #IOCs #tactical #value
Google releases 8 new top-level domains #infrastructure #FYSA
Permiso - Unmasking GUI-Vil: Financially Motivated Cloud Threat Actor #analysis #cloud
CERT-EU - Decoding the double-edged sword of Generative AI #strategic #analysis #AI #LLM
TrendMicro: New Info Stealer Bandit Stealer Targets Browsers, Wallets #malware #analysis #stealer
Tidal - The Ultimate Guide to Cyber Threat Profiling #threatprofile #howto
Mandiant - Navigating the Trade-Offs of Cyber Attribution #attribution #philosophy
Tools
Google DNS connector for OpenCTI :tada:
google-dns in OpenCTI-Platform/connectors
This OpenCTI connector provides active DNS enrichment of Domain Name Observables via Google's Public DNS API, which is free to use. I made it for access to timely, complete*, and inexpensive data about domains and hope it serves you well!
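To make the enrichment concrete, here is an added example (my own illustration for this issue, not the google-dns connector's code) that turns a Google Public DNS JSON response into the facts an analyst would attach to a domain observable: the IPs it resolves to, any CNAME it is an alias of, and whether the name exists at all. It assumes the documented JSON API at https://dns.google/resolve with the `name` and `type` query parameters, and the sample response below is constructed to match that shape rather than captured from a real lookup.

```python
"""Parse Google Public DNS JSON API responses into domain-enrichment facts.

Added example; not the OpenCTI google-dns connector's code. Assumes the
JSON API at https://dns.google/resolve?name=<domain>&type=<rrtype>, whose
response carries "Status" (the DNS RCODE) and an "Answer" list of records.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from urllib.parse import urlencode
from urllib.request import urlopen

DNS_JSON_ENDPOINT = "https://dns.google/resolve"

# DNS RR type codes (subset that matters for enrichment), per the IANA registry.
RR_TYPES = {1: "A", 2: "NS", 5: "CNAME", 15: "MX", 16: "TXT", 28: "AAAA"}

# Constructed sample responses shaped like the API's JSON (not real lookups;
# 192.0.2.0/24 and .test are reserved for documentation).
SAMPLE_RESPONSE = json.dumps({
    "Status": 0, "TC": False, "RD": True, "RA": True, "AD": False, "CD": False,
    "Question": [{"name": "www.example.test.", "type": 1}],
    "Answer": [
        {"name": "www.example.test.", "type": 5, "TTL": 300, "data": "example.test."},
        {"name": "example.test.", "type": 1, "TTL": 60, "data": "192.0.2.10"},
        {"name": "example.test.", "type": 1, "TTL": 60, "data": "192.0.2.11"},
    ],
})
# RCODE 3 is NXDOMAIN: the API returns Status 3 and no "Answer" key.
SAMPLE_NXDOMAIN = json.dumps({
    "Status": 3, "Question": [{"name": "nope.example.test.", "type": 1}],
})


@dataclass(frozen=True)
class DnsRecord:
    name: str
    rrtype: str
    ttl: int
    data: str


def parse_dns_json(body: str) -> tuple[int, list[DnsRecord]]:
    """Return (rcode, records). Names are normalised: trailing dot removed, lowercased."""
    doc = json.loads(body)
    status = int(doc.get("Status", -1))
    records = []
    for ans in doc.get("Answer") or []:
        records.append(DnsRecord(
            name=str(ans["name"]).rstrip(".").lower(),
            rrtype=RR_TYPES.get(int(ans["type"]), str(ans["type"])),
            ttl=int(ans["TTL"]),
            data=str(ans["data"]).rstrip("."),
        ))
    return status, records


def enrich_domain(domain: str, body: str) -> dict:
    """Turn a response for `domain` into the relationships an analyst would record."""
    status, records = parse_dns_json(body)
    result = {
        "domain": domain,
        "rcode": status,
        "nxdomain": status == 3,
        "resolves_to": [],   # A / AAAA answers -> IPv4/IPv6 observables
        "aliases_of": [],    # CNAME answers -> related domain observables
    }
    for rec in records:
        if rec.rrtype in ("A", "AAAA") and rec.data not in result["resolves_to"]:
            result["resolves_to"].append(rec.data)
        elif rec.rrtype == "CNAME" and rec.data not in result["aliases_of"]:
            result["aliases_of"].append(rec.data)
    return result


def fetch_dns_json(domain: str, rrtype: str = "A", timeout: float = 5.0) -> str:
    """Live query against the API (needs network access; not used by the samples)."""
    url = f"{DNS_JSON_ENDPOINT}?{urlencode({'name': domain, 'type': rrtype})}"
    with urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    print(enrich_domain("www.example.test", SAMPLE_RESPONSE))
    print(enrich_domain("nope.example.test", SAMPLE_NXDOMAIN))
```

One caveat worth keeping in mind when wiring this into a platform: active DNS is a live query, so the resolver operator sees which names you are interested in, and a result reflects the zone at that moment rather than its history; passive DNS or an archived record is the complement when either of those matters for a case.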
YETI 2.0 in alpha
github.com/yeti-platform/yeti@2.0-Alpha
The open source threat intelligence platform YETI has a new 2.0 version (currently in alpha, so it's early days) that supports deployment via Docker and includes a whole new user interface. This version also removes investigation features.
synapse-webhook
github.com/captainGeech42/synapse-webhook
Here's a Rapid Power-Up for Vertex Synapse that enables posting to Slack, Discord, and Microsoft Teams via webhooks. You can incorporate it into automation as well as one-off queries.
Mango Languages
I've personally enjoyed and benefited from learning new languages with Mango. I thought I'd share this resource since I found out you can use Mango free through many public libraries in the United States. Support your local public library, and try learning a new language to apply in your job (or just for fun)!
storm-snippets
github.com/vertexproject/storm-snippets
A new collection of interesting and useful snippets of the Storm query language, for use with Vertex Synapse.
PEAK Threat Hunting Framework
splunk.com/en_us/blog/security/peak-threat-hunting-framework
Splunk has introduced a new framework for threat hunting that it calls PEAK, which stands for "Prepare, Execute, and Act with Knowledge." It covers three kinds of threat hunts: Hypothesis-Driven, Baseline, and Model-Assisted Threat Hunts (M-ATH). Check out the overview in this introductory blog post, then read through the deeper dives they've posted since.
ArchiveBox
ArchiveBox is an open source, self-hosted tool for web archiving. It takes in URLs, browser history, bookmarks, Pocket, Pinboard, and more, and archives the contents as HTML, JS, PDFs, media, and other formats. Import one item at a time or on a scheduled basis. You might find it useful during research or an investigation, so you can be sure you have the source material saved and that reviewing it later is not observable by a third party.
Tip
"In order for answers to become clear, the questions have to be clear."
-- Abdulkarim Soroush
Events
USENIX Security '23
Anaheim, CA, US
Conference Aug 9-11
Anaheim Marriott
https://www.usenix.org/conference/usenixsecurity23
Underground Economy Conference 2023
Prague, CZ
Conference Sep 4-7
Prague Congress Center
CFP https://capsllc.wufoo.com/forms/ue23-speaker-submission/
Conference https://www.team-cymru.com/ue2023
Objective by the Sea v6
CFP is open now, and will close on June 30th.
Marbella, ES
Training Oct 9-11
Conference Oct 12-13
Don Pepe (Gran Meliá)
CFP https://objectivebythesea.org/v6/cfp.html
Conference https://objectivebythesea.org/v6/cfp.html
hack.lu and CTI Summit
Two more weeks to submit a talk! You've got until 23:59 (Europe/Luxembourg) on June 16th.
Dommeldange, Luxembourg City, LU
CTI Summit Oct 16-17
Hack.lu Oct 18-19
Alvisse Parc Hotel
CFP https://pretalx.com/hack-lu-2023/cfp
Conference https://hack.lu/