Hello again! I'm getting around to the May issue a little late, so I'll keep this bit short, then dig into this month's source, articles, tools, tip, and events.
I'm happy to report that I've created another OpenCTI connector to share with you, this time for active DNS enrichment with Google DNS. Check it out under Tools.
Thanks for reading,
Matthew Conway (@mattreduce)
Ransomchats - A new repository of chat messages from ransomware negotiations in JSON format. The project also includes a convenient site for viewing the messages as a conversation if you don't need the raw data.
Andy Piazza - CTI is Better Served with Context: Getting better value from IOCs #IOCs #tactical #value
Google releases 8 new top-level domains #infrastructure #FYSA
CERT-EU - Decoding the double-edged sword of Generative AI #strategic #analysis #AI #LLM
TrendMicro: New Info Stealer Bandit Stealer Targets Browsers, Wallets #malware #analysis #stealer
Tidal - The Ultimate Guide to Cyber Threat Profiling #threatprofile #howto
Mandiant - Navigating the Trade-Offs of Cyber Attribution #attribution #philosophy
Google DNS connector for OpenCTI :tada:
This OpenCTI connector provides active DNS enrichment of Domain Name Observables via Google's Public DNS API, which is free to use. I made it for access to timely, complete*, and inexpensive data about domains and hope it serves you well!
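A minimal Python sketch of the lookup such a connector performs, added here as an illustration; it is not the connector's own code. It assumes Google's documented JSON endpoint (https://dns.google/resolve) and its Status/Answer fields, and the sample responses below are constructed, not real captures.

```python
# Added example: query Google Public DNS (JSON API) and parse the answer
# into (owner, record type, data) tuples suitable for observable enrichment.
import json
import urllib.parse
import urllib.request

RESOLVE_URL = "https://dns.google/resolve"          # documented endpoint (assumed)
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3                  # DNS RCODEs
RR_TYPES = {1: "A", 28: "AAAA", 5: "CNAME", 16: "TXT", 2: "NS", 15: "MX"}


def build_query_url(name, rtype="A"):
    """Build the GET URL the API expects; name and type are URL-encoded."""
    qs = urllib.parse.urlencode({"name": name, "type": rtype})
    return f"{RESOLVE_URL}?{qs}"


def parse_resolve_response(body):
    """Turn a raw JSON response body into (domain, rr_type, data) tuples.

    Returns an empty list for NXDOMAIN or any other non-zero Status, so a
    caller can tell "no data" apart from a transport failure (an exception).
    """
    doc = json.loads(body)
    if doc.get("Status") != RCODE_NOERROR:
        return []
    records = []
    for rr in doc.get("Answer", []):
        # Owner names come back with a trailing dot; strip it for observable matching.
        owner = rr["name"].rstrip(".")
        rtype = RR_TYPES.get(rr["type"], str(rr["type"]))
        records.append((owner, rtype, rr["data"].rstrip(".")))
    return records


def resolve(name, rtype="A", timeout=5):
    """Live lookup (needs network access); returns the parsed records."""
    with urllib.request.urlopen(build_query_url(name, rtype), timeout=timeout) as resp:
        return parse_resolve_response(resp.read().decode("utf-8"))


# Constructed sample responses in the API's documented shape (not real captures).
SAMPLE_OK = json.dumps({
    "Status": 0, "Question": [{"name": "example.test.", "type": 1}],
    "Answer": [{"name": "example.test.", "type": 5, "TTL": 300, "data": "cdn.example.test."},
               {"name": "cdn.example.test.", "type": 1, "TTL": 60, "data": "203.0.113.10"}]})
SAMPLE_NXDOMAIN = json.dumps({"Status": 3, "Question": [{"name": "nope.example.test.", "type": 1}]})
```

The CNAME step in the constructed sample shows why an enrichment should record every answer row, not just the first: the IP belongs to the canonical name, not the queried one.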
YETI 2.0 in alpha
The open source threat intelligence platform YETI sees a new 2.0 version—currently in alpha, so it's early days—that supports deployment via Docker and includes a whole new user interface. This version also removes investigation features.
Here's a Rapid Power-Up for Vertex Synapse that enables posting to Slack, Discord, and Microsoft Teams via webhooks. You can incorporate it into automation as well as one-off queries.
I've personally enjoyed and benefitted from learning new languages with Mango. I thought I'd share this resource since I found out you can use Mango free through many public libraries in the United States. Support your local public library, and try learning a new language to apply in your job (or just for fun)!
A new collection of interesting and useful snippets of the Storm query language, for use with Vertex Synapse.
PEAK Threat Hunting Framework
Splunk have introduced a new framework for threat hunting that they call PEAK, which stands for "Prepare, Execute, and Act with Knowledge." It covers three kinds of threat hunts: Hypothesis-Driven, Baseline, and Model-Assisted Threat Hunts (M-ATH). Check out the overview in this introductory blog post, then read through the deeper dives they've posted since.
ArchiveBox is an open source, self-hosted tool for web archiving. It takes in URLs, browser history, bookmarks, Pocket, Pinboard, and more, and archives the contents as HTML, JS, PDFs, media, and other formats. Import one item at a time or on a scheduled basis. You might find it useful during research or investigation, so you can be sure your source material is saved and that your access to it is not observable by a third party.
"In order for answers to become clear, the questions have to be clear."
-- Abdulkarim Soroush
USENIX Security '23
📍 Anaheim, CA, US
📊 Conference Aug 9–11
🏢 Anaheim Marriott
Underground Economy Conference 2023
📍 Prague, CZ
📊 Conference Sep 4–7
🏢 Prague Congress Center
🔗 CFP https://capsllc.wufoo.com/forms/ue23-speaker-submission/
🔗 Conference https://www.team-cymru.com/ue2023
Objective by the Sea v6
CFP is open now, and will close on June 30th.
hack.lu and CTI Summit
Two more weeks to submit a talk! You've got until 23:59 (Europe/Luxembourg) on June 16th.