Tag Archives: incident repsonse

Intelligence – Garbage In, Gospel Out

I don’t remember which podcast or who said it, but “Garbage In Gospel Out” is so true. Especially when talking about Cyber Threat Intelligence. I talked a little about this before, both in conference talks and in Validate Data Before Sharing.

But here it is, three years later, and the problem remains. I’m willing to say it is getting worse. We’re not running full life cycles, either Intelligence or Incident Response. We get to the collection phase and call it done. NixIntel has a good post on that at their blog.

Continue reading

scripts to decode base64 and hex

About a month ago, I added a couple shell scripts to my DFIR Github repository. Three of the four scripts are used at work daily in either a Linux terminal, or a Cygwin terminal. The fourth script is something I use to help with quarantined mail, and not really DFIR based.

b64Decode.sh and hexConvert.bash take command line arguments and reports back the result. For example:

Continue reading

Script(s) to extract HTTP Host data from file

A while ago, created a new repository on GitHub for the scripts I wrote for DFIR. Since then, it only had the Computer Ping script in it. Today I added the first of the Extractor scripts.

The first extractor script, xHttpExtractor.py came about from a web based tool I used. It would run on a file uploaded to it, and then list a bunch of indicators, system artifacts, url calls outs, network communication, etc. However the tool didn’t have a good export mechanism at the time. So I would copy and paste everything to a text file, and then extract the url host details from the text files. Mainly so I could add the URL indicators to the web proxy.

Continue reading

You can’t buy threat intelligence, or yet another “article” on Data vs Information Vs Intelligence.

The background:
This is a blog post I’ve been meaning to write for a few months now. It’s based in part off a twitter conversation that carried over in to a phone call. It is also something I’ve personally observed, a trap I fell in to, and heard other Threat Intelligence people say they observed. And while reading Cyint’s favorite tweets of 2016, I finally decided to sit down and write.

In the tweet list was a tweet was from Alex Pinto asking ‘how many more #ThreatIntel articles do we need about the difference between “data”, “information” and “intelligence”?’

So my answer is, as many as it takes to break out of our own echo-chamber / choir and figure out how to talk to our Cybersecurity peers and the stakeholders. So everyone is able to understand what is being bought. So here is yet another article talking about Intelligence vs Data Feeds being sold as Intelligence.

The Problem:
Companies are selling data feeds while calling it intelligence.

Continue reading

Script(s) to ping a computer

I re-wrote a script I use at work. It was a messy bit of Python 3 previously. While it’s still not the cleanest of python scripts, it scratches my itch. It was originally just a straight line of commands with lots of repeated code. I made some functions and made it a little more modular. I know I need to learn PEP8, and start following it. This was just to improve something that I wrote previously with things I learned from Automate the Boring Stuff with Python.

I’ve shared it via my GitHub repository for DFIR scripts. They’re clean (not tied to any company). There is only Computer Ping for right now. There are 3 scripts all based on the same idea.

Ping a computer, if it is down, keep trying every 10 minutes for 1 hour. Pop an “alert” if the target is up, or the script finished before it came up.

  • 1 version for Windows running python (wComputerPing.py)
  • 1 version for Windows running Cygwin (cwComputerPing.py)
  • 1 version for boxes running Linux. (lComputerPing.py).

I’ll write others and upload to the repository as I have time / re-write stuff I use. They might not all be Python, but my goal is to be more Python than not.

Reading Malware Traffic Analysis

I’ve made it through the June and July 2013 posts on Malware Traffic Analysis. I’m starting to understand his process more, and partially how he came to follow that process.

Mainly from what I could tell, and was confirmed in the blog posts, and via twitter, The site explodes malware on systems and gets pcaps for those systems. Then looks to see what call outs are there. The exercises and blog posts, so far, have only shown 1 ip address. Which makes it easier than a full corporate network to find the traffic.

Something I noticed. While Malware Traffic Analysis says to configure Wireshark one way, the blog posts of late show it’s now configured a little differently.

CSEC630 Lab 2

Ok. The lab was pretty much what I expected.

Click this Panic button to reset everything. Go look at this pcap in Wireshark. Run this command in cmd.exe (and even walks the student through opening a term window by go to the start button, type cmd in the run box).

Run Snort with the test option on a pre-defined rule set using the pcap you looked at. Modify the same rule multiple times, enabling and disabling an alert each time. Run to see the difference.

Answer these 10 questions.

The last question was how to improve the class… I forgot to say use a Linux VM instead of a Windows VM. Since one of my answers did require Grep. Which means copy and paste from the VM lab to my box connected to the lab.

SANS Forensics 578

Work recently sent me to SANS Forensics 578, Cyber Threat Intelligence. This was my first SANS class ever, and it was pretty good. The instance of the class I was sent to was presented by Jake Williams and Rebekah Brown. I think having both of them teach the class was great, because it gave more from the trenches view than having just one of them as an instructor.

Continue reading