Releasing Dettectinator

It has been almost 4 years since Ruben and Marcus released DeTT&CT, a great tool for managing your detection capabilities. Within Sirius Security we use DeTT&CT at many of our clients and it has proven to be a very useful tool. On the other hand, we noticed that as the detection capabilities of our clients have been steadily growing, the time spent on managing them in DeTT&CT also increased. Because we're both a bit lazy, Ruben and I started developing Python scripts to automate some of the manual labour involved in the process. When we noticed that we were both basically creating the same functionality, we decided that it would be a better plan to create a new tool to rule them all. Before we even decided what the tool should do, we already agreed on the name: Dettectinator. Ruben and I have been creating tools together for a long time and the names of those tools always ended with "nator". So we had tools like the "Threatinator", the "Phishinator", the "Indicatornator" and many more.

Read more
Martijn Veken
Mapping vendor products to ATT&CK: Tanium

Nowadays MITRE ATT&CK can no longer be ignored in a Cyber Defense Center or Security Operations Center. Many organisations are using ATT&CK to gather information on how cyber attacks are being performed (it’s kind of the Wikipedia on cyber attacks), but also to see how their organisation is performing when looking at the ATT&CK Enterprise Matrix. In 2019 Marcus Bakker and I released DeTT&CT to map your blue team capabilities to ATT&CK. With DeTT&CT you can administrate your data log source quality, get insight into your visibility and detection coverage and plot threat actor behaviours. We are happy to see that many organisations already started using or exploring DeTT&CT.

Mapping your blue team capabilities often involves analysing your own custom-built use cases / detections to see how they relate to ATT&CK (sub-)techniques. But when working for our customers, we often see a combination of detection products that also cover a lot of ATT&CK techniques. Ideally you want one overall overview that shows how good your organisation's detection capabilities are.

Unfortunately not all vendors are transparent about what their detection capabilities are and what their ATT&CK coverage is. Luckily there are vendors that do give you that information, and that's a good thing, because we can compare that information with other products, with our own use cases / detections or with threat actor behaviour (threat intelligence).

In this blog we will show how easy it is to make an ATT&CK mapping of the detection capabilities that are available in Tanium Threat Response.

Read more
Ruben Bouman
Examining access token privileges with MDATP and Kusto

As a defender, looking at events occurring at user endpoints is very useful. Knowing exactly what's happening is essential, and having insight into detailed log information gives you the opportunity to perform threat hunting and to create detection rules.

It's a no-brainer that looking at processes on a user endpoint is crucial in order to find an adversary's activities. In this blog I will show you the value of looking at the access token of a process using Microsoft Defender ATP (MDATP) and the Kusto query language.

Read more
Mapping your Blue Team to MITRE ATT&CK™

A month ago Marcus and I released the first version of DeTT&CT. It was created at the Cyber Defence Centre of Rabobank, and built on top of MITRE ATT&CK. DeTT&CT stands for: DEtect Tactics, Techniques & Combat Threats. Today we released version 1.1, which contains multiple improvements. Most changes are related to additional functionality that allows more detailed administration of your visibility and detection.

By creating DeTT&CT we aim to assist blue teams using ATT&CK to score and compare data log source quality, visibility coverage, detection coverage and threat actor behaviours. All of which can help, in different ways, to get more resilient against attacks targeting your organisation.

In this blog we start off with an introduction to ATT&CK and continue with how DeTT&CT can be used within your organisation. Detailed information about DeTT&CT and how it can be used is documented on the GitHub Wiki pages. Therefore, the explanation we give in this blog will be high-level.

Read more
Visualizing Netflow data

This is the first post in a series on visualizing Netflow data. The post starts with some basic Netflow concepts and some guidelines to set up an environment to reproduce the samples in these posts. After this, we'll be using FlowPlotter to create our first visualizations.

What is Netflow?
Netflow data is a record of all traffic passing a certain network interface or device, and it can be invaluable during Incident Response and forensic investigations. Unlike full packet captures (FPC), Netflow only contains the metadata of the network traffic, not the packet contents.

Read more
HTTP Public Key Pinning

Every now and then you hear an abbreviation for a new technology. Today: HPKP, which stands for HTTP Public Key Pinning. It's an IETF standard that became final this month.

HTTP Public Key Pinning (HPKP) is an HTTP extension and security policy which can be set through HTTP response headers, just like HSTS (HTTP Strict Transport Security). It gives a website the possibility to instruct the browser to check for a specific public key when the website is visited the next time.

Read more
New version of VolWeb

I've been playing around with the script I created in the previous blog post and I'm starting to think that there is some real potential in a web interface for Volatility. So I've made some improvements to the script to make it more functional.

Read more
VolShell For The Web!

So we're up for the second blog post; it took me almost a year to get another one out. But as always, I try to focus on quality over quantity ;-). Again, the object of my affection is Volatility, an amazingly flexible tool to perform memory analysis. For this sample I've used Volatility 2.2, but this will probably work on other versions as well.

Read more
Automating Volatility

When I use Volatility I'm always amazed by the amount of forensic information that is available just from memory. Volatility comes with a large number of plugins that make it very easy to get that information out of a memory image without extensive knowledge of how memory is actually organized.

Read more