“Hunting with OSSEC” at BruCON Spring Training

My training submission has been accepted at the BruCON Spring Training session in April 2019. This training is intended for Blue Team members and system/security engineers who would like to take advantage of the OSSEC integration capabilities with other tools and increase the visibility of their infrastructure behaviour. OSSEC is sometimes described as

[The post “Hunting with OSSEC” at BruCON Spring Training has been first published on /dev/random]

Training Announce: “Hunting with OSSEC”

I’m proud to have been selected to give a training at DeepSec (Vienna, Austria) in November: “Hunting with OSSEC”. This training is intended for Blue Team members and system/security engineers who would like to take advantage of the OSSEC integration capabilities with other tools and increase the visibility of their infrastructure behaviour.

[SANS ISC] Searching for Geographically Improbable Login Attempts

I published the following diary on isc.sans.org: “Searching for Geographically Improbable Login Attempts”: For the human brain, an IP address is not the best IOC because, like phone numbers, we are bad at remembering them. That’s why DNS was created. But, in many log management applications, there are features to

[SANS ISC] Are Your Hunting Rules Still Working?

I published the following diary on isc.sans.org: “Are Your Hunting Rules Still Working?”: You are working in an organization which implemented good security practices: log events are collected then indexed by a nice powerful tool. The next step is usually to enrich this (huge) amount of data with external sources. You

[SANS ISC] Extending Hunting Capabilities in Your Network

I published the following diary on isc.sans.org: “Extending Hunting Capabilities in Your Network”: Today’s diary is an extension to the one I posted yesterday about hunting for malicious files crossing your network. Searching for new IOCs is nice but there are risks of missing important pieces of information! Indeed, the first

[SANS ISC] Automatic Hunting for Malicious Files Crossing your Network

I published the following diary on isc.sans.org: “Automatic Hunting for Malicious Files Crossing your Network”: If classic security controls remain mandatory (antivirus, IDS, etc.), it is always useful to increase your capacity to detect suspicious activities occurring in your networks. Here is a quick recipe that I’m using to detect

[SANS ISC] Comment your Packet Captures!

I published the following diary on isc.sans.org: “Comment your Packet Captures!”: When you are investigating a security incident, a key element is to take notes and to document as much as possible. There is no “best” way to take notes, some people use electronic solutions while others are using good

[SANS ISC] Using Bad Material for the Good

I published the following diary on isc.sans.org: “Using Bad Material for the Good”: There is a huge amount of information shared online by attackers. Once again, pastebin.com is a nice place to start hunting. As this material is available for free, why not use it for the good? Attackers (with

[SANS ISC] Bots Searching for Keys & Config Files

I published the following diary on isc.sans.org: “Bots Searching for Keys & Config Files”. If you don’t know our “404” project, I would definitely recommend having a look at it! The idea is to track HTTP 404 errors returned by your web servers. I like to compare the value of 404 errors