DeTT&CT: Mapping your Blue Team to MITRE ATT&CK™

A month ago we, Ruben and Marcus, released the first version of DeTT&CT. It was created at the Cyber Defence Centre of Rabobank and built on top of MITRE ATT&CK. DeTT&CT stands for: DEtect Tactics, Techniques & Combat Threats. Today we released version 1.1, which contains multiple improvements (see the changelog). Most changes add functionality that allows more detailed administration of your visibility and detection coverage.

By creating DeTT&CT we aim to assist blue teams using ATT&CK to score and compare data log source quality, visibility coverage, detection coverage and threat actor behaviours. All of these can help, in different ways, to make your organisation more resilient against attacks that target it.

In this blog we start off with an introduction to ATT&CK and continue with how DeTT&CT can be used within your organisation. Detailed information about DeTT&CT and how it can be used is documented on the GitHub Wiki pages. Therefore, the explanation we give in this blog will be high-level.

By | 2024-08-26T15:03:54+00:00 | May 16, 2019 | Article, Artikel, English, Dutch | Comments are closed for DeTT&CT: Mapping your Blue Team to MITRE ATT&CK™

TaHiTI – Threat Hunting Methodology

Over several months we worked together with a number of Dutch financial institutions to create the threat hunting methodology called TaHiTI, which stands for Targeted Hunting integrating Threat Intelligence. You can obtain it from here: https://www.betaalvereniging.nl/en/safety/tahiti.

The goal of this collaboration was to reach a joint understanding of what threat hunting is and to come up with a common approach to carrying out threat hunting. As the name implies, threat intelligence has an important role within this methodology. It is used as a source for creating hunting hypotheses and, during the hunting investigation, to further contextualise and enrich the hunt.

By | 2024-02-17T12:18:12+00:00 | January 10, 2019 | Article, Artikel, English, Dutch | Comments are closed for TaHiTI – Threat Hunting Methodology

OPSEC for Blue Teams part 3 – Sandboxes & Secure Communications

This will be the last blog in this series on OPSEC for Blue Teams. I will share some of my thoughts on sandboxes, secure communications and the sharing of information and data when dealing with a targeted attack.

OPSEC for Blue Teams part 1 - Losing Defender's Advantage can be found here.
OPSEC for Blue Teams part 2 - Testing PassiveTotal & VirusTotal can be found here.

By | 2024-08-26T13:46:36+00:00 | October 25, 2018 | Article, Artikel, English, Dutch | Comments are closed for OPSEC for Blue Teams part 3 – Sandboxes & Secure Communications

OPSEC for Blue Teams part 2 – Testing PassiveTotal & VirusTotal

This second blog in the series on OPSEC for Blue Teams is about testing the tools used to get context and/or OSINT on domains and IPs. Performing these tests also produced results that can be interesting for Red Teams.

OPSEC for Blue Teams part 1 - Losing Defender's Advantage can be found here.

By | 2024-02-17T06:32:38+00:00 | October 18, 2018 | Article, Artikel, English, Dutch | Comments are closed for OPSEC for Blue Teams part 2 – Testing PassiveTotal & VirusTotal

OPSEC for Blue Teams part 1 – Losing Defender's Advantage

This is a three-part blog about OPSEC for Blue Teams. This first part expresses some of my ideas about the risk of alerting the adversary and about OPSEC when getting OSINT and context on domains and IPs. The second part is about testing tools which provide context and/or OSINT (I performed tests on PassiveTotal and VirusTotal) in relation to OPSEC. The last part will be on sandboxes, secure communications and the sharing of information and data when dealing with a targeted attack.

When talking about adversaries in this series, I mean the ones that are targeting your company. So I do not discuss a threat actor executing a malware or phishing campaign against a large and diverse group of victims. You can be less strict about following certain OPSEC rules when you know you are dealing with a non-targeted attack. Still, following secure practices in both cases will make sure your default behaviour is in line with good OPSEC rules.

By | 2024-02-17T06:32:38+00:00 | October 11, 2018 | Article, Artikel, English, Dutch | Comments are closed for OPSEC for Blue Teams part 1 – Losing Defender's Advantage

Hunting with JA3

In this blog post I will explain how JA3 can be used in Threat Hunting. I will discuss a relatively simple hunt, a possible way to identify malicious PowerShell using JA3, and a more advanced hunt that involves the use of Darktrace together with JA3.

By | 2024-02-17T06:32:38+00:00 | July 5, 2018 | Article, Artikel, English, Dutch | Comments are closed for Hunting with JA3

Volatility: proxies and network traffic

When dealing with an incident it can often happen that your starting point is a suspicious IP, for example because the IP shows a suspicious beaconing traffic pattern (i.e. malware calling home to its C2 server for new instructions). One of the questions you will have is what is causing this traffic. It can really help your investigation when you know which process (or sometimes which processes) is involved. However, answering this question is challenging when you have to deal with the following:

  • An IT infrastructure where a non-transparent proxy is used for all outgoing network traffic (this is the case in many enterprise networks).
  • No other sources, except a memory dump, are available to you where you could find this information.

In this blog post I will explain how you can solve this with Volatility and strings.

By | 2024-02-17T12:47:10+00:00 | March 29, 2018 | Article, Artikel, English, Dutch | Comments are closed for Volatility: proxies and network traffic