An important aspect of threat hunting is the creation and prioritisation of hunting hypotheses. You want to avoid spending your valuable time on investigations that yield little result. Prioritisation can be applied in two areas: the creation of new hunting hypotheses, and assigning priorities to the hypotheses on your backlog.
KQL Cheat Sheet
This week I released a cheat sheet for the Kusto Query Language (KQL), which you can find on my GitHub page: kql_cheat_sheet.pdf. When I started with KQL to analyse security events, the primary resources for me to get started were the official KQL documentation from Microsoft and the Pluralsight course from Robert Cain. Something was missing: a cheat sheet. So, I created one. I hope this cheat sheet will help others in using KQL. If you have additions or remarks, please contact me.
How to integrate EQL into your tooling
At DerbyCon I had a conversation with Ross Wolf (@rw_access) from Endgame about the capabilities of EQL (Event Query Language) and how to integrate it into other tools. The purpose of this blog is to share the knowledge I gained in that area, along with Python code to help others integrate EQL within their tools.
DeTT&CT: Mapping your Blue Team to MITRE ATT&CK™
A month ago Ruben and I released the first version of DeTT&CT. It was created at the Cyber Defence Centre of Rabobank and built on top of MITRE ATT&CK. DeTT&CT stands for: DEtect Tactics, Techniques & Combat Threats.
In this blog we start off with an introduction to ATT&CK and continue with how DeTT&CT can be used within your organisation.
TaHiTI - Threat Hunting Methodology
Over several months we worked together with a number of Dutch financial institutions to create the threat hunting methodology called TaHiTI, which stands for Targeted Hunting integrating Threat Intelligence. You can obtain it here: https://www.betaalvereniging.nl/en/safety/tahiti.
OPSEC for Blue Teams - Sandboxes & Secure Communications
This will be the last blog in this series on OPSEC for Blue Teams. I will share some of my thoughts on sandboxes, secure communications and the sharing of info & data when dealing with a targeted attack.
OPSEC for Blue Teams - Testing PassiveTotal & VirusTotal
This second blog in the series on OPSEC for Blue Teams is about testing tools used to get context and/or OSINT on domains and IPs. These tests also produced results that may be of interest to Red Teams.
OPSEC for Blue Teams - Losing Defender's Advantage
This is a three-part blog series about OPSEC for Blue Teams. This first part expresses some of my ideas about the risk of alerting the adversary, and about OPSEC when getting OSINT and context on domains and IPs. The second part is about testing tools that provide context and/or OSINT (I performed tests on PassiveTotal and VirusTotal) in relation to OPSEC. The last part will be on sandboxes, secure communications and the sharing of info & data when dealing with a targeted attack.