McHughSecurity


Author: A.McHugh

Auto-updating Ubuntu 20.04 in less than 2 minutes

Posted on April 26, 2022 by A.McHugh

If you are like me and deploy lots of small VM instances all over the place for various functions, you will find that applying updates to all of them consistently and promptly becomes a logistical problem. Fortunately, Ubuntu has a built-in auto-update function that can be configured in a few minutes.

Read More “Auto-updating Ubuntu 20.04 in less than 2 minutes” »

Operate

Feeding Analysis Information Leak (AIL) Framework

Posted on April 24, 2022 (updated May 13, 2022) by A.McHugh

I have been playing with CIRCL’s AIL Framework recently (which I will be writing about in another blog post), and I have had an interest in monitoring Telegram channels for Threat Intelligence and data breach indicators.

AIL has a very capable framework for detecting indicators within processed information using a comprehensive suite of YARA rules, but unless you want to copy and paste Telegram messages into AIL all day, some level of automation is required.

This is where the feeders come into play!

Read More “Feeding Analysis Information Leak (AIL) Framework” »

AIL Framework

An Introduction to Threat Intelligence

Posted on April 16, 2022 by A.McHugh

You will have seen the advertisements as you browse the Internet, and the vendors at various conferences and trade shows spruiking Threat Intelligence as the way to detect the bad guys in your environment, or their product or service as delivering highly enriched intelligence relevant to your organisation. But what is Threat Intelligence really? And just how refined does it need to be?

Read More “An Introduction to Threat Intelligence” »

Threat Intelligence

Deploying MISP on DigitalOcean or Vultr Cloud Hosting

Posted on July 31, 2021 (updated April 16, 2022) by A.McHugh

I have found myself deploying MISP on very small instances lately, mostly to function as a clearinghouse for intelligence I have been generating. Which raises the question: does MISP run on DigitalOcean or Vultr hosting?

Read More “Deploying MISP on DigitalOcean or Vultr Cloud Hosting” »

Frameworks

Building CCCS’ AssemblyLine for Static Analysis

Posted on July 12, 2021 by A.McHugh

This is post 1 of 1 in the series “Malware Analysis with AssemblyLine”.

System Requirements

For this build, I will be deploying AssemblyLine on my bare-metal hypervisor exposed to the Internet. This is not always a good idea; however, this build will be further hardened by additional controls, which I will explain in subsequent articles…

Read More “Building CCCS’ AssemblyLine for Static Analysis” »

Static Analysis

Hardening TheHive4 and Cortex for public deployment

Posted on June 18, 2021 by A.McHugh

Deploying an incident response platform on the open Internet is not always a good idea. Whatever your reason for doing so, there are some things you need to do before going live with TheHive and Cortex.

In this post, I talk about hardening TheHive and Cortex for an Internet-accessible deployment. This includes enforcing TLS 1.2 or later and configuring multi-factor authentication. Cortex can be further hardened through IP allowlisting, and even walled gardens implemented through Cloudflare.

Read More “Hardening TheHive4 and Cortex for public deployment” »

Build, Digital Forensics & Incident Response

[Part 4] Building a Threat Integration and Testing Lab – MISP Threat Intelligence Sharing Platform

Posted on June 18, 2021 by A.McHugh
  1. [Part 1] Building a Threat Integration and Testing Lab
  2. [Part 2] Building a Threat Integration and Testing Lab – Elastic Cloud Enterprise (On-Premises)
  3. [Part 3] Building a Threat Integration and Testing Lab – Splunk Enterprise
  4. [Part 4] Building a Threat Integration and Testing Lab – MISP Threat Intelligence Sharing Platform

MISP is a threat intelligence platform for sharing, storing and correlating Indicators of Compromise from targeted attacks, threat intelligence, financial fraud information, vulnerability information or even counter-terrorism information.

Within a well-structured SIEM environment, a Threat Intelligence Platform may allow an organisation to generate new intelligence relevant to itself, and to ingest external intelligence sources.

Read More “[Part 4] Building a Threat Integration and Testing Lab – MISP Threat Intelligence Sharing Platform” »

Build

Using the workflow taxonomy in MISP

Posted on May 23, 2021 by A.McHugh

In the context of MISP, intelligence handling usually requires a set of stages for information to be handled effectively. This can be addressed procedurally through a workflow.

Understanding how a taxonomy may be implemented in MISP to support this process is handy.

Read More “Using the workflow taxonomy in MISP” »

MISP - Open Source Threat Intelligence Platform

Using the Estimative Language Taxonomy in MISP

Posted on May 11, 2021 by A.McHugh
  1. Using the Course of Action Taxonomies in MISP
  2. Using the Data Classification Taxonomies in MISP
  3. Using the Estimative Language Taxonomy in MISP

According to the MISP taxonomies listing for Estimative Language, this taxonomy describes the quality and credibility of the underlying information sources, data and methodologies, following Intelligence Community Directive 203 (ICD 203) and JP 2-0. In this article I describe how these tags may be applied, either by the intelligence originator or when information is polled from a known credible source, to convey likelihood.

Read More “Using the Estimative Language Taxonomy in MISP” »

MISP - Open Source Threat Intelligence Platform

Using the Data Classification Taxonomies in MISP

Posted on May 11, 2021 by A.McHugh
  1. Using the Course of Action Taxonomies in MISP
  2. Using the Data Classification Taxonomies in MISP
  3. Using the Estimative Language Taxonomy in MISP

Data classification is broadly defined as the process of organising data into relevant categories so that it may be used and protected more efficiently. At a basic level, the classification process makes data easier to locate and retrieve.

In this article, I discuss the use of the data-classification taxonomy on MISP events and on the attributes within those events. The intent of this taxonomy is to categorise the value of data, providing additional context about the information or asset being affected.

Read More “Using the Data Classification Taxonomies in MISP” »

MISP - Open Source Threat Intelligence Platform

Archives

  • April 2022
  • July 2021
  • June 2021
  • May 2021
  • April 2021
  • March 2021
  • February 2021
  • January 2021
  • September 2020
  • April 2020
  • March 2020
  • January 2020
  • May 2019

Categories

  • AIL Framework
  • Blog
  • Build
  • Design
  • Digital Forensics & Incident Response
  • Frameworks
  • Intelligence
  • MISP – Open Source Threat Intelligence Platform
  • Open-Source Intelligence
  • Operate
  • Security Operations
  • Static Analysis
  • Threat Intelligence

Copyright © 2022 McHughSecurity.
