Skip to main content

Posts

Showing posts from April, 2020

Incident Response Engineer

Role and (mostly) Responsibilities Before we go any further, note the word ‘engineer’ in the title. One of the definitions by the Oxford dictionary of 'engineer' is: ‘Skilfully arrange for (something) to occur.’ With that in mind, let’s get on with it. We’re discussing an InfoSec Incident Response Engineer in this article. If along the way at any point you feel like this article is more applicable to a manager role, you’re wrong. Every member of the IR team is a manager, they need to manage their part in the response, orchestrate it and be accountable for their actions according to their level of involvement. ___________________________________ C ontrary to mainstream belief that an IR engineer needs to be someone good at detecting or hunting for threats, the real purpose of an IR engineer is to respond to incidents in an efficient, impactful and compliant way, following clearly defined protocols and an even more clearly defined scope.  After  the incide...

Introducing Ragno: IOC Multiplier

Cast a wide net using a single IOC and extract IOC for the entire campaign TL;DR: Use this Python tool to take one IOC (IP only in this first release) and expand that to all IOC related to it, download the entire list from VT and then block these to neutralise the entire campaign (or get very close to it). Ragno uses Virustotal API to interact with the popular OSINT platform. Just like a spider, this tool launches ‘webs’ which are searches based on the the IOC you provide. Each web has a potential of returning multiple results and this is how we end up with an exhaustive list of IOC that can be used to contain an entire malware campaign. The idea behind Ragno is to rapidly respond to an active Malware campaign by extracting a single IOC (network-based) and then use that to very quickly expand from there and get the network-infrastructure for the entire campaign so that you can block those IOC at your network perimeter and make sure there is no successful execution of the...