Risk Management – Terminology

Views: 20Risk Avoidance Risk Acceptance Risk Reduction Basic Terminology Threat A threat is a potential harm or danger to an individual, organisation, or system. Threats can be classified into three main categories: human-made, technical, or natural. Human-made threats: These threats are caused by human activities or interventions. Examples include: As can be seen, human-made threats are not limited to … Read more

OpenCTI

Views: 61OpenCTI is an open source platform allowing organizations to manage their cyber threat intelligence knowledge and observables. OpenCTI is designed to provide organizations with the means to manage CTI through the storage, analysis, visualization and presentation of threat campaigns, malware and IOCs. Developed by the collaboration of the French National cybersecurity agency (ANSSI), the platform’s main objective is to … Read more

Border Gateway Protocol (BGP) Best Path Selection Mnemonic

Views: 16 “We Love Oranges AS Oranges Mean Pure Refreshment” W Weight (Highest) L LOCAL_PREF (Highest) O Originate (local) routes that are advertise through the “network” command or redistributed from an IGP. AS AS_PATH (shortest) O ORIGIN Code (IGP > EGP > Incomplete) M MED (lowest) P Paths (External > Internal) R RID (lowest)

Custom detection rule with the MITRE ATT&CK framework in Splunk

This entry is part 8 of 23 in the series Threat Detection Engineering

Views: 45Let’s walk through a practical example of creating a custom detection rule with the MITRE ATT&CK framework in Splunk. Example:Let’s say we want to create a detection rule for the technique T1566.001 – “Phishing: Spearphishing Attachment” from the MITRE ATT&CK framework. This technique involves targeted phishing attacks where attackers send malicious attachments via email … Read more

Detect brute force attacks using Splunk

Views: 50To detect brute force attacks using Splunk, you can create queries that monitor and analyze relevant log data. Here are some example Splunk queries that can help you identify potential brute force attack patterns: Explanation: This query searches for log entries containing the phrase “Failed password” and then groups them by the source IP … Read more

Suricata rules to detect Web application attacks

Views: 84Here are some examples of Suricata rules that can be used to detect web application attacks: 1. SQL Injection: 2. Cross-Site Scripting (XSS): 3. Remote File Inclusion (RFI): 4. Local File Inclusion (LFI): 5. Command Injection: 6. Server-Side Request Forgery (SSRF): These are just a few examples, and you can modify or create additional … Read more

DNS Tunneling attacks

Views: 20DNS tunneling is a technique used by attackers to bypass network security measures and exfiltrate data from a targeted network. It involves encapsulating unauthorized data within DNS (Domain Name System) queries or responses, allowing the attacker to transmit information through DNS channels. Here is a simplified diagram illustrating the DNS tunneling attack: Here’s an … Read more

Investigate SQLi attacks using Splunk

This entry is part 9 of 23 in the series Threat Detection Engineering

Views: 51Sure! Here are a few Splunk queries that can help detect web application attacks: Note: Replace <your_index> and <your_sourcetype> with the appropriate values from your Splunk environment. Also, make sure you have the corresponding lookup tables (sql_injection_keywords.csv, xss_keywords.csv, etc.) populated with relevant attack patterns. You may need to modify the queries based on your … Read more