Three tips for a better IT Acceptable Use Policy

Writing an Acceptable Use Policy sounds simple. Until you get started. We’ve all heard about users being the weakest link and the source of all cyber evil. I can understand the frustration of some of my cyber colleagues, but we’ve designed complex technology and expect them to use it perfectly – are we being reasonable? [...]

Sigma engine adds support for ee-outliers backend: start tagging your Sigma hits in Elasticsearch!

Introduction We are happy to announce that the awesome people maintaining the Sigma project on GitHub have merged our work to support the ee-outliers backend! So what you can you do with this? Sigma already contained support for Elasticsearch through the es-dsl and es-qs backends. However, these generate queries then need to be integrated by [...]

Email alerting on geographically suspicious firewall connections using logalert.py, geoiplookup and AbuseIPDB

Introduction Earlier this week, we released logalert.py, a simple python tool that can be used to pipe standard output to email for the purpose of alerting. In this blog post we want to give a concrete example of how logalert.py can be used to get simple & reliable email notifications about suspicious firewall connections, based on [...]

Releasing logalert.py – Smart piping of command output to email for alerting

Introduction Today we are releasing a small but useful tool, logalert.py. This tool can be used to pipe standard output to email for the purpose of alerting. A simple caching system is used to avoid sending duplicate alerts within a certain timeframe. The tool was developed for cases where you want a simple and robust [...]

Video: Attack Surface Reduction (ASR) Bypass using VBA

Introduction Attack surface reduction rules in Windows target software behaviors that are often abused by attackers. In this blog post & video, we want to demonstrate a way of bypassing one of these rules from within VBA. Bypass Parent process selection can be done from VBA. There is an Attack Surface Reduction rule to block [...]

To Zoom or Not to Zoom

During these COVID-19 times, personal interaction with colleagues and customers is no longer straightforward. Lots of companies are therefore looking into video conferencing solutions. One of the most popular out there, Zoom, recently hit the news with multiple security and privacy issues. Although this definitely needed to be fixed by Zoom (a first update addressing [...]

Report sightings from Kibana to MISP

Introduction A problem we all face when using threat intelligence data is getting rid of false positives in our data feeds. On the other hand, reporting of true positives is equally important as it allows to increase the level of trust in an indicator. This post describes how you can report false and true positives [...]

Working from home: tell staff about phishing & data leakage [template e-mails included]

Source: gcn.com It comes as no surprize to us, as security professionals, that hackers have been exploiting the COVID-19 situation in a series of Corona-themed scams - take this recent message from Interpol, for example. With the progressive (or not) implementation of lock down-like restrictions across the world, companies are turning to remote working to [...]

Windows Hardening in the cloud with Azure Automation

In a previous blogpost, we discussed the OS hardening baselines for Windows Server 2016 written in PowerShell DSC, which we made publicly available on the NVISO GitHub page. Using this, you can define your own hardening baseline to use within your own environment. Once a baseline is defined, we want to apply it to the [...]

Windows Server Hardening with PowerShell DSC

Operating system hardening is the process of improving the security of a default OS installation to minimize the attack surface that can be exploited by an attacker. But doing this manually on each system that is deployed on-premise or in the cloud is a cumbersome task. It can lead to inconsistent security configurations because of [...]