INTERNET STORM CENTER SPOTLIGHT
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
Potential Weaponizing of Honeypot Logs [Guest Diary]
Published: 2023-08-31
Last Updated: 2023-09-01 00:16:46 UTC
by Guy Bruneau (Version: 1)
[This is a Guest Diary by James Turner, an ISC intern as part of the SANS.edu BACS program]
Introduction
In today's rapidly evolving cybersecurity landscape, vigilance is the key. But what if the very tools designed to detect and analyze threats could be turned against us? In this exploration, we dive into the world of honeypots, their valuable logs, and the potential vulnerabilities that lie within. Understanding the use and application of honeypots and their associated dangers isn't just a theoretical exercise; it's a necessity. Cybersecurity professionals, threat analysts, and IT administrators stand at the forefront of this battlefield and should know the dangers that lurk in the logs.
Why do we run honeypots?
A honeypot is a system which is deliberately vulnerable. These honeypots are run by analysts all over the world and help to provide useful information.
The Internet Storm Center (ISC) at SANS utilizes honeypots for several reasons:
Threat intelligence for insights into techniques, tactics, and procedures.
Early warning of emerging attacks which would affect the broader information systems community.
Study and research of malware to develop better defense mechanisms.
Training and education which provides students with real-world attack scenarios.
Better training of students to prepare as cybersecurity professionals.
Read the full entry:
https://isc.sans.edu/diary/Potential+Weaponizing+of+Honeypot+Logs+Guest+Diary/30178/
Security Relevant DNS Records
Published: 2023-09-06
Last Updated: 2023-09-06 20:24:03 UTC
by Johannes Ullrich (Version: 1)
DNS has a big security impact. DNS is partly responsible for your traffic reaching the correct host on the internet. But there is more to DNS than name resolution. I am going to mention a few security-relevant record types here, in no particular order:
I did add some records mentioned by @hquest on Twitter.
DNSSEC (DNSKEY, RRSIG, DS, NSEC3, and others...)
That is probably the most obvious security-related feature. DNSSEC is used to digitally sign DNS records. It protects the integrity of DNS responses. Note that DNSSEC does nothing to protect the confidentiality of the data. DNS requests are not affected by DNSSEC either. There are a few different records related to DNSSEC:
DNSKEY: DNS record carrying the public key used to verify the DNS signatures.
RRSIG: Signature for a particular DNS record set.
DS: Hash of a key, used to verify the key's integrity.
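As an added example (not part of the diary), the DS-to-DNSKEY relationship described above in Python: the DS digest is the hash of the owner name in wire format followed by the DNSKEY RDATA (RFC 4034 section 5.1.4), so a validator can check a child zone's DNSKEY against the DS published by the parent. The sample key material is constructed for the demonstration and is not a real zone key.

```python
import base64
import hashlib
import hmac
import struct

# DS digest type codes (RFC 4034 for SHA-1, RFC 4509 for SHA-256, RFC 6605 for SHA-384).
DS_DIGEST_ALGOS = {1: "sha1", 2: "sha256", 4: "sha384"}

def name_to_wire(name: str) -> bytes:
    """Owner name in canonical (lowercase) wire format: length-prefixed labels, root = 0x00."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: flags (16 bits), protocol (8 bits, always 3), algorithm (8 bits), raw key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> int:
    """Key tag (RFC 4034 Appendix B): 16-bit checksum over the RDATA, used to pick the key."""
    acc = 0
    for i, byte in enumerate(dnskey_rdata(flags, protocol, algorithm, pubkey_b64)):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def compute_ds_digest(owner: str, flags: int, protocol: int, algorithm: int,
                      pubkey_b64: str, digest_type: int = 2) -> str:
    """DS digest = hash(owner name in wire format || DNSKEY RDATA), as upper-case hex."""
    h = hashlib.new(DS_DIGEST_ALGOS[digest_type])
    h.update(name_to_wire(owner))
    h.update(dnskey_rdata(flags, protocol, algorithm, pubkey_b64))
    return h.hexdigest().upper()

def ds_matches_dnskey(ds_digest_hex: str, digest_type: int, owner: str, flags: int,
                      protocol: int, algorithm: int, pubkey_b64: str) -> bool:
    """True if the parent's DS digest is the digest of this child DNSKEY (constant-time compare)."""
    expected = compute_ds_digest(owner, flags, protocol, algorithm, pubkey_b64, digest_type)
    return hmac.compare_digest(expected.lower(), ds_digest_hex.lower())

# Constructed sample: a fake KSK (flags 257, protocol 3, algorithm 13) for example.com.
# The key bytes are not a real key; they only exercise the digest arithmetic.
SAMPLE_OWNER = "example.com."
SAMPLE_FLAGS, SAMPLE_PROTOCOL, SAMPLE_ALGORITHM = 257, 3, 13
SAMPLE_PUBKEY_B64 = base64.b64encode(bytes(range(64))).decode()

if __name__ == "__main__":
    ds = compute_ds_digest(SAMPLE_OWNER, SAMPLE_FLAGS, SAMPLE_PROTOCOL, SAMPLE_ALGORITHM, SAMPLE_PUBKEY_B64)
    tag = key_tag(SAMPLE_FLAGS, SAMPLE_PROTOCOL, SAMPLE_ALGORITHM, SAMPLE_PUBKEY_B64)
    print(f"{SAMPLE_OWNER} IN DS {tag} {SAMPLE_ALGORITHM} 2 {ds}")
    # A key whose flags were altered (257 -> 256) no longer matches the published DS.
    print(ds_matches_dnskey(ds, 2, SAMPLE_OWNER, 256, SAMPLE_PROTOCOL, SAMPLE_ALGORITHM, SAMPLE_PUBKEY_B64))
```

Because the owner name is part of the hashed input, the same DNSKEY placed under a different name produces a different DS, which is why a DS only vouches for a key at one delegation point.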
Read the full entry:
https://isc.sans.edu/diary/Security+Relevant+DNS+Records/30194/
Analysis of a Defective Phishing PDF
Published: 2023-09-03
Last Updated: 2023-09-03 13:24:59 UTC
by Didier Stevens (Version: 1)
A reader submitted a suspicious PDF file. TLDR: it's a defective phishing PDF.
Taking a look with pdfid.py, I see nothing special, but it contains stream objects...
With the recent PDF/ActiveMime polyglots in mind, I also use option -e to get some extra information...
Read the full entry:
https://isc.sans.edu/diary/Analysis+of+a+Defective+Phishing+PDF/30184/