SANS on Untrusted Network

SANS ISC Diary - How often are redirects used in phishing in 2026?

Jan Kopriva — Mon, 06 Apr 2026 10:50:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll find out how often open redirect mechanisms were misused in phishing messages in the first quarter of 2026…

SANS ISC Diary - A React-based phishing page with credential exfiltration via EmailJS

Jan Kopriva — Fri, 13 Mar 2026 08:35:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at an interesting phishing site, which was implemented as a React single-page application….

SANS ISC Diary - Another day, another malicious JPEG

Jan Kopriva — Mon, 23 Feb 2026 15:35:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at a recent malspam campagin delivering a multi-stage infection chain involving a JScript downloader, WMI-spawned PowerShell, and an in-memory .NET assembly extracted from a JPEG file…

SANS ISC Diary - A phishing campaign with QR codes rendered using an HTML table

Jan Kopriva — Wed, 07 Jan 2026 10:35:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at a phishing campaign, in which QR codes were implemented with the help of HTML tables instead of images…

SANS ISC Diary - Positive trends related to public IP ranges from the year 2025

Jan Kopriva — Thu, 18 Dec 2025 09:10:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at a few positive trends related to public IP ranges from the past twelve months…

SANS ISC Diary - Use of CSS stuffing as an obfuscation technique?

Jan Kopriva — Fri, 21 Nov 2025 10:50:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at a phishing page, which - probably as an obfusctaion technique - contained a large amount of garbage CSS code…

SANS ISC Diary - A phishing with invisible characters in the subject line

Jan Kopriva — Tue, 28 Oct 2025 10:55:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at an unusual phishing message which contained “invisible” characters in its subject line…

SANS ISC Diary - A quick look at sextortion at scale: 1,900 messages and 205 Bitcoin addresses spanning four years

Jan Kopriva — Tue, 02 Sep 2025 10:00:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll discuss the analysis of approximately 1,900 sextortion e-mails spanning years 2021-2025, and look at interesting statistical data that resulted from this analysis…

SANS ISC Diary - Do sextortion scams still work in 2025?

Jan Kopriva — Wed, 06 Aug 2025 11:30:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll discuss whether sextortion scams are still effective in 2025…

SANS ISC Diary - How quickly do we patch? A quick look from the global viewpoint

Jan Kopriva — Mon, 21 Jul 2025 13:00:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at how quickly do we – as a global society – patch actively-exploited vulnerabilities when it comes to our internet-facing systems…

SANS ISC Diary - Phishing e-mail that hides malicious link from Outlook users

Jan Kopriva — Wed, 04 Jun 2025 12:30:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at an interesting phishing e-mail that hides the link to a malicious site from Oulook users…

SANS ISC Diary - Another day, another phishing campaign abusing google.com open redirects

Jan Kopriva — Wed, 14 May 2025 12:30:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at an actively exploited open redirect vulnerability in Google Travel service that enables threat actors to craft links pointing to www.google.com which cause redirection to an arbitrary URL…

SANS ISC Diary - It's 2025... so why are obviously malicious advertising URLs still going strong?

Jan Kopriva — Mon, 21 Apr 2025 10:50:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at a phishing campaign, in which Google Ad service was used for redirection of victims, and at security weaknesses of web-based ad services in general…

SANS ISC Diary - A Tale of Two Phishing Sites

Jan Kopriva — Fri, 28 Mar 2025 13:00:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at two phishing sites based on the same phishing kit, that differed significantly (not just) in the level of obfuscation…

Measuring security operations capabilities and improving their maturity, efficiency, and effectiveness

Jan Kopriva — Tue, 04 Mar 2025 08:00:00 +0100

To slightly paraphrase Peter Drucker’s famous quote, one can’t manage what one can’t measure. This – of course – holds true even for Computer Security Incident Response Teams (CSIRTs) and Security Operations Centers (SOCs). The only question is, how can we “measure” what they do in a meaningful way? This is what we will discuss in this article, which is loosely based on a presentation called ‘How to measure Efficiency in Security Operations’, which I gave at the Open Cyber Security Conference (OSCS) in Tenerife in February of 2024.

Why should we measure anything?

To my mind, the aforementioned quote says it all. If something (e.g., a SOC or a CSIRT that is being operated or used by our organization) is basically just a “black box” from which only a report or an alert sometimes emerges, how can we say whether that black box functions efficiently? Worse yet, how can we say whether it fully satisfies the needs of our organization?
For example, can we be certain that our security monitoring service truly does detect threats relevant to our organization, and does not depend only on generic detection capabilities that ignore our specific threat profile?

It should be clear that without “measuring” various aspects of CSIRT and SOC operations, there is very little we can be sure of… This is, of course, troubling if relevant security services are provided by an internal department of our own organization, but potentially even more so if the services are being delivered to us by an external MSSP.
It is therefore in the best interest of any organization that avails itself of security operations services – be they internally or externally provided – to periodically evaluate whether these services function effectively enough to fulfill the corresponding organizational needs.

What do we actually want to measure?

The vaguely defined terms of “Blue Teaming“ or “Security Operations”, which are commonly understood to be the purview of SOCs, CSIRTs and teams hidden behind various other acronyms, do – for obvious reasons – mean different things in different organizations. In order for us to have a reasonable starting point for our discussion, we therefore first have to specify which areas we actually want to measure.

For the sake of simplicity, we will consider “Security Operations” to mean service areas covered by the FIRST Services Framework, i.e., Information Security Event Management, Information Security Incident Management, Vulnerability Management, Situational Awareness and Knowledge Transfer. Of course, services provided by a specific SOC, CSIRT or any other “blue team” do not necessarily have to cover all of these areas, however since the activities of some teams do encompass all of them, we will use the Services Framework as our starting point.

With that out of the way, the time has almost come for us to take a look at how to analyze and measure maturity, efficiency and effectiveness in the various areas that the aforementioned framework covers.
Before that, however, it’s important to emphasize that security operations rely not only on technology but also on processes and personnel – just like cybersecurity and information security as a whole. And while some organizations tend to see “effectiveness”, “efficiency”, “quality” or “maturity” of their security operations programs mostly as a function of the number and variability of technical security solutions that they have employed, such a view is – for obvious reasons – unacceptably limiting (or “blatantly incorrect”, to put it in more straightforward terms).

As such, this techno-centric view would hardly lend itself to any reasonable “assessment” or “measurement” of real effectiveness of security operations. Therefore, although we will certainly not disregard technologies in our further discussion, we need to keep in mind the fact that technologies are only one part of the puzzle… And not necessarily always the most important one.

How can we actually “measure” security operations?

This is the key question.

One could define and use any number of different metrics, KPIs and SLAs for various areas of security operations (and if you are looking for ideas in this area, try looking at the SOC-CMM metrics suite). However, these probably wouldn’t be of much help if one wanted to measure any of the aforementioned Service Framework areas in a more complex or formal manner.

For this purpose, one might – of course – develop a custom methodology. However, it may be wiser not to reinvent the wheel if an effective methodology already exists. We will therefore take a look at several methodologies and frameworks for measuring or assessing different areas of security operations that are currently available.

It should be mentioned that most of these methodologies solve the issue of “how to measure” various aspects of security operations by using some (perhaps simplified or modified) version of the CMMI, and therefore, they can be said to measure maturity of different areas, rather than their efficiency or effectiveness. Nevertheless, since maturity inherently includes efficiency, effectiveness, repeatability, and sustainability, these methodologies are well-suited to our needs.

Below is a non-exhaustive list of freely available maturity models, methodologies, and relevant frameworks, along with a brief description of their primary purpose, organized by the security operations area they cover. All methodologies and frameworks that are potentially suitable for more than one service area have been listed in the one, in which their use may be considered of most benefit.

Information Security Event Management

This service area of FIRST Services Framework covers security monitoring and detection and analysis of events, which is usually the domain of Security Operations Centers.
Although there are various methodologies and frameworks that may be useful in this area (you may find some additional ones in the Information Security Incident Management section below, since this area and security event management are umbilically linked), there are two that deserve a special mention.

SOC-CMM

SOC-CMM is undoubtedly the best-known and most commonly used maturity model for SOCs. As you can see from the following picture, it is quite comprehensive – in its current version (2.3), it covers 26 aspects of SOC operations split into 5 domains (Business, People, Process, Technology and Services), and it enables one to evaluate various factors of each of these aspects using a 5-level maturity scale, and some of them (those that fall into the Technology and Services domains) also using a 4-level capability scale.

Source: SOC-CMM

For practical application, the model is available in the form of a user-friendly Excel assessment tool. Or – rather – two tools, a “Basic” and “Advanced” one. However, the Basic version is likely the only one you’ll ever need.

SOC-CMM is quite useful for informal internal evaluations, as well as formal assessments performed by third parties, and it can also be helpful when it comes to defining the optimal “target” state of operations and developing corresponding improvement roadmaps for SOCs.

In addition to this, a 3-level certification scheme based on SOC-CMM has been introduced in the final months of 2024, which enables organizations to have their Security Operations Centers officially certified by an accredited certification body. This may be of interest especially to those who feel the need to assure their client base (be it internal or external) of the quality of service provided by their SOC.

MITRE ATT&CK

Given its long history and wide-ranging use in the cyber security community, the MITRE ATT&CK framework itself requires no introduction. Nevertheless, its potential as a tool for measuring effectiveness of Security Operations Centers does deserve some short explanation, since there is no formal methodology available for this use of ATT&CK.

In the SOC space, the ATT&CK framework is commonly used for specifying the scope of detection use cases and analytics. Having all relevant detection analytics that a SOC uses mapped to ATT&CK can be quite helpful, since it gives one the ability to effectively measure what (sub-)techniques SOC is capable of detecting, and what (sub-)techniques it most likely can’t detect.

This can be considered the simplest way to use MITRE ATT&CK in the context of a SOC. However, ATT&CK can also be used to measure security monitoring capabilities and their scope in a more complex way.

While larger detection coverage (i.e., the range of malicious activities that a SOC is capable of detecting) is generally better, no SOC in the world can effectively cover all (sub-)techniques that are listed in ATT&CK. Therefore, what any SOC should try to implement first and foremost are detections for those malicious activities (i.e., ATT&CK (sub-)techniques) that are most important to its client base.

Therefore, if one first identifies these activities through an appropriate threat modeling approach, one can then quite easily compare the list of ATT&CK (sub-)techniques that the SOC needs to cover – based on the needs of its clients – with the list of (sub-)techniques that it is actually capable of detecting. If coverage of the identified threat model is not close to full, then the SOC is obviously not delivering as effective detection service, as its client base truly needs.

Using ATT&CK as a basis for an assessment (internal one or one performed by a third party) of detection capabilities and their alignment with client requirements can therefore certainly be helpful. And although – as we have already mentioned – there currently isn’t any formal methodology for this, there is at least a freely available tool named MITRE ATT&CK Navigator, which can enable us to easily document such an assessment.

For completeness’s sake, it should be mentioned that alignment of detection capabilities with client needs based on their respective ATT&CK mappings is something that is – to a certain degree – also covered by SOC-CMM .

Information Security Incident Management

Security incident management is commonly considered to be the domain of CERTs and CSIRTs. And although one maturity model reigns supreme in this area, we will mention an additional one, since it brings a somewhat different – yet relevant – viewpoint to the table…

Security Incident Management Maturity Model (SIM3)

Globally, the most well-known methodology for evaluating CSIRTs and CERTs is undoubtedly the Security Incident Management Maturity Model, or SIM3, which is currently used by FIRST, TF-CSIRT or ENISA – just to name a few.

In its current version (SIM3 v2 interim), it consists of 45 “maturity parameters” split into 4 categories (Organization, Human, Tools and Processes) that cover most high-level aspects of security incident management. Evaluation of each parameter is performed using a 5-level maturity scale.

Probably the easiest way to use the model is with the help of a freely available on-line SIM3 self-assessment tool.

Source: Open CSIRT Foundation

In practice, SIM3 is commonly used for both informal self-assessments as well as formal audits that evaluate whether maturity levels achieved by a specific team reached or exceeded some predetermined “baseline” (e.g., the Trusted Introducer Certification process is based on such a formal audit). Overall, the model is quite easy to use, and a quick, informal evaluation of a CSIRT with its help can be done in a few hours (formal assessments, of course, take significantly longer).

Although in its current form, SIM3 is primarily designed for assessing CSIRTs, it is sometimes also used for evaluation of Security Operations Centers and other types of security teams. And while, at the moment, it may not always be easy to map some aspects of SOC operations to the model, the situation is expected to change in the near future, since the Open CSIRT Foundation is currently in the process of developing modifications of SIM3 (so called “profiles”) intended for SOCs as well as PSIRTs and ISACs, which should significantly simplify application of the model (not just) within the SOC space.

CREST Cyber Security Incident Response Maturity Assessment

The Cyber Security Incident Response Maturity Assessment (or CSIR Maturity Assessment), which was developed by CREST, is another model/methodology useful for assessing incident response teams. However, unlike SIM3, SOC-CMM and most similar models, which evaluate maturity in various general areas that are important for effective SOC or CSIRT work (e.g., personnel situation, overall existence of processes, etc.), the CSIR Maturity Assessment evaluates maturity of organizational capabilities in various stages of incident response lifecycle.

Source: CREST

Two Excel-based maturity assessment tools, both of which use a 5-level maturity scale, are available for practical application of the methodology. One of them is intended for quick, high-level evaluations, and allows users to set a single maturity level for each of the 15 steps of the incident response lifecycle shown above. The second tool is much more detailed, and (similarly to SOC-CMM Excel files) includes multiple questions for each evaluated area.

For most organizations outside of the United Kingdom, this maturity model will probably be most interesting “only” as a mechanism for informal self-assessments. Nevertheless, it can certainly serve as a useful tool. This holds true even for those who already use SIM3 to assess their CSIRTs, since the CSIR Maturity Assessment is – in its complex version – much more detailed than the aforementioned maturity model, and can therefore provide a more in-depth view into some areas.

Vulnerability management

While vulnerability management is sometimes the domain of specialized vulnerability management teams, in other cases, performance of corresponding duties falls to a SOC, CSIRT or to a general IT operations department. In any case, evaluating how effectively vulnerability management is performed in the context of an organization can certainly be beneficial.

To this end, we will mention one maturity model, which deals with this area, and which is probably the most interesting one in this space (that is, if one doesn’t want to go into specifics of bug bounty programs and vulnerability report handling, since there are specialized maturity models for these areas as well).

SANS Vulnerability Management Maturity Model (VMMM)

The VMMM started its life as “only” a maturity model for vulnerability management programs, without any explicit methodology for its application. Nevertheless, few years after its publication, one of its authors released an accompanying Self-Assessment Tool (VMMM-SAT) that can guide one in its practical use.

Overall, the model consists of 5 phases of a vulnerability management lifecycle (Prepare, Identify, Analyze, Communicate and Treat), that are split into 12 areas, that can be measured using a 5-level CMMI-based scale.

Source: SANS Institute

The accompanying Self-Assessment Tool is available as an Excel document that enables one to evaluate the 12 areas of the model with the help of approximately 140 yes/no questions.

As the name of the tool suggests, it – and VMMM itself – is primarily intended/useful for self-assessments, though it can also be helpful in the development of improvement roadmaps for vulnerability management programs.

Situational Awareness

In terms of Security Operations, the topic of situational awareness can be said to be heavily intertwined with Cyber Threat Intelligence (CTI). Given this fact, there are two main maturity models/methodologies that lend themselves to use within this space.

CREST Cyber Threat Intelligence Maturity Assessment Tools

Cyber Threat Intelligence Maturity Assessment Tools are a set of 3 Excel documents that all implement the same methodology for assessing maturity of CTI programs.

As you may see in the following picture, the methodology is built around the assessment of four “stages” of an overall “CTI process” (Governance, Program Planning & Requirements, Threat Intelligence Operation and Functional Management), that are further split into 18 “steps”. Each of the areas is evaluated using a 5-level maturity scale.

Source: CREST

The reason why CREST published 3 tools for use with the same methodology is that each of the Excel files implements the methodology on a different level of detail. While the “Summary Level” tool only requires answering two or three questions per each “step”, the “Intermediate Level” tool might require answering five or six questions, and the “Detailed Level” tool might go well over twenty questions in some cases. One can therefore always choose the right tool based on the need for detail and the available time.

The assessment tools may be quite useful for performing self-assessments, however they (especially the two more detailed tools) may also be interesting for conducting third-party assessments.

Cyber Threat Intelligence Capability Maturity Model (CTI-CMM)

The CTI-CMM is a relatively recent maturity model that is heavily influenced by the C2M2 framework and stresses the need for alignment of a CTI program with stakeholder/client needs.
In its current version (1.1), it is organized into 11 domains that are evaluated using a 4-level maturity scale.

For practical application of the model, a “Beta” assessment tool is currently available in the form of an Excel document, that enables one to evaluate a CTI program through specifying the current maturity level in a total of 230 measured areas.

The model may be useful for performing self-assessment of a CTI team (or SOC/CSIRT that delivers CTI-related services) or for development of an improvement roadmap for a CTI program.

Knowledge Transfer

Although this area is part of the FIRST Services Framework, it is commonly the domain of security awareness and education specialists and exercise developers, rather than SOCs or CSIRTs. As such, it is somewhat outside of the scope we usually wish to evaluate when it comes to security operations efficiency or maturity. Nevertheless, should you require some basic model or methodology to assess how a certain organization/team is performing in at least some parts of this service area, the Security Culture Maturity Model or the SANS Security Awareness Maturity Model may be of use to you.

Where should we start?

With the number of various methodologies shown above, one can almost feel spoiled for choice, and it can be quite difficult to identify an optimal starting point/optimal methodology to start with.

Although the “right” methodology will – of course – depend on the specific service areas one wishes to assess, an approach that has worked for me quite well in the past, when I needed to “somehow” assess a SOC or a CSIRT (or another team that performs at least some level of security monitoring and incident response), was to do a quick assessment using SIM3, followed by a more in-depth analysis with the help of SOC-CMM.

Therefore, if you don’t know where to start, feel free to use this approach. Though, as you can clearly see, it is far from the only one available to you…

And should you need any help with assessing your SOC or CSIRT, don’t hesitate to reach out – it is something we do for our clients regularly as part of our services at Nettles Consulting.

SANS ISC Diary - SSL 2.0 turns 30 this Sunday... Perhaps the time has come to let it die?

Jan Kopriva — Fri, 07 Feb 2025 11:45:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at an upcoming 30-year anniversary of the publication of SSL 2.0, and on the number of internet-exposed systems that still support this protocol…

SANS ISC Diary - An unusual 'shy z-wasp' phishing

Jan Kopriva — Mon, 27 Jan 2025 12:20:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at an unusual phishing message, in which two different techniques for splitting text using unrendered characters were used with the intention of bypassing security scans…

SANS ISC Diary - Changes in SSL and TLS support in 2024

Jan Kopriva — Mon, 30 Dec 2024 12:25:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at changes in SSL/TLS support on web servers and e-mail servers during the 12 months of 2024…

SANS ISC Diary - The strange case of disappearing Russian servers

Jan Kopriva — Mon, 25 Nov 2024 08:14:15 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at a recent significant decrease in the number of servers seen by Shodan in Russia…

SANS ISC Diary - Self-contained HTML phishing attachment using Telegram to exfiltrate stolen credentials

Jan Kopriva — Mon, 28 Oct 2024 08:15:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at an HTML phishing attachment which used Telegram to send stolen credentials back to its authors…

SANS ISC Diary - Phishing links with @ sign and the need for effective security awareness building

Jan Kopriva — Mon, 23 Sep 2024 08:55:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at misuse of the user information string in a URL, and at the topic of effective security awareness building in relation to phishing…

SANS ISC Diary - Script obfuscation using multiple instances of the same function

Jan Kopriva — Mon, 05 Aug 2024 08:15:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at an interesting script obfuscation technique…

SANS ISC Diary - 'Reply-chain phishing' with a twist

Jan Kopriva — Tue, 16 Jul 2024 11:30:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at a slightly unusual “reply-chain” phishing technique…

SANS ISC Diary - Support of SSL 2.0 on web servers in 2024

Jan Kopriva — Fri, 28 Jun 2024 12:00:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at the number of web server that still support SSL v2.0…

SANS ISC Diary - Files with TXZ extension used as malspam attachments

Jan Kopriva — Mon, 27 May 2024 08:45:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at recent malspam campaigns distributing files with the TXZ extension…

SANS ISC Diary - It appears that the number of industrial devices accessible from the internet has risen by 30 thousand over the past three years

Jan Kopriva — Mon, 22 Apr 2024 12:25:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at the number of internet-exposed industrial control systems…

SANS ISC Diary - The xz-utils backdoor in security advisories by national CSIRTs

Jan Kopriva — Mon, 01 Apr 2024 13:55:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at the number of security advisories published by national and governmental CSIRTs in connection with the backdoor in xz-utils…

SANS ISC Diary - Increase in the number of phishing messages pointing to IPFS and to R2 buckets

Jan Kopriva — Thu, 14 Mar 2024 09:55:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at a recent rise in the number of phishing messages pointing to IPFS and R2 buckets…

SANS ISC Diary - Phishing pages hosted on archive.org

Jan Kopriva — Wed, 21 Feb 2024 08:30:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at hosting of phishing pages on archive.org…

SANS ISC Diary - Computer viruses are celebrating their 40th birthday (well, 54th, really)

Jan Kopriva — Tue, 06 Feb 2024 10:00:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at an interesting anniversary related to computer viruses…

SANS ISC Diary - Interesting large and small malspam attachments from 2023

Jan Kopriva — Wed, 03 Jan 2024 15:00:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at the largest and smallest malware samples, that my malspam traps caught last year…

SANS ISC Diary - Whose packet is it anyway: a new RFC for attribution of internet probes

Jan Kopriva — Wed, 06 Dec 2023 11:45:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at a recently published RFC which provides way for network scans performed over the internet to be attributed…

SANS ISC Diary - Phishing page with trivial anti-analysis features

Jan Kopriva — Fri, 17 Nov 2023 11:10:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at a phishing page with easily bypassed anti-analysis features…

SANS ISC Diary - Are typos still relevant as an indicator of phishing?

Jan Kopriva — Mon, 16 Oct 2023 09:45:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll discuss whether typos are still useful as an indicator of phishing…

SANS ISC Diary - A new spin on the ZeroFont phishing technique

Jan Kopriva — Tue, 26 Sep 2023 11:20:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at a novel phishing technique, in which text written in zero-size font is used in order to make messages appear more trustworthy…

SANS ISC Diary - The low, low cost of (committing) cybercrime

Jan Kopriva — Thu, 31 Aug 2023 12:00:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at a simple phishing which demonstrates quite well that the cost of committing cybercrime can unfortunately be extremely low…

SANS ISC Diary - From small LNK to large malicious BAT file with zero VT score

Jan Kopriva — Thu, 03 Aug 2023 18:30:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at a malicious BAT file which was used in a phishing campaign last week and according to VirusTotal is still being detected as benign by all anti-virus engines it has access to…

SANS ISC Diary - Kazakhstan - the world's last SSLv2 superpower... and a country with potentially vulnerable last-mile internet infrastructure

Jan Kopriva — Wed, 28 Jun 2023 08:30:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at a surprisingly high number of old network devices in Kazakhstan, which still support SSL version 2.0…

SANS ISC Diary - After 28 years, SSLv2 is still not gone from the internet... but we're getting there

Jan Kopriva — Thu, 01 Jun 2023 10:40:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at how SSLv2 support on web servers connected to the internet is slowly “dying off”…

SANS ISC Diary - Ongoing Facebook phishing campaign without a sender and (almost) without links

Jan Kopriva — Mon, 15 May 2023 09:35:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at an interesting, long-term phishing campaign targeting Facebook users…

SANS ISC Diary - 'Passive' analysis of a phishing attachment

Jan Kopriva — Mon, 01 May 2023 12:40:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at a “passive”, OPSEC-friendly approach to the analysis of HTML phishing attachments…

SANS ISC Diary - The strange case of Great honeypot of China

Jan Kopriva — Mon, 17 Apr 2023 10:50:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at a sharp increase of Shodan’s detections of honeypots in China…

SANS ISC Diary - Use of X-Frame-Options and CSP frame-ancestors security headers on 1 million most popular domains

Jan Kopriva — Fri, 31 Mar 2023 14:50:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at the use of security-related HTTP headers that are able to prevent “framing attacks” on one million most commonly visited domains…

SANS ISC Diary - IPFS phishing and the need for correctly set HTTP security headers

Jan Kopriva — Wed, 15 Mar 2023 12:20:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at several phishing pages hosted on a disributed file system IPFS and shortly dicuss the potential of HTTP security headers to serve as a defense against phishing…

SANS ISC Diary - HTML phishing attachment with browser-in-the-browser technique

Jan Kopriva — Thu, 16 Feb 2023 12:20:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at the use of “browser-in-the-browser” technique in a generic phishing campaign…

SANS ISC Diary - SPF and DMARC use on 100k most popular domains

Jan Kopriva — Thu, 19 Jan 2023 12:40:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at SPF and DMARC use on world’s most popular domains…

SANS ISC Diary - Passive detection of internet-connected systems affected by vulnerabilities from the CISA KEV catalog

Jan Kopriva — Wed, 11 Jan 2023 12:00:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at a new function of my TriOp tool and its use for passive identification of systems affected by vulnerabilities listed in the CISA KEV Catalog…

SANS ISC Diary - SPF and DMARC use on GOV domains in different ccTLDs

Jan Kopriva — Fri, 30 Dec 2022 16:45:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at the use of SPF and DMARC on second-level governmental domains in different ccTLDs…

SANS ISC Diary - Traffic Light Protocol (TLP) 2.0 is here

Jan Kopriva — Thu, 04 Aug 2022 10:35:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at a new version of the Traffic Light Protocol standard, which was published by FIRST earlier this week…

SANS ISC Diary - EternalBlue 5 years after WannaCry and NotPetya

Jan Kopriva — Tue, 05 Jul 2022 10:35:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at the number of internet-exposed systems that are still vulnerable to the EternalBlue exploit…

SANS ISC Diary - HTML phishing attachments - now with anti-analysis features

Jan Kopriva — Wed, 01 Jun 2022 12:05:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at an unusual use of anti-debugging/anti-analysis techniques in a phishing page…

SANS ISC Diary - Do you want 30 BTC? Nothing is easier (or cheaper) in this phishing campaign...

Jan Kopriva — Wed, 18 May 2022 07:50:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at a sophisticated phishing campaign that offered 30 BTC (in someone else’s account) in an attempt to get victims to send it money…

SANS ISC Diary - What is the simplest malware in the world?

Jan Kopriva — Fri, 06 May 2022 09:20:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at what might be the simplest malware in the world…

SANS ISC Diary - MITRE ATT&CK v11 - a small update that can help (not just) with detection engineering

Jan Kopriva — Wed, 27 Apr 2022 11:30:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at a new version of the MITRE ATT&CK framework, which was published this week…

SANS ISC Diary - How is Ukrainian internet holding up during the Russian invasion?

Jan Kopriva — Wed, 13 Apr 2022 11:30:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at the impact of the current war in Ukraine on the country’s internet…

SANS ISC Diary - Over 20 thousand servers have their iLO interfaces exposed to the internet, many with outdated and vulnerable versions of FW

Jan Kopriva — Wed, 26 Jan 2022 12:20:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at the high number of HP servers that have their out-of-band configuration interface exposed to the internet…

SANS ISC Diary - Phishing e-mail with...an advertisement?

Jan Kopriva — Tue, 18 Jan 2022 10:10:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at a slightly unusual phishing message that contained text reminiscent of an advertisement for Xerox products…

SANS ISC Diary - Do you want your Agent Tesla in the 300 MB or 8 kB package?

Jan Kopriva — Fri, 31 Dec 2021 13:15:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at some of the largest and smallest malicious PE files that were caught by my malspam trap in 2021…

SANS ISC Diary - PowerPoint attachments, Agent Tesla and code reuse in malware

Jan Kopriva — Mon, 20 Dec 2021 17:00:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at a malspam message with macro-enabled PowerPoint attachment that turned out to be first stage of an Agent Tesla infection chain…

SANS ISC Diary - Phishing page hiding itself using dynamically adjusted IP-based allow list

Jan Kopriva — Wed, 24 Nov 2021 12:10:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at an interesting protection mechanism used on a phishing site to deny access to it to anyone but the victim who first clicked the link in a phishing mail…

SANS ISC Diary - TLS 1.3 and SSL - the current state of affairs

Jan Kopriva — Tue, 28 Sep 2021 11:20:00 +0200

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at the current state of adoption of TLS 1.3 and disposal of SSL 2.0 and 3.0…

SANS ISC Diary - Phishing 101: why depend on one suspicious message subject when you can use many?

Jan Kopriva — Thu, 16 Sep 2021 09:10:00 +0200

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at a phishing that tried to use multiple suspicious message subjects to lure the recipient to a phishing site…

SANS ISC Diary - There may be (many) more SPF records than we might expect

Jan Kopriva — Wed, 25 Aug 2021 11:55:00 +0200

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at the surprisingly high number of SPF records set for domains in the CZ TLD…

SANS ISC Diary - ProxyShell - how many Exchange servers are affected and where are they?

Jan Kopriva — Mon, 09 Aug 2021 12:25:00 +0200

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at the number of Exchange serveres vulnerable to the ProxyShell attack…

SANS ISC Diary - A sextortion e-mail from...IT support?!

Jan Kopriva — Wed, 28 Jul 2021 08:35:00 +0200

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at a slightly unusual sextortion phishing, in which its author claimed to work for an IT service company hired by recipients e-mail provider…

SANS ISC Diary - One way to fail at malspam - give recipients the wrong password for an encrypted attachment

Jan Kopriva — Wed, 14 Jul 2021 13:10:00 +0200

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at a malspam campaign, whose authors failed to include a correct password to decrypt the malicious attachment…

SANS ISC Diary - Phishing asking recipients not to report abuse

Jan Kopriva — Tue, 22 Jun 2021 15:15:00 +0200

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at a phishing message that ended with an unusual request…

SANS ISC Diary - Architecture, compilers and black magic, or 'what else affects the ability of AVs to detect malicious files'

Jan Kopriva — Wed, 09 Jun 2021 13:25:00 +0200

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at how the use of a compiler affects the ability of anti-malware tools to detect malicious code…

SANS ISC Diary - All your Base are...nearly equal when it comes to AV evasion, but 64-bit executables are not

Jan Kopriva — Thu, 27 May 2021 11:30:00 +0200

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at the difference (or lack thereof) different binary-to-text encodings make when it comes to anti-malware evasion…

SANS ISC Diary - Number of industrial control systems on the internet is lower then in 2020...but still far from zero

Jan Kopriva — Wed, 12 May 2021 13:15:00 +0200

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at the number of Industrial Control Systems accessible from the internet…

SANS ISC Diary - Hunting phishing websites with favicon hashes

Jan Kopriva — Mon, 19 Apr 2021 11:15:00 +0200

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at how HTTP favicon hashes may be used to identify IP addresses hosting phishing websites…

SANS ISC Diary - Malspam with Lokibot vs. Outlook and RFCs

Jan Kopriva — Tue, 06 Apr 2021 18:30:00 +0200

A Diary of mine was published today on the SANS Internet Storm Center website. In it, we’ll take a look at an interesting malspam message carrying the Lokibot infostealer and also causing quite unusual behavior in Outlook…

SANS ISC Diary - Old TLS versions - gone, but not forgotten... well, not really 'gone' either

Jan Kopriva — Tue, 30 Mar 2021 10:20:00 +0200

A Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at changes in the number of web servers, which support TLS 1.0 and TLS 1.1…

SANS ISC Diary - 50 years of malware? Not really. 50 years of computer worms? That's a different story...

Jan Kopriva — Tue, 16 Mar 2021 08:20:00 +0100

A Diary of mine was published today on the SANS Internet Storm Center. In this one, we take a look at Creeper, the first computer worm, which was created 50 years ago - according to some sources, on this very day in 1971…

SANS ISC Diary - Qakbot in a response to Full Disclosure post

Jan Kopriva — Tue, 23 Feb 2021 11:30:00 +0100

A Diary of mine was published today on the SANS Internet Storm Center. In this one, we take a look at an interesting e-mail message carrying Qakbot downloader, which appeared to be sent in a response to a historical Full Disclosure mailing list post…

SANS ISC Diary - Agent Tesla hidden in a historical anti-malware tool

Jan Kopriva — Thu, 11 Feb 2021 08:20:00 +0100

A Diary of mine was published today on the SANS Internet Storm Center. In this one, we take a look at an interesting sample of Agent Tesla, which was hidden in the code of a legitimate historical anti-malware tool…

SANS ISC Diary - TriOp - tool for gathering (not just) security-related data from Shodan.io

Jan Kopriva — Wed, 27 Jan 2021 11:00:00 +0100

A Diary of mine was published today on the SANS Internet Storm Center. In this one, we take a look at TriOp - my recently published tool, which enables anyone to periodically gather interesting data from Shodan.

SANS ISC Diary - From a small BAT file to Mass Logger infostealer

Jan Kopriva — Mon, 04 Jan 2021 15:50:00 +0100

A Diary of mine was published today on the SANS Internet Storm Center. In this one, we take a look at an interesting BAT file from 2020, which turned out to be a downloader for the Mass Logger infostealer.

SANS ISC Diary - TLS 1.3 is now supported by about 1 in every 5 HTTPS servers

Jan Kopriva — Wed, 30 Dec 2020 12:55:00 +0100

A Diary of mine was published today on the SANS Internet Storm Center. In this one, we take a look at the increse in support of TLS 1.3 by HTTPS servers and the decrease in support of SSL 2.0.

SANS ISC Diary - Want to know what's in a folder you don't have a permission to access? Try asking your AV solution...

Jan Kopriva — Tue, 29 Dec 2020 15:20:00 +0100

A Diary of mine was published today on the SANS Internet Storm Center. In this one, we take a look a small issue present in many anti-malware tools, which may be used to bypass file system level folder listing permissions.

SANS ISC Diary - A slightly optimistic tale of how patching went for CVE-2019-19781

Jan Kopriva — Fri, 18 Dec 2020 10:00:00 +0100

A Diary of mine was published today on the SANS Internet Storm Center. In this one, we take a look at how many publicly accessible systems are still vulnerable to CVE-2019-19781, AKA Shitrix.

SANS ISC Diary - Vulnerabilities don’t disappear just because we don’t talk about them anymore

Jan Kopriva — Mon, 16 Nov 2020 11:08:20 +0200

A Diary of mine was published today on the SANS Internet Storm Center. In this one, we take a look at couple of pre-2020 high-impact vulnerabilities, which still affect surprising number of publicly accessible systems.

SANS ISC Diary - SMBGhost - the critical vulnerability many seem to have forgotten to patch

Jan Kopriva — Wed, 28 Oct 2020 11:00:00 +0200

A Diary of mine was published today on the SANS Internet Storm Center. In this one, we take a look at the concerning number of machines connected to the internet, that are still not patched for the critical SMBGhost vulnerability.

SANS ISC Diary - BazarLoader phishing lures: plan a Halloween party, get a bonus and be fired in the same afternoon

Jan Kopriva — Thu, 22 Oct 2020 11:00:00 +0200

A Diary of mine was published today on the SANS Internet Storm Center. In this one, we take a look at phishing campaigns spreading BazarLoader malware and the lures which they use.

SANS ISC Diary - Phishing kits as far as the eye can see

Jan Kopriva — Fri, 09 Oct 2020 07:40:00 +0200

A Diary of mine was published today on the SANS Internet Storm Center. In this one, we take a look at phishing kits, which are offered on the indexed part of the web.

SANS ISC Diary - Slightly broken overlay phishing

Jan Kopriva — Mon, 21 Sep 2020 12:50:00 +0200

A Diary of mine was published today on the SANS Internet Storm Center. In this one, we take a look at an interesting (and slightly broken) phishing campaign, which overlays legitimate pages with fake login prompts.

SANS ISC Diary - A blast from the past - XXEncoded VB6.0 Trojan

Jan Kopriva — Fri, 04 Sep 2020 09:35:00 +0200

A Diary of mine was published today on the SANS Internet Storm Center. In this one, we take a look at a campaign in which the malicious actors decided to go reall “old school” when it comes to file formats they would use.

SANS ISC Diary - Security.txt - one small file for an admin, one giant help to a security researcher

Jan Kopriva — Thu, 27 Aug 2020 09:20:00 +0200

A Diary of mine was published today on the SANS Internet Storm Center. In this one, we take a look at the draft standard for “A File Format to Aid in Security Vulnerability Disclosure”, better known as security.txt.

SANS ISC Diary - Definition of 'overkill' - using 130 MB executable to hide 24 kB malware

Jan Kopriva — Fri, 14 Aug 2020 14:20:00 +0200

A Diary of mine was published today on the SANS Internet Storm Center. In this one, we take a look at a 130 MB EXE carrying within it a 24 kB malicious payload.

SANS ISC Diary - What pages do bad bots look for?

Jan Kopriva — Sat, 01 Aug 2020 16:15:00 +0200

A Diary of mine was published today on the SANS Internet Storm Center. In this one, we take a look at which interesting pages “bad” bots look for the most on web servers.

SANS ISC Diary - Couple of interesting Covid-19 related stats

Jan Kopriva — Tue, 21 Jul 2020 10:55:00 +0200

A Diary of mine was published today on the SANS Internet Storm Center. In this one, we take a look at how regional travel restrictions impact (or don’t) the number of IP addresses which expose remote access protocols to the internet.

SANS ISC Diary - Using Shell Links as zero-touch downloaders and to initiate network connections

Jan Kopriva — Wed, 24 Jun 2020 09:45:00 +0200

A Diary of mine was published today on the SANS Internet Storm Center. In this one, we take a look at a weakness handling of LNK files in Windows, through which one may force the OS to download an arbitrary file from a remote server any time the shortcut file is displayed.

SANS@MIC - Catch and Release: Phishing Techniques for the Good Guys

Jan Kopriva — Thu, 18 Jun 2020 19:10:00 +0200

I did a SANS@MIC talk yesterday, in which I discussed interesting phishing techniques (mainly) from the point of view of red teamers. Since the recording was published today, if you didn’t get the chance to join us live, you may take a look at how it went on YouTube.

SANS ISC Diary - Broken phishing accidentally exploiting Outlook zero-day

Jan Kopriva — Thu, 18 Jun 2020 11:35:00 +0200

A Diary of mine was published today on the SANS Internet Storm Center. In this one, we take a look at a phishing, which accidentally exploited a 0-day vulnerability in Outlook, which allows for creation or modification of links when an e-mail is forwarded by Outlook.

SANS ISC Diary - Frankenstein's phishing using Google Cloud Storage

Jan Kopriva — Wed, 27 May 2020 10:40:00 +0200

A Diary of mine was published today on the SANS Internet Storm Center. In this one, we take a look at a strange phishing campaign, which was, due to combination of quite sophisticated and extremely amateurish components, reminiscent of the creation of Shelley’s Dr. Frankenstein.

SANS ISC Diary - Agent Tesla delivered by the same phishing campaign for over a year

Jan Kopriva — Tue, 28 Apr 2020 08:45:00 +0200

A Diary of mine was published today on the SANS Internet Storm Center. In this one, we take a look at a phishing campaign that has been running almost unchanged for more than a year and seems to be distributing exclusively Agent Tesla.

SANS ISC Diary - Look at the same phishing campaign 3 months apart

Jan Kopriva — Mon, 13 Apr 2020 11:35:00 +0200

A Diary of mine was published today on the SANS Internet Storm Center. In this one, we take a look at two phishing e-mails from the same campaign sent out 3 months apart.

SANS ISC Diary - Crashing explorer.exe with(out) a click

Jan Kopriva — Mon, 30 Mar 2020 07:55:00 +0100

A Diary of mine was published today on the SANS Internet Storm Center. In this one, we take a look at a vulnerability in the way Windows handles self-referential links, which makes it possible to use specially crafted URL and LNK files to crash Explorer.

SANS ISC Diary - Desktop.ini as a post-exploitation tool

Jan Kopriva — Mon, 16 Mar 2020 07:55:00 +0100

A Diary of mine was published today on the SANS Internet Storm Center. In this one, we take a look at a vulnerability in the way Windows handles desktop.ini files, which makes it possible to use them as an interesting post-exploitation tool.

UPDATE 27. 5. 2020: I put together a shor video demonstrating the vulnerabiltiy while preparing materials for SANSFIRE 2020. You may find it here.

SANS ISC Diary - Secure vs. cleartext protocols – couple of interesting stats

Jan Kopriva — Mon, 02 Mar 2020 06:55:00 +0100

A Diary of mine was published today on the SANS Internet Storm Center. In this one, we delve into the support of HTTP and HTTPS among web servers on the internet, as well as support for Telnet and SSH, over the last six months.

SANS ISC Diary - Quick look at a couple of current online scam campaigns

Jan Kopriva — Tue, 25 Feb 2020 06:57:00 +0100

A Diary of mine was published today on the SANS Internet Storm Center. In this one, we take a look at couple of online scam campaigns I came accross in the last weeks. A closer look at one of the landing pages used in the campaign, which was almost certainly authored by the FizzCore group, may be found here (in Czech).

SANS ISC Diary - Discovering contents of folders in Windows without permissions

Jan Kopriva — Tue, 18 Feb 2020 07:18:21 +0100

A Diary of mine was published today on the SANS Internet Storm Center. This one deals with a strange side effect of the way in which Windows deals with file permissions, which enables any user, regardless of permissions, to brute-force contents of any local folder.

UPDATE 20. 5. 2020: I put together a shor video demonstrating the weakness/vulnerability while preparing materials for SANSFIRE 2020. You may find it here.

SANS ISC Diary - Current PayPal phishing campaign or 'give me all your personal information'

Jan Kopriva — Mon, 10 Feb 2020 09:37:58 +0100

A Diary of mine was published today on the SANS Internet Storm Center. In this one we take a look at a current phishing campaign which shows quite well the current “let’s get all the users' data” mentality of the attackers.

SANS ISC Diary - Analysis of a triple-encrypted AZORult downloader

Jan Kopriva — Mon, 03 Feb 2020 07:45:10 +0100

A Diary of mine was published today on the SANS Internet Storm Center. In this one we take a look at analysis of an interesting malicious document which turned out to be AZORult downloader. What made it stand out - among its other aspects - were 3 layers of home-grown encryption…

EDIT 04/02/2020: Tom from Threat Post liked the diary and wrote an article based on it - you may find it here.

SANS ISC Diary - Picks of 2019 malware - the large, the small and the one full of null bytes

Jan Kopriva — Thu, 16 Jan 2020 07:52:08 +0100

A Diary of mine was published today on the SANS Internet Storm Center. In this one we take a look at what last year brought us, when it comes to malware delivered by e-mail, specifically at the smallest and largest malicious files I found in my e-mail quarantine.

SANS ISC Diary - Internet banking sites and their use of TLS... and SSLv3... and SSLv2?!

Jan Kopriva — Fri, 13 Dec 2019 08:22:37 +0100

A Diary of mine was published today on the SANS Internet Storm Center. In this one we take a look at the use of TLS (and SSL) on banking sites all over the world.

SANS ISC Diary - Phishing with a self-contained credential-stealing webpage

Jan Kopriva — Fri, 06 Dec 2019 07:30:00 +0100

A Diary of mine was published today on the SANS Internet Storm Center. In this one we take a look at an interesting phishing message, which carried a complete phishing web page as its attachment.

SANS ISC Diary - E-mail from Agent Tesla

Jan Kopriva — Thu, 05 Dec 2019 07:30:00 +0100

A Diary of mine was published today on the SANS Internet Storm Center. In this one we take a look at a multi-stage downloader for Agent Tesla.

SANS ISC Diary - Analysis of a strangely poetic malware

Jan Kopriva — Wed, 04 Dec 2019 08:14:33 +0100

A Diary of mine was published today on the SANS Internet Storm Center. In this one we take a look at a macro-based dropper sent to the Internet Storm Center by one of our readers.

SANS ISC Diary - Lessons learned from playing a willing phish

Jan Kopriva — Tue, 26 Nov 2019 12:08:19 +0100

A Diary of mine was published today on the SANS Internet Storm Center. In this one we take a look at baiting phishing attackers and at some of the lessons we may learn from it.

SANS ISC Diary - Did the recent malicious BlueKeep campaign have any positive impact when it comes to patching?

Jan Kopriva — Sun, 10 Nov 2019 11:55:40 +0100

A Diary of mine was published today on the SANS Internet Storm Center. If you wondered whether the recent “BlueKeep worm scare” had any impact when it comes to the number of vulnerable systems out there, then this one is for you.

EDIT 13/11/2019: Shaun from The Register liked the post and wrote an article based on it - you may find it here.

SANS ISC Diary - EML attachments in O365 - a recipe for phishing

Jan Kopriva — Thu, 31 Oct 2019 11:15:35 +0100

A Diary of mine was published today on the SANS Internet Storm Center. In this one, we take a look at the absence of filtering of EML attachments in O365 and what it can lead to.

SANS ISC Diary - Phishing e-mail spoofing SPF-enabled domain

Jan Kopriva — Thu, 17 Oct 2019 11:49:25 +0200

A Diary of mine was published today on the SANS Internet Storm Center. In this one, we take a look at SPF and when even SPF-enabled domains may be spoofed.

SANS ISC Diary - Tricky LNK points to TrickBot

Jan Kopriva — Tue, 03 Sep 2019 13:06:21 +0200

A Guest Diary of mine was published today on the SANS Internet Storm Center. In this one, we take a look at analyzing a malicious LNK file which leads us to a sample of Trickbot.

SANS ISC Diary - Open Redirect: A Small But Very Common Vulnerability

Jan Kopriva — Wed, 28 Aug 2019 14:27:02 +0200

A Guest Diary of mine was published today on the SANS Internet Storm Center. In this one, I discuss open redirect vulnerabilities and how to find them. If you’ve never heard of open redirects, this might be a useful introductory text.

SANS ISC Diary - The good, the bad and the non-functional

Jan Kopriva — Thu, 08 Aug 2019 21:31:08 +0200

A Guest Diary of mine was published today on the SANS Internet Storm Center. If you’ve wondered how do the less usual cyber attacks look, it might be worth a read…