FIRST, DCAF, and AKCESK Organized Balkan Cybersecurity Days 2024
Posted on March 30, 2024 • 3 minutes • 446 words
On March 20, 2024, FIRST (Forum of Incident Response and Security Teams), DCAF (Geneva Centre for Security Sector Governance), and AKCESK (National Authority on Electronic Certification and Cyber Security of Albania) organised a three-day event. This was the second edition of the annual event series.
I want to thank the event organisers, especially for the training. I had a chance to participate in the Threat Intelligence Pipelines course given by Jarosław Jedynak and Paweł Pawliński from Poland’s CERT.
Here are some of my notes from the event:
- ENISA shared the 2023 Threat Landscape Report on October 19, 2023.
- Automation is crucial for every aspect of incident detection and response, e.g. Intezer.
- Many threat intelligence sources, such as Censys, can map external attack surfaces. Another useful resource is the awesome-threat-intelligence repository on GitHub by hslatman, a curated list of threat intelligence sources.
- The Shadowserver Foundation helps by publicly scanning for potentially malicious hosts and domains and sharing that information with national CSIRTs (Computer Security Incident Response Teams) and law enforcement agencies.
- Poland's CERT developed an open-source vulnerability scanner called Artemis.
- Passive DNS provides historical resolution data for a domain, i.e. the IP addresses it has resolved to over time. Mnemonic's Passive DNS is a free option for that purpose.
  For the cert.pl domain name, we can see the IP addresses it resolved to in the past.
  University of Oslo CSIRT's Padde is another passive DNS search platform.
- Certificate Transparency is a good source on certificates. The web public key infrastructure relies on TLS/SSL certificates; in short, when a certificate authority (CA) issues a certificate for a domain, the issuance is publicly logged so that anyone can check that the CA is not a rogue one. Certificate Transparency's website states that since 2013 more than 7.5 billion certificates have been logged. To search those logs, crt.sh can be used. At certstream.calidog.io, the live feed of newly issued certificates can also be seen.
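As an added example (not part of the original post), this is the kind of check a defender would run over crt.sh search results for their own domain: flag log entries whose issuer is not a CA the organisation actually uses, or whose names are not in its hostname inventory. The records are constructed in the shape of crt.sh's JSON output; the allow-lists and example.com hostnames are assumptions.

```python
import json

# Constructed sample in the shape of crt.sh JSON output
# (https://crt.sh/?q=%25.example.com&output=json); all values are invented.
SAMPLE_CT_JSON = json.dumps([
    {"id": 101, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "example.com", "name_value": "example.com\nwww.example.com",
     "not_before": "2024-01-10T00:00:00", "not_after": "2024-04-09T23:59:59"},
    {"id": 102, "issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "common_name": "mail.example.com", "name_value": "mail.example.com",
     "not_before": "2024-02-01T00:00:00", "not_after": "2025-02-01T23:59:59"},
    {"id": 103, "issuer_name": "C=XX, O=Unknown Issuer Ltd, CN=Unknown CA",
     "common_name": "login.example.com", "name_value": "login.example.com",
     "not_before": "2024-03-15T00:00:00", "not_after": "2025-03-15T23:59:59"},
])

# Assumed inventory: CAs the organisation buys from, and hostnames it knows it operates.
EXPECTED_ISSUER_ORGS = {"Let's Encrypt", "DigiCert Inc"}
KNOWN_HOSTNAMES = {"example.com", "www.example.com", "mail.example.com"}


def issuer_org(issuer_name):
    """Return the O= attribute of a crt.sh issuer DN (attributes are ', '-separated)."""
    for part in issuer_name.split(", "):
        if part.startswith("O="):
            return part[2:]
    return None


def review_ct_records(ct_json, expected_orgs, known_hostnames):
    """Return one finding per (log entry, reason) that deserves a human look."""
    findings = []
    for rec in json.loads(ct_json):
        org = issuer_org(rec["issuer_name"])
        if org not in expected_orgs:
            findings.append({"id": rec["id"], "reason": "unexpected issuer", "detail": org})
        # name_value carries every SAN of the certificate, newline separated.
        for name in rec["name_value"].split("\n"):
            if name not in known_hostnames:
                findings.append({"id": rec["id"], "reason": "unknown hostname", "detail": name})
    return findings


if __name__ == "__main__":
    for f in review_ct_records(SAMPLE_CT_JSON, EXPECTED_ISSUER_ORGS, KNOWN_HOSTNAMES):
        print(f"crt.sh id {f['id']}: {f['reason']} ({f['detail']})")
```

Run against live crt.sh output, the same function turns the public log into an alert on certificates your organisation never requested.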
- PhishTank is a collaboration platform that helps people decide whether an email is phishing. It is operated by Cisco Talos Intelligence Group, and users can submit suspected emails.
  In that screenshot, we can see a currently online phishing domain.
- Malpedia is a free source offered by Fraunhofer FKIE. It serves as a reference guide for threat actors and malware families.
- MalwareBazaar is another good reference for malware information. It is a project of abuse.ch and provides signature-based intelligence, YARA rules and other helpful information for certain malware.
Lastly, I’d like to thank course instructors Jarosław Jedynak and Paweł Pawliński for sharing those informative sources. They also organised a capture-the-flag exercise on the course subjects. It made learning much more engaging. From the organisation, I’d like to especially thank Leonora Hasani from DCAF and Era Gjata from AKCESK.