Mapping Attack Methodology to Controls

I’m handler for today and I’ve got a post up about mapping controls. One of the key points is to make sure you do this for each attack method you respond to.


522 Error Code for the Win

I’m ISC Handler for the day; stop by the site and see my latest post about using HTTP error code 522 to detect infected machines.

Kippo Honeypot Cousin Cowrie

I’m ISC handler of the day and I’ve got a great post on setting up AppArmor, SQLite3, and DShield with Cowrie. Please drop by ISC and check it out.

Automating Metrics using RTIR REST API

I’m handler for the day at the SANS Storm Center. Please check out my post on creating a REST API script.

WPA-PSK Research Paper Review

I’m Handler for the day! Check out my post on the new WPA-PSK paper.

Stormcenter Post

My first post as a Handler is up. It talks about Litecoin mining and backdoors.

My SANS GCIA gold paper has been published! It was a lot of work, but I’m very excited about it. You can get the paper here and the software here.

Responding to incidents in an efficient manner is critical for all CIRTs. This paper presents a new open source tool for the enterprise. With this tool, responders will be able to detect incidents by applying anomaly detection to aggregated data collected from hosts. OHIDS includes a sensitive data finder to allow appropriate escalation of the incident. This software can be utilized in a proactive manner by removing SSNs and credit card data before incidents occur or by detecting unauthorized software running.