Knowledge platform

With independent articles, interviews, and videos from professionals for professionals.

A confusing mix of digital incident notification laws

We note divergent digital law trends of statutory nature – many of which have been going on for some time, starting-out two or even three decades ago. Just to give an idea in an at random sequence: modernizing and extending intellectual property laws, updating penal legislation with new crimes like hacking and computer sabotage, amending the Criminal Procedure Code with extensive powers for the police and public prosecution, strengthening the legal position of the online consumer, introducing and tightening data privacy laws, adjusting evidence laws, and implementing security regulations.

DeTT&CT: Mapping your Blue Team to MITRE ATT&CK™

A month ago we, Ruben and Marcus, released the first version of DeTT&CT. It was created at the Cyber Defence Centre of Rabobank, and built atop of MITRE ATT&CK. DeTT&CT stands for: DEtect Tactics, Techniques & Combat Threats. Today we released version 1.1, which contains multiple improvements: changelog. Most changes are related to additional functionality to allow more detailed administration of your visibility and detection.

By creating DeTT&CT we aim to assist blue teams using ATT&CK to score and compare data log source quality, visibility coverage, detection coverage and threat actor behaviours. All of which can help, in different ways, to get more resilient against attacks targeting your organisation.

In this blog we start off with an introduction on ATT&CK and continue with how DeTT&CT can be used within your organisation. Detailed information about DeTT&CT and how it can be used, is documented on the GitHub Wiki pages. Therefore, the explanation we give in this blog will be high-level.

IT testlabs for everybody!

Not too long ago I was in a SANS course, about the Critical Security Controls. More than once our teacher Russell nudged us, suggesting that “you could be applying these to your home network as well!” which brought us to the subject of testlabs. “What would make a good testlab for us?” was something asked along the way.

To sum things up: it really doesn't have to be glamorous! As long as your lab helps you experiment and learn, it's a good lab for your! So here's a few quick reminders for IT folks who would like to get their feet wet in setting up their own labs.

Contribute to the knowledge platform?

Two Factor Authentication Cross Site Request Forgery (CSRF) vulnerability (CVE-2018-20231)

At BitnessWise we recently did a review of a few Two Factor Authentication (2FA) plugins for WordPress. First we selected some candidates based on usability and free-version features and after that performed a technical review of the plugin. This revealed a vulnerability we’d like to discuss in this post for future reference and to better understand the issue.

Abusing Exchange: One API call away from Domain Admin

In most organisations using Active Directory and Exchange, Exchange servers have such high privileges that being an Administrator on an Exchange server is enough to escalate to Domain Admin. Recently I came across a blog from the ZDI, in which they detail a way to let Exchange authenticate to attackers using NTLM over HTTP. This can be combined with an NTLM relay attack to escalate from any user with a mailbox to Domain Admin in probably 90% of the organisations I’ve seen that use Exchange. This attack is possible by default and while no patches are available at the point of writing, there are mitigations that can be applied to prevent this privilege escalation. This blog details the attack, some of the more technical details and mitigations, as well as releasing a proof-of-concept tool for this attack which I’ve dubbed “PrivExchange”.

Click me if you can, Office social engineering with embedded objects


Microsoft Office documents provide attackers with a variety of ways to trick victims into running arbitrary code. Of course an attacker could try to exploit an Office vulnerability, but it is more common to send victims Office documents containing malicious macros, or documents containing embedded (Packager) executable files. 

To make these attacks harder, Microsoft has been adding security measures to Office that are aimed at protecting victims from running malicious code. A well-known measure is to open documents in Protected View when they are downloaded from the internet. Office 2016 and Office 365 contain additional security measures like a GPO to disable macros altogether when a document is downloaded from the internet. And the Packer file extension blacklist that blocks running of blacklisted file types. 

TaHiTI - Threat Hunting Methodology

During several months we worked together with a number of Dutch financial institutions to create the threat hunting methodology called TaHiTI. Which stands for Targeted Hunting integrating Threat Intelligence. You can obtain it from here:

The goal of this collaboration was to reach a joint understanding of what threat hunting is and to come up with a common approach how to carry out threat hunting. As the name implies, threat intelligence has an important role within this methodology. It is used as a source for creating hunting hypotheses and during the hunting investigation to further contextualize and enrich the hunt.

The Legal Look: The Overlooked Categories of Cyber Threats

When money is not an issue companies tend to look at legal standards differently. Today, also digital entrepreneurs seem to go their own way more than ever before. Take Uber. Since its establishment in 2009, all kinds of legal conflicts of weight have occurred in various jurisdictions. From large-scale privacy violations and alleged misuse of trade secrets to claims based on structural sexual harassment and misleading a supervisory body. Exemplary, however, are the legal battles relating to its UberPOP ride-share service, executed by ordinary people who love to moonlight. This business model fundamentally clashes with the licensed passenger transport regulation that many countries have in place. You could have counted that on your fingers in advance. 

Cyber security in 2018 and 2019: Looking back and moving forward

A closer connection to the real world

From a risk perspective 2018 was an interesting year. But what will 2019 bring? In this blog series we look back but more so: we move forward. How can blockchain technology, cyber security, risk sensing and privacy help you gain a competitive advantage in the years to come? Episode 1 is about cyber security: the connection between digital and physical worlds.

Contribute to the knowledge platform?

On scarcity and the blockchain

In an otherwise perfect interview on the importance of social innovation (that I wholly agree with and that I encourage everybody to read) Jaromil said something interesting about the use of blockchain to create scarcity in the digital realm.

With the blockchain the situation is paradoxically creating scarcity, because if I give you something I will not have it anymore, and I can’t spend it anymore. The blockchain creates for the first time a condition in which it will be possible to create a unique asset in the digital dimension.

​ OPSEC for Blue Teams part 1 - Losing Defender’s Advantage

This is a three-part blog about OPSEC for Blue Teams. This first part expresses some of my ideas about the risk of alerting the adversary and OPSEC for getting OSINT and context on domains and IPs. The second part is about testing tools (I performed tests on PassiveTotal and VirusTotal) which provide context and/or OSINT in relation to OPSEC. The last part will be on sandboxes, secure communications and sharing of info & data when dealing with a targeted attack.

When talking about adversaries in this series, I mean the ones which are targeting your company. So I do not discuss a threat actor executing a malware or phishing campaign against a large and diverse group of victims. You can be less strict on following certain OPSEC rules when you know you deal with a non-targeted attack. Still, following secure practices in both cases will make sure your default behaviour is in line with good OPSEC rules.

Crypto currency or ads.. Do we get to choose the lesser evil?

Since a few months now, we are confronted with a new phenomenon. Websites that are mining crypto currency using javascript and thus the processor of the person visiting the website.

As usual the vendors of security products quickly jump on this band wagon to sell their goods.

Since it is my job to keep our organisation informed of emerging security threats, I’ve also been trying to determine how much we should worry about this new trend.

To be honest. I’m not really sure…

Can a hacker be a builder instead of a breaker?

It’s one of the certainties in life: when summer approaches and the large hacking conferences such as Black Hat and DEF CON are upon us, the security media starts spinning its wheels. These are the moments when the ‘celebrities’ of our field have their red carpet premiere – what kind of fascinating new research will they show? This research is of course often about some form of hacking – and that’s exactly the point I want to address. What is the point of proving something is broken? Are we over-valuing these “stunt hacks”? And would the industry as a whole not be better off if we focused a bit less on breaking things, freeing up some of our time for building and improving?

Contribute to the knowledge platform?