Matthew Broke

Matthew Broke last won the day on November 12 2019

Personal Information

  • Bio
    Intelligence operations and security stuff.

  1. Everything that will answer your questions is within the documentation for HIBP API v3: https://haveibeenpwned.com/api/v3/ It costs only a few dollars to get a key yourself. Alternatively, people seem to "openly" share their API keys on Github, so there is that too, but I personally bought one.

    > Useful? Yes.
    > Cool features? Yes.
    > Improve security? Probably.

    Consider obtaining API keys for multiple breached data search engines, and use h8mail by khast3x: https://github.com/khast3x/h8mail
  2. Hi everyone. I believe that there is value in documenting which data breach leak forums are currently alive.

    Data breach leak forums and communities:
    - RaidForums.com
    - BreachForums.com
    - Cracked.to

    Please post with recommended additions, and we can grow the list!
  3. Breach Advisory: XKCD Forums

    XKCD forums were breached in July 2019. Only 1.5 months later, the credentials are already freely available on RaidForums. The take-away from this is that data breaches are happening more than ever before, and in many cases are quickly becoming available in a thriving data market; often, data quickly becomes publicly accessible (freely).

    HIBP Advisory: https://haveibeenpwned.com/PwnedWebsites#XKCD

    "In July 2019, the forum for webcomic XKCD suffered a data breach that impacted 562k subscribers. The breached phpBB forum leaked usernames, email and IP addresses and passwords stored in MD5 phpBB3 format. The data was provided to HIBP by white hat security researcher and data analyst Adam Davies."
    - Breach date: 1 July 2019
    - Date added to HIBP: 1 September 2019
    - Compromised accounts: 561,991
    - Compromised data: Email addresses, IP addresses, Passwords, Usernames

    RaidForums Discussion: https://raidforums.com/Thread-XKCD-Forums
    - Line count: 506,041
    - Site name: Forums.XKCD.com
    - Format: Email : PHPBB/Bcrypt passwords
    - Cracked lines: https://hashes.org/leaks.php?id=2588
    - Notes: Slightly fewer lines than the one that is being traded/sold by various other parties, so if you want the most up to date July dump then by all means inquire with them.
  4. I revisited this discussion, and researched Intel 471 a bit. They look cool. Can you tell us a bit more regarding what you know about them, and what prompted you to give them a special mention?

    They provide "Adversarial Intelligence" and "Malware Intelligence"; both could be useful, depending on how the datasets are presented.

    Adversary Intelligence Data sheet: https://intel471.com/Adversary%20Intelligence%20-%20Mar%202019.pdf

    Deliverables within Adversary Intelligence include:
    - Automated forum/marketplace collection
    - Intelligence Bulletins
    - Information Reports
    - Situation Reports (SITREPs)
    - Underground Perspectives
    - Spotlights
    - Intelligence Briefings
    - Requests for Information (RFIs)

    The 'Adversary Intelligence' sounds like it could be useful for what we discuss in this thread...
    - Tracking dark web forum and marketplace activity
    - Gaining insight through context-specific and industry-specific reports on cybercrime activities
    - Unique insight into closed-source datasets (discussions, groups, whatever)

    I'm really interested to know if they have a searchable database of their datasets, like competitors such as DarkOwl. This doesn't exactly seem clear... I guess I'll have to ask.

    Malware Intelligence Data sheet: https://intel471.com/Malware%20Intelligence%20-%20Mar%202019.pdf

    Features include:
    - Malware intelligence reports
    - YARA rules
    - IDS signatures
    - TTP information
    - Malware and botnet configuration information including webinjects
    - Malware command and control (C&C) commands
    - File and network based indicators
    - Everything mapped to MITRE's ATT&CK framework

    Well, I won't get into the 'Malware Intelligence' much on this thread -- this is information that should be discussed elsewhere, perhaps in the near future.

    But I wanted to say that I really like that they track active malware campaigns, identify the malware (with their TTPs and IOCs), and even map out the malware to MITRE's ATT&CK framework; for a threat intelligence specialist, this is extremely useful. I'm definitely going to take a note of this. Also, the backgrounds that Intel 471 claims their intelligence operators possess, well, it's incredible. I'm not sure if it's just marketing or what, but if this is legit, then colour me impressed; I hope their product is as good in quality as their claims.
  5. A big thank you to Redorhcs who saw this thread and made contributions for Norway, Netherlands, Ireland, Romania, Spain, Sweden, Czech Republic, Indonesia, Germany, Italy, Japan, Australia, Belgium and France! Very much appreciated. Also, get in contact with me if you'd like a forum invite, Redorhcs!

    There are a lot of CERT/CIRT/CSIRT sources on this page: https://www.sei.cmu.edu/education-outreach/computer-security-incident-response-teams/national-csirts/

    If someone has some time before I do, and wants to contribute, it would be useful to start identifying alerts & advisory pages from the mentioned sources in CMU's dataset. Cheers.
  6. Hi everyone! In the past year or so, National CERT teams have been ramping up their involvement in the cybersecurity industry. I have found their "Alerts & Advisories" pages to be very useful, and I'd like to compile a list of them. Please add to this list where you deem it necessary. I will track changes on this Github page: https://github.com/crypto-cypher/CERT-Alerts/blob/master/README.md

    Once a larger list is built, I'll compile the RSS sources and make a public RSS feed!

    - Canada
      - Alerts & advisories: https://cyber.gc.ca/en/alerts-advisories
    - Hong Kong
      - GovCERT alerts: https://www1.crisp.govcert.gov.hk/portal/govcert/en/alerts.xhtml
      - GovCERT advisories: https://www.govcert.gov.hk/en/advisories.html
      - GovCERT weekly bulletins: https://www.govcert.gov.hk/en/secbulletins.html
    - Jamaica
      - Ja-CERT advisories: https://www.cirt.gov.jm/cirt-advisories
      - Ja-CERT alerts: https://www.cirt.gov.jm/cirt-alert
      - Ja-CERT global alerts & advisories: https://www.cirt.gov.jm/global-alerts-and-advisories
    - New Zealand
      - CERT NZ advisories: https://www.cert.govt.nz/it-specialists/advisories/
    - Singapore
      - SingCERT advisories & alerts: https://www.csa.gov.sg/singcert/news/advisories-alerts
    - United Kingdom
      - NCSC news: https://www.ncsc.gov.uk/section/keep-up-to-date/ncsc-news
      - Reports & advisories: https://www.ncsc.gov.uk/section/keep-up-to-date/reports-advisories
      - Weekly threat reports: https://www.ncsc.gov.uk/section/keep-up-to-date/threat-reports
      - NCSC blogs: https://www.ncsc.gov.uk/section/keep-up-to-date/all-blogs
    - United States
      - US-CERT alerts: https://www.us-cert.gov/ncas/alerts/2019
      - US-CERT bulletins: https://www.us-cert.gov/ncas/current-activity
      - US-CERT current activities: https://www.us-cert.gov/ncas/current-activity
      - US-CERT analysis reports: https://www.us-cert.gov/ncas/analysis-reports
      - NJCCIC alerts & advisories: https://www.cyber.nj.gov/alerts-and-advisories

    Resources aside, has anyone else found these alerts and advisories very useful? If so, in what contexts did they help you and/or your organization?
  7. Hey everyone! I created a new club for Intelligence Monitoring Operations; the purpose of this group is to have a dedicated place for intelligence specialists to exchange thoughts on tradecraft and monitoring solutions.

    Currently, there are no posts, but that will change with time. Check it out while it's still public!


    1. Tarot Wake

       Nice idea - thanks.

  8. I think that we are discussing different types of credential leaks; I was initially focusing on standard account leaks from various websites, like what we normally see appear on Have I Been Pwned, and others. Although, in terms of validation of data legitimacy, the same constructs apply (i.e. test a subset of credentials, identify correlated users on a website, or whatever).

    That said, it seems challenging to "scan" for anything beyond this, including alleged internal network access; you comment on this by indicating that it would render these credentials useless. I mean, if you clearly state that you are selling access to a company's network, then they will be tipped off pretty quickly within the same day by threat intelligence analysts; if not that, the media will kindly inform them in the following days via VICE or something. To even identify what is impacted, you'd have to actually buy the dataset or account access. When I commented on the "weak" data leak detection capabilities of these services, I was only referring to what we'd normally see on generic data trading communities and forums. Sorry if I am rambling or misunderstood something here. I want to keep the conversation flowing.

    Automated scraping definitely won't do the trick, if the goal is to "detect breaches" as an "alert service". Going back to my point earlier in this thread, we still should check what these scrapers find for the sake of due diligence; after all, it would be quite embarrassing if we, as threat intelligence analysts, missed something that is seemingly in clear view to public-ish communities.

    HUMINT is absolutely necessary to maintain good intelligence capabilities. We need to create and maintain personas, and understand the markets and crime rings that we are monitoring, first-hand. Without this, we won't know what it is that we are actually looking for. When time frees up, I think I'll make another thread about persona creation for the purpose of threat intelligence operations -- this could be another fun discussion, if others are also interested.

    By the way, I don't blame you for not liking "breach credential alert" services. Externally, looking at data leaks on the web, this isn't terribly challenging. Internally, though, that's a different story. Hopefully with more discussions like these, we as a community can innovate and build more reasonable, better services to help protect people and businesses. Thank you for taking the time for your thought-out reply; in fact, I prefer this approach to controversial discussions.
  9. Peter, thank you for taking the time to thoughtfully provide feedback on this subject! I will address each of your points.

    1. h8mail. This looks like a great tool for querying multiple of these APIs at once; I will definitely have to test this out. I like that it has capabilities to query so many different solutions, popular and alternative alike. I'm curious to see if it can take the output of searching multiple services (i.e. domain search function) and combine the unique results into one (or if I'll have to do this myself).

    2. AIL framework. I immediately like that it possesses capabilities to monitor paste sites like Pastebin (Pro); I wonder how it fares with alternatives like Slexy, etc. Anyway, there is a lot to take in here, so I'll have to do a careful analysis of AIL framework's capabilities and come back around with a new discussion on this. It seems like it does a lot!

    3. "Digital Risk Protection" report. Have you actually read Forrester reports before? It is hard to justify a USD$499 price tag unless this is well vetted, and the content seems more clear. If you could elaborate on the contents of this type of report, then maybe it will become justifiable for myself and the other intelligence operators reading this.

    4. RecordedFuture services. Did they actually give you a trial period? I contacted them months ago (actually, last year) and they did not want to give me a day to try their services for free. They seemed more inclined on doing an analysis on my behalf, then giving me the report findings for a proof-of-concept, but I prefer to do these things myself. I'd love to hear more about your experience with RecordedFuture, and how they fare in the market. On your point of RecordedFuture having "weak" capabilities on leaked credentials, this is no surprise to me, since this appears to be the same with their competitors as well (i.e. DarkOwl).

    Can you be truly controversial here? Yes, certainly, we are "professionals" after all. We need to talk about this stuff. In fact, I agree with you that Dark Web intelligence capabilities are overhyped in the market. The other fact of the matter is that businesses still demand these services, and desire the reassurance that there are no sensitive exposures relating to their name on the Dark Web (forums, marketplaces, other communities), so we as threat intelligence specialists must have solutions put in place to realize this reassurance. The purpose of monitoring the Dark Web is more for "due diligence" than "true capabilities" in my eyes, and hey, you never know, it might pay off every now and then. Perhaps non-cybersecurity companies should not blow their budget on Dark Web capabilities, but for cybersecurity-centric companies providing managed services... well, then perhaps it is worth budgeting for Dark Web capabilities so that you can provide this level of "due diligence" for client businesses across the board, at a fraction of the cost of what it would be for them to purchase and operate their own utilities independently. This is just my perspective though; I welcome you, and anyone else, to push back on this - let's debate, since no one else seems to have responsible and knowledgeable discussions on this important, expensive matter (FYI, as you probably know, these services normally cost USD$40,000 - USD$500,000 depending on what you are looking for).

    Monitoring for actual breaches. In short, yes, I agree with your take. We must monitor websites such as Exploit.In, RaidForums, and other breach sharing sites, in addition to traditional paste websites (i.e. Pastebin, Slexy, etc.). I was thinking that PasteHunter (thanks Kev) would be a good solution for paste collections and analysis, per the thread here (and my own research): As for RaidForums, other breach sites, and ExploitIn, we will have to find another method to automate the collection of data from these websites to turn them into actionable intelligence. To some degree, manual analysis is OK, but not ideal long-term. And I'm something of a glorified script kiddie, so I'm just doing my best here!

    Scraping all the things! (forums and markets). Yep, we gotta be careful about these operations... and also, come on, have some respect that real administrators gotta deal with spam! Just because they're crime ring operators doesn't mean they need us DDoS'ing them! Haha. I have a pretty good set of lists available, but yeah, keeping up with them is hard and the search engines (special mention to Ahmia and their competitors) are helpful, but not fully complete.

    Commercial Threat Intelligence feeds. Thank you for the special mention of Intel471; I will give them some time of day and do a bit of research. I'd love to try RecordedFuture, but I need to justify buying their services. I would really like a trial period with them. Anyway, I'll take note of both of these. Additionally, I'm looking at a local commercial TI feed solution; they're newer, so I'm a bit nervous. What concerns would you personally have with trying a local solution for commercial threat intelligence services (for Dark Web specifically)? I am going to demand a trial period (even if we have to pay), so hopefully I'll be able to comment on my experience later. RecordedFuture and other popular solutions are great, but helping the local businesses and local economy (and keeping your information within your country's jurisdiction) is a nice formality as well.

    I have more to say, and may speak more on your discussed points later, as I left some things out. But Daniel, I sincerely thank you for the time that you've spent discussing this subject with me.
  10. You say that this is only a work in progress? This is incredible! This looks pretty complete to me, but if it is not, then that is even better since it is an indication of there being more to come!
  11. What solutions exist for dark web monitoring? Both commercial and open-source (regardless of cost). I'd like to monitor for threat detections that may exist in dark web oriented communities by searching for any mentions of a company's name in third-party data breach leaks, dark web search engines, dark web forums, and dark web marketplaces. Money is no issue.

    For data dumps + credentials (don't shame me for calling these 'dark web' oriented):
    - Have I Been Pwned API
    - WeLeakInfo API
    - DeHashed API
    - SnusBase API

    For general dark web forums and marketplaces, it seems that commercial solutions are the way to go:
    - DarkOwl
    - RecordedFuture (Kind of)
    - Flashpoint-Intelligence as well

    I'd like to emphasize third-party commercial platforms that are capable of monitoring dark web forums, marketplaces, and ideally more community types that I did not mention. I haven't seen any discussions in security communities covering this, and this discussion will help some threat intelligence analysts and leaders somewhere in the world, surely.

    What other solutions exist for "dark web" monitoring, based around the topics discussed in this post? How does your company monitor for "dark web" threats? Let's get creative!
  12. Personally, I believe that marketing platforms are great for social media intelligence (SOCMINT) operations. I've used Mention.com and Brand24.com, and while they may require some paid subscriptions for good features, they are fantastic for monitoring social media mentions. To compare the options available, view this community spreadsheet: https://docs.google.com/spreadsheets/d/1Jb47lzecX0D-ZCs5oh-9SqClFOjme1g9tjiCHpPO7BY/edit#gid=0