🔰 معرفی Vuls: اسکنر آسیب‌پذیری بدون نیاز به agent برای لینوکس و FreeBSD

✅ ابزار Vuls یک اسکنر آسیب‌پذیری متن‌باز و بدون نیاز به نصب عامل (Agent-less) است که برای سیستم‌عامل‌های لینوکس و FreeBSD طراحی شده است. این ابزار با استفاده از اطلاعات منابعی مانند NVD، OVAL و دیگر پایگاه‌های داده، به شناسایی و گزارش آسیب‌پذیری‌های موجود در سیستم‌ها می‌پردازد.


✅ ویژگی‌های کلیدی Vuls:
🔸بدون نیاز به نصب عامل: Vuls می‌تواند از طریق SSH به سرورهای هدف متصل شده و بدون نیاز به نصب نرم‌افزار اضافی بر روی آن‌ها، اسکن‌های خود را انجام دهد.
🔸پشتیبانی از چندین سیستم‌عامل: این ابزار از توزیع‌های مختلف لینوکس مانند CentOS، Ubuntu، Debian و همچنین FreeBSD پشتیبانی می‌کند.
🔸اسکن سریع و عمیق: Vuls دارای حالت‌های اسکن سریع (بدون نیاز به دسترسی ریشه) و اسکن عمیق (با جزئیات بیشتر) است که به کاربران امکان می‌دهد بر اساس نیاز خود انتخاب کنند.
🔸تحلیل پویا: قابلیت اجرای دستورات بر روی سرورهای هدف برای جمع‌آوری اطلاعات و شناسایی فرآیندهایی که نیاز به راه‌اندازی مجدد دارند.
🔸شناسایی آسیب‌پذیری‌های بسته‌های غیرسیستمی: توانایی شناسایی آسیب‌پذیری‌ها در بسته‌ها و کتابخانه‌های غیرسیستمی، مانند نرم‌افزارهای کامپایل‌شده دستی یا کتابخانه‌های زبان‌های برنامه‌نویسی.

✳️ مزایای استفاده از Vuls:
🔸کاهش بار مدیریتی: با خودکارسازی فرآیند شناسایی آسیب‌پذیری‌ها، نیاز به بررسی دستی کاهش می‌یابد.
🔸اطلاع‌رسانی به‌موقع: قابلیت ارسال گزارش‌ها از طریق ایمیل یا Slack برای اطلاع‌رسانی سریع به تیم‌های مرتبط.
🔸یکپارچگی با ابزارهای دیگر: امکان استفاده از رابط کاربری وب مانند VulsRepo برای تحلیل نتایج اسکن‌ها.

⚠️ محدودیت‌ها و چالش‌ها:
❗️عدم به‌روزرسانی خودکار: Vuls تنها آسیب‌پذیری‌ها را شناسایی می‌کند و به‌روزرسانی بسته‌ها را انجام نمی‌دهد.
❗️نیاز به پیکربندی اولیه: برای استفاده بهینه، نیاز به پیکربندی صحیح و تنظیمات اولیه دارد.

وب‌سایت رسمی: vuls.io
گیت‌هاب: github.com/future-architect/vuls

#Vuls
#Vulnerability

T.me/ICTlive

🔰 بهترین راهکار برای مقابله با حملات باج‌افزاری از دیدگاه یک Incident Responder :

باج‌افزارها یکی از خطرناک‌ترین تهدیدات سایبری هستند که داده‌های شما را قفل کرده و در ازای بازگرداندن آن‌ها، درخواست پرداخت پول می‌کنند. از دیدگاه یک متخصص Incident Response، بهترین راهکارها برای مقابله با این تهدید عبارت‌اند از:

1️⃣ پیشگیری قبل از وقوع حمله:

🔸پشتیبان‌گیری منظم از داده‌ها روی سیستم‌های آفلاین و ایمن (نسخه‌های Cold Backup).
🔸به‌روز نگه داشتن سیستم‌عامل‌ها، نرم‌افزارها و تجهیزات امنیتی.
🔸آموزش پرسنل برای تشخیص ایمیل‌ها و لینک‌های مشکوک (فیشینگ).
🔸استفاده از ضدباج‌افزار و نرم‌افزارهای EDR (Endpoint Detection and Response). (در پست های قبلی در مورد EDR صحبت کرده ایم)

2️⃣ تشخیص سریع و واکنش آنی

🔸پیاده‌سازی سیستم‌های SIEM و مانیتورینگ برای تشخیص رفتارهای غیرعادی در شبکه.
🔸راه‌اندازی Playbook و Runbook برای تیم‌های پاسخ به رخداد.
🔸قطع سریع ارتباط سیستم‌های آلوده از شبکه برای جلوگیری از گسترش حمله. (بخصوص سرویس های اشتراکی فایل و ...)

3️⃣ اقدامات بعد از حمله

🔸تجزیه‌وتحلیل دقیق حمله برای شناسایی بردارهای نفوذ و نقاط ضعف.
🔸بازگرداندن سیستم‌ها از نسخه‌های پشتیبان سالم.
🔸مستندسازی حادثه و آموزش درس‌آموخته‌ها به تیم IT و امنیت سازمان.

❗️ نکته کلیدی:
"پیشگیری" بهترین دفاع در برابر باج‌افزار است. هیچ‌وقت به مجرمان سایبری باج ندهید! پرداخت باج، شما را به هدفی جذاب‌تر برای حملات بعدی تبدیل می‌کند و تضمینی برای بازگرداندن داده‌ها وجود ندارد.

✳️لینک زیر برای Decrypt کردن برخی از باج افزار ها مناسب هست:
https://www.nomoreransom.org/en/decryption-tools.html

#Ransomware
#Incident_Response

T.me/ICTlive

🔰Best Open-Source Malware Analysis Tools
Malware analysis tools are typically categorized into two main approaches:

1️⃣ Static Analysis: Examining a file without executing it (code, PE structure, strings, signatures, etc.).
2️⃣ Dynamic Analysis (Sandboxing) : Executing the file in a controlled environment to observe its behavior (network connections, registry changes, processes, etc.).

🔰 Open-Source and free Tools
Static Analysis
🔸 Radare2 / Cutter: Reverse engineering framework and disassembler.
🔸Ghidra (NSA): Powerful reverse engineering tool with GUI support.
🔸Capstone / Keystone: Lightweight disassembler and assembler for scripting.
🔸Detect It Easy (DIE): Identifies packers/compilers of executables.
🔸YARA: Rule-based engine for malware detection.
🔸PEStudio: Analyzes PE file structure (free and pro versions).

Dynamic Analysis
🔹 Cuckoo Sandbox: The most popular open-source sandbox for running malware in VMs.
🔹CAPEv2: Enhanced Cuckoo version with unpacking and config extraction.
🔹REMnux: Linux distribution tailored for malware analysis.
🔹Sysinternals Suite (Microsoft): Tools like Process Monitor, Autoruns, TCPView.
🔹Volatility / Rekall: Memory forensics frameworks to analyze malware artifacts.

#Malware
#Ghidra
#Volatility

T.me/ICTlive

🔰CAPEC vs STIX , Differences & Challenges

If you’ve heard about CAPEC and STIX, you probably know their names, but few pay attention to their differences and pain points:

✳️CAPEC is a relatively clean catalog: attack descriptions, mitigations, flows, and examples. Great for understanding and training.

✳️STIX, on the other hand, is object-oriented: everything is stored as objects and relationships (Attack Pattern, Course of Action, Relationship, etc.). Excellent for graphs and CTI, but often noisy for humans.

◾️Challenges:
In raw CAPEC, everything is in one place and easy to read, but links to ATT&CK and other sources are limited.
In STIX, linking and integration with the CTI ecosystem is stronger, but analysts and researchers have to wade through thousands of objects and relationships just to reach the same simple explanation.
For learning and R&D, CAPEC is simpler and more manageable. For automation and threat graphs, STIX is the better fit.

#CAPEC
#STIX
#MITRE_ATT&CK

t.me/ICTlive

🔰Retrieval-Augmented Generation (RAG):

RAG is a key technique that combines external knowledge retrieval with large language models to improve accuracy and reliability.

✳️Common types of RAG include:

🔸Vanilla RAG: the basic approach: retrieve documents + generate answer.

🔸Hybrid/modular RAG: combines multiple retrieval methods (e.g., vector + keyword, or APIs).

🔸Agentic RAG: uses agents to dynamically decide what and how to retrieve.

🔸Self-RAG: the model evaluates and filters retrieved content before generating.



Which RAG approach do you think balances accuracy and efficiency best: Vanilla, Hybrid, Agentic, or Self-RAG, and why?

#LLM
#RAG

t.me/ICTlive

🔰Cyber Analytics Repository (CAR), Turning Raw Data into Actionable Cyber Intelligence
In today’s cybersecurity landscape, data is everywhere, but intelligence is not.

The Cyber Analytics Repository (CAR), developed by MITRE, bridges this gap by providing a structured collection of analytic methods, use cases, and detection logic to identify malicious behavior across enterprise environments.
CAR defines a standardized approach to detecting adversary techniques described in the MITRE ATT&CK
framework.

Each analytic in CAR includes:
_ A clear detection logic (based on real-world adversary behavior)
_ Mapping to ATT&CK techniques and data sources
_ Implementation examples using common telemetry sources
_ Descriptions of detection rules and evaluation strategies

Why it matters:
CAR helps security analysts, threat hunters, and SOC teams move from reactive monitoring to proactive, behavior-driven detection.

It supports organizations in:
_ Enhancing threat detection coverage
_ Standardizing analytic sharing across teams
_ Accelerating research and detection development

If you’re working on SOC automation, AI-driven threat analysis, or federated detection frameworks, CAR offers an excellent foundation for aligning analytics with adversary behaviors.

#CyberSecurity
#ThreatHunting
#MITREATTACK
#CAR
#SOC

t.me/ICTlive

🔰The hidden challenges of using MITRE ATT&CK in SOCs:

🔶 Operational & Technical Hurdles:

🔸Mapping SIEM data to ATT&CK techniques isn’t straightforward, every log source speaks a different dialect.

🔸Sensor coverage gaps mean some techniques are invisible in telemetry.

🔸Frequent ATT&CK updates demand continuous alignment and tuning.

🔷 Human & Organizational Barriers:

🔹Analysts interpret the same event differently, “T1059 or T1027?” becomes a debate.

🔹Many teams lack structured processes or consistent mapping guidelines.

🔹In the rush of incident response, accurate ATT&CK documentation is often skipped.

🔶 Strategic Challenges:

🔸Measuring SOC effectiveness via ATT&CK metrics is still vague.

🔸Threats evolve faster than frameworks, new APT tactics often appear before they’re documented.

🔸Limited time, limited resources, unlimited adversaries.

✳️ How does your SOC integrate MITRE ATT&CK today? 🤔

#SOC
#MITREATTACK
#ThreatDetection

T.me/ICTlive

🔰The growing challenges in SOC - CERT coordination:

In many organizations, the lack of effective collaboration between the security operations center (SOC) and the computer emergency response team (CERT) has become one of the key weaknesses in cyber defense.

Main challenges today include:
1- Siloed data and disconnected tools: no unified visibility across SIEM, EDR, and Threat Intelligence platforms.
2- Unclear escalation processes: SOC teams are often unsure when and how to hand over incidents to CERT.
3- Different priorities and timelines: SOC focuses on real-time response, while CERT requires in-depth, long-term analysis.
4- Missing feedback loop: lessons learned by CERT rarely flow back into SOC playbooks.
5- High workload and staff shortages: leading to burnout and reduced coordination between teams.

✳️Solution: define joint playbooks, use shared Threat Intelligence platforms (like MISP or OpenCTI), and conduct joint incident response exercises.

#SOC
#CERT

t.me/ICTlive

🔰Nowadays, antivirus solutions leverage Artificial Intelligence more than ever — using machine learning for binary and behavioral analysis, anomaly detection in traffic and commands, threat clustering, and noise reduction for analysts.
However, signature-based detection still plays a key role, especially for the fast and accurate identification of known threats, with low error rates and minimal resource consumption.

What has changed?
AI: Excellent at detecting new, polymorphic, and targeted attacks. Ideal for behavioral analysis, EDR systems, and complex pre-execution filters.
Signatures: Fast, explainable, and resource-efficient for thousands of old or well-known threats.

So, are signatures still “strong”?
✅Yes, they remain highly effective in their domain.
But against modern and evolving threats, the combination of signatures and ML/AI delivers the best results.

✳️ signatures for known patterns, and AI for unknown or suspicious behaviors.

#AntiVirus
#ML_AI
#Signature

t.me/ICTlive

While diving deep into CPE mappings, I noticed that Nmap still uses the old CPE 2.2 format (the good old cpe:/a:vendor:product:version style).
Meanwhile, NVD has long moved on to CPE 2.3 (cpe:2.3:a:vendor:product:version:*:*:*:*:*:*:*).

So there I was, staring at my Nmap results thinking, “Come on, it’s 2025, why are we still living in 2.2?” 😅

Guess it’s time to write a little script to upgrade Nmap’s CPEs.

#Nmap
#CPE
#NVD

T.me/ICTlive

🔰 What LangChain Brings to AI Development:

LangChain is one of the most powerful frameworks for building real, production-ready LLM applications. It helps you:
🔹 Connect LLMs to real data
Documents, databases, APIs, and vector stores.
🔹 Build reliable RAG systems
Accurate retrieval, context management, and citations.
🔹 Create smart AI agents
Multi-step reasoning, tool use, and automated workflows.
🔹 Deploy production pipelines
Caching, monitoring, tracing, and scalable endpoints.
🔹 Use seamless integrations
OpenAI, Llama, Milvus, Pinecone, AWS, Azure, and more.

⁉️Challenge Question:
As LLM-powered systems gain access to tools, APIs, and sensitive data through frameworks like LangChain, how can we ensure they remain resistant to prompt injection and unintended actions?


#LangChain
#RAG
#LLM

T.me/ICTlive

🔰Censys!

Censys is a powerful internet intelligence platform that continuously scans and maps the public internet, providing deep visibility into exposed devices, services, certificates, and attack surfaces. It enables security professionals and researchers to better understand global infrastructure, identify risks, and strengthen cyber defense strategies.



✳️Learn more:
https://docs.censys.com/docs/research-access-to-censys-data/

This link introduces you to the core features and research potential of this powerful tool, offering insight into how Censys data can support advanced cybersecurity analysis and academic research.


#CyberSecurity
#ThreatIntelligence
#OSINT

T.me/ICTlive

🔰How do vulnerability scanners actually detect vulnerabilities?

Different tools rely on different techniques to identify what software and services are running:
🔹Banner Grabbing – extracting version information from network responses
🔹Fingerprinting – recognizing patterns and protocol behavior
🔹Protocol-based Inspection – deep analysis of protocol messages
🔹Passive Detection – observing traffic without interaction
🔹Active Probing – sending crafted requests to trigger responses

However, despite using different detection approaches, the ultimate goal is the same:
To accurately determine which product and version exist on the target system.

For this reason, most scanners normalize their detected result into a global standard identifier:
CPE — Common Platform Enumeration
Once the software is mapped to a CPE entry, it can be matched against global vulnerability databases such as CVE / NVD to determine whether that specific product/ version is known to be vulnerable.

#Vulnerability
#CPE_CVE

T.me/ICTlive

🔰Wireshark vs Arkime, Why Both Matter in Network Security

Understanding network traffic analysis isn’t about choosing Wireshark or Arkime, it’s about knowing when to use each.

🔶Wireshark:
+Packet-Level Visibility
+Inspects traffic packet by packet
+Ideal for deep protocol debugging
+Best for small captures and detailed inspection
+Analyst-driven and manual analysis

Think of Wireshark as a microscope: Perfect for zooming into a single packet and understanding exactly what is happening.

🔶Arkime:
+Session-Level Intelligence
+Analyzes traffic at the session/flow level
+Optimized for large-scale PCAPs
+Powerful search and filtering
+Designed for Threat Hunting & Network Forensics
+Web-based UI with tagging and metadata

Think of Arkime as a satellite view: It shows who talked to whom, when, how long, and how much data.

🔹"Use Wireshark to zoom in"
wireshark.org

🔹"Use Arkime to see the big picture"
arkime.com

#Wireshark
#Arkime
#Packet_Analysis

T.me/ICTlive