IT Security Blog

16. Oct, 2018

When was the first time I did public speaking? That is something I can no longer remember. I never even imagined doing it, as I was very shy standing in front of the class, even just for recitation, during my high school days.

It was 2003 when I was given a chance to teach a Red Hat Linux 7.0 class at Informatics Philippines (Robinsons Galleria branch), and I discovered that it was so natural for me to deliver a class presentation and share knowledge with fellow IT professionals. I still remember those students from the government office (POEA) who were starting to adopt and set up an open source operating system in their environment. And I would say this is the moment I knew what I love to do. Share knowledge.

There are so many top-caliber InfoSec practitioners who are very good at their craft but cannot survive in front of a live audience. Are they just being selfish about sharing their knowledge with others? Do they have stage fright? Or do they simply lack the soft skills or the art for it?

Is public speaking a skill, or could it be a passion like art, something we love to do every day: fishing, freediving, kite flying, meditation, baking, singing, painting, and so on?


The Technique

Every passionate person who speaks publicly lets every word come out of their mouth naturally. You will never see them tense and nervous, at least after a couple of times doing it. In one out of ten audiences there will be someone who is better or more experienced than you, but remember they are there to learn something new or even to share what they know. So don't overthink it, or that becomes your Waterloo (…wow, that's rhyming).

Mastery of the subject is the best advice I can share. If you know your stuff, that's all the audience cares about.


Experience is the Best Teacher

Gaining more knowledge and acquiring more experience makes one a good speaker. You may not know everything, for as the saying goes, "there are so many ways to call a chicken." But your unique style, what distinguishes you from the others, is your bargaining power, your arsenal. Everything can be googled, but passion cannot, as it comes from the heart and not from the net.

So practice more often and actively participate in local talks, as it will help boost your soft skills and confidence, and eventually you can present at international events.


Body Language

We all have mannerisms: hand gestures, body movements, happy feet, statue posture, monologue syndrome, the "pa-cute" effect, and even facial expressions. Be mindful of these, as they become bad habits and annoy the audience.

Personally, I love walking around, just like when I was still in academia. I am not comfortable holding a microphone, as I use my hands for expression. And I usually crack jokes to break the ice, most especially after lunch or when the audience is already bored by the other speakers.

So be aware of these, because they either make you awesome or gruesome on the stage.



The choice of words and the quality of your slide deck define your presentation, and what makes you a good speaker depends on the lessons learned that stay with the audience. No matter how advanced your topic is, how you deliver it is meaningless if it does not make a positive impact on your spectators.

The dialect you use will depend on your audience and even the place: technical people, businessmen, students, military, and others. But as much as possible, English would be the norm.

And to answer the question, is public speaking an art or a skill? In my humble opinion, I would say it is both. It may not be for everyone, but it is worth trying. So I encourage every IT professional to contribute, as that is what separates the men from the boys.

What are your thoughts on this 🙂?

22. Jun, 2018

An Incident Responder (IR), whether in DFIR, CSIRT, or CERT, in IT or OT: the mindset is always proactive and out-of-the-box thinking against both insiders and advanced persistent threats (APTs). Always assume that the network has been breached, and stay paranoid about the adversary's tools, techniques, and procedures (TTPs) in any attack.

Critical reasoning, agility, and being self-driven are a must. An IR does not rely on the arsenal in place alone, but on knowing how cybercriminals think and move. A DFIR profession is not just an 8-hour job. Continuous learning and research even after office hours are required. On-call support is also part of it, and when an incident occurs, an IR must drop everything, respond to the critical alert, and join the team in the "war room".

This may not be fair, but it is what it is, and that is what makes an IR special. They are like the Marines, "the few and the proud". If none of these characteristics is present in a member of the DFIR team, then that person is probably not fit to become one.


Tools of the Titan

The framework is a vital recipe in an incident response program. It is the building block of the incident response playbooks and the policies that should be followed, from Detection and Analysis up to Remediation and Documentation. It is the cheat sheet of every responder, whatever arsenal they may have: SIEM, EDR, DLP, UBA, AV, NMS, FW, IDS/IPS, WAF, anti-phishing, and forensic tools.

This framework should be adapted from industry standards like NIST, NERC, and other known best practices, because these are proven, effective methodologies that have been in use for decades.

It is important to note that the choice of every security tool must not be based on scuttlebutt or merely on a survey, but on each organization's use cases. A big factor to weigh is the maturity of the security solution provider in a specific product. For example, one vendor may be known for a forensic acquisition and analysis tool but not for Endpoint Detection and Response.

Creating use cases is most efficient when it is based on both experience and research, as that covers both sides of the coin: your organization and others as well. Sometimes it could be overkill, but if cost is not an issue then at least you picked the right tool. But if you missed some criteria, you will regret that security gap until the subscription expires, and you will have failed to maximize your annual budget. And not only that: your reputation as the analyst who did the POC and recommended the tool suffers too.


Heart of a Hunter

Most IRs hunt based only on indicators of compromise (IOCs) and less on indicators of attack (IOAs), which should also be considered in threat hunting. Most adversaries will not use common attacks with known IOCs, in order to defeat detection and prevention; instead they will abuse OS tools like PowerShell, Netcat, Nmap, and other double-edged programs.

These programs, when combined with penetration testers' toolkits, are very effective, as they are powerful in executing APT attacks. The lists below were publicly shared by Cybereason in one of their webinars in 2018.


Exploitation Frameworks

  • Metasploit
  • Cobalt Strike
  • Kali


Vulnerability Scanners

  • Nmap
  • ZAP


Credential Dumpers

  • WCE
  • Mimikatz


Powershell Frameworks

  • Powersploit
  • Empire

This is what makes a DFIR role exciting. The enemy is within. Adversaries just need one chance to break your "defense-in-depth", while an IR needs nothing less than 100% to protect their turf.

For threat hunting, an IR should be looking at attacks from different angles:

  1. Persistence
  2. Data Exfiltration
  3. Lateral Movement
  4. Command & Control
  5. Privilege Escalation
  6. Command Execution

Visibility and control are very important for this. You cannot protect what you don't know. Asset management has a vital role in protecting any organization; from it, you will also know which machines remain unpatched.


Skills of Possession

Continuous learning and R&D have already been mentioned in many of my articles, and that will remain so whatever operational field of IT you are in. Some take certifications in a specific field, but in my case I preferred continuing education like a master's degree, a professional graduate diploma, or doctorate courses, as these do not have expiration dates; you can literally carry them even when you are six feet under.

Although neither guarantees becoming an effective DFIR unless taken and executed by heart, and not just as decorations for email signatures to amuse headhunters or human resources who do not understand those badges at all.

Experience is still the best teacher, and practice makes perfect, I guess. Below are some skills a DFIR must possess, in my honest opinion.

  1. Computer Forensics
  2. Mobile Forensics
  3. Binary Analysis
  4. Reverse Engineering
  5. Vulnerability Assessment
  6. Penetration Testing / Red Teaming
  7. Network Forensics
  8. Cryptography
  9. Basic Programming
  10. Cyber Threat Intelligence
  11. Computer HW/SW Troubleshooting
  12. Traits of a Leader

Having a background in systems administration, Windows or Unix, is a plus. I would also add communication skills, both written and presentation, as an IR will need these. How could one create a policy or playbook, or an executive or even technical summary report, with difficulties writing in layman's terms? This is mandatory.

Imagine that one fine day you may be facing the jury inside a court of law to defend inculpatory evidence that you have written up in your forensic analysis report; if you have no practice speaking in front of an audience, you might end up shaking and peeing in your pants.

Realistically, not all of these skills can be acquired by one person, but at least two of them should be mastered; three is good, four is better, and all of them is best, which makes you a one-man team 😀!


Learning is Fun if Free

Registering for different online CTFs, enrolling in free educational sites, or downloading a real "ghost in the wire" and dropping it into an isolated VM on a non-company laptop to dissect it (static analysis), analyze its behavior, and run it (dynamic analysis) to validate your analysis are good routines.

REMnux (Reverse Engineering Malware Linux) is a good Linux distro to start with, or SIFT (SANS Investigative Forensic Toolkit) too. If you are a Windows user, you may want to try FOSS debuggers like Radare, Immunity, or OllyDbg for reverse engineering. A licensed IDA Pro is an awesome tool for static malware analysis.

The same goes for PCAPs, which are downloadable online: open them in tools like Wireshark or NetworkMiner. Raw memory or disk image dump files can be run through Autopsy, Redline, OSForensics, AD FTK, Volatility, ProDiscover, and other tools of the trade of your choice.

Crawl the 5th layer of the web for threat intelligence, and also use automated OSINT tools, to proactively gather information on different types of cyber-attacks and threat actors before they surface on the Internet.

I would say self-discipline is your best enemy here, as you will be doing this in your non-working hours. If you are too lazy to spend one hour of your free time learning this stuff, then probably IR is not the type of role that fits you.

However, not all FREE stuff is good. Sometimes you need to invest in training or formal schooling. Not everything is taught on the free sites, as the trainers may not have acquired their knowledge for free either, and that is fair enough so that their investments return as well. But I know what you're thinking 😋. Well yes, you can use Google Dorks for that, or torrents, or ask friends; it totally depends on your strategy for getting resources.

Attending meetups and conferences, whether free or paid events, is part of sharpening your IT security skills and knowledge.



"There are so many ways to kill the chicken," as I always say. I may have my personal opinion based on my experience and the tools that I use in real cases, and any DFIR/CSIRT/CERT has their preferred ones too.

This article aims to give a glimpse of a day in the life of DFIR to any aspirants, and also to security operations managers ("not all though 😎 hehe") so they would understand how tough the job their subordinates are doing every day is, and not micromanage but instead trust them and lead: mentor, empower, challenge, appreciate, value, involve, and always keep the team on a mission! These are people, not things that can be managed!

This article also reminds me to stick to the fight till the hardest hit, and even when things get harder, I should not quit. ("Sounds like a fraternity 🤪").

Humongous appreciation for the read, and thanks to the long hours of flight that let me compose this article while crossing the Pacific Ocean 😀.

21-gun salute to all Forensicators and Incident Responders… The "Blue Teamers"!

10. Jun, 2018


When I spoke at one of the local cybersecurity conferences in Panay in November 2017 on "Evading Social Engineering Attack | Hacker's Frontier", specifically on phishing, most of the approach was manual. But in this article, I would like to share something that is automated, using Open Source Intelligence (OSInt), with which every member of the family and the community is 99% safe.

And where does the 1% go? Well, it is the common sense that humans most often don't use when connected to the Internet that makes us vulnerable; adversaries just need to try their luck, and it works 90% of the time according to a Forbes survey early last year, 2017.

Remember that crackers (bad hackers) are like snipers, who are very patient, aiming to shoot us and waiting for the one-time fortune cookie to compromise our network.


1st Defense
One of the longest publicly available tools, which I used when VirusTotal and other sandboxing sites were not yet online, is Netcraft. It was already there so that you could verify whether a website is bogus or has a bad reputation through its risk scoring system.

I remember sharing this tool at a student convention in Clark, Pampanga (SSITE 2006) when I was invited by the PSITE Region III president, right after the government sent me to Taipei, Taiwan for two months of studies in E-Commerce (an APEC-ADOC collaboration); the same year I graduated with my master's degree in IT.

So, it means Netcraft has already been an OSInt source for a long time, one that most IT security people do not know about. And if they do, they merely rely on their company tools, worth hundreds of thousands of dollars, which do not work 100%.

Good for them if that works, but not for their loved ones who do not have those tools installed on their devices. Much more so if it's an IoT/IIoT device.

Netcraft has an anti-phishing toolbar or add-on for Firefox, Google Chrome, and Opera, whose installation guide can be found here:

2nd Defense
This arsenal blocks known malicious domains, preventing your computers and IoT devices from connecting to malware or phishing sites. Whenever a user clicks on a website link or types an address into a web browser, the DNS server checks the site against IBM X-Force threat intelligence, which includes 800+ terabytes of threat intelligence data, including 40B+ analyzed web pages and images and 17 million spam and phishing attacks monitored daily.

Isn't it that awesome?!

This tool is called QUAD9. To learn more about it, get some popcorn and click this link:

For Apple and Microsoft computer users, the setup procedure can be followed here: Yes, you read it right. Setup, not download and install. And it will take you less than a minute. Probably 10 minutes if you are not tech savvy.

The way both work is that they automatically block phishing sites that are known to their threat intel. Actually, Firefox and Google Chrome have this mechanism in place, but having three arsenals would be much better than one or none.

There is no one-size-fits-all solution for every IT security problem. But the moment we believe that we are 100% secure because of the tool we are using, based on its price and popularity, that is just the 1% I mentioned earlier that the adversary was waiting for to hack you.

8. Jun, 2018

Ever heard your computer sound like a Boeing 747 about to take off while browsing the Internet? Strange as it seems, because you thought you had anti-malware installed on your system. It is not only because you are using pirated software (beware of illegal copies); it is actually cryptojacking, utilizing your web browser while you are online.

What is Cryptojacking?
Cryptojacking is defined as the secret use of your computing device to mine cryptocurrency through a web browser, using JavaScript to mine for cryptocurrencies.

JavaScript runs on just about every website you visit, so the JavaScript code responsible for in-browser mining doesn’t need to be installed. Citation: Li, R. (2018). Hacker Bits. Retrieved from

In my opinion, this is a form of malware (malicious software) exploiting the vulnerabilities of your web browser. Yes, you are right, patching could be one of the solutions, but wait, there's more!

In incident response, we call these IOCs: indicators of compromise. These are known malicious IP addresses, domain names, or hashes (MD5 or SHA-256, commonly).

So what are we going to do with these IOCs? Well, basically, we just need to put them in the hosts file on our Windows computer using the elementary steps below.

1. Press the Windows key.
2. Type Notepad in the search field.
3. In the search results, right-click Notepad and select Run as administrator.
4. From Notepad, open the following file: c:\Windows\System32\Drivers\etc\hosts.
5. Make the necessary changes to the file. In this case, we need to enter the values in exhibit "ART" below.
6. Click File > Save to save your changes.

Exhibit ART


# Does not seem to work anymore, but keeping it here just in case it gets revived

# These were Obfuscated

After saving this to the hosts file, restart your computer if you wish, but it is optional, as this takes effect in no time.
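To show what the manual hosts-file edit above and the "is it taking effect?" check in the FAQ amount to in code, here is an added example that is not part of the original post. It takes a list of IOC domains, appends sinkhole entries for the ones not already present, refuses anything that is not a plain hostname, and then answers the FAQ question offline by reading the merged file back. The hosts content and the IOC domains (miner.example and friends) are constructed placeholders, since the post's own "Exhibit ART" entries are obfuscated; on a real machine you would write the merged text back to c:\Windows\System32\Drivers\etc\hosts from an administrator prompt.

```python
import re

# Constructed sample of an existing hosts file (stands in for
# C:\Windows\System32\Drivers\etc\hosts on the reader's machine).
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#   127.0.0.1       localhost
0.0.0.0 already-blocked.example
"""

# Constructed placeholder IOC domains; the post's own "Exhibit ART" list is
# obfuscated and is not reproduced here.
IOC_DOMAINS = ["miner.example", "coin-pool.example", "already-blocked.example", "MINER.example"]

# Sinkhole address. 0.0.0.0 fails immediately; 127.0.0.1 would instead hit
# anything listening on the local machine.
BLOCK_TARGET = "0.0.0.0"

# Hostname syntax check: dotted labels of letters, digits and hyphens.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")


def normalize_domain(domain: str) -> str:
    """Lower-case and strip whitespace and trailing dot so duplicates compare equal."""
    return domain.strip().rstrip(".").lower()


def is_valid_hostname(domain: str) -> bool:
    """Reject anything that could not be a hostname (spaces, stray characters, URLs)."""
    return HOSTNAME_RE.match(normalize_domain(domain)) is not None


def parse_hosts(text: str) -> dict:
    """Return {hostname: address} for every active (non-comment) line of a hosts file."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments, including inline ones
        if not line:
            continue
        address, *names = line.split()
        for name in names:
            mapping[normalize_domain(name)] = address
    return mapping


def build_block_entries(iocs, existing_text: str) -> list:
    """Return 'address domain' lines for IOCs that are well-formed and not already present."""
    existing = parse_hosts(existing_text)
    entries, seen = [], set()
    for raw in iocs:
        domain = normalize_domain(raw)
        if domain in seen or domain in existing:
            continue
        if not is_valid_hostname(domain):
            raise ValueError(f"refusing malformed hostname: {raw!r}")
        seen.add(domain)
        entries.append(f"{BLOCK_TARGET} {domain}")
    return entries


def merge_hosts(existing_text: str, iocs) -> str:
    """Append a commented block of new IOC entries; running it twice changes nothing."""
    new_lines = build_block_entries(iocs, existing_text)
    if not new_lines:
        return existing_text
    sep = "" if existing_text.endswith("\n") else "\n"
    return existing_text + sep + "\n".join(["# IOC block list (added)"] + new_lines) + "\n"


def resolves_to_sinkhole(hosts_text: str, domain: str) -> bool:
    """The FAQ check, done offline: does the hosts file send this name to the sinkhole?"""
    return parse_hosts(hosts_text).get(normalize_domain(domain)) == BLOCK_TARGET


if __name__ == "__main__":
    merged = merge_hosts(SAMPLE_HOSTS, IOC_DOMAINS)
    print(merged)
    for name in IOC_DOMAINS:
        state = "blocked" if resolves_to_sinkhole(merged, name) else "NOT blocked"
        print(f"{name:28} {state}")
```

Two design points: the sinkhole address is 0.0.0.0 rather than 127.0.0.1, so a blocked name fails instantly instead of connecting to whatever is listening locally, and every entry goes through the hostname check because a stray URL or a line with a space pasted into the hosts file silently breaks nothing but also blocks nothing. Note that once a name is in the hosts file, a ping from the same machine resolves it to the sinkhole as well, so checking whether the real site is up needs a lookup from a machine (or a resolver) that does not have the entry.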

FAQ - Frequently Asked Question
Q: How to know that it is taking effect?
A: Try to visit one of the websites from the entries you just put in the hosts file and you should see a BLANK page. The website is not actually down, but your browser is not going through.

Q: How would I know the site is up when the web page is showing blank?
A: The site is "pingable". Refer to Uncle Google on how to ping an address and you are good to go.

Q: Can I use the same method to block porn sites so my kids can't visit adult sites while I am away and they are using my computer?
A: Absolutely! You just need to know all the sites to put in the hosts file, including your favorite one.

Q: Do we violate any regulations like GDPR, FedRAMP, data privacy, etc.?
A: No. Not even sexual harassment or obstruction of justice.

Q: Where can I go if I still have other questions to ask?
A: First, click the link below, then send me a message on LinkedIn or FB and I've got you covered.

Open Source Intelligence (OSInt)


About the Author
Michael Rebultan, aka “Art” has more than 15 years of experience as an IT professional with a background in PCI-DSS audit, Unix/Linux server administration and lockdown, R&D, VAPT, and currently a DFIR in both IT and ICS/SCADA environment. He is holding a master degree in IT with major in E-Commerce security and with a professional graduate diploma in Digital Forensics and Cyber Security as continuing education. And has been a local speaker of FOSS Asia (Singapore), Null Singapore, PEHCON (Philippines), Linux Meet-Up Group (Singapore).

Specializing in Computer Forensics, Network Intrusion, Data Breach, Cybercrime Investigation, Volatile Memory, and Malware Analysis.

6. Jun, 2018

"Humans are the weakest link in the cybersecurity chain." If you haven't heard this "gossip" yet, well, it's a fact.

When we hear about "phishing", our normal response is to be careful about clicking URL links in email content that redirect us to malicious websites on the Internet, and yet we tend to forget about the risks within an hour, or days. Often, we think that our antivirus will be able to protect us: a myth, no matter how "next generation" they call themselves. That's what they are good at, marketing!

As an IT security practitioner, I have a duty to the community not only for cybersecurity awareness but also to empower every human who has devices connected to the public network.

I strongly do not recommend using this procedure to upload sensitive or confidential files to a public site, most especially in relation to your company. Contact your awesome IT security team and strictly follow your organization's policy.

In this first article related to phishing, I will be sharing very basic technical steps that even an elementary schooler with a basic computer background could understand and follow.

1. Analyzing Email Sender
Usually, we focus only on the sender's name but not the sender's email address, which is where "spoofing" happens most of the time. If you know the correct spelling of your company's domain, it should be easy to spot whether the sender's domain is legit or fishy.

If you want to confirm the domain is not bogus, you may simply copy and paste it into a public site that checks phishing domains and malware -

An example is, where you copy everything after the "@" sign and paste it into VirusTotal under the "Search" tab (the website address was mentioned earlier) and see the verdict.

2. Analyzing URL Link
Here there are two ways to get the link, which you can then copy and paste into VirusTotal.

1st: Hover your mouse pointer over the link, which typically appears as underlined text in the default blue color. Right-click, select "Copy Hyperlink", and paste it into VirusTotal.

2nd: If the URL link (e.g: ) is already exposed, simply follow the same step as the first.

3. Analyzing Email Attachment
Whenever your fingers are too itchy to double-click the attachment in the email, "smile". Yes, smile, so you would remember this patching that I created merely for you.

What you can do here is "Save As" the file into your favorite folder. Rename it if you wish. Go to VirusTotal, upload it (Choose file) under the "File" tab, and wait for the analysis.

What VT does is generate a file signature called a "hash" and check it against its database of IOCs (indicators of compromise) from 55+ different antivirus vendors. So if the file is confidential or personal, most likely VT will have no result on it, as it is not yet known to be malicious.
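The three manual checks above (sender address, link target, attachment hash) can be run over a saved message in one pass. The following is an added example, not code from the original post: it parses a constructed phishing-style email with Python's standard email library, compares the sender's address domain (not the display name) against an assumed organisation domain of example.com and flags digit-for-letter lookalikes, lists every link whose visible text points at a different host than its real href, and computes the SHA-256 of each attachment so the hash can be searched on VirusTotal without uploading the file. The message, the domains, and the homoglyph table are all constructed for the example.

```python
import email
import hashlib
import re
from email import policy
from urllib.parse import urlparse

# Assumed legitimate domain of the reader's organisation (not from the post).
ORG_DOMAIN = "example.com"

# Constructed raw message, not a real phishing sample: the display name
# suggests an internal sender, the address domain is a lookalike, the link
# text and its href disagree, and a small attachment is included.
RAW_EMAIL = b"""From: "IT Helpdesk (example.com)" <helpdesk@examp1e.com>
To: user@example.com
Subject: Password expiry notice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Your password expires today. Reset it now:
<a href="http://login.examp1e.com/reset">https://login.example.com/reset</a></p>
--b1
Content-Type: application/octet-stream; name="invoice.txt"
Content-Disposition: attachment; filename="invoice.txt"

constructed sample attachment, nothing malicious in it
--b1--
"""

# Digits commonly swapped for letters in lookalike domains (constructed, not exhaustive).
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def sender_domain(msg) -> tuple:
    """Step 1: return (display_name, address, domain) so the address, not the name, is judged."""
    addr = msg["From"].addresses[0]
    return addr.display_name, addr.addr_spec, addr.addr_spec.rpartition("@")[2].lower()


def is_lookalike(domain: str, legit: str) -> bool:
    """True when the domain differs from the legitimate one only by homoglyph swaps."""
    return domain != legit and domain.translate(HOMOGLYPHS) == legit


def link_mismatches(msg) -> list:
    """Step 2: (visible text, real href) pairs whose hosts differ, like hovering the link."""
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    mismatches = []
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', html, flags=re.I | re.S):
        shown = text.strip()
        shown_host = urlparse(shown).hostname or shown  # non-URL text is compared as-is
        if urlparse(href).hostname != shown_host:
            mismatches.append((shown, href))
    return mismatches


def attachment_hashes(msg) -> dict:
    """Step 3: SHA-256 per attachment, the value to search on VirusTotal instead of opening the file."""
    return {
        part.get_filename(): hashlib.sha256(part.get_payload(decode=True)).hexdigest()
        for part in msg.iter_attachments()
    }


def triage(raw: bytes) -> dict:
    """Run the three checks over one raw message and return the findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    name, address, domain = sender_domain(msg)
    return {
        "display_name": name,
        "sender_address": address,
        "sender_domain_is_org": domain == ORG_DOMAIN,
        "sender_lookalike": is_lookalike(domain, ORG_DOMAIN),
        "link_mismatches": link_mismatches(msg),
        "attachment_sha256": attachment_hashes(msg),
    }


if __name__ == "__main__":
    for key, value in triage(RAW_EMAIL).items():
        print(f"{key:22} {value}")
```

Searching the hash rather than uploading the file keeps a confidential attachment off a public service, which is the concern raised at the top of this post; a hash with no result simply means the file is unknown to VT, not that it is clean. The link check reports any anchor whose visible text is not a URL on the same host as its href, so "click here" style links show up too and are worth hovering over.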

Aside from VirusTotal, there are plenty of free online antivirus and domain scanners to combat phishing. Below are a few to mention.


What is Next?
Watch out for the next in this series, which is PATCHING HUMAN S2PDT 102 - "PHISHING DEFENSE WITH OSINT".
