Day 2

Inside a CTI investigation

Location: Oceania
Theme: Core of Tech
Session complexity:
Time: 15:00 - 15:50

In July 2024, the Security Operations Centre (SOC) of the Dutch Tax and Customs Administration identified a domain that appeared to be associated with a certificate belonging to the Dutch Tax and Customs Administration. After a quick analysis, we determined it wasn’t our infrastructure, but now we had to figure out what was causing the issue.

This talk discusses the Cyber Threat Intelligence (CTI) methods and frameworks employed during the investigation, covering the collaboration necessary, the technical analysis and the dissemination of the findings. Through this case, we discuss the lessons learned, the mistakes made, and how we ultimately arrived at a preliminary conclusion in what started as a complete mystery.

Speakers in this session

Inez Wester
Lars van der Zee