Det. Eng. Weekly #113 - Can I get a rule, and can you make it last forever?
I'm about to go on call, and I don't know if I'ma see you again
Welcome to Issue #113 of Detection Engineering Weekly!
📣 New Detection Engineering focused conference: Datadog Detect
Holy crap. Within less than a day of me posting this announcement on last week’s issue, we got over 300 signups. And I’m so happy to see SO MANY detection engineers, incident responders, security researchers and security engineers. I promise y’all are gonna love these talks.
For those that didn’t read last week: I’m co-launching a detection engineering flavored mini-conference, that’ll hopefully turn into something better, with Datadog Security Research. I’ll be kicking off with opening remarks and we are going to dive into 4 technical talks on detection engineering.
It’s on May 29 at 12PM ET. Come check it out!
Click here to register 👉 http://bit.ly/datadog-detect
~ Note ~ This is my employer, and with this current iteration, we do require a form sign up. Feel free to sign up / unsub, but you might have to wait until after the con.
💎 Detection Engineering Gem 💎
Detection-In-Depth by Day Johnson (THOR Collective Dispatch Newsletter)
I love Day's concept of applying defense-in-depth principles to threat detection. I will continue dunking on the adage that "Defenders need to be right all the time, attackers only need to be right once!!1" Through a layered approach of risk-based alerting, volumetric alerting of many lower severity signals, and creating resilient detections, defenders can be wrong a lot and still find the badness.
But rules alone aren't enough. Day has an excellent section titled "Addressing Blind Spots & Improving Visibility", which reads like the constant obsession with log sources and gap identification. This is where other functions, such as threat hunting, really shine. You can approach this from the left and right of your SIEM. The left part is trying to inject your detection team into the logging infrastructure to identify new sources. The right part is threat hunting.
Several other sections address the "detection-in-depth" approach here. They could be perfect additions to the Detection Engineering Maturity Matrix.
Here's my favorite, pithy quote:
What truly catches adversaries is consistent accuracy developed through continuous refinement, iteration, and tuning, not chasing after a perfect rule.
Also, Day, you owe me a workout session and/or some sparring next time we see each other.
🔬 State of the Art
Why Prompts Are the New IOCs You Didn’t See Coming! by Thomas Roccia
As Costin Raiu says every time he reads a threat report with 0 actionable intel: "Where are the IOCs?!"
There's nothing worse than a threat report with nothing actionable. I define actionability here as any information that helps readers understand tactics, techniques, and procedures or contains information about the intrusion within the Pyramid of Pain. The more IOCs and TTPs per report, the better we can defend our networks.
Roccia explores this concept even further with LLM attacks. He pulls apart the latest Anthropic report detailing malicious use of their Claude LLM. It was a cool report, but it missed the fundamental value for defenders: IOCs! The core of Roccia's critique is that Prompts are the IOCs. He linked a YARA-like malicious prompt framework, NOVA, and provided several examples of malicious prompts. I linked NOVA below under Open Source.
How to Improve Performance of Your Database? by Sid (The Scalable Thread Newsletter)
This is a great crash course for those who want a much broader understanding of database operations and how to scale them. This is super relevant when you think about running a database for your SIEM. You could pay for these problems to go away with a hosted solution, but sometimes that doesn't work.
Sid details seven different database optimization strategies. The pictures within each section serve as an excellent visual representation of the optimization strategy, and he provides real-world examples of when you would use it. Every database optimization strategy he lists has a trade-off, such as cost, complexity, or staleness.
If y'all want the most out of this blog, I would read each scenario and try to come up with a real-world security scenario in which you'd use the strategy or not. The stale data scenario across a few of these can be detrimental to an investigation, and I have been on incidents in the past where this was the case.
The ATLAS Matrix by MITRE
I've been getting into attacks against LLMs recently, and there's a lot of preliminary research into how attackers progress through abusing an LLM model. I struggled with understanding what constitutes an attack against the model itself, such as some of the scenarios Roccia wrote in his blog above, and attacks against the underlying workload or application.
I think ATLAS accurately captures this, but the effectiveness of these attacks isn't as apparent to me as pure MITRE. For example, "Spamming the AI Model with Chaff Data" seems theoretical and made up. It's the same aura as "Run SQLmap against an API endpoint" with chaff thrown in.
SOC Assessment Tool by SOC Assessment
This neat and free tool can help you map out the maturity of your SOC efforts. It runs like a maturity matrix, and by the end, it outputs a report and some scores to help you understand your gaps. It splits questions and maturity across Foundational Practices, Detection, Incident Response, Threat Intelligence, and Security Monitoring. I don't know exactly where they pull these categories from, research-wise, but it's a good breadth-first approach to SOC maturity.
🎙️ Detection Engineering Media
This short-but-sweet keynote by JAGs from the Three Buddy Problem is worth a listen. As I interpreted it, the general theme revolves around the devolution of cyber threat intelligence from a decade ago to where it is now.
I did not interpret this as an "old man yells at cloud" moment; rather, the capture of this field from firms who built threat intelligence as a moat has hampered defenders since the premium intel now costs a hefty fee. This is painted in the national security lens, particularly around conflicts and war, such as Ukraine-Russia and Israel-Palestine, which are super relevant right now, obviously!
☣️ Threat Landscape
RedisRaider: Weaponizing misconfigured Redis to mine cryptocurrency at scale by Matt Muir and Frederic Baguelin
~ Note, I work at Datadog and Matt/Fred are my colleagues! ~
The Datadog Threat Research team uncovered a new strain of malware, RedisRaider, that targets open Redis servers on the Internet and uses insecure default configurations to gain access to their underlying host. It uses a clever technique to avoid detection: first, it sets a Redis key with a 2-minute TTL and attempts to write the value of the key, a malicious cronjob, out to the host. After 2 minutes, the key expires, which deletes the corresponding value.
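A detection you could run over Redis command telemetry for the sequence described above, as an added example (not Datadog's code or RedisRaider's): it correlates, per client, a SET of a crontab-looking value with a TTL of 120 seconds or less, followed by a SAVE. The log lines are constructed in Redis MONITOR format, and the CONFIG SET dir step that repoints the dump file at a cron directory is an assumption about how the value reaches the host, not something the post states.

```python
import re
import shlex

# Constructed MONITOR-style lines: one client redirects the dump directory (assumed step),
# SETs a crontab-looking value with a 2-minute TTL and SAVEs; a second client does session caching.
CONSTRUCTED_MONITOR = """\
1716300000.100000 [0 10.0.0.5:43210] "CONFIG" "SET" "dir" "/var/spool/cron"
1716300000.300000 [0 10.0.0.5:43210] "SET" "backup" "*/1 * * * * root /tmp/x" "EX" "120"
1716300000.400000 [0 10.0.0.5:43210] "SAVE"
1716300001.000000 [0 10.0.0.9:50001] "SET" "session:42" "user=alice" "EX" "3600"
""".splitlines()

MONITOR_RE = re.compile(r"^(\d+\.\d+) \[(\d+) ([^\]]+)\] (.*)$")
CRON_LINE_RE = re.compile(r"^\s*(\S+\s+){5}\S")  # five schedule fields then a command
CRON_DIRS = ("/var/spool/cron", "/etc/cron.d", "/etc/crontab")
SHORT_TTL = 120  # seconds; the post says RedisRaider uses a 2-minute TTL

def parse(line):
    """Return (client, [CMD, arg, ...]) for a MONITOR line, else None."""
    m = MONITOR_RE.match(line.strip())
    if not m or not (args := shlex.split(m.group(4))):  # arguments are double-quoted
        return None
    return m.group(3), [args[0].upper()] + args[1:]

def ttl_seconds(args):
    """TTL from SET ... EX <seconds>; None when the key has no EX option."""
    for i in range(3, len(args) - 1):
        if args[i].upper() == "EX":
            return int(args[i + 1])
    return None

def analyze(lines):
    """Correlate commands per client; return (client, severity, reason) findings."""
    state, findings = {}, []
    for line in lines:
        if not (parsed := parse(line)):
            continue
        client, args = parsed
        st = state.setdefault(client, {"cron_dir": False, "short_ttl_cron": False})
        if args[0] == "SET" and len(args) >= 3:
            ttl = ttl_seconds(args)
            if ttl is not None and ttl <= SHORT_TTL and CRON_LINE_RE.match(args[2]):
                st["short_ttl_cron"] = True
                findings.append((client, "medium", f"cron-like value SET with EX {ttl}s"))
        elif args[0] == "CONFIG" and len(args) >= 4 and args[1].upper() == "SET" \
                and args[2].lower() == "dir" and args[3].startswith(CRON_DIRS):
            st["cron_dir"] = True  # dump directory now points at a cron location
        elif args[0] in ("SAVE", "BGSAVE") and st["cron_dir"] and st["short_ttl_cron"]:
            findings.append((client, "high", "SAVE after cron-dir redirect and short-TTL cron payload"))
    return findings
```

Because the key expires after two minutes, a scheduled dump of the Redis keyspace will not show it; the command stream is where the signal lives.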
How we identified a North Korean hacker who tried to get a job at Kraken by Kraken
North Korean IT Workers have been on a tear lately, and lots of companies are becoming more public about how they deal with them. In this post by the crypto company Kraken, they disclose how they caught a fake applicant during the interview process. Once they suspected the applicant, they continued to move them through the interview process until the applicant had an interview with their CISO. It sounds like Kraken made the applicant sweat by the end.
I like the guidance and TTP sections a lot because they aren't just about a quick PR win; they also publicly show how others can combat this problem.
Windows Logon Scenarios by Microsoft
Have I really stooped low enough to post official Microsoft documentation? Yes. Is it because it's wicked funny and ridiculous how they can give a ton of information in one blog, but separately release thousands of undocumented APIs? Also, yes. If you want to learn how Windows Logon works, check out the four types: interactive, network, biometric, and smart card. My favorite part is this weird scenario where cached local copies of passwords STILL work AFTER you roll out an identity provider via network logon.
Inside LockBit: Defense Lessons from the Leaked LockBit Negotiations by Saeed Abbasi
The big news from last week in the criminal underground was the leak of LockBit's panel. The leak contains a MySQL database with all kinds of goodies for threat researchers to comb through. Leaks like this are useful for several reasons. One, they give researchers insight into how major criminal operations organize their enterprise. Two, you can get a ton of technical indicators for retrohunts and victim identification. Three, exposed TTPs can help defenders introduce technical controls to mitigate infections.
Luckily, Abbasi and Qualys' Threat Research Unit documents all three cases, and it goes to show how important analyses like this are to uplevel the security industry as a whole.
Insights from Internal DPRK Chat Logs by Chollima Group
Speaking of the LockBit leaks listed in the story above, the Chollima Group downloaded suspected DPRK chat logs from an open Google Drive in March. Within those logs were emails sent between suspected DPRK IT Workers. It paints a somewhat sad picture; you can tell they are figuring things out regarding persona management, and regularly attempt to deconflict over personas.
The other part of this sad picture is the emails in which IT Workers are looking for family members and friends and asking the group if anyone has had contact with them.
🔗 Open Source
nova-framework by fr0gger
Thomas Roccia linked NOVA in his article, which is linked above in State of the Art, but it's too good not to include it here. NOVA is a YARA-like rule language for detecting malicious prompts from your LLM models.
LockBit-Wallet-Tracker by elliott-diy
This repo contains all the LockBit panel leak wallets linked above under Threat Landscape. The 62,000 addresses are being analyzed, and only 28 of the wallets have been funded so far.
picklescan by mmaitre314
Picklescan is a tool that combats malicious Pickle files by running various rules over them before the object is deserialized and loaded into an environment. Pickle files are serialized Python objects, commonly used in AI and Machine Learning applications to write model metadata and weights out to the filesystem. When loaded, the file is deserialized back into a Python object, and it does its thing. If you can backdoor one of these pickle files, you can insert arbitrary code and then Bob's your Uncle.
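The core check picklescan-style tools perform, as an added example (my own code, not picklescan's): walk the pickle opcode stream with the standard library's pickletools, never call pickle.loads, and flag any GLOBAL or STACK_GLOBAL reference to a module/function on a deny-list. The deny-list and the sample blobs are constructed for this example; the two suspicious blobs are hand-written opcode streams that would call os.system on load and are only parsed here.

```python
import io
import pickle
import pickletools

# Constructed deny-list for this example; picklescan ships its own ruleset.
UNSAFE_GLOBALS = {
    ("os", "system"), ("os", "popen"), ("subprocess", "Popen"),
    ("subprocess", "run"), ("builtins", "eval"), ("builtins", "exec"),
    ("builtins", "__import__"), ("builtins", "getattr"),
}
STRING_OPS = {"STRING", "SHORT_BINSTRING", "BINSTRING",
              "UNICODE", "SHORT_BINUNICODE", "BINUNICODE"}

def referenced_globals(data: bytes) -> list[tuple[str, str]]:
    """Walk the opcode stream with pickletools (never pickle.loads) and
    collect every (module, name) the stream would import at load time."""
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(io.BytesIO(data)):
        if op.name == "GLOBAL":            # protocols 0-3: arg is "module name"
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":    # protocol 4+: module and name pushed as strings
            if len(strings) >= 2:
                found.append((strings[-2], strings[-1]))
        elif op.name in STRING_OPS:
            strings.append(arg)
    return found

def scan(data: bytes) -> dict:
    """Report which globals a pickle references and which are on the deny-list."""
    refs = referenced_globals(data)
    hits = [g for g in refs if g in UNSAFE_GLOBALS]
    return {"globals": refs, "dangerous": hits, "safe": not hits}

# Constructed samples: a benign weights-style dict, then hand-written protocol 0
# and protocol 4 streams referencing os.system. Neither is ever unpickled here.
BENIGN_WEIGHTS = pickle.dumps({"layer1.weight": [0.1, 0.2], "epochs": 3})
SUSPICIOUS_PROTO0 = b"cos\nsystem\n(S'true'\ntR."
SUSPICIOUS_PROTO4 = b"\x80\x04\x8c\x02os\x8c\x06system\x93\x8c\x04true\x85R."

if __name__ == "__main__":
    for label, blob in [("weights", BENIGN_WEIGHTS), ("proto0", SUSPICIOUS_PROTO0),
                        ("proto4", SUSPICIOUS_PROTO4)]:
        print(label, scan(blob))
```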
PowerDodder by itaymigdal
This is a neat Windows post-exploitation tool that "lives off the land" by backdooring legitimate scripts on a host. Once you put PowerDodder on a victim, it'll hunt for target scripts, append the malicious line, and then timestomp the file (reset its timestamps) to frustrate some forensic analysis.
defendnot by es3n1n
An even funnier way to disable Windows Defender (through the WSC API).
Who doesn’t like funny things?
That cautionary note from MS on the authentication is... interesting. Trying to read between the lines of this: "If the cache verification is successful, the user gains access to the desktop even if the device is offline."
Thanks for the mention, Zack! Gearing up for our workout/sparring sesh :)