Det. Eng. Weekly #50 - 1%? 100%? What's the difference, really?
"My dog ate the other significant digits" - Okta, probably
Welcome to Issue #50 of Detection Engineering Weekly!
Quick programming note: I’ll be writing two more issues this month then taking time off until the new year.
This week’s recap:
💎 by Kevin Beaumont on CitrixBleed and how as an industry, we lose memory quickly on emerging vulnerabilities that do real harm
Megan Roddie on investigating Google Workspace with dot email addresses, Diego Perez helps reframe intelligence programs into actionability zones rather than threat matrices, Kyle Derevyanik with a massive post on 0 to hero for Kubernetes threat detection, Arjun Trivedi on detection opportunities for AitM attacks, and Brendan Gregg gives us the scoop on eBPF's downfalls for security
Podcast episodes by DISCARDED with the MITRE ATT&CK crew, Vice’s CYBER shows how fast combatants disseminate war information and footage these days, Chris Thompson on DCP discussing Microsoft SCCM
CISA exposes IRGC, Rachael Sudbeck gives a great account on the MGM hack, Okta's breach affected almost all customers, Curated Intel investigates the peculiar booking[.]com phishing pages, and ICANN fights back against the baddies
⏪ Did you miss the previous issues? I'm sure you wouldn't, but JUST in case:
🌐 Newsletter Network:
My friend Clint Gibler’s (@clintgibler) newsletter, tl;drsec, just hit 30,000 subscribers! I’m super fortunate to have gotten to know Clint this past year, and we even met up at DEFCON to discuss life, security, newsletters and I made him take a lie detector test.
Click Here to check out his newsletter and feel free to tell him I sent ya!
💎 Detection Engineering Gem 💎
What it means — CitrixBleed ransomware group woes grow as over 60 credit unions, hospitals, financial services and more breached in US. by Kevin Beaumont
Kevin Beaumont does some amazing work in the security research and threat landscape space, especially regarding emerging vulnerabilities and ransomware groups. Anytime you see a high-profile ransomware infection or a vulnerability actors use to mass scan the internet for initial access, you can check out his Mastodon for coverage.
In this post, Beaumont gives a harrowing recollection of the events surrounding CitrixBleed. He follows several high-profile infections, notes their probable Citrix NetScaler entry point, and discusses the fallout. Beaumont does an excellent job of showing how vulnerabilities like this fall under the radar. Although it got news coverage, the security community tends to forget quickly as the subsequent vulnerabilities emerge.
He follows with advice on what to do next for the ransomware plague, and I have mixed feelings about his recommendations. Not because they aren't correct, but because we'd need to endure a lot of short-term pain and potential fiduciary duty failure to remove the scourge of ransomware.
🔬 State of the Art
Dots do matter: Why dots in Gmail addresses impact Google Workspace investigations by Megan Roddie
Have you ever done the "dot" trick in Gmail? It's helped me get around all kinds of free trials, or at least extended them indefinitely until I ran out of dots to put into my account. In this post, a friend of the newsletter, Megan, talks about how the intended functionality of Gmail parsing dots can muck up an investigation as you parse through Gmail logs. With lots of focus on M365 email attacks, I'm curious to see if anyone has triaged a BEC incident in Gmail that abused the confusing nature of how it handles dots.
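To see why this matters for log correlation, here is an added example (mine, not code from Megan's post) that canonicalizes actor addresses before grouping events. It assumes dots and `+` tags are ignored only in the local part of gmail.com and googlemail.com addresses, and the log lines are constructed sample data.

```python
from collections import defaultdict

# Assumption: dots (and +tags) are ignored only for consumer Gmail domains.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_gmail(address: str) -> str:
    """Return a canonical form so j.doe@gmail.com and jdoe@gmail.com compare equal.

    Addresses on other domains are only lowercased and trimmed; their dots
    are left intact because they are significant there.
    """
    cleaned = address.strip().lower()
    local, sep, domain = cleaned.rpartition("@")
    if not sep:
        return cleaned  # not an email address; leave as-is
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"  # googlemail.com is an alias of gmail.com
    return f"{local}@{domain}"


# Constructed sample audit log lines (not real data): actor,event
SAMPLE_LOG = """\
j.doe@gmail.com,login_success
jdoe@gmail.com,share_external
J.D.O.E@googlemail.com,download
jdoe+promo@gmail.com,login_failure
jane.doe@example.org,login_success
janedoe@example.org,login_success
"""


def group_events(log_text: str) -> dict:
    """Group events by canonical actor so one Gmail user is one timeline."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        actor, event = line.split(",", 1)
        groups[canonical_gmail(actor)].append(event)
    return dict(groups)


if __name__ == "__main__":
    # Four differently spelled gmail actors collapse into one timeline;
    # the two example.org actors stay separate.
    for actor, events in group_events(SAMPLE_LOG).items():
        print(actor, events)
```

Without the canonicalization step, the same Gmail user would show up as four unrelated actors in a pivot table.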
The Uncertainty of Intelligence and the Entropy of Threats by Diego Perez
I love the framework posed by Perez in this post on the application of threat intelligence. Intelligence should be actionable - but what does that mean? There are several ways to bucket this information, and most CTI teams might recommend an impact vs. probability matrix. These matrices may be helpful, but they may be too technical for a business to understand, and you want your CTI to be actionable for the company.
Perez's proposal here uses the apt term of actionability zones as a potential alternative. What happened, what is happening, what could happen? This can help prioritization for the business and a detection backlog.
From Logs to Detection: Using Snowflake and Panther to Detect K8s Threats by Kyle Derevyanik
This is a great crash course on Kubernetes control plane threat detection. You'll need a Panther SIEM to see it in the platform, but Panther (and the Snowflake team working with the company) open-sourced the rules for others. It’s got a TON of examples for all kinds of threat scenarios and corresponding detection opportunities. You can plug this into an LLM or several rule converters to retrieve the query in your search language of choice.
Identifying Adversary-in-the-Middle (AiTM) Phishing Attacks through 3rd-Party Network Detection by Arjun Trivedi
Like the previous post using Snowflake/Panther, this Sentinel-based blog post goes over out-of-the-box (and open source!) rules to catch AiTM phishing attacks. AiTM is a tried-and-true phishing methodology that captures MFA codes by phishing the MFA page itself, and the operator on the other side either proxies the traffic to the service or enters it manually while logging in.
eBPF Observability Tools Are Not Security Tools by Brendan Gregg
eBPF has become more popular as a security monitoring tool in Linux. It was initially designed as an observability tool, meaning you can collect telemetry from a Linux-based host on performance-related metrics. The critical part here is "performance-related," meaning it's okay if things get dropped. Think of a speedometer - it's okay if it fails to record your speed occasionally. You, for the most part, know you are going a certain speed on the highway. This is the opposite of security - we need EVERYTHING!
Gregg is a pivotal contributor to BPF-based open-source tools and has a ton of experience publishing research on performance tools, observability, and, most recently, security.
🎙️ Detection Engineering Podcasts
Have you ever wondered how new MITRE ATT&CK tactics and techniques are born? It's no stork. It's a lot of talking, triaging, debating, and gathering feedback from several teams at MITRE. I like how the hosts dubbed techniques "T-Codes," and I may have to steal it from now on.
This detection-adjacent podcast episode is still fascinating as it delves into how (mis/dis)information from war and conflict gets manufactured, disseminated, and interpreted. It also delves a bit into the trust & safety discipline, which uses detection principles to protect platforms in non-cyber ways.
This episode of DCP shows how a red teamer with a defensive mentality can move the needle when detecting new tradecraft. Thompson's research on Microsoft's SCCM technology, now called Microsoft Configuration Manager, is now part of... Microsoft Intune? It's a configuration management toolset similar to Puppet/Chef but has deep integrations with the Microsoft identity ecosystem.
☣️ Threat Landscape
I can't recall the last time I saw the U.S. Environmental Protection Agency issue a joint cyber statement, but here we are! According to CISA, EPA, NSA, and the INCD (Israel Cyber Directorate), IRGC-aligned actors began compromising water systems manufactured by Unitronics, an Israeli company. Since this is the fog of war, these actors don't care where the infrastructure exists and are scanning the internet for anything they can target.
What Everyone Got Wrong About the MGM Hack by Rachael Sudbeck
This is an excellent timeline of the MGM Hack by Sudbeck. They summarize the initial access methods, especially around identity, and try to show that the recommendations from Okta & Microsoft related to these tactics must be more preventative. There's a bit of marketing-speak here "Thus, if MGM had Kolide, the attack would have happened something like this," but it's not too bad. Good study on device trust other than Phone Numbers & SMS verification.
October Customer Support Security Incident - Update and Recommended Actions by David Bradbury
All right, there is more drama on the Okta front. The cheeky title I used for this week's issue pokes fun at Okta, but I can appreciate that the team is doing their due diligence here. The security team found additional reports that the threat actor(s) ran, including one that included all customers sans GovCloud environments. According to their latest earnings call, the company is spending the next quarter working on security features. Hopefully, the list downloaded by actors isn't passed around as a target list.
Curated Intel Threat Report: Multi Platforms Credit Card Information Harvesting Campaign by tas_kmanager
If you've seen the peculiar phishing-related news on Booking.com's website, check this blog out. It's more of a deep dive into the phishing kits used by the actors after the compromise, but this counts as a supply chain breach. An infostealer infects an agent working for booking.com, the actor gains access to that agent's chat portal, and phishing links go out to customers via the chat function.
ICANN launched the Registration Data Request Service, or RDRS, for investigators to ask ICANN for non-public information on domains. This is particularly helpful, and probably expensive, for private investigators, but hopefully law enforcement can use this type of data to help unearth some baddies behind anonymous whois services.
🔗 Open Source
priority-intelligence-requirements-dev by redhat-infosec
Priority Intelligence Requirements (PIRs) are a great way for threat intel teams to focus on collecting, analyzing and disseminating actionable intelligence for their organizations. The folks at RedHat created an interesting approach for teams to generate these requirements to help drive intelligence research.
Awesome-Azure-Pentest by Kyuu-Ji
Huge list of articles, talks, tools and other resources to help pentest Azure environments. I quite like the lab exercises, and this blog on building Active Directory in Azure has been on my project backlog for some time.
ADOKit by xforcered
Red team toolkit to attack Azure DevOps. There are dozens of modules to attack the service, and xforcered included detections in Sentinel and YARA. They released a whitepaper with the tool with over 100 pages of content!
elastic-container by peasead
Self-contained Elastic stack with their detection product. Great if you want to build a home logging lab with their detection ruleset.