Det. Eng. Weekly #51 - 🪵 Oh, the logging requirements are frightful 😱
🎵 But the rules are so delightful 🎵
Welcome to Issue #51 of Detection Engineering Weekly!
Quick programming note: The last (and special edition) issue is going out next week, December 20th, and I’ll be taking the rest of the month off.
This week’s recap:
💎 by Ethan Bowen on the U.S. GAO report on how the executive branch agencies aren't good at security logging, which also shows that the logging requirements themselves reveal a lack of expertise :3
Luke Jennings abuses Okta's SWA "SSO" method, GreyNoise Labs on dynamic honeypots, Simone Kraus combines several state-of-the-art detection engineering models from this year to profile Rhysida, Arch Cloud Labs studies thousands of Cobalt Strike configs, Josh Feehs gives us a peek inside how GitLab's red team automates C2 testing via CI/CD pipelines
Podcasts by Risky Business with a great talk by Proofpoint on security automation, Dhruv Majumdar on Detection at Scale on how consultants help solve detection & response problems, Jack Rhysider releases his latest episode on hunting stalkers and the awfulness of Revenge Porn
Silent Push uncovers Scattered Spider infrastructure, BushidoToken reviews this year's top 10 threats, MSTIC outs Star Blizzard, Sharmine Low uncovers a new Linux RAT, and the FBI claims it can save us from the SEC
⏪ Did you miss the previous issues? I'm sure you wouldn't, but JUST in case:
🤲 Giving back with Cybersecurity Cares 🤲:
This is an invite to the Cybersecurity Cares Holiday Telethon Extravaganza! On December 15th, a bunch of folks from around the cybersecurity industry will be live-streaming to raise money to support a good cause. The event will be broadcast on LinkedIn and YouTube, and we would love for you to join us.
I'll be on stream at 10:30 EST playing some games with other streamers, raising awareness, and hopefully getting some donations in for this year.
This year, the effort is raising money for Becky's Fund, a national non-profit organization dedicated to ending domestic violence. They chose this charity for their 2023 initiative because, as defenders, we feel that everybody should feel safe in their home.
You can learn more, make a donation, and get involved at cybersecurity-cares.com
💎 Detection Engineering Gem 💎
M-21-31: Ye Shall Log, No Matter the Log by Ethan Bowen
Have you ever worked for a company where a new policy was pushed down, and you received guidance on performing X, Y, or Z tasks? Not just security or tech-related, but policies related to vacation, harassment, medical leave, or how to use email? For the most part, those policies are clear on what you must do to adhere to them and what breaks the policy. OK, now imagine getting one of those policies, but it's written in limericks, and you have to solve riddles like you are in Alice in Wonderland.
That's how I felt when I read the White House's policy document, M-21-31, on proper logging procedures for the executive branch. Luckily, Bowen has the scoop on how this policy document was constructed, and compares it to the U.S. Government Accountability Office's memo on how we are doing.
Hint: not so good.
But, it's not surprising, given that our federal workers weren't evaluated on their knowledge of complex logging strategies, riddles, and limerick prose during their interview process. Some numbers Bowen runs on these requirements are insane, and modern firms probably wouldn't be able to adhere to this document.
🔬 State of the Art
Abusing Okta's SWA authentication method by Luke Jennings
In this post, Jennings from Push Security studies the differences between Okta's SSO implementations, with a particular focus on Secure Web Authentication, or SWA. Federated login has industry-standard protocols and procedures, such as OIDC or SAML. Still, you can give the illusion of "single sign-on" by storing plaintext credentials in Okta via its browser extension, which then acts like a password manager.
According to Jennings, OIDC and SAML still have their own threat models. If I were a CSO, I'd opt for these flows instead of a password-manager style experience where my employees need to remember yet another password and then use it throughout my ecosystem.
This short but sweet blog post by h0wdy on GreyNoise Labs shows how dynamic honeypots can help provide early warning for researchers studying emerging vulnerabilities and N-day payloads. The basic premise behind N-day vulnerability research is to reverse engineer a patch, develop a PoC, and then write signatures. Well, Ivan from Eastern Europe has more time than you and probably has access to all kinds of fun communities that do this. So why not catch the payload early in a smart honeypot, grab the PoC, and then write a tag? Cool tech from the GreyNoise folks is being showcased here!
Rhysida Ransomware and the Detection Opportunities by Simone Kraus
I think Kraus is a rare researcher and detection engineer who does a fantastic job of combining cyber threat intelligence with threat detection to create a comprehensive strategy for detection opportunities. In this beefy post on the Rhysida Ransomware group's TTPs, Kraus combs through several CTI reports on the group, overlays the TTPs across the group's evolution between victim sets and even different names, and shows how you can create an ontology of a ransomware gang's tactics. Kraus combines Splunk's PEAK framework, MITRE Engenuity's Summiting the Pyramid, and ATT&CK for a master class on detection engineering. Fantastic work, Simone!
Bulk Analysis of Cobalt Strike's Beacon Configurations by Arch Cloud Labs
A friend of Detection Engineering Weekly and hot sauce mad scientist Arch Cloud Labs used this post to comprehensively study tens of thousands of Cobalt Strike Beacon configurations. Cobalt Strike is a commercial C2 framework that several threat actors cracked and distributed to all kinds of baddies, and it has been the post-compromise persistence mechanism for hundreds of breaches. Bulk analysis of malware configuration is a super exciting topic for detection opportunities, and several findings in this blog show that actors are lazy and tend to stick to defaults, but are also VERY creative if you sort by least used.
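As an added example (not code from the post or from Arch Cloud Labs), here is the "stick to defaults vs. sort by least used" profiling in miniature: a few Python helpers run over a constructed set of extracted Beacon config records. The field names and the "default" values are assumptions modelled on typical extractor output, not the post's data.

```python
from collections import Counter

# Constructed sample of Beacon configuration records, shaped like a bulk
# extractor's output (invented values, not real telemetry or the post's data).
SAMPLE_CONFIGS = [
    {"sleeptime": 60000, "jitter": 0,  "spawnto_x64": r"%windir%\sysnative\rundll32.exe", "port": 443},
    {"sleeptime": 60000, "jitter": 0,  "spawnto_x64": r"%windir%\sysnative\rundll32.exe", "port": 443},
    {"sleeptime": 60000, "jitter": 0,  "spawnto_x64": r"%windir%\sysnative\rundll32.exe", "port": 80},
    {"sleeptime": 60000, "jitter": 20, "spawnto_x64": r"%windir%\sysnative\rundll32.exe", "port": 443},
    {"sleeptime": 5000,  "jitter": 0,  "spawnto_x64": r"%windir%\sysnative\rundll32.exe", "port": 8080},
    {"sleeptime": 60000, "jitter": 0,  "spawnto_x64": r"%windir%\sysnative\dllhost.exe",  "port": 443},
    {"sleeptime": 60000, "jitter": 37, "spawnto_x64": r"%windir%\system32\svchost.exe",   "port": 443},
    {"sleeptime": 60000, "jitter": 0,  "spawnto_x64": r"%windir%\sysnative\rundll32.exe", "port": 443},
]

def value_counts(configs, field):
    """Frequency of each distinct value of `field` across the corpus."""
    return Counter(c[field] for c in configs if field in c)

def default_share(configs, field):
    """Modal value of `field` and the fraction of samples using it: a proxy
    for how many operators left that setting at its default."""
    counts = value_counts(configs, field)
    if not counts:
        return None, 0.0
    value, n = counts.most_common(1)[0]
    return value, n / sum(counts.values())

def rare_values(configs, field, max_count=1):
    """The 'sort by least used' view: values seen at most `max_count` times.
    These hand-tuned outliers are the candidates for high-fidelity
    detections or hunting pivots, since they rarely collide with defaults."""
    return sorted(v for v, n in value_counts(configs, field).items() if n <= max_count)

def profile(configs, fields):
    """One summary row per field: modal value, its share, and the long tail."""
    return {
        f: {"mode": default_share(configs, f)[0],
            "share": round(default_share(configs, f)[1], 3),
            "rare": rare_values(configs, f)}
        for f in fields
    }

if __name__ == "__main__":
    rows = profile(SAMPLE_CONFIGS, ["sleeptime", "jitter", "spawnto_x64", "port"])
    for field, row in rows.items():
        print(f"{field:12} mode={row['mode']!r} share={row['share']:.0%} rare={row['rare']}")
```

On a real corpus, a field whose modal share is very high is a weak detection signal on its own (it also matches legitimate red teams using defaults), while the rare tail is where actor-specific fingerprints show up.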
How GitLab's Red Team automates C2 testing by Josh Feehs
You've heard of elf-on-the-shelf detection-as-code? Well, now there's red-team-testing-as-code! The GitLab Red Team wrote several pytest wrappers around popular open-source C2 frameworks. I am a massive fan of pytest for CI/CD operations, and in this post, the GitLab folks implemented clever ways to download, execute, and wait for callbacks, all in a self-contained GitLab CI/CD pipeline.
🎙️ Detection Engineering Podcasts
I <3 Risky Business, and I've been paying more and more attention to their sponsored interviews at the end of episodes. I usually roll my eyes at these interviews, but the hosts do a great job of asking hard questions and challenging guests as they describe their solutions. In this episode, Patrick interviews an EVP from Proofpoint about what their firm is doing with response automation.
I find Big 4 consulting firms like Deloitte fascinating. They get to see all kinds of clients, big and small, in all sorts of states, from a security program in complete disarray to one that is super optimized. Majumdar runs a part of their consulting practice that helps scale out customer detection & response programs, so it was nice to see how he approaches talking to clients with different needs.
Trigger warning: this has a lot of sexually explicit themes. This episode of Darknet Diaries follows a case of twin sisters being harassed and stalked with Revenge Porn. It's a terrible part of the Internet, and I hope we can get more eyes and ears on this issue, since state and federal law are slowly catching up to this style of harassment.
☣️ Threat Landscape
Eight-legged Phreaks: Silent Push DNS and content scans discover new Scattered Spider phishing infrastructure by Silent Push Security
I've been using the Community Version of Silent Push's platform, and they have some really clever ways to search and filter through lots of Internet scan data for threat actor infrastructure. In this post, the team showcases how looking at phishing pages related to Scattered Spider clusters can help reveal other parts of their infrastructure. Their section on how the actors re-use old infrastructure was interesting, and tried-and-true analysis methods, such as pivoting on keywords in a domain, effectively catch these phishing sites in the wild.
Top 10 Cyber Threats of 2023 by Will Thomas (BushidoToken)
If you want a trip down memory lane and unearth campaign trauma or feel really old even though things like Anonymous Sudan and 3CX happened THIS YEAR, this is the blog post for you. A friend of the newsletter, Will Thomas, highlights the big campaigns, data breaches, and threats from this year, showing how much we have to deal with in this industry and profession.
Star Blizzard increases sophistication and evasion in ongoing attacks by Microsoft Threat Intelligence
Star Blizzard is a Russian government-aligned actor that heavily uses phishing infrastructure to gain initial access to victims. When I read this, I had a chuckle because the actor uses several anti-analysis and anti-scanning techniques that commodity phishing actors have used for years. From what I can tell, the "antibot" capability, an API server that gives a true/false on whether someone is a legit victim, is hosted on the server itself and not some external C2.
Curse of the Krasue: New Linux Remote Access Trojan targets Thailand by Sharmine Low
It's nice to see some Linux malware being exposed that does not result in cryptomining! Group-IB is unsure of the initial access vector of this malware, but the cool part is the use of RTSP for C2 communications. The malware also installs a rootkit that pulls many code similarities from open-source LKMs like Suterusu, Diamorphine, and Rooty.
FBI explains how companies can delay SEC cyber incident disclosures by Jonathan Greig and Martin Matishak
Lots of policy-wonk material in this week's issue of Detection Engineering Weekly, but this was a peculiar and helpful development regarding the SEC's four-day disclosure requirement for cyber incidents. Greig and Matishak at The Record scoured a recently released FBI doc saying that public companies do not necessarily have to disclose public safety or national security incidents. The Attorney General can give a stamp of approval, but only if you send enough information over... email?
🔗 Open Source
automation-capability-matrix by tuckner
I'm a big fan of capability matrices, and this one is even cooler because it's a self-hosted web app. It focuses primarily on SOC and SOAR automation, and I think it can fold nicely into a response maturity framework. The best part? DARK MODE!
reaper by ghostsecurity
Reaper is a modern attack proxy tool, equivalent to Burp/ZAP. It's nice to see open-source alternatives to these types of web-app testing tools. It might be worth checking this out if you don't want to cough up the ~$500 USD for the yearly Burp license.
StratosphereLinuxIPS by stratosphereips
It's been a while since I've seen "IPS" used in the wild, but here we are! Stratosphere is a Python-based IPS that looks at network traffic on Linux. It uses several heuristics for detections, including pre-shipped machine learning models.
PoolParty by SafeBreach-Labs
PoolParty is a collection of currently undetectable process injection techniques using Windows Thread Pools. This is an open-source release as a result of a BlackHat EU talk. I definitely want to check this talk out once the YouTube videos get released.