Det. Eng. Weekly #57 - Mitigation through ejection
Remediation through eradication, securing through expulsion
Welcome to Issue #57 of Detection Engineering Weekly!
It’s been a snowy January and February here in New England. Pasha (the DEW dog, if you haven’t seen the German Shepherd inside the ‘D’ in my logo) has enjoyed our frisbee outings in the snow.
This week’s recap:
💎 by Justin Ibarra on his 22 aphorisms on writing detection rules while keeping your sanity
Lots of Azure content this week! Ryan Hausknecht on detecting Azure managed identity abuse; Jeffrey Appel emulates the Midnight Blizzard OAuth compromise chain and offers detection opportunities; Robin Dimyanoglu launches the ADAPT framework for answering the age-old question “Is this an APT?”; Greg Ake goes fishin’ with a post on defining detection engineering; and Vit Bukac’s part 1 of a series on writing _good_ detection rules that make an analyst happy :)
Podcasts: the Risky Biz folks interview an Australian cyber politician, Tim Watts, and Detection at Scale interviews Sony’s SOC Director Charles Anderson about their truly scaled detection engineering program
Datadog (and ya boi Zack) publish a post on a peculiar TeamTNT campaign, Cloudflare comes out swingin’ with a super technical post-mortem following their November hack, Invictus IR with another banger of a blog post on an AWS incident with techniques they haven’t seen before, SpyCloud follows a Traffer team, and CISA orders agencies to throw Ivanti devices in the trash (well really just disconnect them)
plus so much more!
💎 Detection Engineering Gem 💎
The Zen of Security Rules by Justin Ibarra
Guiding principles, tenets, mission statements... they all serve one purpose: to remind you when you need a reminder. Now, I’m not saying you should plaster Art of War quotes around your office or even liken the Art of War to cyber. Still, taking inspiration and reminding yourself when you go astray is nice.
In this post, Ibarra draws inspiration from “The Zen of Python” and applies it to security rules. We all know how nuanced our field can get and how you can get lost in the problem. Still, whenever you have questions about writing a rule, building a set of rules, or creating a program, you might want to remind yourself first of these 19 principles.
My favorites:
• Detect behaviors over IOCs, except when necessary
• If you can detect it, you can test it
• Less is more; don’t write rules for the sake of writing rules
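To make the first two principles concrete, here is an added example (my own illustration, not code from Ibarra’s post or from the Zen of Security Rules): one suspicious activity, PowerShell started with a base64 “encoded command” argument, written once as an IOC rule keyed on a file hash and once as a behaviour rule keyed on the command line, plus the rule test that “if you can detect it, you can test it” asks for. The process events, paths and hashes are constructed for the example.

```python
"""Added example, not from Ibarra's post: the same activity as an IOC rule and as a
behaviour rule, with a unit test for both. All events and hashes are constructed."""
import base64
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    image: str     # path of the executable
    cmdline: str   # full command line
    sha256: str    # hash of the executable on disk


# IOC rule input: a constructed hash of one specific build of a binary.
KNOWN_BAD_SHA256 = {"0c9f" * 16}  # 64 hex chars, placeholder value


def ioc_rule(ev: ProcessEvent) -> bool:
    """Matches only the exact binary on the list; a recompile or repack evades it."""
    return ev.sha256.lower() in KNOWN_BAD_SHA256


# Behaviour rule input: PowerShell's short and long forms of the encoded-command flag.
ENCODED_ARG = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/]{20,}={0,2})"
)


def behavior_rule(ev: ProcessEvent) -> bool:
    """Fires on the technique regardless of which binary (or hash) executes it."""
    if not ev.image.lower().endswith("powershell.exe"):
        return False
    m = ENCODED_ARG.search(ev.cmdline)
    if m is None:
        return False
    try:  # the argument must decode as UTF-16LE text, which is what PowerShell expects
        base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return False
    return True


def encode_ps(script: str) -> str:
    """Encode a script the way -EncodedCommand expects (UTF-16LE, then base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed telemetry: the same encoded command from two different binaries, plus a benign run.
SAMPLE_EVENTS = {
    "listed_binary": ProcessEvent(
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "powershell.exe -nop -EncodedCommand " + encode_ps("Get-Date"),
        "0c9f" * 16,
    ),
    "rebuilt_binary": ProcessEvent(
        r"C:\Users\Public\powershell.exe",
        "powershell.exe -nop -enc " + encode_ps("Get-Date"),
        "ab12" * 16,
    ),
    "benign_script": ProcessEvent(
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "powershell.exe -NoProfile -File C:\\ops\\backup.ps1",
        "ab12" * 16,
    ),
}


def evaluate(events=SAMPLE_EVENTS):
    """Run both rules over every event; returns {name: (ioc_hit, behaviour_hit)}."""
    return {name: (ioc_rule(ev), behavior_rule(ev)) for name, ev in events.items()}


def rule_test() -> bool:
    """The test that ships with the rule: a known true positive, a known evasion, a known negative."""
    r = evaluate()
    return (
        r["listed_binary"] == (True, True)
        and r["rebuilt_binary"] == (False, True)
        and r["benign_script"] == (False, False)
    )


if __name__ == "__main__":
    for name, hits in evaluate().items():
        print(f"{name:15s} ioc={hits[0]} behaviour={hits[1]}")
    print("rule test passed:", rule_test())
```

The second event is the point of the first principle: a rebuilt binary with a new hash sails past the IOC rule while the behaviour rule still fires. The third event is the point of the second principle: the rule test carries a known negative alongside the positives, so a future regex tweak that starts matching `-File` would fail the test before it reaches production.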
🔬 State of the Art
(An Attempt at) Detecting Managed Identity Abuse by Ryan Hausknecht
Given the several blogs and disclosures about Microsoft security, especially regarding Identity & OAuth shenanigans, this post was a great deep dive into managed identities. Hausknecht quickly reviews the difference between system-assigned and user-assigned identities, then jumps right into detection opportunities across persistence and token abuse.
Pivot via OAuth applications across tenants and how to protect/detect with Microsoft technology? (Midnight blizzard) by Jeffrey Appel
If identity is the new perimeter, what does that make OAuth apps? It’s been a dramatic two to three weeks of Microsoft news, especially in response to their Midnight Blizzard breach, but I love the community response, like this blog. Midnight Blizzard found a clever way to abuse an overly permissive OAuth application from a test tenant to pivot into the tech giant and breach several of their systems.
ADAPT Framework for Modelling Adversary Behaviour by Robin Dimyanoglu
In this post, Dimyanoglu features a framework called “ADAPT” to determine whether or not a cluster of threats should be deemed “worthy” of an APT designation. The industry loves this term, and I think they do an excellent job of demystifying some of the decision-making that goes into classifying one. I am a fan of the “Adaptive” category, where you can measure an adversary’s ability to modify their tactics, techniques, and procedures and see if they are opportunistic or tailored.
What is Detection Engineering? by Greg Ake
I love a good analogy, and in this blog, Ake compares Detection Engineering to fishing for invasive species. They paint a picture of “net makers” becoming industrialized, and lots of these “nets” to catch invasive species don’t really do what the original, hand-crafted, artisanal net makers used to do. I think it’s a great post for introducing folks to the field, and it balances going into too much detail against being too high-level.
Writing Practical Splunk Detection Rules — Part 1 by Vit Bukac
Part 1 of a 2-part series on writing practical Splunk detection rules, which goes from detection ideation to implementation. I love Bukac's approach here: as a community, we typically focus on identifying malicious behaviors and sharing that data. However, what you do with that identification afterward isn't as clear-cut. I thought Bukac framed the role of detection engineers as customer-focused, for example:
“...how [to make]... the resulting alerts pleasing for SOC”
Making pleasing alerts should be inscribed in stone/tattooed on some of us who like that stuff :).
• WatchTower End of Year Report 2023 - SentinelOne
🎙️ Detection Engineering Podcasts
In this episode, the Risky Biz crew interviews Tim Watts about his recent work in indicting the Medibank hacker. I've been thinking about attribution and "imposing cost" lately. IMHO, finding bad guys in your network isn't enough sometimes. Most people in threat detection would love to see their impact extend beyond firewall rules to the kind of capabilities Tim Watts' office uses to stop these folks.
Great episode interviewing Charles Anderson, SOC Director @ Sony. They cover several topics relevant to those operating a large detection program (such as scoping content based on business units or geolocations), and then go all the way down to small orgs that want to use up-and-coming features like risk-based alerting to stop badness.
☣️ Threat Landscape
An analysis of a TeamTNT doppelgänger | Datadog Security Labs by Frederic Baguelin, Andy Giron, Zack Allen (ME!), and Christophe Tafani-Dereeper
Note: if it’s not obvious, I work at Datadog, this is my team, and I helped with this investigation and with writing the blog.
My team picked up a unique Docker-based intrusion on one of our honeypots and did a deep dive into it. The actor threw a kitchen sink's worth of persistence mechanisms at the machine but forgot to throw that level of effort into securing their own C2 box. We gleaned some intel from it and highlighted it in the blog.
Thanksgiving 2023 security incident by Matthew Prince, John Graham-Cumming and Grant Bourzikas
Microsoft is old news; let's get back to Okta! The Okta breach several months ago compromised several of their customers, including Cloudflare. The team released their security post-mortem, and I'm impressed by the diligence and timeline.
There are several detection opportunities, and it shows that motivated actors are starting to attack knowledge bases and ticketing systems to glean additional intelligence for further pivoting.
The curious case of DangerDev@protonmail.me by Invictus Incident Response
AWS incidents typically involve the same playbook. Gain access via Valid Accounts, create a few users, and spin up a few extra accounts for persistence, then do some crypto mining or exfiltrate data. Did this happen in this incident?
Yes, BUT there's some tradecraft in here I have not seen publicly disclosed before. Specifically, an actor using their own AWS account to AssumeRole into a victim account (as another persistence mechanism), as well as using "SimulatePrincipalPolicy" to enumerate permissions, rather than relying on several (sometimes hundreds of) failed API calls to see what you can and cannot do.
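Both techniques leave a clear trace in the victim account's CloudTrail, so here is an added example (my own illustration, not code from the Invictus IR write-up) of the two detections a defender would want: an AssumeRole where the calling principal belongs to a foreign account that is not on an allow-list of known partners, and any call to SimulatePrincipalPolicy, which is low-volume in most accounts and otherwise mostly used by policy tooling. The trail records, account ids and ARNs below are constructed; the field names (`eventSource`, `eventName`, `userIdentity.accountId`, `recipientAccountId`, `requestParameters.roleArn`) are the standard CloudTrail ones.

```python
"""Added example, not from the Invictus IR post: two CloudTrail detections for the
tradecraft it describes, run over constructed sample events."""
import json

# The victim account and every account id, ARN and session name below are constructed.
VICTIM_ACCOUNT = "111111111111"
# Accounts that legitimately assume roles here (e.g. a managed-service provider). Constructed.
TRUSTED_EXTERNAL_ACCOUNTS = {"222222222222"}


def _event(source, name, identity, recipient=VICTIM_ACCOUNT, **params):
    """Build a minimal CloudTrail record with the fields the rules look at."""
    return {
        "eventVersion": "1.08",
        "eventSource": source,
        "eventName": name,
        "userIdentity": identity,
        "recipientAccountId": recipient,
        "requestParameters": params or None,
    }


# Constructed trail, one JSON record per line, as a SIEM or a CloudTrail export would deliver it.
SAMPLE_TRAIL = "\n".join(json.dumps(e) for e in [
    # 1. A principal in an actor-owned account assumes a role in the victim account.
    _event("sts.amazonaws.com", "AssumeRole",
           {"type": "IAMUser", "accountId": "999999999999",
            "arn": "arn:aws:iam::999999999999:user/dev"},
           roleArn=f"arn:aws:iam::{VICTIM_ACCOUNT}:role/support-role",
           roleSessionName="sess1"),
    # 2. An allow-listed partner account doing the same thing: expected, no alert.
    _event("sts.amazonaws.com", "AssumeRole",
           {"type": "IAMUser", "accountId": "222222222222",
            "arn": "arn:aws:iam::222222222222:user/msp-ops"},
           roleArn=f"arn:aws:iam::{VICTIM_ACCOUNT}:role/msp-role",
           roleSessionName="msp"),
    # 3. Same-account AssumeRole by a workload: normal, no alert.
    _event("sts.amazonaws.com", "AssumeRole",
           {"type": "AssumedRole", "accountId": VICTIM_ACCOUNT,
            "arn": f"arn:aws:sts::{VICTIM_ACCOUNT}:assumed-role/ci/build"},
           roleArn=f"arn:aws:iam::{VICTIM_ACCOUNT}:role/deploy"),
    # 4. A user enumerating its own effective permissions in a single call.
    _event("iam.amazonaws.com", "SimulatePrincipalPolicy",
           {"type": "IAMUser", "accountId": VICTIM_ACCOUNT,
            "arn": f"arn:aws:iam::{VICTIM_ACCOUNT}:user/alice"},
           policySourceArn=f"arn:aws:iam::{VICTIM_ACCOUNT}:user/alice",
           actionNames=["s3:GetObject", "iam:CreateUser"]),
    # 5. Unrelated API call.
    _event("s3.amazonaws.com", "ListBuckets",
           {"type": "IAMUser", "accountId": VICTIM_ACCOUNT,
            "arn": f"arn:aws:iam::{VICTIM_ACCOUNT}:user/alice"}),
])


def external_assume_role(ev, trusted):
    """Alert when a non-service principal from a foreign, non-allow-listed account assumes a role here."""
    if ev.get("eventSource") != "sts.amazonaws.com" or ev.get("eventName") != "AssumeRole":
        return None
    ident = ev.get("userIdentity", {})
    caller = ident.get("accountId")
    # AWS services assuming roles on your behalf carry type AWSService and no accountId.
    if ident.get("type") == "AWSService" or not caller:
        return None
    if caller == ev.get("recipientAccountId") or caller in trusted:
        return None
    params = ev.get("requestParameters") or {}
    return {"rule": "external_assume_role", "caller_account": caller,
            "caller_arn": ident.get("arn"), "role_arn": params.get("roleArn")}


def simulate_principal_policy(ev):
    """Alert on any SimulatePrincipalPolicy call; record who asked about which principal."""
    if ev.get("eventSource") != "iam.amazonaws.com" or ev.get("eventName") != "SimulatePrincipalPolicy":
        return None
    params = ev.get("requestParameters") or {}
    return {"rule": "simulate_principal_policy",
            "caller_arn": ev.get("userIdentity", {}).get("arn"),
            "target_principal": params.get("policySourceArn"),
            "actions": params.get("actionNames")}


def detect(raw_trail, trusted=TRUSTED_EXTERNAL_ACCOUNTS):
    """Parse newline-delimited CloudTrail JSON and return every alert, in trail order."""
    alerts = []
    for line in raw_trail.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        for hit in (external_assume_role(ev, trusted), simulate_principal_policy(ev)):
            if hit:
                alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_TRAIL):
        print(json.dumps(a))
```

The allow-list is what keeps the first rule usable: cross-account AssumeRole from vendors and from your own organisation's other accounts is routine, so the rule should key on "foreign account I have never approved", and a new account id showing up there is exactly the kind of review-worthy event the post describes. Running the block as a script prints the two alerts from events 1 and 4.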
New Malware Research: Successful Traffer Team by SpyCloud Labs Research Teams
Do you know what a Traffer is? I thought it was a misspelling, but it's a legit organized crime setup that directs legitimate traffic to malicious sites (think Ads traffic). I love research reports highlighting criminal communication and organizational capacity, so if you want to see how criminals pull off an operation, check out this post. I've posted several landscape links about the various stealer families inside, so it's cool to see how the ecosystem works!
What typically comes to mind when you think of the word "mitigate" in a cybersecurity context? Patch a vulnerability, update passwords, reboot, or disconnect and throw it in the trash? Most of the time, I'd like to disconnect and trash, but there is no way you'd direct someone to do that right?
Well, think again: CISA required federal agencies under their jurisdiction to do exactly that before midnight on February 2. Imagine being the PR or marketing person for Ivanti right now: "The US federal government just trashed all of our devices!" Crazy times we live in...
🔗 Open Source
Metrics by gertjanbruggink
‘Meten is weten’ (Dutch for “measuring is knowing”). I am going to try to memorize this phrase listed in the README. This is a fantastic resource for reporting metrics related to CTI, mapped to strategic, operational, and tactical metrics. CTI can be a powerful tool for a detection program, so understanding how to build a successful CTI function can help us request intel to build or update rules.
oss-fuzz-gen by google
Interesting application of LLMs to generate fuzz targets. It sends the LLM a prompt describing the API/function to target, and the LLM returns candidate fuzz targets.
eml_analyzer by ninoseki
1-click deploy EML analyzer project. Ninoseki has been updating this recently (has it seriously been 4 years since its initial release?!) and I’ve learned a lot about EML forensics and investigation using this project.
deluder by Warxim
Frida-based Python toolkit to intercept network traffic on “proxy unaware applications.” This tool should be useful in several contexts in malware analysis and detection engineering.
Zack, have you considered migrating over to a platform like Beehiiv? There's been an exodus from Substack for supporting far alt-right newsletters. Just curious as I will not be continuing to subscribe to any newsletters remaining here for much longer, even the ones I truly love like this one. I just can't stomach giving Substack even a small cut of my subscription costs.
Other newsletters like Daniel Miessler's Unsupervised Learning, and Cynthia's Metacurity have made the switch (https://www.metacurity.com/p/metacurity-says-farewell-substack). I do hope you'll consider this.