Det. Eng. Weekly #62 - Say the words, Bart Simpson, CISSP, MBA!
*sighs* Security businesses exist only to maximize shareholder value *cue laugh track*
Welcome to Issue #62 of Detection Engineering Weekly!
Programming Note:
🇫🇷 I will be visiting the Datadog Paris office next week, and to stay focused, I’ll be skipping a week of the newsletter. So, no newsletter issue for March 20!
This week’s recap:
💎 Are We Helping? by Jackson T challenges our brain signaling and need for self-preservation when it comes to security tooling, red teaming and security products. Honestly, one of my favorite reads of this year so far.
Harrison Pomeroy goes deep on detection maturity frameworks and provides an interesting dive into detection technology and strategy maturity; neonprimetime brings us through a story where a detection engineer defies adversity (and it kind of reads like a journal entry?); Jason Killam and Tess Mishoe from Red Canary explore file telemetry and all the wonderful detections it can bring us; and Andi Ahmeti from Permiso launches CloudGrappler and simplifies detection on control plane logs in AWS & Azure.
Podcasts: Mark Galeotti on Russian criminal organizations, and the folks at DISCARDED giving listeners a deeper understanding of network threat detection.
CISA gets pwned, Microsoft is still pwned, Jacob Baines improves PoCs for a Confluence RCE (but provides detection opportunities, so we're cool with them), the Hunt.io team discovers a DPRK Kimsuky actor's open directory of malware and intel, and Stefano Chierici reminds me why crypto was a mistake with an interesting Web3 botnet.
⏪ Did you miss the previous issues? I'm sure you wouldn't, but JUST in case:
💎 Detection Engineering Gem 💎
Are We Helping? by Jackson T
This sobering blog challenges the core beliefs of security operations, red teaming, and the security market. I appreciate how they start by discussing the perverse incentives behind security research, especially red-teaming, which skew any real semblance of a motivated adversary. Jackson lays out how positive externalities (that is, rewards tend to bring more rewards) are damaging to defense in firms and national security, because we tend to focus on maximizing capital via our personal careers and the lifetime of firms, and adversaries tend to exploit this phenomenon.
They then blow this up into the security market and vendors as a whole, in which I am a cog, since I work for a product company. I'm unsure if the author is indirectly quoting or citing the Friedman doctrine. Still, the sole purpose of business is to maximize shareholder value, and this has been the underpinning of business since 1970. This was also one of the first things I learned in business school, and how it really skews reality in terms of social responsibility.
There are so many memorable quotes in this piece. I read this part several times:
Will your choices maximize capital in a way that unwittingly furthers the interests of adversaries that undermine national security? Or will your choices help further the viability and cohesion of free and open societies—even when it’s the harder thing to do?
What is your north star?
🔬 State of the Art
Assessing a Detection Engineering Program for Maturity by Harrison Pomeroy
In this post, Pomeroy explores a deeper integration of Haider Dost's Threat Detection Maturity Framework and Kyle Bailey's Detection Engineering Maturity Matrix, with a prescriptive way to evaluate detection program maturity. They outline maturity within the three core buckets of any maturity model (ad hoc, organized, and optimized) but split the program out into technology and strategy. Pomeroy takes some of the x-axis categories from Dost's and Bailey's frameworks, such as Processes, and then splits them further into subsections.
For example, under Processes, what does it mean to have "detection management"? Writing detections in a standardized way, monitoring their health, creating a lifecycle, or... all of this? You can tell they spent the time mapping out everything, and luckily for us, they provided an Excel sheet to help add/remove/change whatever you need. The most interesting tidbit at the end is that Pomeroy recommends surveying your organization and getting their take on the maturity of each one of these components.
Detection Engineering stages of maturity: A Story by neonprimetime
Where the Pomeroy post above in this issue talks about detection maturity from a prescriptive point of view, neonprimetime's blog on the subject talks about it from a descriptive, chaotic, storytelling point of view. I got the impression that neonprimetime lived the life of an overworked detection engineer. I kept a small journal of musings on "in the life of..." topics for our field and then translated it to this blog. Give it a read and see if you can map some of the issues listed here to the gem above!
Better know a data source: Files by Jason Killam and Tess Mishoe
This blog helps answer a tremendous technical interview question: "What data sources can provide insights on file changes?" The answer can probably go as deep as the O.G. "What happens when you type Google.com in a search bar?" So, the Red Canary team explores file-based detections, starting from MITRE's data sources page on Files. They give an example of how techniques from real threats, like Yellow Cockatoo, can be captured and detected.
Introducing CloudGrappler: A powerful Open-Source Threat Detection tool for Cloud Environments by Andi Ahmeti
The good folks at Permiso just open-sourced a robust cloud audit log investigation and forensic tool, with a hilarious banner at the top of the launch blog. This is the first open-source tool I've studied that takes an opinionated view on querying control plane logs in AWS & Azure to detect threats. Lots of threat detection tools & blogs focus on setting up log integrations, turning a big log collector on, and then running a separate tool to query for badness.
If you want something fast, whether it's during an incident or you are experimenting, this is a great tool to get started in cloud threat detection.
🎙️ Detection Engineering Podcasts
This is detection-adjacent, but you should listen to this podcast if you ever wonder how criminal organizations like ransomware crews in Russia operate. It's no surprise that criminal activity is connected to the Kremlin and that the Russian government leverages these connections to impose national objectives. I couldn't help but compare and contrast Galeotti's description of Russian crime with ransomware operations.
This is a super fun listen by Proofpoint's DISCARDED crew on infostealer research. Much like crypto coins, infostealers tend to pop up out of nowhere, and many times, they are direct clones of other popular stealers. It's also a great episode if you want to peek into the world of network-based detection engineering.
☣️ Threat Landscape
CISA forced to take two systems offline last month after Ivanti compromise by Jonathan Greig and Suzanne Smalley
CISA disclosed a breach to several news agencies, and it all stems from our favorite product suite of all time here at Detection Engineering Weekly: Ivanti Appliances. The agency said it found compromises in two Ivanti devices, which were immediately removed, and that the incident was basically contained. It's good to see CISA eating its own dogfood, especially after issuing a directive in January to patch these devices immediately.
Update on Microsoft Actions Following Attack by Nation State Actor Midnight Blizzard by MSRC
The good folks at Microsoft's MSRC found additional data in their previously disclosed Midnight Blizzard breach. According to the organization, the actors found secrets inside e-mails and are actively using those secrets to try to attack environments that hold them. I wonder if they are an E5 customer and can use Microsoft DKM?
Does Confluence Dream of Shells? by Jacob Baines
This post is a deep dive into Confluence's CVE-2023-22527 vulnerability, released in January of this year. Baines reviews several exploit PoCs from well-known repositories, which he has also seen in the wild, and takes the exploit code further. Baines shows that most of these exploit primitives use a class that executes a shell command on the target OS, plus one cheeky one that runs in memory to avoid detection.
He goes even further and installs a module in Confluence that is triggered by a single web request and acts like a web shell, except that, unlike a normal web shell, it never touches the disk. Luckily, he published detection opportunities at the bottom!
Open Directory Exposes Phishing Campaign Targeting Google & Naver Credentials by Hunt.io
Hunt.io unearthed probable North Korean infrastructure and tracked an ongoing campaign targeting cryptocurrency users and hosting phishing sites related to well-known platforms. It served several pieces of malware, hosted the phishing site, and contained chat logs and some other juicy data. The cool part here is how the team picked apart the .htaccess file to reveal all kinds of information on the attacker infra setup.
Cloud Threats deploying Crypto CDN by Stefano Chierici
Where there is crypto, there is crime. The threat research team at Sysdig found a campaign, while monitoring their honeypot infrastructure, that targeted a Web3 "CDN". As a former Fastlyan, even putting "Web3" and "CDN" next to each other makes me cringe. The cool part here is that it shows how cloud environments present opportunities for attackers to launch infrastructure that you wouldn't normally run, and they can do a lot more things than just mine crypto.
🔗 Open Source
DefenderYara by roadwy
Interesting repository of YARA rules extracted from Windows Defender. Kind of goes to show that you should treat detection rules as non-proprietary, since folks will find them, ESPECIALLY if you are running it on their computer.
CloudGrappler by Permiso-io-tools
Link to the CloudGrappler project that I posted above under "State of the Art". Check out ./data/queries.json for some great detection rule examples!
IndicatorOfCanary by HackingLZ
Move over, Indicators of Compromise (IoC); all I care about are Indicators of Canary (IoCs). I've heard from several red teamers that canary tokens do a great job of identifying red team operator activity, so it makes sense to me that there is now anti-canary research. I'm a big believer in any type of research that challenges our assumptions as defenders (so yes, please keep publishing OSTs) to make our defenses better.
SpyGuard by SpyGuard
Interesting open-source fork of Kaspersky's TinyCheck that helps users detect compromise by monitoring network flows. I really like the table of use cases because it shows that folks outside of security (like journalists, NGOs, and victims of stalkerware) need our tools as much as our enterprises do.
scanme by CyberRoute
Open-source port scanner written in Golang. The author says that its intention is not to replace nmap, but to understand on a deeper level how port scanners work. I suggest that everyone who wants to get into security rewrite part of a famous tool, because it gives you a deeper appreciation of the time and effort folks before us put into these tools and techniques.