Welcome to Issue #63 of Detection Engineering Weekly!
This week’s recap:
💎 by Geoff Belknap on the importance of building relationships and influencing others in a security organization, rather than being an enforcer
Page Glave has high hopes for managing security ingest costs, Omer Singer reminds us that MITRE ATT&CK is a lexicon rather than an exhaustive taxonomy, Charles Chi on exploration versus exploitation styles of work, Jonas Bülow Knudsen scares us all with a BloodHound deep dive on Exchange, and Alex Teixeira wows us with Sankey graphs for threat detection
Definite top 10 podcast by Darknet Diaries on security research behind call center scams
Sekoia and CERT OCD deep dive on residential proxy networks, Junestherry Dela Cruz and Peter Girnus on TeamCity exploitation in the wild, the Brutus botnet unveiled by a very annoyed engineer, Tal Folkman, Yehuda Gelb, Jossef Harush Kadouri and Tzachi Zornshtain track a massive supply chain attack against PyPI packages, and SentinelOne researchers Juan Andrés Guerrero-Saade and Tom Hegel discover Russia-linked AcidPour
plus so much more!
Quick programming note:
I’ll be joining Anton Chuvakin and Timothy Peacock on the Google Cloud Security Podcast next week! We’ll be talking detection engineering, cloud security, vendor products... what more could you need? You can see the LinkedIn Live event link below, and I’ll post the episode after our talk!
Register: https://www.linkedin.com/events/7178484625822900224/comments/
💎 Detection Engineering Gem 💎
Social Work, not Law Enforcement by Geoff Belknap
Have you ever read The Phoenix Project? It’s a cautionary, fictional tale about how businesses stuck in the past treat IT operations as a necessary evil and, at times, a crutch rather than a critical component to a successful business. The workplace inside this book is about as toxic as you can get regarding a dysfunctional IT department. What’s even worse? The CISO in this story:
A serial complainer.
A “boy who cried wolf”.
An enforcer who waved a stick that no one thought was dangerous.
I think about that book a lot in relation to my job in security, and posts like this gem help remind me why we are here as security people. Belknap describes how the old security department model involves a team of people enforcing rules and building controls that put people in a box. I’m glad that most security departments try not to do this. Still, just like in The Phoenix Project, they forget everyone else is trying to do their job.
Even if you scope this down to a detection function: are you partnering with analysts, engineers, and incident responders, or are you throwing things over a wall and blaming them when things go wrong, like too many false positives or a runbook that isn’t clear enough?
🔬 State of the Art
Panic At The Ingest by Page Glave
Rightsizing and maintaining your SIEM ingest can be as much an art as it is a science. In this post, Glave explores some of the most pain-inducing questions you have to ask yourself, and maybe your SIEM vendor, when you have a spike in log ingest. Hitting index limits can skyrocket a bill, whether with a vendor or a cloud provider, and security is a cost center, so you don’t want to make it more of a cost center! I like Glave’s recommendations here, and they show that the “engineering” in detection engineering is just as crucial as the catching bad guys part.
Stop Playing MITRE ATT&CK Bingo by Omer Singer
What does it mean to have detection coverage? It’s a complicated question: building coverage against MITRE ATT&CK introduces a selection bias. There are tactics and techniques not on ATT&CK, but many are, right? But how much coverage is good enough per technique? Singer details the tradeoffs of increasing coverage, how it can give your leadership a false sense of security, and ways to reduce this bias.
The Exploration vs. Exploitation Tradeoff: Navigating Life’s Choices by Charles Chi
Chi outlines two machine learning strategies, exploration versus exploitation, in this detection-engineering-adjacent post. Exploration involves taking chances to build new models or explore new types of solutions to problems. The risk is high: this usually fails, but the payoffs can be big if you find or learn something new. Conversely, exploitation involves tuning what you already have to be as efficient as possible, relying on what you know, and squeezing every optimization out of the model.
If you compare and contrast this with detection engineering, you’ll see some applicable techniques. For example, when you onboard new data sources, how much are you relying on a data model or prior knowledge of attacks in that data source versus going through a threat-informed exploration approach and trying new detections altogether? The risk-reward is obvious to detection folks in this example. Still, it’s nice to call out, as you recognize that each approach has its own payout probabilities.
Pwned by the Mail Carrier by Jonas Bülow Knudsen
This pithy blog post is chock-full of Active Directory permission nuance regarding Microsoft Exchange. The content at SpecterOps comes easy to researchers once they run BloodHound: Knudsen loaded up a fresh install of Exchange 2019 in a lab environment, and the permissions graph lit up like a Christmas tree. Knudsen investigates the three different permission models available with an Exchange install and highlights the attack-path risks in all three.
Boost your Security Monitoring reports with Sankey Diagrams by Alex Teixeira
I’ve always had a problem with pie charts. They are deceptive little creatures, and for the most part, whenever someone asks me, “Should I use a pie chart?” my answer is always “No”. So, what’s the alternative, especially when you are trying to apply statistics to threat detection? Sankey Diagrams are the new hotness, and in this post, Teixeira describes why. These diagrams encode data flow and proportionality directly into the graph, so it’s easier for humans to understand and differentiate each data source and sink.
He also neatly visualizes multiple-step Sankey diagrams in the sense of Alert → Severity → Final Status to answer “was it an investigation or not?” These powerful types of graph visualizations can help your colleagues and stakeholders align quickly with your findings, and I’m sure there is a manager somewhere (including myself!) who drools over cool diagrams.
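An added example, not code from Teixeira's post, of the data shaping behind such a diagram: it turns a constructed sample of alert outcomes into the node/link table any Sankey renderer consumes (the Alert → Severity → Final Status chain from the post), and checks that every middle node passes on exactly what it receives, since an alert still missing a final status shows up as an imbalance that would make the widths misrepresent proportions.

```python
from collections import Counter

# Constructed sample of alert outcomes, not data from the post:
# (alert name, triage severity, final status). The last record is an open
# alert with no final status yet.
ALERTS = [
    ("Suspicious PowerShell", "High", "True Positive"),
    ("Suspicious PowerShell", "High", "False Positive"),
    ("Suspicious PowerShell", "Medium", "False Positive"),
    ("Impossible Travel", "Medium", "Benign Positive"),
    ("Impossible Travel", "Medium", "False Positive"),
    ("Impossible Travel", "Low", "False Positive"),
    ("New Admin Account", "High", "True Positive"),
    ("New Admin Account", "High", "Benign Positive"),
    ("Impossible Travel", "Low"),
]
STAGES = ("alert", "severity", "status")

def build_sankey(records, stages=STAGES):
    """Return (labels, links): labels[i] names node i, links are (src, dst, count).
    Nodes are keyed by (stage, value) so a value reused in two columns is not merged."""
    index = {}
    def node(stage, value):
        return index.setdefault((stage, value), len(index))
    links = Counter()
    for rec in records:
        for i in range(min(len(rec), len(stages)) - 1):
            links[(node(stages[i], rec[i]), node(stages[i + 1], rec[i + 1]))] += 1
    labels = [f"{stage}: {value}" for stage, value in index]
    return labels, [(s, d, n) for (s, d), n in sorted(links.items())]

def flow_balance(labels, links):
    """Every middle node must pass on exactly what it receives; a dropped count
    (an alert with no final status) makes the rendered widths mislead."""
    inflow, outflow = Counter(), Counter()
    for s, d, n in links:
        outflow[s] += n
        inflow[d] += n
    return {labels[i]: inflow[i] == outflow[i]
            for i in range(len(labels)) if inflow[i] and outflow[i]}

if __name__ == "__main__":
    labels, links = build_sankey(ALERTS)
    for s, d, n in links:
        print(f"{labels[s]} -> {labels[d]}: {n}")
    print(flow_balance(labels, links))
```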
🎙️ Detection Engineering Podcasts
Slow few weeks for detection podcasts, so of course, when a new Darknet Diaries drops, I get excited! In this episode, Jack interviews Jim Browning, a YouTuber who does security research against scam call centers. He’s got some wild stories in here, including getting access to a call center’s CCTV system and calling into it to see who’s answering the phone.
☣️ Threat Landscape
Unveiling the depths of Residential Proxies providers - Sekoia.io Blog by Amaury G., Livia Tibirna, Grégoire Clermont and CERT OCD - World Watch team
This blog post is a fantastic deep dive into residential proxy providers, which are (in this newsletter author's humble opinion) greyware offerings that muddy the waters of detection in numerous ways. The basic premise behind these offerings is that you can purchase IP addresses to proxy traffic for all sorts of things, and many of these companies say you should use them for legitimate purposes only. However, KYC can differ significantly between them, and actors get access to victims' residential IP addresses, enabling everything from account takeover to fraud and even nation-state activity.
TeamCity Vulnerability Exploits Lead to Jasmin Ransomware, Other Malware Types by Junestherry Dela Cruz and Peter Girnus
Tell me if you have heard this story before: a PoC gets dropped for an N-day vulnerability, and threat actors deploy open-source malware on vulnerable devices within a day. According to Trend Micro researchers Dela Cruz and Girnus, actors quickly weaponized the PoC to deploy Jasmin ransomware, crypto miners, and some other open-source malware. I sometimes wonder how boring this field of Internet-wide N-day exploitation would be if we threw everything behind a VPN. Then I realized VPNs also stink at security, so I just cried into my hands instead and moved on.
The Brutus Botnet by An Annoyed Engineer
Speaking of residential proxies, I'm seeing posts like this one by An Annoyed Engineer on some massive credential-stuffing campaigns rotating from non-traditional IPs. Whenever I see "non-traditional" in blogs, my residential proxy senses tingle. The peculiar thing about "Brutus" is that it uses many username combinations that have not been observed in data breach dumps in the past, so it could indicate the usage of a significant, undisclosed breach or combo list in the cybercriminal ecosystem.
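An added example (my own, not from the Brutus write-up) of how the two traits called out above can be turned into detection logic over constructed auth log lines: failed logins spread thinly across many source IPs, each making only a couple of attempts, against usernames that do not appear in a previously seen breach list. The log format and the "known breached" set are both constructed stand-ins.

```python
import re
from collections import defaultdict

# Constructed auth log sample in a made-up format; not data from the blog post.
# Pattern: many different usernames, each tried once or twice, from many IPs,
# plus one noisy IP hammering a single account (a different detection).
SAMPLE_LOG = """\
2024-03-25T10:00:01Z auth failure user=alice.m src=203.0.113.10
2024-03-25T10:00:03Z auth failure user=bob.k src=198.51.100.7
2024-03-25T10:00:04Z auth failure user=carol.z src=192.0.2.44
2024-03-25T10:00:06Z auth failure user=dan.q src=203.0.113.11
2024-03-25T10:00:09Z auth failure user=erin.v src=198.51.100.8
2024-03-25T10:00:10Z auth failure user=alice.m src=203.0.113.10
2024-03-25T10:00:12Z auth failure user=frank src=10.0.0.5
2024-03-25T10:00:15Z auth failure user=frank src=10.0.0.5
2024-03-25T10:00:16Z auth failure user=frank src=10.0.0.5
2024-03-25T10:00:20Z auth success user=frank src=10.0.0.5
"""
# Constructed stand-in for a feed of usernames already seen in breach dumps.
KNOWN_BREACHED = {"alice.m", "frank"}

LINE = re.compile(r"auth (?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+)")

def parse(log):
    """Turn raw lines into dicts; lines that do not match the format are ignored."""
    return [m.groupdict() for m in map(LINE.search, log.splitlines()) if m]

def stuffing_profile(events, known_breached, max_attempts_per_ip=2):
    """Profile failed logins the way a distributed stuffing campaign looks: many
    usernames spread thinly over many sources, mostly absent from breach dumps."""
    attempts = defaultdict(int)
    users_by_ip = defaultdict(set)
    for e in events:
        if e["result"] != "failure":
            continue
        attempts[e["src"]] += 1
        users_by_ip[e["src"]].add(e["user"])
    thin_ips = {ip for ip, n in attempts.items() if n <= max_attempts_per_ip}
    campaign_users = set().union(*(users_by_ip[ip] for ip in thin_ips))
    unseen = campaign_users - known_breached
    return {
        "thin_source_ips": len(thin_ips),
        "campaign_users": len(campaign_users),
        "unseen_user_share": round(len(unseen) / len(campaign_users), 2) if campaign_users else 0.0,
        "noisy_ips": sorted(ip for ip in attempts if ip not in thin_ips),
    }

def is_distributed_stuffing(profile, min_ips=5, min_unseen_share=0.5):
    """Alert when enough thin sources hit enough unfamiliar usernames."""
    return profile["thin_source_ips"] >= min_ips and profile["unseen_user_share"] >= min_unseen_share
```

The thresholds are placeholders; in practice they are tuned per tenant, and the noisy_ips list feeds a separate single-source brute-force rule.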
Over 170K Users Affected by Attack Using Fake Python Infrastructure by Tal Folkman, Yehuda Gelb, Jossef Harush Kadouri and Tzachi Zornshtain
Can we freak out about open-source supply chain attacks yet? And I'm not talking about super complicated scenarios where someone steals a signing key and can commit something malicious to sigstore; I'm worried about scenarios like the above. I'm most concerned by account takeovers of contributors who maintain packages for hundreds of thousands of users. This scenario is the first time I've seen attackers leverage a typo-squatted registry to hide malicious packages, so they are starting to understand the nuance of the open-source supply chain ecosystem more and more.
AcidPour | New Embedded Wiper Variant of AcidRain Appears in Ukraine by Juan Andrés Guerrero-Saade and Tom Hegel
SentinelOne researchers uncovered a variant of AcidRain, a malware family used during the Russian invasion of Ukraine to wipe satellite modems. AcidPour targets Linux devices, but their analysis couldn't determine which devices specifically. What they did find is that the developers compiled AcidPour for x86 and that it was most likely built to destroy data on embedded systems.
🔗 Open Source
bincapz by chainguard-dev
This binary analysis toolset leverages a combination of fragment analysis and YARA rules to triage binaries for malware analysis quickly. The devs framed the usefulness of this tool by saying it's a great "first-step" analysis of an unknown binary, similar to "strings". It has a diff-mode that lets you analyze changes in binaries to find potential supply chain attacks, which I think is pretty clever.
OCD_WorldWatch_Ransomware-ecosystem-map.pdf by cert-orangecyberdefense
The good folks at CERT Orange Cyberdefense published their latest ransomware ecosystem map. It includes 2024 mappings and lineage, as well as some law enforcement takedown notes, which is especially relevant for LockBit/ALPHV.
azurenum by SySS-Research
Python-based Azure enumeration tool that uses only the standard library to enumerate all kinds of Entra ID goodies. You just need valid Azure credentials and a Python runtime to get started.
reverser_ai by mrphrazer
Binary Ninja plugin that uses locally hosted LLMs to assist with reverse engineering tasks. It looks like the core feature is leveraging an LLM to read decompiler output and rename a function to something more human-readable, which is super helpful in itself.
bad-opsec by jermanuts
Fun collection of in-the-wild examples of bad operational security. I had to laugh at a few of these because we have so much OPSEC knowledge at our fingertips, but hubris or ignorance typically interfere with these operations and then they get found out.