Det. Eng. Weekly #66 - I sense Sisense breached by the sea shore
Sisense's sensor missense sensed no sensor defense
Welcome to Issue #66 of Detection Engineering Weekly!
This week’s recap:
💎 by Dan Lussier who starts a multi-part blog series on building a Modern Detection Engineering Workflow leveraging some nifty open-source projects
Graham Helton drops a forbidden body of Kubernetes-ATT&CK knowledge, Stefan Puzderca reveals detection opportunities to find and hunt for vulnerable Windows drivers, Adam Goss on exploiting everything you can from technical threat intelligence, Anton Chuvakin and Amine Besson talk testing detections in CI/CD and a doozy of an AWS vulnerability dropped by the magnanimous Nick Frichette
Podcast episodes by the newly minted DFIR Report Podcast by Kostas Tsialemis, and Detection at Scale interviewing Matthew Valites from SAP
Did you like my tongue twister AND word avalanche? Well, you're gonna love this CISA Sisense breach disclosure! Volexity uncovers a Palo Alto 0-day exploited in the wild, Team82 documents a Ukrainian Critical Infrastructure attack against Russia, Hunt.Io finds a unique BlueShell sample and Greg Lesnewich and Crista Giering find some DPRK-aligned email conversations that are more than meets the eye
Programming Note: No newsletter issue next week. See you all on May 1!
💎 Detection Engineering Gem 💎
Implementing a Modern Detection Engineering Workflow (Part 1) by Dan Lussier
In this week's gem, Lussier contributes a guest post to the Google Chronicle blog on how to stand up a detection workflow via detection-as-code. I'm excited to see that this will be a 3-part series. Lussier opens the post by detailing their "Detection Engineering Workflow." It boils down to four pieces: a developer environment (Detection Framework & Lab), a repository where rules get unit tested and linted (Rule Sync, Creation & Testing), a CI/CD workflow (Review, Approve, Deploy) and an end-to-end test harness (Validation Testing).
I'm always a fan of blog posts like this one, where you can see the thought processes and reasoning behind building out something complicated, like a set of detection rules. It allows you to dive a bit deeper into the author's brain and see the pain points along the way. This is the first time I've seen the Ludus project in use as a detection lab "range," so I'll add that to the Open Source links below and clone this for later.
🔬 State of the Art
Kubenomicon by Graham Helton
Throw "nomicon" at the end of anything and it immediately gets cooler, especially if it's marketed as a body of knowledge! This site serves as a wiki and reference for Kubernetes attacks and detection opportunities, and it's mapped across MITRE ATT&CK. Helton also draws inspiration from Microsoft's Kubernetes Threat Matrix. Some techniques, like Writable hostPath Mount, contain Example Attack scenarios for readers to emulate locally.
Strategies to monitor and prevent vulnerable driver attacks by Stefan Puzderca
In this post, Puzderca, a Microsoft DART responder, provides detection opportunities to monitor for and detect LOLdriver attacks. I am happy to see the author reference LOLdrivers in their post because the folks over at the lololfarm put a lot of work into this dataset. The wonderfully terrifying thing about these vulnerable drivers is that they are a) digitally signed with a trusted certificate and b) can be (and have been) abused for all sorts of techniques along the attack chain, like privilege escalation. Puzderca provides threat-hunting queries and several ETW detection opportunities built from the LOLdriver list.
Top 5 Challenges With Indicators and How to Overcome Them by Adam Goss
Technical threat intelligence, which includes indicators of compromise (IoCs), can be a great source of information for detection, hunting, and forensics. Relying only on indicators of compromise has several problems, though, because many of them cost a threat actor almost nothing to change: flipping one bit inside a binary is all it takes to produce a different hash, for example.
Goss reviews some common "gotchas" with indicators and provides recommendations on how to manage the costs of leveraging IoCs.
Testing in Detection Engineering (Part 8) by Anton Chuvakin and Amine Besson
Anton, Timothy & I had a good discussion about CI/CD and detection-as-code on our podcast episode (featured in last week's newsletter). The security discipline needs to stand on the shoulders of giants, as in, we leverage work done by previous security practitioners. Still, I rarely see us look outward to other fields doing fantastic work and bring their giants into security.
In this post, Chuvakin and Besson explore testing detection-as-code pipelines. They may start with unit tests but can quickly move to more notable/sexier terms like "adversary emulation" (integration test, anyone?) and purple teaming. Even the concept of retesting detections to avoid Detection Drift is regression testing in the software world.
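To make the pipeline stages from today's gem and the testing ideas above concrete, here is a small detection-as-code harness. It is an added example, not code from Lussier's, Chuvakin's or Besson's posts; rules are plain Python predicates over Sysmon-style dict events (a constructed stand-in for a real rule language), the sample rule flags a driver load (Sysmon Event ID 6) whose SHA256 is on a constructed placeholder list standing in for LOLDrivers, and each rule carries its own true-positive and benign samples so the lint, unit-test and regression-test (detection drift) stages can run in CI.

```python
"""Detection-as-code test harness (added example): rules are Python predicates over dict
events (a constructed stand-in for a real rule language) and ship with their own samples."""
import re
from dataclasses import dataclass
from typing import Callable
# Constructed placeholder SHA256s standing in for known-vulnerable drivers (not real entries).
VULN_DRIVER_SHA256 = {"a" * 64, "b" * 64}
@dataclass
class Rule:
    name: str
    predicate: Callable[[dict], bool]
    should_match: list      # constructed true-positive events
    should_not_match: list  # constructed benign events

def sha256_from_hashes(field: str) -> str:
    """Sysmon 'Hashes' looks like 'SHA256=...,IMPHASH=...' with algorithms in any order."""
    m = re.search(r"SHA256=([0-9A-Fa-f]{64})", field)
    return m.group(1).lower() if m else ""

def vuln_driver_load(ev: dict) -> bool:
    """Sysmon Event ID 6 (DriverLoad) whose SHA256 is on the vulnerable-driver list."""
    return ev.get("EventID") == 6 and sha256_from_hashes(ev.get("Hashes", "")) in VULN_DRIVER_SHA256

LOLDRIVER_RULE = Rule(
    name="vulnerable_driver_loaded", predicate=vuln_driver_load,
    should_match=[{"EventID": 6, "ImageLoaded": r"C:\Windows\Temp\drv.sys",
                   "Hashes": "MD5=" + "0" * 32 + ",SHA256=" + "A" * 64, "Signed": "true"}],
    should_not_match=[{"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
                       "Hashes": "SHA256=" + "c" * 64, "Signed": "true"},
                      {"EventID": 7, "Hashes": "SHA256=" + "a" * 64}],  # ImageLoad, not a driver
)

def lint(rule: Rule) -> list:
    """Lint stage: a rule must ship with at least one positive and one benign sample."""
    return ([] if rule.should_match else ["missing true-positive sample"]) + \
           ([] if rule.should_not_match else ["missing benign sample"])

def run_tests(rule: Rule) -> list:
    """Unit-test stage: list of (kind, event) failures; empty means the rule passes."""
    failures = [("missed", ev) for ev in rule.should_match if not rule.predicate(ev)]
    failures += [("false_positive", ev) for ev in rule.should_not_match if rule.predicate(ev)]
    return failures

def regression_test(old: Rule, new_predicate) -> list:
    """Drift check: re-run the OLD rule's stored samples against an edited predicate."""
    return run_tests(Rule(old.name, new_predicate, old.should_match, old.should_not_match))

def naive_vuln_driver_load(ev: dict) -> bool:
    """A tempting 'simplification' that assumes the Hashes field always starts with SHA256=."""
    return ev.get("EventID") == 6 and ev.get("Hashes", "")[7:71].lower() in VULN_DRIVER_SHA256
```

The regression stage is what catches drift: the naive rewrite passes a quick manual check on a "SHA256=..." event but silently misses the stored true positive whose Hashes field lists MD5 first.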
Amplified exposure: How AWS flaws made Amplify IAM roles vulnerable to takeover by Nick Frichette
Note, my employer is Datadog, and Nick is my colleague!
I am so excited to see this release! Nick worked super hard on this vulnerability and detection research. When major cloud service providers are "hyperscaling" their offerings, balancing speed against secure design becomes a vital cost metric to consider. In this case, Nick found two vulnerabilities in Amazon's Amplify service (their home-grown IdP) that potentially exposed customers using it. IAM is hard ;)
🎙️ Detection Engineering Podcasts
2-part episode from friends of the newsletter, The DFIR Report! In this podcast, the team breaks down a recent intrusion that went from a OneNote phish, to IcedID, RMM tooling and Cobalt Strike, to ransomware. It's cool hearing the incident responders and analysts who worked on the case provide context and expertise from several areas of security.
This is another great episode of Detection at Scale. Matthew Valites from SAP gives listeners a peek into how his firm manages detection and response playbooks across a large portfolio of companies. Valites' teams deploy a clever strategy: They use several playbooks and enrichment capabilities to provide context to their SOC and responders as they context switch between environments.
☣️ Threat Landscape
Compromise of Sisense Customer Data by CISA
The most significant breach news from last week is the disclosure of the Sisense breach by CISA. According to Brian Krebs' companion article, the attacker gained access to Git and AWS credentials, which were then leveraged to perform exfiltration of buckets that contained customer data. Looking at Sisense's documentation on integrations, you can imagine the kinds of data customers send to Sisense and configure using keys and secrets within their platform.
Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400) by Volexity Threat Research
The Palo Alto vulnerability du jour dropped, and the folks at Volexity caught in-the-wild exploitation of it before the appliance giant caught wind. Volexity found actor activity that exploited a Palo Alto GlobalProtect appliance, dropped a reverse shell, and tried to download several other tools onto the vulnerable device. The clever thing about this reverse shell, UPSTYLE, is that it watches for specific patterns in error logs and executes the commands it finds there. It then wipes the logs and timestomps them to avoid detection.
Unpacking the Blackjack Group's Fuxnet Malware by Team82
According to Team82, a Ukrainian-affiliated group compromised a Russian-based "Industrial Sensor and Monitoring Infrastructure", known as Moscollector. The "Blackjack" group allegedly gained access to several critical infrastructure services, including emergency service numbers, destroying sensors, disabling network appliances, and removing physical access systems like keycards. It's a crazy story to read about due to the physical implications of a cyber attack.
BlueShell: Four Years On, Still A Formidable Threat by Hunt.io Research
The Hunt.io team found a variant of the popular open-source C2 framework BlueShell on VirusTotal. They compared the sample's configured C2 address with a C2 they were already tracking, and pulled apart the sample to see how it differed from the open-source code. They found a peculiar image embedded in the sample that shows a woman from a South Korean company speaking at a company seminar.
I prefer open access to offensive security tools because open-source tools provide plenty of detection opportunities. This blog showcases the benefit of OSTs. We have a good, known source of data (the BlueShell repo), and it was used to analyze a modified version found on VirusTotal and derive additional detections and signatures.
From Social Engineering to DMARC Abuse: TA427’s Art of Information Gathering by Greg Lesnewich and Crista Giering
Proofpoint researchers have tracked DPRK-aligned TA427 interacting with various "policy-wonk" victims to engage in intelligence collection, but not the typical cyber threat-intel-y type. Lesnewich and Giering provide several examples of this actor asking victims pretty specific strategic analysis and policy-focused questions, performing recon on victim organizations potentially for later targeting.
This is the first APT writeup I've read in my 10+ years that doesn't result in an intrusion; rather, it's intelligence collection via developing rapport and having some pleasant conversations!
🔗 Open Source
ludus by badsectorlabs
Ludus was referenced in today's gem above, but this cyber range builder leverages Proxmox to build out all kinds of complex lab environments using YAML. You can use several DevOps tools like Ansible & Packer to roll out your templates too.
SSDT by the2dl
Another GitHub repo referenced in today's gem is SSDT, or "Stupid Simple Detection Testing." It is a Flask-based RCE-as-a-service that helps run commands quickly on a lab box to see what telemetry comes out the other side.
certReport by Squiblydoo
Automated TLS certificate takedown submitter. You provide a hash of the malware, and the tool queries MalwareBazaar to see whether the sample carries an Authenticode certificate. Based on the cert data, it generates a nicely formatted email and gives you the abuse inbox for the service that issued the certificate so you can request a takedown.
awesome-secure-defaults by tldrsec
Yet another awesome-* list provided by friends of the newsletter, Clint Gibler and Rami McCarthy! awesome-secure-defaults contains dozens of references to "secure by default" libraries that can work on everything from Headers, Crypto, HTML sanitization and containers.