Det. Eng. Weekly #67 - Droppin' my NIST NVD diss track
🎵 NIST's analysis missing in action, left CVEs hangin’ like a bad connection 🎵
Welcome to Issue #67 of Detection Engineering Weekly! This newsletter focuses on the emerging field of Detection Engineering. Detection Engineers are the culmination of years of work in the threat detection space, with heavy emphasis on software engineering and modern devops practices.
If you are a first time reader, welcome! If you are a returning subscriber, thank you so much for your patronage.
Coming to RSA? Come find me for some stickers!
I’ll be in San Francisco next week and I am looking forward to meeting up with friends, old and new! If you see me, make sure to say hi and grab some Detection Engineering Weekly stickers. I have some holographic ones :D I’ll be happy to chat about everything security, threat detection, and conferences, and I’m on the hunt for some great food in the city.
⏪ Did you miss the previous issues? I'm sure you wouldn't, but JUST in case:
💎 Detection Engineering Gem 💎
The CTI Mindset & The CTI Function – Stranded on Pylos by Joe Slowik
Ever read a job description, get excited, and then get furious as you look at the skills the firm asks for? If you haven’t, you won’t be able to get the CTI job Slowik posts here unless you understand the fundamentals of plane and solid geometry (sic).
In this post, Slowik reverse engineers the growing “scope creep” of the CTI job landscape and, honestly, of security jobs in general. He questions the necessity of this job given the firm’s headcount and mission set and then gives recommendations to firms, big and small, about applying the “CTI mindset” to any job in security, not just CTI jobs. He calls out the conflation of a function with a person: CTI is better understood as an intangible fabric woven through your security operations than as a single role.
I hope readers can relate to this through the lens of Detection Engineering. To me, a sound detection engineer has this CTI mindset: they review what is happening in the threat landscape, apply their knowledge and expertise, find the correct stakeholders to get the telemetry they need, and then decide whether to build a detection. Do you need someone else to do that for you? Maybe, but I think most detection engineers can benefit from the “mindset” that Slowik discusses here. Here’s my favorite quote:
If we fundamentally view CTI as a decision support function, improving the ability of individuals to make choices in information-limited and resource-constrained circumstances, having a dedicated analyst is a luxury but having CTI-informed processes is a necessity.
🔬 State of the Art
ATT&CK v15 Brings the Action: Upgraded Detections, New Analytic Format, & Cross-Domain Adversary Insights by Amy L. Robertson
The ATT&CK team released v15 of the ATT&CK Matrix, and there’s lots of good stuff in it! As I said in my UniCon talk, ATT&CK is THE model for threat detection. It has its faults, but all models are wrong, some are useful. They added an “Artificial Intelligence” technique under “Obtain Capabilities”, and it’s harrowing to think about how the baddies are smashing their heads against a keyboard to get LLMs to do nefarious things. I suggest giving the release blog and notes a read-over and contributing, if possible!
Implementing a Modern Detection Engineering Workflow (Part 2) and Implementing a Modern Detection Engineering Workflow (Part 3) by Dan Lussier
Part 2 and Part 3 of Lussier’s blog on Detection Engineering Workflow are out! I posted Part 1 as a gem in the last issue, and these two blogs continue building out rules in CI/CD, testing and validating them, suggesting changes, and updating them in Chronicle.
In part 2, you can see how Lussier implements the Detection Framework (forked from Palantir), ideates around rules via GitHub issues, validates their syntax, tests them, and deploys them into “production.”
In part 3, you can see the detection engineering lifecycle working as a flywheel: make changes, get them approved, and then kick off separate workflows to update the rule in production. There’s also a clever use of “reference lists” for exclusions in detection generation.
Demystifying the Process: Threat Detection Engineering Interviews by Julie Agnes Sparks
Note, Julie is my colleague at Datadog!
This is a great post if you are trying to prepare for threat detection and response interviews! Julie provides readers with her notes on her month-long endeavor of finding her next job, which includes interview structures, what to study based on the job type, and her decision criteria. It’s cool how she included the most important step for any interviewing panel: the interviewee interviewing the company.
JA4T: TCP Fingerprinting by John Althouse
In this post, Althouse delves into passive TCP fingerprinting using the newly released JA4T library. If you are familiar with JARM and JA3S, this is an upgraded framework with all kinds of goodies to help you fingerprint traffic. If you are unfamiliar with TCP, Althouse goes into deep detail on how it works at the operating system level and then compares and contrasts JA4T with other fingerprinting tools.
I love this tool because it’s open-source. Passive fingerprinting helps defenders in general, and it gives threat hunters and detection engineers a value to pivot on when identifying unwanted traffic.
NVD Program Announcement UPDATED - April, 25th 2024 by NIST
NIST provides an update on their NVD vulnerability update woes. Basically, the government organization can’t keep up with the number of vulnerabilities to analyze anymore. So, in February, they just... stopped analyzing them. Two months later, they posted an update that they would only analyze “the most significant vulnerabilities” and work with inter-agency partners to develop a better solution.
🎙️ Detection Engineering Podcasts
My talk from UniCon is live! Feel free to watch it. The premise behind the talk is “Detection Engineering Trends.” I leveraged the 1.5 years of doing this newsletter to give five trends to conferencegoers. I tried shouting out a bunch of researchers who were featured in this newsletter!
Patrick Gray of the Risky Biz crew launched a new podcast series with Chris Krebs (former CISA & Microsoft) and Alex Stamos (former Facebook). In this episode, the crew broke down the latest XZ vulnerability and compared the hegemony of US tech to Chinese tech. They also dunk a little bit on Microsoft in light of the latest CSRB report.
In this Detection at Scale episode, Josh Liburdi joins Jack Naglieri to discuss how the Brex team rolled out its own security analytics pipeline. I’ve linked Substation before, but Liburdi goes into much more detail on the design decisions of their program and how they use Substation to execute it. I like how Liburdi talks about shifting enrichment and query cost before data hits the SIEM to make the SIEM “dumb.”
☣️ Threat Landscape
ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices by Cisco Talos
Cya later, Palo Alto, my new favorite N-days are CVE-2024-20353 and CVE-2024-20359 on Cisco ASA! This is a particularly harrowing tale of Nation State activity because, as of the writing of this newsletter, the Cisco team has not figured out the Initial Access Method (a pre-auth exploit) that Storm-1849 used to gain access to ASA devices. The two CVEs disclosed here mostly concern persistence on ASA devices once infected.
UAC-0133 (Sandworm) plans for cyber sabotage at almost 20 critical infrastructure facilities in Ukraine by Simone Kraus
Simone Kraus does readers a solid and translates the latest Ukrainian CERT advisory on Sandworm into English. The focus of Kraus’ article, and that of the advisory, is on two backdoors: Kapeka and QUEUESEED. Luckily, CERT-UA disrupted this campaign and released a ton of technical indicators to help ICS operators hunt for the published hashes. This is the craziest quote from the advisory:
CERT-UA assumes that unauthorized access to ICS for a significant number of heat, water and energy supply facilities should have been used to enhance the effect of missile strikes on infrastructure facilities in Ukraine in the spring of 2024.
JFrog research discovers coordinated attacks on Docker Hub that planted millions of malicious repositories by Andrey Polkovnichenko, Brian Moussalli and Shachar Menashe
JFrog researchers uncover a massive campaign by malware and phishing site actors targeting Docker Hub through the metadata fields of repositories. They found close to 5 million repositories on Dockerhub that contained no images but instead had content in their overview pages that directed folks off of Dockerhub. One Dockerhub repository had a spam page for prescription medication. I sometimes marvel at how far ahead of the curve spammers are in delivering maliciousness to our inboxes or Dockerhub pages.
Assessing the Y, and How, of the XZ Utils incident by Kaspersky
It feels like the XZ backdoor was years ago, but it's been just over a month! The Kaspersky team revisited the attribution notes from different folks' disclosures on the identity of Jia Tan and their accomplices. It is incredible that we have enough data on this incident to put together a timeline, especially the malicious commit plot linked halfway through the post, which was cool.
Hacker jailed for blackmailing therapy patients by Joe Tidy
A Finnish cybercriminal just earned a jail sentence for his breach of a psychotherapy clinic. The messed-up part here: it's not just the breach that he got in trouble for, but also using the breach data to contact victim patients and blackmail them, threatening to release their notes. The actor stole 33,000 people's confidential notes from their therapy sessions. According to the BBC, this was the biggest criminal case in Finland's history.
🔗 Open Source
aws-scps-for-sandbox-and-training-accounts by welldone-cloud
This repo is a collection of service control policies that you can apply to AWS accounts to prevent misconfigurations, reduce long-term financial cost and modify specific resources in IAM. The primary use is for sandbox accounts, but it’s cool to see the release of SCP projects like this to understand hygienic IAM setups.
poutine by boostsecurityio
You’ve heard of cloud security posture management, but what about CI/CD posture management? Poutine scans CI workflows in GitHub and GitLab to identify misconfigurations and provide recommendations for patching up your pipelines. I imagine running this on a detection-as-code pipeline might be relevant for lots of readers here!
messypoutine by boostsecurityio
Don’t believe that poutine can help scan misconfigured CI/CD pipelines? Well, check out messypoutine - a GitHub organization with several repositories that have intentionally misconfigured pipelines. I like the idea of this “CTF GitHub org”: you submit flags via GitHub’s private vulnerability reporting UI.
AHHHZURE by gladstomych
This issue is full of lab and GOAT environments to test all kinds of detections in both the threat and misconfiguration space! AHHHZURE is a deployment script that sets up a vulnerable Azure tenant for researchers to play with. There are 5 flags to find, and it is free to run as long as you turn it off within 30 days.
MasterParser by securityjoes
A brand-new log parsing and forensics tool for Linux logs, written in PowerShell. It currently parses only auth.log, but the output is pretty and I’ve always enjoyed PowerShell formatting way more than anything in bash.
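To show what a detection engineer wants out of an auth.log parser like this, here is an added example that is not MasterParser’s code (and not in PowerShell): it turns a few constructed auth.log lines into structured events, then aggregates SSH password failures per source and flags sources over an assumed threshold of 5 failures. The sample lines, hostnames and addresses are made up for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample auth.log lines in the traditional syslog layout (not real data).
SAMPLE_AUTH_LOG = """\
Apr 26 08:01:12 web01 sshd[1021]: Failed password for invalid user admin from 198.51.100.23 port 51234 ssh2
Apr 26 08:01:15 web01 sshd[1021]: Failed password for invalid user admin from 198.51.100.23 port 51236 ssh2
Apr 26 08:01:19 web01 sshd[1023]: Failed password for root from 198.51.100.23 port 51240 ssh2
Apr 26 08:01:22 web01 sshd[1025]: Failed password for root from 198.51.100.23 port 51244 ssh2
Apr 26 08:02:03 web01 sshd[1030]: Accepted publickey for deploy from 203.0.113.7 port 40022 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT
Apr 26 08:03:40 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Apr 26 08:04:10 web01 sshd[1040]: Failed password for root from 198.51.100.23 port 51250 ssh2
Apr 26 08:05:00 web01 CRON[1050]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# Syslog header: "Mon DD HH:MM:SS host program[pid]: message" (pid is optional, e.g. for sudo).
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[A-Za-z0-9_./-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
SSH_FAILED_RE = re.compile(
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)
SSH_ACCEPTED_RE = re.compile(
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)
SUDO_RE = re.compile(
    r"^(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)


def parse_line(line):
    """Parse one auth.log line into an event dict, or None if it is not syslog-shaped."""
    m = HEADER_RE.match(line.rstrip("\n"))
    if not m:
        return None
    event = {"ts": m["ts"], "host": m["host"], "proc": m["proc"], "pid": m["pid"], "event": "other"}
    msg = m["msg"].strip()  # sudo pads its message with leading spaces
    if m["proc"] == "sshd":
        f = SSH_FAILED_RE.search(msg)
        if f:
            event.update(event="ssh_failed", user=f["user"], ip=f["ip"],
                         port=int(f["port"]), invalid_user=bool(f["invalid"]))
            return event
        a = SSH_ACCEPTED_RE.search(msg)
        if a:
            event.update(event="ssh_accepted", user=a["user"], ip=a["ip"],
                         port=int(a["port"]), method=a["method"])
            return event
    elif m["proc"] == "sudo":
        s = SUDO_RE.match(msg)
        if s:
            event.update(event="sudo", user=s["user"], pwd=s["pwd"],
                         target=s["target"], cmd=s["cmd"])
            return event
    event["msg"] = msg  # anything else is kept raw so nothing is silently dropped
    return event


def parse_auth_log(text):
    """Parse a whole auth.log body, skipping lines that do not match the syslog header."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def failed_logins_by_source(events):
    """Count SSH password failures per source address."""
    return Counter(e["ip"] for e in events if e["event"] == "ssh_failed")


def failed_users_by_source(events):
    """Per source address, count which usernames were tried (shows spraying vs. targeting)."""
    users = defaultdict(Counter)
    for e in events:
        if e["event"] == "ssh_failed":
            users[e["ip"]][e["user"]] += 1
    return users


def brute_force_sources(events, threshold=5):
    """Sources with at least `threshold` failures (assumed value; tune to your environment)."""
    return sorted(ip for ip, n in failed_logins_by_source(events).items() if n >= threshold)


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_AUTH_LOG)
    print(f"{len(evs)} events parsed")
    for ip, n in failed_logins_by_source(evs).items():
        print(f"{ip}: {n} failed logins, users tried: {dict(failed_users_by_source(evs)[ip])}")
    print("flagged sources:", brute_force_sources(evs))
```

The "other" bucket is deliberate: a parser that only emits the events it recognises hides coverage gaps, so unknown lines are kept with their raw message and can be counted to see what the parser is still missing.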