Det. Eng. Weekly #70 - It's hot detection summer
Good vibes and low false positives πββοΈπββοΈ
Welcome to Issue #70 of Detection Engineering Weekly!
Iβm in the greatest city in the world this week hanging out with the research and detection engineering teams here at Datadog. Itβs so cool to see how much this field has grown, and how as an org, weβve adopted (and led) so many different efforts to bring threat detection into our internal security and our customers.
Datadog has somewhat of a sticker secondary market, and we managed to put βHackermanβ and βDatadogβ together to make Hackerdog:
Iβll be taking a train to Washington DC for Sleuthcon on Thursday and presenting my talk on Financial Crime in the Cloud. Excited to see some amazing content from a TON of people Iβve featured on this newsletter.
βͺ Did you miss the previous issues? I'm sure you wouldn't, but JUST in case:
π Detection Engineering Gem π
The Analyst vs The Engineer by David Burkett
In my career, I've interviewed hundreds of candidates and reviewed thousands of resumes. When I am on a call with a candidate, one of the first questions I ask is, "What's your security origin story?" The basic premise behind the question is that our profession is unique in terms of the paths into it: for a doctor, you go to medical school; for a welder, you go to welding school. However, for a security person, no "security" schoolΒ gatekeepsΒ who enters and who does not.
This blog post by David helps demystify one of the many tropes in security: you should operate the equipment before you should secure it. The whole point of security is that its participants come from a massive range of backgrounds and disciplines, and it comes down to the mentality and willingness to learn rather than pure experience in anything.
On the other hand, telling someone they cannot be a security engineer (or detection engineer!) because they didn't write production-grade software before is also a slippery slope. Does it help? Yes. Can it be trained? Also, yes. As long as you have the support structures to do so, it's a mentality thing. Here's my favorite quote:
The point isnβt that engineers canβt make good analysts or vice versa. In fact, the most skilled cybersecurity professionals often excel in both areas.
π¬ State of the Art
Examining the Deception infrastructure in place behind code.microsoft.com by Ross Bevington
Infosec Twitter ruins the day yet again! Suppose you've ever seenΒ code.microsoft.comΒ in your logs or intel feeds. In that case, you may have noticed exploit traffic or temporary attacker infrastructure taking advantage of the dangling subdomain.Β ThisΒ was originally a vulnerability, but the Microsoft team built a honeypot instead of fixing it.Β
In this post, Bevington outlines the peculiar history of the subdomain, some of the exploit traffic they've seen over the years, and the unfortunate discovery by infosec Twitter that it's a honeypot, resulting in its shutdown.
The Crucial Test of Security Leadership: A-grades vs. Pass/Fail by Phil Venables
Itβs rare to find security content focused on the leadership component of running a security team versus the technical posts most of the community reads. Venables is a long-time leader in the space, and itβs cool to see his thought process behind leadership, and how it can be applied to my day to day as a leader, but also as a follower and individual contributor.
Security people are professionally paranoid - which can lead to rabbit holes and making things perfect before moving onto the next thing. This leads to burnout and wasting time, since not everything can be perfect. So whatβs the balance? Venables calls these A-Grade vs Pass/Fail solutions. The question you should ask yourself is: does this solution fit the need, and can it get by on that? If yes, then great, D for degree! But, if you need something that truly looks and feels like an βAβ project, make sure it aligns with your prioritizations as an organization then go forth and conquer.
Part 1 : Threat Detection Engineering and Incident Response with AuditD and Sentinel by Truvis Thornton
Iβm excited to see more Linux threat detection content! I featured Thorntonβs blog previously on setting up Auditd in Sentinel here, and it looks like they started a multi-part series diving deep into auditd threat detection. Thornton starts with a hypothesis: malware droppers tend to leverage the /tmp
directory for executing binaries. In production systems, though, this can get tricky since /tmp
is leveraged for all kinds of operating system functionality. Assuming you donβt restrict executions there, you can leverage auditd to monitor for interesting events and alert on malicious script and binary executions. Sentinel has some powerful querying capabilities, and it looks like a great toolset for Linux threat detection.
YARA is dead, long live YARA-X by Victor M. Alvarez
A new version of YARA dropped! YARA-X is a complete rewrite of the core YARA tool in Rust. According to Alvarez, much of this rewrite stemmed from the limitations of maintaining a "medium-sized"Β project in C. Still, Rust offered several advantages in terms of language primitives that require way more effort in C.Β There'sΒ a prettier CLI, which is mostly compatible with existing YARA, and it has a lot of speed gains that will make it easier to use, especially if you are running this at scale.
What is a Threat Cluster? by thesilence
I've always wanted to read a prescriptive playbook on group "threat clusters." Luckily, this blog helps out with that! Suppose you read "clustering"Β blogs from Microsoft, Mandiant, or Crowdstrike in theΒ bigΒ intel firm space. In that case, you might notice numbered threat groups that these firms observed but need more information on. I think UNC groups from Mandiant are the most well-known example. So,Β thesilenceΒ helps uncover some of these clustering techniques using Synapse.Β It gives a playbook onΒ how to add and tagΒ a cluster so you can return to it later when you observe more activity.
ποΈ Detection Engineering Podcasts
This is an amazing podcast by the folks at Mandiant, who describe how they analyze 0-day exploits in edge devices. Many of their initial assessments in customer environments help them group threat activity, but the interesting part, in my opinion, is how after the vulnerability is disclosed, there's follow-on activity that makes it hard to do more analysis.
"LinkedIn"Β scale is quite a massive, well, scale! The company that brought us one of the most performant message queues, Kafka, leverages it for its threat detection program. It wasΒ coolΒ to hear how Bollinger and his team solve threat detection issues. The especially interesting part is how they are trying to solve log source onboarding from dev teams.Β It'sΒ a clever use of LLMs to suggest log formats toΒ devs onboardingΒ onto their system.
β£οΈ Threat Landscape
Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID by Daniel Stepanic and Samir Bousseaden
ThisΒ is aΒ pithyΒ breakdown of recent LATRODECTUS samples from the Elastic research team. It's definitely not as easy to say as ICEDID, but the researchers break down the infection chain by the new malware strain and note that it might be a more attractive replacement since Qbot and ICEID were recently taken down. AnΒ interestingΒ part, in particular, is that there's functionality to execute ICEDID payloads.
Detecting Compromise of CVE-2024-3400 on Palo Alto Networks GlobalProtect Devices by Volexity Threat Research
This post follows Volexity's disclosure of CVE-2024-3400 last month. Several updates here include observations from incidents they worked with clients on. You can tell that some of these threat actors read our blogs: as soon as their disclosure went out, exploit activity increased from some of the clusters performing the 0-day exploit. There are some excellent detection opportunity snippets in the various log sourcesΒ there, so it's cool to seeΒ edge device threat detection opportunities.
SD1672 | IMPORTANT NOTICE: Rockwell Automation Reiterates Customer Guidance to Disconnect Devices from the Internet to Protect from Cyber Threats by Rockwell Automation
It'sΒ been 0 days since a vendor provided guidance to disconnect their device from the Internet to prevent exploitation. I find it interesting that appliance companies have to do this kind of P/R cleanup because their security is so bad that theyΒ can't...Β I don't know, patch it?Β They also recommend that you just shouldn't connect any of their devices, ever, to the Internet to prevent exploitation. Ugh.
Hunting Black Bastaβs Cobalt Strike by Intel-Ops
There are lots of threat clustering blogs and content this week! Intel-Ops pulls apart the CISA Advisory onΒ BlackBastaΒ in this post and studies the associated IoCs to create cluster groups.Β It'sΒ cool to see how you can find overlaps pretty quickly once you start this exercise, youΒ need a sound methodology and data store. They find three distinct clusters within the report and
Springtail: New Linux Backdoor Added to Toolkit by Symantec
The Symantec research team found a variant of the GoBear backdoor, allegedly built by Kimsuky (DPRK), but with a focus on Linux. I've always found it funny how muchΒ harderΒ (IMHO) it is to perform persistence on Linux systems. It may be because it's much more platform-dependent based on the distro, or in many cases, it's NOT backward compatible like Windows NT technologies. Still, they build persistence like the rest of us.Β Crontab and malicious system servicesΒ - it feelsΒ like red-teaming CCDC all over again!
π Open Source
bash_tls by gh2o
A pretty wild pure Bash implementation of modern TLS 1.2. Clone, run it and pass in a website and itβll make an HTTPS request to your target website. I like the commitment to do this ALL in shell scripting!
AFFiNE by toeverything
Fully open-source alternative to Notion and other knowledge bases. If you like taking notes during your detection ideation or analysis tasks, but donβt want to put your data in someone elseβs cloud who will probably build a model on it, this looks like a great alternative.
awrbacs by lobuhi
AWACS for RBAC (with a sick AWACs picture in the README) allows users to test and audit permissions in Kubernetes. It focuses on CRUD permissions, so basically, impersonate a user, and try to see if you can find risky attack paths or configurations afterward.
yara-x by VirusTotal
Huge release by the YARA team! I linked the release blog post in State of the Art above, but this is the new Rust codebase for YARA. They have some helpful links to help users write rules using YARA-X (with some minor differences). It looks like YARA-X is much more performant in several situations with regular expressions, so you can write your non-performant rules and not worry about it anymore!
rigging by dreadnode
LLM interaction framework that makes it a bit easier to programatically leverage LLMs. Itβs kind of like an ORM for LLMs, and it looks like they abstract away a ton of the API call logic and backends for different models.