Det. Eng. Weekly #71 - AI next-gen cloud-based detection data ocean
Branding so good not even Kevin Mandia could leave my company
Welcome to Issue #71 of Detection Engineering Weekly!
I had an amazing time at SLEUTHCON last week! It was a privilege to be around so many like-minded threat intel and research professionals. I’ll make sure to link some talks once the recordings go up on YouTube, but if you have a chance to go, please do!
Some of my favorite memories:
Watching Jono Davis talk on ransomware TTPs in Asia Pacific; about halfway through, the power to the hotel gave out. He did not miss a beat and finished his talk with NO slides or microphone, to a standing ovation
Meeting Allan Liska for the first time and thanking him for his work in the space, so much of which has been featured in this newsletter. He also had a booth at the con showcasing Green Archer Comics, comic books that exclusively feature cybercrime-fighting superheroes. He graciously gave me the first 3 issues of Johnny Dollar, all of which I read on the plane home. He has a Kickstarter for his 4th issue, so please check them out and donate to his Kickstarter!
https://www.kickstarter.com/projects/greenarchercomics/yours-truly-johnny-dollar-4-the-final-battle
Watching John Hultquist, the founder of SLEUTHCON, be an excellent MC and an even better model for the “Miami Vice” vibe at the con
⏪ Did you miss the previous issues? I'm sure you wouldn't, but JUST in case:
💎 Detection Engineering Gem 💎
Utilizing Generative AI and LLMs to Automate Detection Writing by Dylan Williams
Walking around RSA this year, the marketing machine was in full hype mode. Everything was AI, and I couldn't help but laugh, remembering when the "ML" hype reached security operations ~10ish years ago. Something seemed different, though; it wasn't just buzzword bingo: several firms were specific in how they phrased their use of AI and LLMs, and it was refreshing!
In this post, Williams takes a practitioner's approach to generating detection content using LLMs and prompt engineering. It's super pragmatic and really well thought out. I hadn't dived into prompt engineering techniques before, and seeing them applied to the detection engineering realm helped me understand these strategies way more than I would have just by studying them and experimenting with random prompts.
The primary hypothesis behind Williams' approach is to reduce analyst toil. Analysts and engineers incur costs when they have a lot of manual work or research to do: take in intelligence, craft a threat detection strategy focused on behavior, create a rule, generate tests, and see if they pass. I can't wait to see if he releases his D.I.A.N.A. tool!
🔬 State of the Art
Behavior vs. Execution Modality by Jared Atkinson
Jared is back! In this post, Jared helps readers build detection opportunities using his function call stack methodology, applied here to NetSessionEnum. Windows carries several decades of libraries and operating system design, so when you see tools like BloodHound and its data collector, SharpHound, it seems like magic how they collect and graph attack paths. So, how do you build a rule to detect SharpHound's use of NetSessionEnum?
This gets complicated when you plot how this function is leveraged across several attack tools, both native Windows utilities and open-source toolsets. Jared reverses each one and studies the API calls in a disassembler to learn how they function and find detection opportunities for each tool. He differentiates between execution and behavior modalities in these tools, which helped me understand how complicated Windows threat detection can get for even the most seasoned engineer.
Phishing 2.0 – how phishing toolkits are evolving with AitM by Luke Jennings
Adversaries' answer to MFA is the Attacker-in-the-Middle (AitM) phishing toolkit. The basic premise is that the victim is technically viewing the real login page of the target, but it's proxied through the attacker's infrastructure, which sees everything that passes in either direction.
This gets hairy because the proxy relays your credentials and MFA code to the legitimate app, hands the resulting session cookie back to your browser so the login looks normal, and keeps a copy of that cookie for the attacker to use for additional impact. I thought Jennings did a great job of highlighting the landscape of these toolkits and looking at the impact once successful.
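The relay described above leaves a mark in the identity provider's logs: the login is completed from the proxy's origin, the relayed cookie is then used from the victim's browser, and the stolen copy is used again from wherever the operator sits. The following is an added example, not code from Jennings' post; it assumes an IdP audit log (constructed here, with a made-up schema) where every event carries the session identifier issued at login plus source IP and User-Agent, and it tolerates same-/24 IP drift so that carrier NAT does not page anyone.

```python
"""Flag a session cookie used from more than one origin (AitM / token replay).

Added example; not from Luke Jennings' post. Assumes each IdP event carries
session_id, src_ip and ua, and that a legitimate session keeps one user agent
and stays within one /24 (the NAT-tolerance assumption).
"""
import ipaddress
import json
from collections import defaultdict

# Constructed sample IdP audit log (JSON lines); not real telemetry.
# alice: login from a hosting-range IP with a headless UA (the proxy), then the
#        relayed cookie used from her own Windows box, then from a Mac the
#        operator controls. bob: clean. carol: same phone, IP moved within /24.
SAMPLE_AUTH_LOG = r"""
{"ts":"2024-06-01T09:00:00Z","event":"login.mfa_success","user":"alice","session_id":"s-1001","src_ip":"203.0.113.10","ua":"Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/124.0"}
{"ts":"2024-06-01T09:00:02Z","event":"session.activity","user":"alice","session_id":"s-1001","src_ip":"198.51.100.7","ua":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/125.0"}
{"ts":"2024-06-01T09:04:30Z","event":"session.activity","user":"alice","session_id":"s-1001","src_ip":"192.0.2.44","ua":"Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4) Firefox/126.0"}
{"ts":"2024-06-01T09:10:00Z","event":"login.mfa_success","user":"bob","session_id":"s-1002","src_ip":"198.51.100.20","ua":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/125.0"}
{"ts":"2024-06-01T09:12:00Z","event":"session.activity","user":"bob","session_id":"s-1002","src_ip":"198.51.100.20","ua":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/125.0"}
{"ts":"2024-06-01T09:20:00Z","event":"login.mfa_success","user":"carol","session_id":"s-1003","src_ip":"198.51.100.30","ua":"Mozilla/5.0 (iPhone; CPU iPhone OS 17_4) Safari/604.1"}
{"ts":"2024-06-01T09:25:00Z","event":"session.activity","user":"carol","session_id":"s-1003","src_ip":"198.51.100.31","ua":"Mozilla/5.0 (iPhone; CPU iPhone OS 17_4) Safari/604.1"}
"""


def parse_auth_log(text):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def same_network(ip_a, ip_b, prefix=24):
    """Treat two IPs inside one /24 as the same origin (NAT churn tolerance)."""
    net = ipaddress.ip_network(f"{ip_a}/{prefix}", strict=False)
    return ipaddress.ip_address(ip_b) in net


def detect_token_replay(events):
    """Return one alert per session whose cookie was used from an origin that
    does not match the origin that completed the MFA login."""
    login_origin = {}              # session_id -> (ip, ua) that passed MFA
    origins = defaultdict(list)    # session_id -> distinct (ip, ua) pairs seen
    user_of = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        sid = e["session_id"]
        user_of[sid] = e["user"]
        if e["event"] == "login.mfa_success":
            login_origin[sid] = (e["src_ip"], e["ua"])
        if (e["src_ip"], e["ua"]) not in origins[sid]:
            origins[sid].append((e["src_ip"], e["ua"]))

    alerts = []
    for sid, seen in origins.items():
        if sid not in login_origin:
            continue               # never saw the login: nothing to compare against
        login_ip, login_ua = login_origin[sid]
        foreign = [(ip, ua) for ip, ua in seen
                   if ua != login_ua or not same_network(login_ip, ip)]
        if foreign:
            alerts.append({"session_id": sid, "user": user_of[sid],
                           "login_origin": (login_ip, login_ua),
                           "foreign_origins": foreign})
    return alerts


if __name__ == "__main__":
    for a in detect_token_replay(parse_auth_log(SAMPLE_AUTH_LOG)):
        print(a)
```

The headless User-Agent and hosting-range IP on alice's login are a second, independent signal; enriching the login origin with ASN data and flagging MFA completions from datacenter space is the natural next step, and it catches the case where the operator replays the cookie from the same proxy box so no second origin ever appears.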
Rolling your own Detections as Code with Elastic Security by Mika Ayenson, Kseniia Ignatovych and Justin Ibarra
It's cool to see more security companies highlight wins and open-source their detections as code repositories. Elastic has been an "OG" in this space for years, and this post talks about several enhancements they've made to their detection ecosystem for Elastic security users.
The most interesting portion of this blog is their "Hierarchy and lexicon of concepts" section, where they spell out different approaches to detections-as-code. Do you want your detection repo to be the authoritative source, committing out-of-the-box rules into it, or do you want upstream partners (like Elastic or Sigma) to be the authoritative source and sync their rules down into your repo? Amazing stuff.
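As an added example of the second model (upstream is authoritative, your repo owns only the tuning), and not Elastic's detection-rules tooling or any of its APIs: the sync below copies upstream logic down, re-applies local tuning fields, keeps locally authored rules, retires rules upstream dropped, and flags rules whose upstream logic changed while you had local tuning on them, since that tuning may no longer fit. The rule schema, the tuning-field list and the sample rules are constructed for the demo.

```python
"""Detections-as-code sync with upstream as the authoritative source.

Added example for this issue; not Elastic's tooling. Assumes every rule is a
dict with a stable rule_id, that upstream owns detection logic, and that the
local repo owns only the fields in TUNING_FIELDS.
"""
import hashlib
import json

TUNING_FIELDS = ("enabled", "severity", "exceptions")  # owned by the local repo
META_FIELDS = ("upstream_hash", "origin")               # bookkeeping this script adds


def logic_hash(rule):
    """Hash of everything that is neither local tuning nor bookkeeping."""
    logic = {k: v for k, v in rule.items() if k not in TUNING_FIELDS + META_FIELDS}
    return hashlib.sha256(json.dumps(logic, sort_keys=True).encode()).hexdigest()[:16]


def sync_rules(upstream, local):
    """Merge upstream rules into the local rule set.

    Returns (merged_rules, report); report lists rule_ids that were added,
    updated upstream, retired upstream, or need review (updated AND tuned locally).
    """
    local_by_id = {r["rule_id"]: r for r in local}
    merged = []
    report = {"added": [], "updated": [], "retired": [], "review": []}

    for up in upstream:
        rid = up["rule_id"]
        new = dict(up)                          # upstream logic wins wholesale
        new["origin"] = "upstream"
        new["upstream_hash"] = logic_hash(up)
        loc = local_by_id.pop(rid, None)
        if loc is None:
            report["added"].append(rid)
        else:
            tuned = False
            for field in TUNING_FIELDS:
                if field in loc:                # local tuning overrides upstream defaults
                    new[field] = loc[field]
                    tuned = True
            if loc.get("upstream_hash") != new["upstream_hash"]:
                report["updated"].append(rid)
                if tuned:                       # logic moved under your tuning: re-review
                    report["review"].append(rid)
        merged.append(new)

    for rid, loc in local_by_id.items():        # rules upstream no longer ships
        if loc.get("origin") == "local":
            merged.append(loc)                  # locally authored: keep as-is
        else:
            report["retired"].append(rid)       # surface it; do not silently keep it
    return merged, report


# Constructed sample rule sets (query strings are illustrative, not real rules).
OLD_UPSTREAM_B = {"rule_id": "B", "name": "srvsvc fan-out", "query": "event.code:5145"}
UPSTREAM = [
    {"rule_id": "A", "name": "psexec service", "query": "event.code:7045 and service.name:PSEXESVC"},
    {"rule_id": "B", "name": "srvsvc fan-out", "query": "event.code:5145 and file.target:srvsvc"},
    {"rule_id": "C", "name": "certutil download", "query": "process.name:certutil.exe"},
]
LOCAL = [
    {"rule_id": "A", "name": "psexec service", "query": "event.code:7045 and service.name:PSEXESVC",
     "enabled": False, "origin": "upstream", "upstream_hash": logic_hash(UPSTREAM[0])},
    {"rule_id": "B", "name": "srvsvc fan-out", "query": "event.code:5145",
     "exceptions": ["10.0.0.99"], "origin": "upstream", "upstream_hash": logic_hash(OLD_UPSTREAM_B)},
    {"rule_id": "D", "name": "dropped upstream", "query": "x", "origin": "upstream",
     "upstream_hash": "0000000000000000"},
    {"rule_id": "E", "name": "our own rule", "query": "y", "origin": "local"},
]

if __name__ == "__main__":
    merged, report = sync_rules(UPSTREAM, LOCAL)
    print(json.dumps(report, indent=2))
    for r in merged:
        print(r["rule_id"], r.get("enabled", True), r.get("exceptions", []), r["query"])
```

The review list is the point: rule B's query changed upstream while you carried an exception list against the old version, so the merge keeps both but refuses to pretend the combination was ever tested.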
Non-Production Endpoints as an Attack Surface in AWS by Nick Frichette
It's finally live! My colleague, Nick, released a BANGER of a vulnerability research post on non-production endpoint discovery and exploitation in AWS. The TL;DR here is that the Shared Responsibility Model says, among many other things, that the cloud service provider is responsible for providing accurate, timely and available logging for the services you run and configure. For endpoint folks: imagine ETW on Windows or auditd on Linux.
What if you found a set of API endpoints that changed or interrogated production services, but calls to them didn't get logged? That's where non-production endpoints come into play! I won't spoil it, but it's cool how Nick discovered these endpoints, using a technique from threat intel applied to red teaming.
Why a Non-Technical Background Does Not Prevent You from Succeeding in Cyber Threat Intelligence by Ondra Rojčík
The great thing about security is the diversity of experience and thought. I talk a lot about this with my team and candidates at $DAYJOB: we look to add to our culture, not for someone who is a "culture fit". I've worked with CTOs and Principal Researchers who never went to college, PhDs from completely different fields excelling in security, and those who took the traditional path of a STEM degree into security. Everyone brings something different to the table.
In this post, Rojčík describes how the CTI field can benefit from disciplines like social science. He compares and contrasts how studying the socio-political relationships of threat actors (the Capability/Adversary edge of the Diamond Model) stems from social science, not computer science. He gives several scenarios AND examples of their application where the field can benefit from different sciences.
🎙️ Detection Engineering Podcasts
This was another great episode of Risky Business News, but the interview was what I found the most interesting. After walking around RSA this year, it was evident that every firm was jumping on the AI and LLM train. Eoin Hinchy is the CEO of Tines, and he discussed how Tines navigated the application of LLMs in their product and how some of those navigations just didn't work. It was an honest take that I appreciated listening to.
Andrew Morris and Lauren Proehl join the Microsoft Threat Intel podcast to discuss all things infosec. Products, marketing, and what it means to be a CISO are all discussed, with lots of spicy takes. This is the first time non-Microsoft guests have joined the podcast, and it was a great listen on the way back from SLEUTHCON!
☣️ Threat Landscape
Stark Industries Solutions: An Iron Hammer in the Cloud by Brian Krebs
Residential proxy services and cybercrime: a match made in heaven! Krebs peels back the infrastructure and actors behind Stark Industries in this exposé. This network helps run 100+ VPN and proxy services, almost all of them leveraged by cybercriminals to make their source IP look "legitimate." Krebs finds the "Secretary" of Stark and pivots on publicly available info from his profile to link him to all kinds of accounts on the criminal underground.
Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks by Microsoft Threat Intelligence
Back in my day, when you wanted to pirate a game, you'd have to find a reliable torrent from some sketchy website and hope their GameCrackerNotAVirus.exe was indeed not a virus. Maybe Moonstone Sleet got owned by backdoored video games as well? The MSTIC team released a post on upgrading this actor from a Storm- designation to a full-on APT group. One of their TTPs involves a pretty elaborate setup for an NFT tank game that will run their malware once downloaded.
Treasury Sanctions a Cybercrime Network Associated with the 911 S5 Botnet by U.S. Department of Treasury
I hope the collective "we" are releasing the hounds on res proxy services. The U.S. Department of Treasury announced sanctions against three individuals who ran the "911 S5" residential proxy botnet. They would infect residential devices and route paying customers' traffic through them. This is particularly useful when you want to appear to originate from a legitimate residential IP, and it helps thwart anti-fraud and detection engines.
CVE-2024-23108: Fortinet FortiSIEM 2nd Order Command Injection Deep-Dive by Zach Hanley
Oof. I sometimes look at appliance vulnerabilities and scratch my head in disbelief. I know this field is demanding, but shouldn't you hold yourself to a higher standard of vulnerability hardening if you ship a black box appliance? This CVE is a follow-on to CVE-2023-34992: the injection payload moves from one argument to another, and boom! You get RCE.
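To make the "payload moves to another argument" pattern concrete, here is an added, deliberately generic illustration of second-order command injection; it is not FortiSIEM's code and not the sink from this CVE. One argument gets validated at the point of entry, the record is persisted, and a different, unvalidated argument is later spliced into a shell string when the record is used. The fixed version re-validates at the sink and drops the shell entirely. The "ping" action is replaced by a harmless echo and the store by a dict (both assumptions for the demo) so it runs anywhere with /bin/sh.

```python
"""Second-order command injection: vulnerable pattern beside the fix.

Added, generic illustration for this issue. NOT FortiSIEM code and NOT the
actual sink from CVE-2024-23108. The store is a dict and the action is an
'echo' stand-in for 'ping' so the demo is self-contained.
"""
import os
import re
import subprocess
import tempfile

HOST_STORE = {}                                   # stand-in for a DB table / config file
LOG_DIR = tempfile.mkdtemp(prefix="ping-demo-")   # where the "ping" output lands


def save_host(name, address):
    """Entry point. The address (the argument the first fix covered) is
    validated; the name is persisted without any check at all."""
    if not re.fullmatch(r"[0-9.]{7,15}", address):
        raise ValueError("address must be a dotted quad")
    HOST_STORE[name] = address


def run_check_vulnerable(name):
    """Second-order sink: the stored name comes back out of the store and is
    interpolated into a shell string. Returns whatever the shell printed."""
    cmd = f"echo pinging {HOST_STORE[name]} > {LOG_DIR}/{name}.log"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def run_check_fixed(name):
    """Fix: (1) validate the name at the sink, never trusting the store;
    (2) no shell, argv list only; (3) build the path with os.path so a name
    cannot add redirections or separators. Returns the log file contents."""
    if not NAME_RE.fullmatch(name):
        raise ValueError("invalid host name")
    log_path = os.path.join(LOG_DIR, name + ".log")
    with open(log_path, "w") as fh:
        subprocess.run(["echo", "pinging", HOST_STORE[name]], stdout=fh, check=True)
    with open(log_path) as fh:
        return fh.read()


if __name__ == "__main__":
    save_host("x; echo INJECTED", "192.0.2.1")   # name is the smuggled argument
    print("vulnerable:", run_check_vulnerable("x; echo INJECTED").strip())
    try:
        run_check_fixed("x; echo INJECTED")
    except ValueError as exc:
        print("fixed:", exc)
```

The takeaway for appliance code review is that the sanitizer has to live next to the sink, keyed on what the sink does with the value, not next to whichever parameter the last CVE happened to use.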
BreachForums Resurrected after FBI Seizure by Pierluigi Paganini
To the surprise of no one, ShinyHunters resurrected BreachForums after being taken down by international law enforcement officials. I'm of the ilk that forums like BreachForums are a lot of hype with little substance and can sometimes distract analysts. I know because I used to work on accessing these at previous employers. ShinyHunters allegedly rebuilt the forum, so only time will tell if it's an FBI plant or the real SH.
🔗 Open Source
Security-Risk-Register-Template by firstprinciplesecurity
Template for an information-security focused risk register. I like the depth of this: it’s cool to see different approaches to criticality. I’d find it hard to quantify the “likelihood of threat event initiation”, but if you can nail that with some general threat landscape knowledge from intelligence functions, it can help a ton with prioritization.
CVE-2024-23108 by horizon3ai
Payload & PoC for the FortiSIEM CVE linked above under Threat Landscape.
sudo by Microsoft
Sudo for Windows! It's a "Windows-specific implementation of the sudo concept." I linked a story about its implementation in a previous issue, Issue #58, along with the quick rundown by Tyranid.
no-defender by es3n1n
Pretty wild way to disable Windows Defender by leveraging undocumented Windows Security Center (WSC) APIs. Basically, these are the APIs a third-party antivirus uses to tell Windows it's installed, and once another AV is registered, Defender turns itself off. ¯\_(ツ)_/¯