Welcome to Issue #81 of Detection Engineering Weekly!
⏪ Did you miss the previous issues? I'm sure you didn't, but JUST in case:
💎 Detection Engineering Gem 💎
A deep dive into Entra ID Identity Protection for Incident Response by Invictus Incident Response
This blog is an incident responder’s view on a detection product from Microsoft: Entra ID Identity Protection. Invictus always brings the receipts when they write blogs like this one: practical advice, detection opportunities, and real-world examples. What I like about the “Identity” layer with threat detection is that it almost always starts at the same place: someone signing in.
From there, you can track the riskiness of that sign-in and see how those heuristics tip the score into a security incident. Other identity compromise scenarios include risky workload identities, which is basically "non-human" accounts (service principals, app registrations) doing things outside the norm. Invictus says they haven't seen as many finding types for non-human identity workload compromise in Azure, but I'm sure they've seen plenty on the AWS side with long-lived access keys.
Here's a key detection detail: your workforce can confirm or deny a detection for you, but that verdict only matters if a policy is wired up to act on it:
During a recent investigation, we encountered a user with a high-risk level. Upon reviewing the user's details, we discovered multiple events, including an instance where an administrator confirmed the user as compromised. However, because no Conditional Access policies were configured, this action did not trigger any automated responses/remediation in the backend.
🔬 State of the Art
Introducing Sigma Specification v2.0 by Nasreddine Bencherchali
All aspiring and current detection engineers should be familiar with Sigma. Full stop! Nas and the SigmaHQ team are doing some more amazing things for the community and recently announced their v2.0 Sigma Specification. With much more flexibility in metadata fields, correlation rules, filters, and a JSON schema, you can write more rules for more scenarios and convert them to your SIEM-du-jour.
I’ll link the Sigma Specification in the Open Source section below!
A new model for understanding extortion groups by Robert Boyce
Another maturity model! It's maturity model month here at Detection Engineering Weekly. On a more serious note, this one is SUPER interesting because it's applied to ransomware group capabilities rather than internal security. Boyce and the Accenture intel team use the model to place ransomware groups on a two-axis graph based on the predictability and stability of each group's operations. The team then does case studies on ALPHV-ng and Qilin to show how they've evolved or devolved over time.
My Methodology to AWS Detection Engineering (Part 1: Object Selection) by Chester Le Bron
When anyone first gets started in threat detection, whether writing rules or consuming alerts, one thing that quickly becomes apparent in a real environment is that some alerts are useful context yet do not, on their own, indicate a breach or attack. Le Bron covers an example of this phenomenon in AWS via the CreateUser event. The problem, IMHO, is that many such alerts are really decorators: they add context alongside several other events rather than standing on their own as a singular, atomic signal.
Luckily, Le Bron offers a practical solution to this alert fatigue scenario: aggregated, risk-based alerts. By pinning each alert to its source entity (the risk_object), you can group every alert on that object within a timeframe, sum the scores, and only investigate once the total exceeds a threshold. Risk objects, or entity-based alerting, are a clever way to reduce triage load, but they do require a ton of tuning based on the context of your environment.
[EN] Confusion Attacks: Exploiting Hidden Semantic Ambiguity in Apache HTTP Server! by Orange Tsai
Web server technology vulnerability GOAT Orange Tsai just dropped research on several vulnerabilities he found in Apache HTTP Server. I've really enjoyed reading Tsai's work over the years: he has a knack for understanding the interoperability of web server technology (think Flask → Nginx or Apache module → Apache module) and finding ways to attack the reliance on those relationships. Here Tsai showcases a new attack type, the "Confusion Attack", which looks somewhat like a confused deputy: several modules each modify the incoming request, and the order in which they do so can be abused.
Shorten your detection engineering feedback loops with Grimoire by Christophe Tafani-Dereeper
** Note, I work at Datadog and Christophe is my colleague **
Grimoire is Christophe's latest contribution to the cloud detection engineering and threat emulation space. Whenever an attacker or detection engineer executes a payload in an AWS environment, it's hard to see exactly which telemetry that payload produced. Jared Atkinson calls this "necessary telemetry": you can't infer the attack occurred unless the right events show up in CloudTrail. Grimoire closes that gap by running the technique and collecting the CloudTrail events it generates, so the mapping from payload to telemetry is recorded rather than guessed.
Using Grimoire, Christophe also updated the Stratus Red Team website with the Detonation logs from each technique. Amazing stuff!
🎙️ Detection Engineering Media
Randy Pargman joins the DISCARDED crew and gives some amazing insights into how Proofpoint research leverages threat intelligence to drive detection engineering and threat hunting. I’ve always thought threat intelligence, when used appropriately, is a force multiplier for detection teams.
Randy also runs DEATHCon, a practitioner-heavy detection engineering conference.
This is not a threat detection podcast, but I highly recommend listening if you are interested in threat intelligence. The fog of war is real, and the latest incursion by Ukrainian forces into the Kursk region of Russia really highlights the information asymmetry between the battlefield and the media.
Galeotti also has a thoughtful segment at the end of the episode, where he comments on how people almost always want a "for sure" answer to any emerging event and do not appreciate the fog of war or uncertainty. The job of an intelligence analyst, whether in physical war or cyber war, is not just to remove uncertainty but to highlight it and bound it so their consumers can understand it.
☣️ Threat Landscape
CyberAv3ngers by Rewards for Justice
The Rewards for Justice program, established by the 1984 "Act to Combat International Terrorism" and administered by the State Department, offers rewards for information leading to the identification or arrest of individuals who target U.S. critical infrastructure in violation of the CFAA. They recently posted a reward for the CyberAv3ngers, publicly naming (and picturing) some of the alleged actors.
It's interesting to read some of these intelligence disclosures in public postings and see the alleged faces of the people who carried out attacks. In this case, the CyberAv3ngers are wanted for carrying out attacks against PLCs in the U.S. with their infamous message:
“You have been hacked, down with Israel. Every equipment ‘made in Israel’ is CyberAv3ngers legal target.”
Iran Targeting 2024 US Election by Clint Watts
I'm both happy and sad reading this report. I'm happy that we've learned a lot since 2016 regarding influence campaigns in U.S. elections. I am sad because some of the examples Microsoft cites are egregious and unethical to the "common citizen" of our country. According to Microsoft, Iran-aligned influence operators have been busy creating fake websites and news organizations on both sides of the political spectrum and trying to target political officials within candidate groups.
Elon Musk Blames DDOS Attack on X for Crashing Trump Interview by Matt Novak
Suspected head of prolific cybercrime groups arrested and extradited by National Crime Agency
It looks like the National Crime Agency, alongside the U.S. Secret Service and FBI, apprehended "J.P. Morgan," a prolific cybercrime actor. The joint investigation is nearly ten years old, and it identified several actors responsible for ransomware strains like Reveton and Ransom Cartel, as well as the Angler exploit kit. Angler reached around 100,000 devices at its peak and had an annual revenue of $34 million USD.
The cybersecurity kids aren’t all right by Aaron Bugal
Unchecked or misunderstood mental health issues are part of the threat landscape, too, y'all. In this post, Sophos researchers, alongside Tech Research Asia, surveyed security professionals on burnout. The results are staggering—eighty-five percent of survey takers declared they had employees who suffered from burnout and fatigue. Lack of resources, day-to-day monotony, and apathy towards their place of work all contributed to burnout.
I appreciate Bugal's section on what needs to happen: many respondents blamed a lack of security culture from senior leaders all the way up to the board level.
🔗 Open Source
PANIX by Aegrah
PANIX is a multi-arch shell script that focuses primarily on persistence techniques on Linux. According to the author, it prioritizes functionality over stealth, so it's a great tool to get your feet wet detecting persistence on Linux systems.
sigma-specification by SigmaHQ
Sigma project’s rule specification repo. This is the 2.0 release link that I linked above.
Maestro by Mayyhem
Post-exploitation tool that leverages Microsoft Intune and Entra ID from a C2 agent. This was launched at DEF CON Demo Labs this year.
BadZure by mvelazc0
Intentionally misconfigured Azure AD tenant builder. It populates the tenant with a diverse set of entities and creates several attack paths via misconfigurations. Great for testing and practicing attack paths on Azure AD.
grimoire by Datadog
GitHub link to Christophe’s grimoire tool linked above in State of the Art.