Det. Eng. Weekly #89 - My AWS bill is like a fleet of buses for a rally
Unpaid. I forgot to pay my $9.00 AWS bill.
Welcome to Issue #89 of Detection Engineering Weekly!
I’ll be heading to the greatest city in the world, New York City, next week to do some Datadog things. Expect a regularly scheduled newsletter, but perhaps with pictures of me drinking a coffee in our cafeteria with a scenic view of Manhattan :).
⏪ Did you miss the previous issues? I'm sure you wouldn't, but JUST in case:
💎 Detection Engineering Gem 💎
If I had to give advice to any aspiring security engineer, or really to myself much earlier in my career, it would boil down to: “learn how to prioritize.” Humans stink at absolute measurements. I talked about this at length for alert severity calculations here. Still, the same is true for other parts of security. For detection-adjacent folks, it’s alert queues; for our developer counterparts and vulnerability management heroes, it’s vulnerability patching.
The idea behind systems like CVSS and EPSS is computed scores that you can sort and take from the top, so to speak. The problem with both is that they are missing context: threat actors aren’t logical beings, and things we may think should be important to them may not be, or we may miss a key data point (such as exposure on the Internet) that they latch onto.
Berthoty explores this context problem at length within two buckets: vulnerability intelligence and environmental context. Is SSH a critical service exposed on millions of hosts on the Internet? Is there an 8.1 CVE out for it with a PoC? Both, yes, but if the PoC is difficult to use, as in the case of regreSSHion, or you don’t have publicly exposed SSH servers, you can significantly reduce the urgency of patching.
This problem is detection-engineering-adjacent because you want to supplement the threat and environmental context with good inventory management and detection coverage. If a patch is missing but you can enable “more noise” on the assets exposed to a significant vulnerability, and absorb that cost while the patch is being rolled out, your detection team becomes more than an alert factory: it becomes a business enabler.
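To make the context argument concrete, here is an added example of a context-aware priority ranking in Python. It is not Berthoty's method or any tool's scoring: the multipliers, the PoC usability categories and the three sample findings (placeholder CVE ids) are all constructed assumptions, chosen only to show how Internet exposure, PoC usability and existing detection coverage can reorder a queue that a plain CVSS sort would get wrong.

```python
"""Context-aware vulnerability prioritisation (added example, not Berthoty's method).

A plain CVSS or EPSS sort ignores context.  This ranks findings by scaling the
published scores with the context the newsletter calls out: Internet exposure,
how usable the public PoC is, and whether compensating detection coverage is
already in place.  Every weight and every sample finding below is a constructed
assumption chosen for illustration, not a calibrated model.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Finding:
    cve: str                  # constructed placeholder ids, not real CVEs
    asset: str
    cvss: float               # CVSS base score, 0-10
    epss: float               # EPSS probability of exploitation, 0-1
    internet_exposed: bool
    poc: str                  # "none", "unreliable" (e.g. a race condition) or "reliable"
    detection_coverage: bool  # do we already alert on exploitation against this asset?


# Assumed multipliers: an unreliable PoC barely moves urgency, a weaponised one does.
POC_FACTOR = {"none": 0.5, "unreliable": 0.8, "reliable": 1.3}
EXPOSED_FACTOR = 1.5
INTERNAL_FACTOR = 0.6
COVERED_FACTOR = 0.8   # "more noise" on the asset buys time while the patch rolls out


def priority(f: Finding) -> float:
    """Combine CVSS, EPSS and environmental context into one sortable number."""
    if not 0.0 <= f.cvss <= 10.0 or not 0.0 <= f.epss <= 1.0:
        raise ValueError(f"out-of-range score for {f.cve}")
    score = f.cvss * (0.5 + f.epss)   # EPSS scales CVSS between 0.5x and 1.5x
    score *= POC_FACTOR[f.poc]
    score *= EXPOSED_FACTOR if f.internet_exposed else INTERNAL_FACTOR
    if f.detection_coverage:
        score *= COVERED_FACTOR
    return score


def rank(findings: List[Finding]) -> List[Tuple[str, float]]:
    """Highest priority first: the queue you 'take from the top'."""
    return sorted(((f.cve, priority(f)) for f in findings),
                  key=lambda t: t[1], reverse=True)


# Constructed sample findings.
SAMPLE = [
    # High CVSS SSH bug, but the host is not Internet-facing, the only PoC is a
    # flaky race, and we already have detections on the box.
    Finding("CVE-0000-0001", "bastion-ssh", 8.1, 0.20, False, "unreliable", True),
    # Lower CVSS, but Internet-facing, high EPSS, reliable PoC, nothing watching it.
    Finding("CVE-0000-0002", "public-web-app", 7.5, 0.90, True, "reliable", False),
    # Critical CVSS on an internal database with no public PoC and low EPSS.
    Finding("CVE-0000-0003", "internal-db", 9.8, 0.05, False, "none", False),
]

if __name__ == "__main__":
    for cve, score in rank(SAMPLE):
        print(f"{cve}: {score:.2f}")
```

Sorting the same three findings by CVSS alone would put the 9.8 internal database first; with exposure, PoC usability and coverage folded in, the 7.5 on the public web application comes out well ahead of it.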
🔬 State of the Art
Open Sourcing Venator by Adel Karimi
I linked Venator in last week’s issue but missed the launch post. Sorry, Adel!
Venator is an open-source threat detection service that leverages native Kubernetes primitives (CronJob) and Helm so you can quickly build, deploy, and maintain detection rules. The idea behind it is to remove rule building's reliance on a SIEM and prevent vendor lock-in. The cool part about Venator, IMHO, is the observability context on detection rule health, separate from detection quality: did the rules run at all, did any jobs fail, did a connection to a sink fail?
It ships with several configurable connectors, a DevOps-first approach, and a neat LLM integration to run correlations between rule outputs.
What Makes a “Good” Detection? by Dylan Williams
Measuring detection health is an art and a science. It’s an art in that, at the end of the day, the consumers of your detections can qualitatively tell you whether the alerts you generate give them pain. Did you provide enough context, threat intel enrichment or environmental enrichment? Is it just a terribly documented rule with a confusing name or description? Analysts and detection engineers should yearn for quantitative measurements: MTTR, MTTD, false-positive and true-positive ratios, all good barometers for health. But are these the only two buckets? Pain and something in statistics?
Enter Dylan’s blog post on a multi-dimensional approach to measuring detection fidelity. He hypothesizes that you should have both qualitative and quantitative measurements because they are helpful! Inspired by Claude Shannon, Dylan developed an algorithm to assign weights to 5 different areas of detection quality, and each area contains a formula itself or relies on an LLM to judge the quality. These numbers are multiplied to give a score, which you can use for detection quality.
I wanted to see more on how exactly the LLM-based evaluations worked. For example, Analytic Robustness has LLMs leveraging MITRE’s Summiting the Pyramid model, so you have a general idea of how to compute it. Still, the next sub-criteria, detection logic quality, only has “LLM-based eval” marked underneath it.
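As an added example (not Dylan's code or his exact dimensions), the block below computes the quantitative measures named above, precision, MTTD and MTTR, from constructed triage records for one rule, then folds them together with two constructed qualitative ratings using a weighted geometric mean, a multiplicative scheme in the spirit of the post. The five dimension names, their weights and the time budgets used for normalisation are assumptions.

```python
"""Measuring detection health: an added example, not Dylan Williams' scoring model.

Quantitative signals (precision, MTTD, MTTR) are computed from constructed alert
records for one rule; qualitative signals (here: analyst ratings of documentation
and enrichment, standing in for the LLM judgements the post uses) are supplied as
0-1 numbers.  The dimensions, weights and normalisation budgets are assumptions
chosen to show the mechanics of a multiplicative score, not the post's formula.
"""
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Dict, List


@dataclass(frozen=True)
class Alert:
    event_time: datetime   # when the malicious activity actually happened
    alert_time: datetime   # when the rule fired
    closed_time: datetime  # when an analyst closed the alert
    true_positive: bool


def _minutes(a: datetime, b: datetime) -> float:
    return (b - a).total_seconds() / 60.0


def mttd_minutes(alerts: List[Alert]) -> float:
    """Mean time to detect: event to alert, over every alert the rule raised."""
    return mean(_minutes(a.event_time, a.alert_time) for a in alerts)


def mttr_minutes(alerts: List[Alert]) -> float:
    """Mean time to respond: alert to close, over true positives only."""
    return mean(_minutes(a.alert_time, a.closed_time) for a in alerts if a.true_positive)


def precision(alerts: List[Alert]) -> float:
    """True-positive ratio: the share of fired alerts that were real."""
    return sum(a.true_positive for a in alerts) / len(alerts)


def timeliness(minutes: float, budget: float) -> float:
    """Map a duration onto 0-1: instant is 1, at or beyond the budget is 0."""
    return max(0.0, 1.0 - minutes / budget)


def fidelity_score(dimensions: Dict[str, float], weights: Dict[str, float]) -> float:
    """Weighted geometric mean: prod(d_i ** w_i), weights summing to 1.

    Multiplying rather than adding means a rule that scores zero on any one
    dimension (say, it never produced a true positive) scores zero overall.
    """
    if set(dimensions) != set(weights) or abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("dimensions and weights must match and weights must sum to 1")
    score = 1.0
    for name, value in dimensions.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{name} must be normalised to 0-1")
        score *= value ** weights[name]
    return score


# Assumed dimensions, weights and budgets.
WEIGHTS = {"precision": 0.3, "detect": 0.2, "respond": 0.2,
           "documentation": 0.15, "enrichment": 0.15}
DETECT_BUDGET_MIN = 60.0
RESPOND_BUDGET_MIN = 120.0


def score_rule(alerts: List[Alert], qualitative: Dict[str, float]) -> float:
    """Quantitative dimensions from the records, qualitative ones supplied by reviewers."""
    dims = {
        "precision": precision(alerts),
        "detect": timeliness(mttd_minutes(alerts), DETECT_BUDGET_MIN),
        "respond": timeliness(mttr_minutes(alerts), RESPOND_BUDGET_MIN),
        **qualitative,
    }
    return fidelity_score(dims, WEIGHTS)


def _t(hhmm: str) -> datetime:
    return datetime(2024, 10, 14, int(hhmm[:2]), int(hhmm[3:]))


# Constructed triage records for one rule over a single day.
SAMPLE_ALERTS = [
    Alert(_t("10:00"), _t("10:05"), _t("10:35"), True),
    Alert(_t("11:00"), _t("11:15"), _t("11:25"), False),
    Alert(_t("12:00"), _t("12:10"), _t("13:10"), True),
    Alert(_t("13:00"), _t("13:02"), _t("13:12"), False),
]
# Constructed analyst ratings standing in for the qualitative / LLM-judged dimensions.
SAMPLE_QUALITATIVE = {"documentation": 0.9, "enrichment": 0.7}

if __name__ == "__main__":
    print(f"MTTD {mttd_minutes(SAMPLE_ALERTS):.0f} min, MTTR {mttr_minutes(SAMPLE_ALERTS):.0f} min, "
          f"precision {precision(SAMPLE_ALERTS):.2f}, score {score_rule(SAMPLE_ALERTS, SAMPLE_QUALITATIVE):.3f}")
```

The geometric mean is the design choice worth noting: with an additive weighted sum, a rule with excellent documentation and zero true positives still scores reasonably well, whereas here any dimension at zero drags the whole score to zero, which is usually what you want a "fidelity" number to do.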
Not all types of MFA are created equal... by Andrew A, NCSC
The NCSC published new guidance surrounding MFA usage for cloud-based corporate services. They specifically quoted the recent Snowflake customer incident story, which makes sense given that Snowflake itself was not breached, but the database company's customer tenants were. Their recommended type list shouldn’t be too surprising. Still, it was a hell of a time for folks to even hop on the 2FA bandwagon. Now, we have to discuss FIDO2 and authentication apps as the new standard, so I imagine that adoption curve will take a long time.
Bypassing noexec and executing arbitrary binaries by Messede Degod
This is a writeup for a neat fileless execution technique on Linux systems. It assumes you already have access to a target system, but you are essentially jailed into a read-only or noexec filesystem. With some clever Bash tricks, you can make a syscall directly from Bash and pipe an executable into its address space. Degod posts a one-liner for doing this, but luckily gives a breakdown of the command in 8 simple steps!
Essentially, there are three commands: create a file descriptor in the currently running process, create the file descriptor, and an obfuscated way to download the remote binary: fork and wait, copy the binary over, and overwrite the .text segment inside Bash with the shellcode. Voilà, execution! Degod provides some Perl and PHP versions towards the end as well.
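From the defender's side, the useful question is what this technique looks like in telemetry. The block below is an added example, not code from Degod's post or from the memexec repository listed under Open Source further down; it assumes the write into the running shell's address space goes through /proc/<pid>/mem (the usual userland way to modify a mapping without ptrace), and it runs a simple heuristic over constructed, simplified open() records rather than any real sensor's format.

```python
"""Detection heuristic for in-memory execution via a shell's own address space.

Added example; not from Degod's write-up or the memexec project.  It assumes the
technique's write into the running process lands through /proc/<pid>/mem; the
telemetry records below are a constructed, simplified JSON shape, not the output
of any particular sensor.
"""
import json
import re
from typing import Dict, List, Optional

MEM_PATH = re.compile(r"^/proc/(?P<target>\d+|self)/mem$")
WRITE_FLAGS = {"O_WRONLY", "O_RDWR"}
SHELLS = {"bash", "sh", "dash", "zsh"}


def classify(event: Dict) -> Optional[Dict]:
    """Return an alert dict if this open() event writes into a process's memory, else None.

    A shell opening its own /proc/self/mem for writing has almost no benign use and
    is rated high; a separate process writing into another's memory is rated medium,
    because debuggers and some tooling do that legitimately.
    """
    if event.get("syscall") not in ("open", "openat"):
        return None
    m = MEM_PATH.match(event.get("path", ""))
    if not m or not (set(event.get("flags", [])) & WRITE_FLAGS):
        return None  # reads of /proc/<pid>/mem (e.g. a debugger) are not flagged
    target = m.group("target")
    self_write = target == "self" or int(target) == event["pid"]
    severity = "high" if self_write and event.get("comm") in SHELLS else "medium"
    return {"pid": event["pid"], "comm": event.get("comm"), "target": target,
            "severity": severity, "self_write": self_write}


def detect(lines: List[str]) -> List[Dict]:
    """Run the heuristic over JSON-lines telemetry and collect alerts."""
    alerts = []
    for line in lines:
        alert = classify(json.loads(line))
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample telemetry (not real sensor output).
SAMPLE_EVENTS = [
    '{"pid": 4242, "comm": "bash", "syscall": "openat", "path": "/proc/self/mem", "flags": ["O_RDWR"]}',
    '{"pid": 4242, "comm": "bash", "syscall": "openat", "path": "/proc/self/maps", "flags": ["O_RDONLY"]}',
    '{"pid": 5151, "comm": "gdb", "syscall": "openat", "path": "/proc/3030/mem", "flags": ["O_RDONLY"]}',
    '{"pid": 6060, "comm": "dd", "syscall": "openat", "path": "/proc/4242/mem", "flags": ["O_WRONLY"]}',
    '{"pid": 7070, "comm": "cat", "syscall": "openat", "path": "/etc/hosts", "flags": ["O_RDONLY"]}',
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a)
```

Only the two write opens fire: the shell writing to its own memory is high, and the coreutil writing into another pid's memory is medium. For the medium case, correlate with the target process's comm and parent chain (is the target itself a shell, is the writer its child?) before paging anyone, since debuggers produce the same open() shape.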
Palo Alto Expedition: From N-Day to Full Compromise by Zach Hanley
Password-reset-as-a-service vulnerability strikes again, this time with Palo Alto Networks Expedition. It’s as bad as it sounds: hit a publicly available endpoint and reset the admin user password to paloalto. Lol.
Hanley took this CVE as a challenge and moved deeper into the Expedition source code, using grep as one of the first super hax0r elite tools! I love posts like this because they give a peek into the methodologies behind vulnerability research, and many of these methodologies go hand in hand with detection engineering. Hanley found 3 other vulnerabilities for RCE and post-exploitation, so nice work there.
🎙️ Detection Engineering Media
This podcast focuses on a recent UN report on the use of Telegram in organized crime. Note I didn't just say cybercrime, but criminals in general. It's sad, and the amount of money flowing through Telegram as a platform is astonishing.
Jon DiMaggio joins Click Here for a short but sweet episode on the "Guarantor" system in the cybercriminal underground. The TL;DR is that reputation matters when you want to operate in the criminal underground. A crude but effective example is criminals buying drugs from a reliable source and not from a scammer or someone who dangerously "cuts" the drugs with other illicit substances. The same thing happens on forums like Exploit and XSS, and DiMaggio visits an example with Lockbitsupp on how they got kicked out of the trusted circles.
☣️ Threat Landscape
Influence and cyber operations: an update (PDF) by OpenAI
OpenAI's quarterly threat report just dropped, and the focus of this report revolves around AI-generated content for disrupting elections. Leveraging LLMs to generate social media comments and fan the flames in public conversations is a very effective use of the OpenAI tools. To no one's surprise, X is a big beneficiary of this type of content, but luckily the folks at OpenAI are catching these actors and disrupting them along the way.
Ukrainian National Pleads Guilty to “Raccoon Infostealer” Cybercrime by U.S. Department of Justice
Raccoon Infostealer author Mark Sokolovsky pleaded guilty to his role in developing and distributing the malware strain. It's cool seeing the name-and-shaming of these malware authors, and I find it hilarious that they get picked up in beautiful countries like Italy. I wonder if Mark was on vacation when he got nabbed.
Unit 42 researchers give updates on the latest shenanigans with North Korean-aligned threat actors, this time with a focus on Contagious Interview. This is a wild concept to me - you are a resource-strapped, fascist country that is sanctioned throughout the world, and so you need a way to fund the government and essentially keep the country alive. So you do, as any logical group in that situation does, target crypto developers and funnel their wallet contents back to their mother country.
Burning Zero Days: Suspected Nation-State Adversary Targets Ivanti CSA by Faisal Abdul Malik Qureshi, John Simmons, Jared Betts, Luca Pugliese, Trent Healy, Ken Evans and Robert Reyes
Publicly accessible PHP frontends on edge devices, what could go wrong? Fortinet researchers discovered two unknown 0-days affecting Ivanti CSA's frontend software while on an IR engagement. The team found two vulnerabilities, one path traversal and one command injection, leading to a payload that extracts database credentials and backup files.
Some other clever and funny parts in this post are abusing the command injection vulnerability via a call to tripwire and the threat actor patching the system to avoid additional compromises so they can be the king of the castle.
🔗 Open Source
dll-proxy-generator by namazso
Takes an arbitrary DLL and generates a proxy, user-defined DLL. Probably useful for trampolining between functions on a vulnerable DLL.
pwnlook by amjcyber
Post-exploitation toolkit for the Outlook desktop application. For whenever you land on an on-prem host not connected to M365, you can use this to list all kinds of fun stuff in a target inbox and download and exfiltrate attachments.
memexec by hackerschoice
GitHub repo for the memexec Bash trickery I listed above in State of the Art. Perl, Bash, and PHP versions are available.
CSPTPlayground by doyensec
Client-side path traversal is a way to manipulate file paths for client applications that can allow information disclosure, XSS and CSRF. This is a “GOAT”-style lab of sorts, where you can play with a vulnerable application and try different flavors of this vulnerability in an easy-to-use Docker container.