Det. Eng. Weekly #93 - Does a tangodown 3-peat count after a week off?
I take a week off publishing and a ransomware operator gets arrested, coincidence?
Welcome to Issue #93 of Detection Engineering Weekly!
See you at AWS re:Invent?
I’m glad to be back in the saddle writing for you all! I have a crazy schedule coming up in the next few weeks prepping a talk for AWS re:Invent. If you want to sign up for my session with my colleague Andrew Krug, check out our session details here. If you are attending, I’ll be hanging out around the Datadog booth and taking the slides around the casino, and if you happen to catch me I’ll have Detection Engineering Weekly stickers!
🦋 I’m on BlueSky (and other socials)
I just made a BlueSky profile with a Detection Engineering starter pack. Come join me and other infosec professionals migrating over!
BlueSky: https://bsky.app/profile/techy.detectionengineering.net
Twitter/X: https://twitter.com/techyteachme
⏪ Did you miss the previous issues? I'm sure you wouldn't, but JUST in case:
💎 Detection Engineering Gem 💎
Creating Resilient Detections by Andrew VanVleet
If I asked you to prove the resiliency of your detection rules, how would you answer? I think many people would frame it in terms of precision vs. recall, or brittle vs. broad:
Precise or "brittle" detections catch something specific, such as one Kerberoasting technique, but they can fail to fire when the same technique is executed outside the exact conditions you configured. That framing keeps us inside the threat-detection bubble, though. SRE and software engineering folks have dealt with resiliency for years: "A resilient system is one that can keep functioning in the face of adversity."
In this post, VanVleet approaches detection resiliency from a pure software engineering perspective: if your pipeline of rules, logging, and querying faces adversity, can the system cope? He gives two excellent examples of resiliency problems for SIEMs: delayed log ingestion that causes a scheduled query to miss events that fall inside its time window, and an upstream failure of the API used for enrichment that causes the whole query to fail. SIEMs aren't special; they fail like any other software application, so build resiliency in from the start!
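To show what those two failure modes look like in code, here is an added example (not from VanVleet's post) with a constructed in-memory event store standing in for a SIEM. The "naive" run selects on event time once per interval; the "resilient" run selects on ingest time from a watermark, dedupes on event ID, and wraps the enrichment call so an outage degrades the alert instead of failing the run. The `ingest_time` field, the threat-intel functions and the sample events are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set


@dataclass
class Event:
    event_id: str
    event_time: int    # when the logon happened (epoch seconds)
    ingest_time: int   # when the SIEM made it queryable; can lag event_time badly
    user: str
    src_ip: str


@dataclass
class RunState:
    ingest_watermark: int = 0                      # everything ingested before this was scanned
    alerted: Set[str] = field(default_factory=set) # dedupe across overlapping runs


def is_suspicious(ev: Event) -> bool:
    """Toy detection logic: logon from a non-private source address."""
    return not ev.src_ip.startswith(("10.", "192.168.", "172.16."))


def naive_run(store: List[Event], now: int, interval: int) -> List[str]:
    """Brittle: selects on event_time for the last `interval` seconds.
    An event that is ingested after this run executed is never revisited."""
    window = [e for e in store
              if now - interval <= e.event_time < now and e.ingest_time <= now]
    return [e.event_id for e in window if is_suspicious(e)]


def safe_enrich(ip: str, enrich: Callable[[str], Dict]) -> Dict:
    """Wrap the enrichment dependency so an outage degrades the alert
    (marked unavailable) instead of aborting the whole detection run."""
    try:
        return {"status": "ok", **enrich(ip)}
    except Exception as exc:  # timeout, 5xx, connection reset, bad JSON...
        return {"status": "unavailable", "error": type(exc).__name__}


def resilient_run(store: List[Event], state: RunState, now: int,
                  enrich: Callable[[str], Dict]) -> List[Dict]:
    """Selects on ingest_time from the last watermark, so a late-arriving event
    is picked up by the next run no matter how old its event_time is."""
    fresh = [e for e in store if state.ingest_watermark <= e.ingest_time < now]
    alerts = []
    for e in fresh:
        if not is_suspicious(e) or e.event_id in state.alerted:
            continue
        alerts.append({
            "event_id": e.event_id, "user": e.user, "src_ip": e.src_ip,
            "event_time": e.event_time, "ingest_lag_s": e.ingest_time - e.event_time,
            "enrichment": safe_enrich(e.src_ip, enrich),
        })
        state.alerted.add(e.event_id)
    state.ingest_watermark = now
    return alerts


# Constructed sample: runs execute every T seconds. Event B happened inside run 1's
# window but the collector only delivered it 290 s later, after run 1 had executed.
T = 300
SAMPLE_EVENTS = [
    Event("A", event_time=1000, ingest_time=1005, user="alice", src_ip="10.1.2.3"),
    Event("B", event_time=1100, ingest_time=1390, user="bob",   src_ip="203.0.113.7"),
    Event("C", event_time=1400, ingest_time=1402, user="carol", src_ip="198.51.100.9"),
]


def fake_ti(ip: str) -> Dict:
    """Constructed threat-intel lookup standing in for an HTTP API."""
    return {"asn": "AS64496", "tags": ["tor-exit"] if ip == "203.0.113.7" else []}


def broken_ti(ip: str) -> Dict:
    """Constructed outage: the enrichment service is down."""
    raise ConnectionError("enrichment API returned 503")


def demo(enrich: Callable[[str], Dict] = fake_ti):
    """Run both strategies across two scheduled intervals (now=1300, now=1600)."""
    naive = naive_run(SAMPLE_EVENTS, 1300, T) + naive_run(SAMPLE_EVENTS, 1600, T)
    state = RunState()
    resilient = (resilient_run(SAMPLE_EVENTS, state, 1300, enrich)
                 + resilient_run(SAMPLE_EVENTS, state, 1600, enrich))
    return naive, resilient


if __name__ == "__main__":
    naive_ids, resilient_alerts = demo()
    print("naive alerted on:", naive_ids)                    # B is lost forever
    print("resilient alerted on:", [a["event_id"] for a in resilient_alerts])
    print("with TI outage:", demo(broken_ti)[1][0]["enrichment"])
```

The naive strategy never sees event B: its event time belongs to run 1, but it was not queryable until run 2, whose window no longer covers it. The watermark on ingest time closes that gap at the cost of having to dedupe, which is why the state carries the set of alerted IDs.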
🔬 State of the Art
Anton’s Alert Fatigue: The Study by Anton Chuvakin
Fatigue and burnout are hot topics among security practitioners. Too much work, too little tooling, and high-pressure decision-making create chaos that can quickly burn a brand-new analyst out. So what can we do? Anton tries to answer this question by creating a model around what kind of fatigue plagues SecOps practices.
Much of this boils down to alert labeling issues, and Anton points this out. We tend to think of this as a binary classification problem: is this alert a real incident (True Positive) or not (False Positive)? It's more nuanced than that. It comes down to the cost of visibility and the cost of work.
Everyone's favorite example is impossible travel detections, which Anton addresses in his section on enriched alerts. Do you want impossible travel detections? Yes, probably. Do you want a human to triage every impossible travel alert? Hell no. Instead, enrich: add threat intelligence context on top of the IP address, or, even better, send a Slack message to the user with a 5-minute timer asking, "Is this you?"
Labeling then moves away from a binary prediction problem to a continuous prediction problem: Given the set of all contexts within an alert, what's the cost of triaging it with a human, and can we reduce that cost as much as possible?
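As an added example (not from Anton's post), here is what that enrich-then-ask flow can look like in code: the detector computes the speed implied by two consecutive logons, and the triage step consults threat intel and a user prompt before deciding whether a human needs to look. The geo coordinates, the `ask_user` callback, the threat-intel table and the logon records are constructed stand-ins for a geo-IP service, a Slack bot, a TI API and an identity provider's logs.

```python
import math
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Login:
    user: str
    ts: int        # epoch seconds
    ip: str
    lat: float     # geo already resolved upstream (constructed values below)
    lon: float


MAX_PLAUSIBLE_KMH = 900.0   # roughly airliner speed; faster than this is "impossible"


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points on Earth, in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def implied_speed_kmh(prev: Login, cur: Login) -> float:
    """Speed the user would have needed to travel between the two logons."""
    hours = max(cur.ts - prev.ts, 1) / 3600.0   # clamp so simultaneous logons don't divide by zero
    return haversine_km(prev.lat, prev.lon, cur.lat, cur.lon) / hours


def triage(prev: Login, cur: Login,
           threat_intel: Callable[[str], Dict],
           ask_user: Callable[[str, str], Optional[bool]]) -> Dict:
    """Decide whether an analyst must see this alert.

    Ordering is by cost: automatic context first (TI lookup), then the user
    prompt, and only then a human. `ask_user` returns True/False for the
    user's answer, or None if the 5-minute timer expired with no reply."""
    speed = round(implied_speed_kmh(prev, cur))
    if speed <= MAX_PLAUSIBLE_KMH:
        return {"action": "none", "speed_kmh": speed}
    ctx = threat_intel(cur.ip)
    if ctx.get("corp_vpn_egress"):   # a known VPN exit explains the geo jump
        return {"action": "auto_close", "reason": "corp_vpn", "speed_kmh": speed}
    if ctx.get("malicious"):         # no point asking the user; go straight to a human
        return {"action": "page_analyst", "reason": "malicious_ip", "speed_kmh": speed}
    answer = ask_user(cur.user, cur.ip)
    if answer is True:
        return {"action": "auto_close", "reason": "user_confirmed", "speed_kmh": speed}
    reason = "user_denied" if answer is False else "no_reply"
    return {"action": "page_analyst", "reason": reason, "speed_kmh": speed}


# Constructed sample logons: alice authenticates from New York, then from London
# one hour later; bob moves Boston -> New York over the same hour.
NYC = (40.7128, -74.0060)
LONDON = (51.5074, -0.1278)
BOSTON = (42.3601, -71.0589)
ALICE_PREV = Login("alice", 1700000000, "198.51.100.10", *NYC)
ALICE_CUR = Login("alice", 1700003600, "203.0.113.25", *LONDON)
BOB_PREV = Login("bob", 1700000000, "198.51.100.11", *BOSTON)
BOB_CUR = Login("bob", 1700003600, "198.51.100.12", *NYC)

# Constructed threat-intel table standing in for an API call.
TI_TABLE = {"203.0.113.25": {"corp_vpn_egress": False, "malicious": False}}


def lookup_ti(ip: str) -> Dict:
    return TI_TABLE.get(ip, {})


if __name__ == "__main__":
    said_yes = lambda user, ip: True       # simulate the user clicking "yes, that's me"
    print(triage(BOB_PREV, BOB_CUR, lookup_ti, said_yes))
    print(triage(ALICE_PREV, ALICE_CUR, lookup_ti, said_yes))
```

Every branch that ends in `auto_close` is a triage decision a human did not have to make, which is the cost reduction the section above is talking about; the `reason` field is what lets you audit those automatic decisions later.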
How to create a Detection Engineering Lab — Part 1 & How to create a Detection Engineering Lab — Part 2 by Bastradamus
This is a great two-part post for anyone wanting to start their detection engineering lab using Docker and Digital Ocean. I love posts like these because they make breaking into our field that much easier for folks wanting to start their own detection journey. Part 1 focuses mostly on getting Digital Ocean and Docker set up for an Elastic Stack, and Part 2 is rolling out the Elastic Stack, a local Virtual Machine, and writing your first rule.
Hunting Malicious Shortcut (.LNK) Files Using the VirusTotal API by Manuel Arrieta
This is an extremely technical and precise post on hunting for detection opportunities inside Windows Shortcut (.LNK) files. Arrieta begins the threat hunt with a hypothesis: find LNK files on VirusTotal with AV hits whose targets reach out to the network. Should a Windows shortcut's target be talking to the network? The answer is hell no, and the rest of the post shows why :D.
Arrieta aggregated the Target field from the LNK files' properties and used it to quickly identify shortcuts that launch executables in a living-off-the-land way. After processing those targets and the arguments passed to the binaries, the threat-hunting and rule-writing opportunities jump straight out of the analysis.
ETW Forensics - Why use Event Tracing for Windows over EventLog? by 朝長 秀誠 (Shusei Tomonaga)
Windows has tons of options for security logging and alerting, and Event Tracing for Windows (ETW) remains one of the best out-of-the-box ways to detect and respond. In this post, Tomonaga details the architecture behind ETW, with useful screenshots and examples of accessing ETW configuration on a Windows machine. One helpful tidbit: some ETW providers never write their events to disk. Windows keeps them in an in-memory buffer, so if you are doing incident response on a host with thin logging, you can pull that buffer to recover forensic data.
🎙️ Detection Engineering Media
The last three weeks of episodes from this podcast have been bangers. :) I particularly liked this episode and the subsequent one on Sophos Kernel Implants because they present an ethical dilemma in the security tooling space: when you know someone malicious has your tooling, should you go on the offensive and learn more about them?
Although this episode aired on November 3, it should be canon in the EDR vendor and detection product space. Is it within your rights as a vendor to collect information on a suspected APT using your product?
Jack speaks to the co-founder of an incident response app that started out as a side project at Instacart and is now a full-blown product. I love the parallels Jack and JJ Tang draw between SRE and SecOps incident response. It shows that security practitioners' problems don't exist only in our bubble, and that we can borrow the practices we admire in other fields and bring them into our space.
☣️ Threat Landscape
Phobos Ransomware Administrator Extradited from South Korea to Face Cybercrime Charges by U.S. Department of Justice
The alleged administrator of Phobos Ransomware was picked up by authorities in South Korea and extradited to the U.S. According to the FBI, Phobos hit close to 1,000 entities across the world and extorted more than 16 million dollars from victims. Another win for the threat research and detection community!
CVE-2024-0012 PAN-OS: Authentication Bypass in the Management Web Interface (PAN-SA-2024-0015) by Palo Alto Networks
Where have you heard this type of vulnerability before?
An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities like CVE-2024-9474
Edge network device vendors keep defenders and APTs alike employed!
Fake North Korean IT Worker Linked to BeaverTail Video Conference App Phishing Attack by Unit42
Can you trust sanctioned remote IT workers to simply do their jobs for your company? Maybe, as long as they sign in on time, complete their tickets, and sign off, right? Well, according to Unit42, the same cluster of IT workers now drops malware, an escalation in TTPs for the "Wagemole" cluster linked two weeks ago in this newsletter.
4,000,000 WordPress Sites Using Really Simple Security Free and Pro Versions Affected by Critical Authentication Bypass Vulnerability by István Márton
When I think of supply chain software security, I mostly focus on third-party vendor security (a la SolarWinds) or the open-source ecosystem for package managers like NPM or Python. It's easy to forget that one of the most broadly used technologies for websites in the world, WordPress, has a whole ecosystem in itself and all kinds of security problems. In this post, Márton discloses a critical CVE in a very popular TLS plugin for WordPress that led to full administrative access to websites running the plugin.
Unveiling LIMINAL PANDA: A Closer Look at China's Cyber Threats to the Telecom Sector by CrowdStrike Counter Adversary Operations
There is a lot more news coming out of big shops like CrowdStrike on China-nexus threat actors targeting telecom companies. CrowdStrike wrote about LIMINAL PANDA in October 2021, and it looks like they updated the original blog post with the new attribution. I recommend reading the original post, as it contains IOCs and TTPs.
🔗 Open Source
hyperlight by hyperlight-dev
A new (as in, the last two weeks) virtual machine manager that you can embed in applications. It runs on both Windows and Linux. It seems to be super performant and would be great for building security tooling that runs untrusted code, like a malware sandbox!
TokenCert by nettitude
A C# tool that generates a network logon token from a certificate in a way meant to evade Microsoft Defender for Identity. It is based on research from Synacktiv into certificate-based (PKINIT) Kerberos authentication that sidesteps MDI's detections; nettitude built on that work and found an interesting way of using internal Windows APIs to perform the PKINIT-based logon without tripping detections.
DNS C2 Spec #418 by its-a-feature/Mythic
I've been enjoying diving into GitHub discussion threads lately, and this one from the Mythic C2 project is about using DNS as a C2 channel. You find all kinds of detection opportunities from red teamers; for example, one participant wrote:
A lot of DNS servers (e.g. 8.8.8.8) randomize the case of DNS queries to purposefully break DNS tunnels using base64. An option to use base32 (case insensitive) instead is a must have
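To make that participant's point concrete, here is an added example (not from the Mythic discussion or codebase) that models resolver-side 0x20 case randomization and pushes a base64-encoded and a base32-encoded payload through it. The zone name, the beacon payload and the `should_flip` hook are constructed; a real resolver picks the flipped letters randomly, which you can simulate by driving the hook from a seeded `random.Random` as the demo does.

```python
import base64
import random
from typing import Callable


def randomize_case(qname: str, should_flip: Callable[[int], bool]) -> str:
    """Model of DNS 0x20 case randomization. A resolver may flip the case of
    letters in the query name before forwarding it; the authoritative server
    answers the same (names are case-insensitive) and the resolver checks the
    echoed case to resist cache poisoning. `should_flip(i)` decides whether
    the i-th letter is flipped, so the caller controls the randomness."""
    out, i = [], 0
    for ch in qname:
        if ch.isalpha():
            out.append(ch.swapcase() if should_flip(i) else ch)
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def to_labels(text: str, label_len: int = 63) -> str:
    """Split encoded data into DNS labels of at most 63 octets each."""
    return ".".join(text[i:i + label_len] for i in range(0, len(text), label_len))


# --- agent side: two ways of packing bytes into a query name ----------------
def b64_encode(payload: bytes) -> str:
    # urlsafe alphabet avoids '/' and '+'; padding dropped to keep labels clean
    return to_labels(base64.urlsafe_b64encode(payload).decode().rstrip("="))


def b32_encode(payload: bytes) -> str:
    # base32 alphabet is A-Z and 2-7; tunnels usually emit it lowercase
    return to_labels(base64.b32encode(payload).decode().rstrip("=").lower())


# --- C2 server side: recover bytes from whatever name actually arrived ------
def b64_decode(qname: str) -> bytes:
    s = qname.replace(".", "")
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b32_decode(qname: str) -> bytes:
    s = qname.replace(".", "").upper()      # case carries no information by design
    return base64.b32decode(s + "=" * (-len(s) % 8))


CODECS = {"base64": (b64_encode, b64_decode), "base32": (b32_encode, b32_decode)}


def tunnel_roundtrip(codec: str, payload: bytes,
                     should_flip: Callable[[int], bool], zone: str = "c2.example") -> bool:
    """agent encodes -> resolver randomizes case -> server decodes.
    Returns True if the server recovers exactly the bytes the agent sent."""
    enc, dec = CODECS[codec]
    sent = f"{enc(payload)}.{zone}"
    forwarded = randomize_case(sent, should_flip)
    data_part = forwarded[: -len(zone) - 1]     # strip the ".c2.example" suffix
    try:
        return dec(data_part) == payload
    except ValueError:                          # binascii.Error is a ValueError
        return False


if __name__ == "__main__":
    rng = random.Random(0x20)
    coin = lambda i: rng.random() < 0.5         # each letter flipped with p=0.5
    payload = b"whoami\x00HOST=WS01"            # constructed beacon data
    for codec in CODECS:
        print(f"{codec}: survives case randomization ->",
              tunnel_roundtrip(codec, payload, coin))
```

Because base64 assigns different values to `A` and `a`, a single flipped letter changes the decoded bytes, so the base64 tunnel breaks as soon as any letter is touched; base32 maps both cases to the same value and survives regardless of which letters the resolver flips. From the detection side, the same constraint works in your favor: an agent forced onto base32 emits long labels drawn from a 32-character, single-case alphabet, which is a narrower and more recognizable pattern than arbitrary hostnames.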
Malcrow by Babyhamsta
Malcrow leverages some clever cyber deception tradecraft to trick malware into thinking it's running in a malware analysis environment. Analysis environments go to great lengths to look like a real victim computer; Malcrow flips that around, abusing the fact that malware looks for artifacts of analysis environments, and protects your host by pretending to be one.