Detection Engineering

Detection Engineering Weekly #12 - Don't use ChatGPT to email your CEO

www.detectionengineering.net

Last week's news and how-tos in the art and science of Detection Engineering

Zack 'techy' Allen
Feb 22

Welcome to Issue 12 of Detection Engineering Weekly!

This week’s recap:

  • ChatGPT tries to describe Detection Engineering to a CEO and doesn’t follow instructions

  • A gem on writing actionable alerts Daniel Wyleczuk-Stern

  • MITRE ATT&CK backlog updates Amy L. Robertson

  • PIRs are awesome but don’t use them if you are in private industry

  • Threat Hunting vs. Detection Engineering: the same role, or different?

  • I added some tweets to some good discussions on detection topics

Explain Detection Engineering to your CEO: Feature #5

Social links: Just Google it, and you’ll find it!

Okay, whoever submitted this prompt to ChatGPT, it failed! This is more than five sentences, and we all know CEOs won’t read more than five in an email. One description of Detection Engineering I haven’t seen, though, is the benefits of “enhanced compliance” and making it easier to demonstrate to auditors. So I guess I’ll give ChatGPT a pass here.


💎 Detection Engineering Gem 💎

How to write an actionable alert by Daniel Wyleczuk-Stern

I hope OG readers go through this post and see concepts from previous gems and posts everywhere! The four tenets presented by Wyleczuk-Stern can be put to use immediately when standing up a detection program. They can also serve as a style guide for rules when you are trying to ship them to prod: if your alerts are not immediately actionable, automatically enriched, well prioritized, and grouped/correlated, they should not go out to analysts.


State of the Art

How to Solve the Mystery of Cloud Defense in Depth? by Anton Chuvakin

How do you define defense-in-depth? Is it a buzzword, is it conceptual, or is it achievable? In this post, Chuvakin explores three definitions of the concept and tries to answer this same question with a cloud twist. I think threat detection can help support an organization’s strategy for defense-in-depth, and if you read the previous newsletter, I think telemetry layering fits that bill nicely.


Threat Hunting: Detection based on Prevalence by Alpine Security

A great primer on prevalence-based threat detection. If you are not familiar, a quick example could be hunting for suspicious binaries that you’ve never seen before in a time window. This post uses rare binaries as an example and uses the out-of-the-box functionality of MDATP to achieve it.
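To make the rare-binary hunt concrete, here is an added example (not code from the Alpine Security post, and not MDATP query syntax) that runs the prevalence logic over constructed process-execution events: a binary is flagged when its hash was first observed inside the hunt window and it has run on only a handful of hosts. Hashes, host names and paths are constructed placeholders.

```python
# Added example: prevalence-based hunt for rare, newly seen binaries.
# Sample telemetry is constructed; sha256 values are placeholders, not real hashes.
from collections import defaultdict
from datetime import datetime

# (timestamp, host, image path, sha256 placeholder)
EVENTS = [
    ("2023-02-15T09:00:00", "ws-01", r"C:\Windows\explorer.exe", "aaa1"),
    ("2023-02-15T09:01:00", "ws-02", r"C:\Windows\explorer.exe", "aaa1"),
    ("2023-02-15T09:02:00", "ws-03", r"C:\Windows\explorer.exe", "aaa1"),
    ("2023-02-16T11:15:00", "ws-02", r"C:\Users\bob\AppData\Local\Temp\upd.exe", "bbb2"),
    ("2023-02-16T11:16:00", "ws-02", r"C:\Users\bob\AppData\Local\Temp\upd.exe", "bbb2"),
    ("2023-02-10T08:00:00", "ws-04", r"C:\Tools\old.exe", "ccc3"),  # seen before the window
    ("2023-02-17T10:00:00", "ws-04", r"C:\Tools\old.exe", "ccc3"),
]


def rare_new_binaries(events, window_start, window_end, max_hosts=2):
    """Return binaries whose hash was first observed in [window_start, window_end)
    and that ran on at most `max_hosts` distinct hosts across the whole dataset.
    Window bounds are ISO-8601 strings, e.g. "2023-02-14T00:00:00"."""
    start, end = datetime.fromisoformat(window_start), datetime.fromisoformat(window_end)
    first_seen = {}            # sha256 -> earliest execution time
    hosts = defaultdict(set)   # sha256 -> set of hosts that executed it
    paths = {}                 # sha256 -> first path observed
    for ts, host, path, sha in events:
        t = datetime.fromisoformat(ts)
        if sha not in first_seen or t < first_seen[sha]:
            first_seen[sha] = t
        hosts[sha].add(host)
        paths.setdefault(sha, path)

    findings = []
    for sha, t in first_seen.items():
        # Low prevalence alone is noisy; combine it with "new in this window".
        if start <= t < end and len(hosts[sha]) <= max_hosts:
            findings.append({"sha256": sha, "path": paths[sha],
                             "first_seen": t.isoformat(), "hosts": sorted(hosts[sha])})
    return findings


if __name__ == "__main__":
    for f in rare_new_binaries(EVENTS, "2023-02-14T00:00:00", "2023-02-21T00:00:00"):
        print(f)
```

The `max_hosts` threshold is the knob you tune per environment: a binary on one workstation is a hunt lead, not an alert by itself.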


Defining the intelligence requirements — what does the CTI community know about the process? by Ondra Rojčík

Creating intelligence requirements should be the first thing any CTI team does before doing any other work. I’m a big believer in intelligence requirements, but there is a problem: it is not for the faint of heart. You must talk to many stakeholders, from the CEO to IT, marketing, and your finance department. Rojčík highlights this in their post, and you’ll notice that there is some detection engineering sprinkled in!


The Death of Private Sector Priority Intelligence Requirements by Levi Gundert and Stu Solomon

Alright, you know how I said that intelligence requirements are the first thing you should do? I also said it is not for the faint of heart. This post describes why. Gundert and Solomon recommend an alternative, lightweight process that may make it a bit easier to get started with intelligence analysis and detection opportunities.


2023: A Selection of Cybersecurity Threat Reports by Jennifer Wennekers

Great amalgamation of threat reports already released in 2023, and it will be updated throughout the year. Wennekers gives a few tips and tricks about staying focused and intentional when reading reports. If a report isn’t actually related to your company’s vertical, stack, or area of operations, it’s probably not worth your time.


2023 ATT&CK Roadmap by Amy L. Robertson

Exciting roadmap update from the ATT&CK team. I’m glad to see Linux is getting a bit more love, and Robertson notes that it’s an underreported operating environment. Relevant to detection engineering: the ATT&CK team will be adding more recommended data sources for telemetry to detect some of these techniques!


Threat Hunting Series: Detection Engineering VS Threat Hunting by Kostas

I enjoyed this compare/contrast analysis of Detection Engineering and Threat Hunting. They are definitely not the same thing, but if you’ve read Prager and Leady’s Prioritization of the Detection Engineering Backlog post, threat hunting is an input to detection engineering. I do think that Detection Engineers can do threat hunting and vice versa, but it really depends on your organization’s temperature on where you put your time.


Detection Engineering on Social Media

I’m playing around with linking some interesting discussions and/or threads on social media related to the state of the art. Let me know what you think!

Alex Teixeira @ateixei (10:38 AM, Feb 16, 2023):
Endpoint telemetry is no joke but perhaps one of the most important decisions you will make as a leader #EDR #XDR https://t.co/Q13pBxIe7u

Dr. Anton Chuvakin @anton_chuvakin (7:30 PM, Feb 16, 2023):
I love detection engineering, I think it is awesome and hugely needed, and it's the future and all that. But I have no idea how to talk about it to a team of 1 (ONE) running a SIEM ...

Zack Allen @techyteachme (7:20 PM, Feb 17, 2023):
(1/7) Detection can learn a lot from the efforts of statistics. I've talked a lot about how detection engineering is a 3 legged stool: software eng, threat detection, and statistics. There's so much more to measuring accuracy than # of true/false positives.

Threat Landscape

Frebniis: New Malware Abuses Microsoft IIS Feature to Establish Backdoor by Symantec Threat Hunter Team

I’ve talked about webserver modules in this newsletter before, but injecting malicious code into an out-of-the-box module is impressive. This threat actor found a function pointer within a “Failed Request Tracking” feature within IIS, and this is called with _every_ request, so why not do some malicious module magic without installing a module?


Qakbot Being Distributed via OneNote by muhan

I hate Qakbot/QBot. It’s really good at what it does, has enabled hundreds of intrusions that led to ransomware, and the devs tend to update TTPs as fast as security news comes out. Now, it abuses OneNote, and it’s doing a great job at doing it.

Grammarly wants me to be a bit nicer to Qakbot

Atlassian and Envoy briefly blame each other for data breach by Carly Page, Zack Whittaker

I love me some inter-company drama. Apparently, Atlassian went on the record and blamed a vendor, Envoy, for their breach. Envoy fired back, saying they weren’t aware of any third-party breach and that Atlassian was owned of their own volition. This smells like a phishing/vishing attack, and according to TechCrunch, an employee’s credentials were used to breach the Australian tech company.


Statement on recent website redirect issues by GoDaddy

Celebrities die in threes, and as of this week, tech companies get breached in threes. GoDaddy released a small press release on a security incident that found a threat actor had access to internal cPanel configurations, which allowed them to redirect customers to other malicious websites.


Fortinet PSIRT Advisory: 40 Vulnerabilities Patched by FortiGuard Labs

Celebrities die in threes, Fortinet releases vulnerabilities in the 40s. The latest known exploited vulnerability in Fortinet was in December, and if I were a bettin’ man, one of these would probably make the list.


Social Engineering - A Coinbase Case Study by Jeff Lunglhofer

Excellent post-mortem of a phishing and social engineering based security incident by the Coinbase team. It started with an SMS-based phishing link; MFA blocked initial access, but the actors, hinted at by Coinbase as 0ktapus, called the employee to get the code. Lunglhofer puts some vulnerability (and not the computer kind) into this post. My favorite quote:

I would like to say this is just a training problem. That customers, employees and people everywhere need to be better trained. They need to do better - there will always be some truth to that. But as cybersecurity professionals, that can’t be the solution excuse we reach for every time this happens.


Open Source

Ghidra Golf by OUSD R&E

Ghidra Golf is a CTF-style reverse engineering challenge that uses features of Ghidra, such as Ghidra scripts, to submit flags. I played this for at least 10 hours at Shmoocon, and I had a blast.


DetectRaptor by mgreen27

New repo by mgreen27 with some publicly available Velociraptor detections.


Grove by Hashicorp Forge

Interesting log collection framework by the Hashicorp team that focuses on streaming audit logs from sources that do not natively support log streaming. It has dozens of integrations with business-critical apps, so I suggest checking this out!


AWS Break Glass Role by AWS Labs

I’ve always liked the concept of break-glass commands and accounts; implemented correctly, they give your organization an “oh sh**” button. You can write rules for when the role is assumed and hyper-focus your security controls on the users who can assume the role.
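As an added example (not part of the AWS Labs project), here is what a rule for "the break-glass role was assumed" can look like when it follows the actionable-alert tenets from this issue's gem: every assumption is alerted on, enriched with whether the caller is on the approved list and whether the session was MFA-authenticated, and prioritized accordingly. The role ARN, account id, caller ARNs and the CloudTrail-style record layout (including the `sessionContext.attributes.mfaAuthenticated` field) are assumptions for the sake of the example.

```python
# Added example: enriched, prioritized alert on AssumeRole of a break-glass role.
# The events below are constructed CloudTrail-style records trimmed to the fields used;
# 123456789012 is a placeholder account id, and the ARNs are placeholders too.
import json

BREAK_GLASS_ROLE = "arn:aws:iam::123456789012:role/BreakGlassRole"   # placeholder
APPROVED_CALLERS = {"arn:aws:iam::123456789012:user/oncall-alice"}   # placeholder

SAMPLE_EVENTS = [
    json.dumps({"eventName": "AssumeRole", "eventTime": "2023-02-18T02:10:00Z",
                "userIdentity": {"arn": "arn:aws:iam::123456789012:user/oncall-alice",
                                 "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
                "requestParameters": {"roleArn": BREAK_GLASS_ROLE}}),
    json.dumps({"eventName": "AssumeRole", "eventTime": "2023-02-18T02:12:00Z",
                "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor-bob",
                                 "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
                "requestParameters": {"roleArn": BREAK_GLASS_ROLE}}),
    json.dumps({"eventName": "AssumeRole", "eventTime": "2023-02-18T02:13:00Z",
                "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-runner"},
                "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/DeployRole"}}),
]


def break_glass_alerts(raw_events):
    """Return one enriched alert per AssumeRole call that targets the break-glass role."""
    alerts = []
    for line in raw_events:
        ev = json.loads(line)
        if ev.get("eventName") != "AssumeRole":
            continue
        if ev.get("requestParameters", {}).get("roleArn") != BREAK_GLASS_ROLE:
            continue  # other roles are out of scope for this rule
        ident = ev.get("userIdentity", {})
        caller = ident.get("arn", "unknown")
        mfa = (ident.get("sessionContext", {}).get("attributes", {})
               .get("mfaAuthenticated") == "true")
        approved = caller in APPROVED_CALLERS
        # Every break-glass use pages someone; severity decides how loudly.
        severity = "high" if not approved else ("medium" if not mfa else "low")
        alerts.append({"time": ev.get("eventTime"), "caller": caller,
                       "approved": approved, "mfa": mfa, "severity": severity})
    return alerts


if __name__ == "__main__":
    for a in break_glass_alerts(SAMPLE_EVENTS):
        print(a)
```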


Mihari v5.0.0 Release by ninoseki

Major 5.0 release for Mihari! This tool is excellent at integrating a bunch of open-source/free adversary infrastructure tracking websites and tools. I’ve said how much I love ninoseki’s work in previous newsletters, and this one does not disappoint!
