Detection Engineering Weekly #12 - Don't use ChatGPT to email your CEO
Last week's news and how-tos in the art and science of Detection Engineering
Welcome to Issue 12 of Detection Engineering Weekly!
This week’s recap:
ChatGPT tries to describe Detection Engineering to a CEO and doesn’t follow instructions
A gem on writing actionable alerts Daniel Wyleczuk-Stern
MITRE ATT&CK backlog updates Amy L. Robertson
PIRs are awesome but don’t use them if you are in private industry
Threat Hunting vs. Detection Engineering: the same role, or different?
I added some tweets to some good discussions on detection topics
Explain Detection Engineering to your CEO: Feature #5
Social links: Just Google it, and you’ll find it!
Okay, whoever submitted this prompt to ChatGPT, it failed! This is more than five sentences, and we all know CEOs won’t read more than five in an email. One description of Detection Engineering I haven’t seen, though, is the benefits of “enhanced compliance” and making it easier to demonstrate to auditors. So I guess I’ll give ChatGPT a pass here.
💎 Detection Engineering Gem 💎
How to write an actionable alert by Daniel Wyleczuk-Stern
I hope OG readers go through this post and see concepts from previous gems and posts everywhere! The four tenets presented by Wyleczuk-Stern can be put to use immediately when standing up a detection program. They can also serve as a style guide for rules before you ship them to prod: if an alert is not immediately actionable, automatically enriched, well prioritized, and grouped/correlated, it should not reach analysts.
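To make the style-guide idea concrete, here is an added example (mine, not code from Wyleczuk-Stern's post) of a pre-merge check that refuses a rule unless its metadata satisfies the four tenets. The field names (runbook, response_steps, enrichment, severity, group_by, output_fields) and the severity-to-SLA table are assumptions for this example, not any real SIEM's schema; the two rules at the bottom are constructed to show one pass and one failure.

```python
import re

# Added example: a pre-merge lint for detection rules built around the four
# tenets. Field names and the SLA table are assumptions, not a real schema.

SEVERITY_SLA_MINUTES = {"critical": 15, "high": 60, "medium": 480, "low": 1440}


def lint_rule(rule):
    """Return a list of tenet violations; an empty list means the rule may ship."""
    problems = []
    steps = rule.get("response_steps", [])
    # Fields the alert will carry: what the query emits plus what enrichment adds.
    produced = set(rule.get("output_fields", [])) | set(rule.get("enrichment", {}))

    # Tenet 1: immediately actionable. The analyst needs a runbook and concrete steps.
    if not rule.get("runbook"):
        problems.append("actionable: no runbook linked")
    if not steps:
        problems.append("actionable: no response steps; analyst has nothing to do")

    # Tenet 2: automatically enriched. Every {placeholder} the steps refer to
    # must be supplied by the rule output or an enrichment source, so the
    # analyst never has to look it up by hand.
    referenced = set(re.findall(r"\{(\w+)\}", " ".join(steps)))
    missing = sorted(referenced - produced)
    if missing:
        problems.append(f"enriched: steps reference {missing} but nothing supplies them")
    if not rule.get("enrichment"):
        problems.append("enriched: no enrichment configured")

    # Tenet 3: well prioritized. Severity must be a known level, and the
    # rule's SLA may not be looser than that level's budget.
    sev = rule.get("severity")
    if sev not in SEVERITY_SLA_MINUTES:
        problems.append(f"prioritized: unknown severity {sev!r}")
    elif rule.get("sla_minutes", SEVERITY_SLA_MINUTES[sev]) > SEVERITY_SLA_MINUTES[sev]:
        problems.append(f"prioritized: sla_minutes exceeds the {sev} budget of {SEVERITY_SLA_MINUTES[sev]}m")

    # Tenet 4: grouped/correlated. Alerts need a dedup/correlation key, and it
    # must be a field the alert actually carries.
    group_by = rule.get("group_by", [])
    if not group_by:
        problems.append("grouped: no group_by key; duplicates will flood the queue")
    for key in group_by:
        if key not in produced:
            problems.append(f"grouped: group_by field {key!r} is not produced by the rule")
    return problems


def ship_ready(rules):
    """Map rule name -> violations; rules with an empty list are cleared for prod."""
    return {name: lint_rule(rule) for name, rule in rules.items()}


# Constructed rules for illustration (the runbook URL is a placeholder).
GOOD_RULE = {
    "name": "lsass_access_from_unsigned_binary",
    "runbook": "https://wiki.example.internal/runbooks/lsass-access",
    "output_fields": ["host", "user", "process_path", "process_hash"],
    "enrichment": {"host_owner": "cmdb", "hash_prevalence": "edr", "vt_verdict": "virustotal"},
    "response_steps": [
        "Check {hash_prevalence}: if {process_hash} is fleet-wide, close as benign",
        "Otherwise isolate {host} and page {host_owner}",
    ],
    "severity": "high",
    "sla_minutes": 30,
    "group_by": ["host", "process_hash"],
}
BAD_RULE = {
    "name": "any_powershell",
    "output_fields": ["host", "cmdline"],
    "enrichment": {},
    "response_steps": ["Ask {user} what {cmdline} was for"],
    "severity": "urgent",
    "group_by": ["user"],
}

if __name__ == "__main__":
    for name, problems in ship_ready({"good": GOOD_RULE, "bad": BAD_RULE}).items():
        print(name, "OK" if not problems else problems)
```

Run this in CI against your rule repository and block the merge on a non-empty list; the "enriched" check is the one that catches the most real-world problems, because it is easy to write response steps that quietly assume context the alert never includes.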
State of the Art
How to Solve the Mystery of Cloud Defense in Depth? by Anton Chuvakin
How do you define defense-in-depth? Is it a buzzword, is it conceptual, or is it achievable? In this post, Chuvakin explores three definitions of the concept and tries to answer this same question with a cloud twist. I think threat detection can help support an organization’s strategy for defense-in-depth, and if you read the previous newsletter, I think telemetry layering fits that bill nicely.
Threat Hunting: Detection based on Prevalence by Alpine Security
A great primer on prevalence-based threat detection. If you are not familiar, a quick example could be hunting for suspicious binaries that you’ve never seen before in a time window. This post uses rare binaries as an example and uses the out-of-the-box functionality of MDATP to achieve it.
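The rare-binary hunt the post walks through in MDATP, as an added example in plain Python (my code, not Alpine Security's) so the logic is visible outside any one product. The process-creation events are constructed for illustration; real input would be an EDR table such as Defender's DeviceProcessEvents with host, SHA-256, path and timestamp.

```python
from datetime import datetime, timedelta, timezone

# Added example: prevalence-based hunting over constructed process-creation
# events. Hosts, hashes and paths below are made up for illustration.


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _ev(host, sha256, path, ts):
    return {"host": host, "sha256": sha256, "path": path, "ts": ts}


SAMPLE_EVENTS = [
    # svchost on five hosts: high prevalence, never interesting here
    _ev("ws-01", "aaaa01", r"C:\Windows\System32\svchost.exe", "2023-02-20T08:00:00Z"),
    _ev("ws-02", "aaaa01", r"C:\Windows\System32\svchost.exe", "2023-02-20T08:01:00Z"),
    _ev("ws-03", "aaaa01", r"C:\Windows\System32\svchost.exe", "2023-02-20T08:02:00Z"),
    _ev("ws-04", "aaaa01", r"C:\Windows\System32\svchost.exe", "2023-02-20T08:03:00Z"),
    _ev("ws-05", "aaaa01", r"C:\Windows\System32\svchost.exe", "2023-02-20T08:04:00Z"),
    # a fresh binary in a user temp dir, on one host, run twice
    _ev("ws-07", "beef99", r"C:\Users\jdoe\AppData\Local\Temp\update.exe", "2023-02-24T11:02:00Z"),
    _ev("ws-07", "beef99", r"C:\Users\jdoe\AppData\Local\Temp\update.exe", "2023-02-24T11:05:00Z"),
    # a new binary on two hosts
    _ev("ws-02", "d00d42", r"C:\ProgramData\sync\agent.exe", "2023-02-22T17:30:00Z"),
    _ev("ws-05", "d00d42", r"C:\ProgramData\sync\agent.exe", "2023-02-23T09:10:00Z"),
    # rare but first seen months ago: not *new*, so not in today's hunt
    _ev("ws-03", "c0ffee", r"C:\Tools\legacy.exe", "2022-11-01T10:00:00Z"),
    # new, but on three hosts: just above the default rarity threshold
    _ev("ws-01", "e11e00", r"C:\Program Files\Vendor\tool.exe", "2023-02-23T12:00:00Z"),
    _ev("ws-02", "e11e00", r"C:\Program Files\Vendor\tool.exe", "2023-02-23T12:30:00Z"),
    _ev("ws-03", "e11e00", r"C:\Program Files\Vendor\tool.exe", "2023-02-23T13:00:00Z"),
]


def prevalence(events):
    """Per SHA-256: distinct hosts, paths, first/last seen and execution count."""
    stats = {}
    for e in events:
        ts = parse_ts(e["ts"])
        s = stats.setdefault(e["sha256"], {"hosts": set(), "paths": set(),
                                           "first_seen": ts, "last_seen": ts, "executions": 0})
        s["hosts"].add(e["host"])
        s["paths"].add(e["path"])
        s["first_seen"] = min(s["first_seen"], ts)
        s["last_seen"] = max(s["last_seen"], ts)
        s["executions"] += 1
    return stats


def rare_new_binaries(events, now, window=timedelta(days=7), max_hosts=2):
    """Hashes first seen inside `window` and running on at most `max_hosts` hosts.

    Keying on the hash rather than the file name means a renamed copy of a
    common binary stays common, while a freshly built dropper is rare no
    matter what it is called. Filtering on first_seen drops long-lived
    one-off tools that would otherwise top the rare list every single day.
    """
    cutoff = now - window
    hits = []
    for sha256, s in prevalence(events).items():
        if len(s["hosts"]) <= max_hosts and s["first_seen"] >= cutoff:
            hits.append({
                "sha256": sha256,
                "host_count": len(s["hosts"]),
                "hosts": sorted(s["hosts"]),
                "paths": sorted(s["paths"]),
                "first_seen": s["first_seen"].isoformat(),
                "executions": s["executions"],
            })
    # Rarest first, ties broken by first-seen time: a sensible triage order.
    return sorted(hits, key=lambda h: (h["host_count"], h["first_seen"]))


NOW = parse_ts("2023-02-25T00:00:00Z")  # fixed "now" so the example is reproducible

if __name__ == "__main__":
    for hit in rare_new_binaries(SAMPLE_EVENTS, NOW):
        print(hit["host_count"], hit["sha256"], hit["paths"])
```

The two knobs worth tuning are `max_hosts` (raise it for a large fleet where even a targeted tool lands on a handful of machines) and `window` (shorten it for a daily hunt so yesterday's triaged hits do not reappear).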
Defining the intelligence requirements — what does the CTI community know about the process? by Ondra Rojčík
Creating intelligence requirements should be the first thing any CTI team does before doing any work. I’m a big believer in intelligence requirements, but there is a problem: it is not for the faint of heart. You must talk to many stakeholders, from CEOs, IT, marketing, and your finance department. Rojčík highlights this in their post, and you’ll notice that there is some detection engineering sprinkled in!
The Death of Private Sector Priority Intelligence Requirements by Levi Gundert and Stu Solomon
Alright, you know how I said that intelligence requirements are the first thing you should do? I also said it is not for the faint of heart. This post describes why. Gundert and Solomon recommend an alternative, lightweight process that may make it a bit easier to get started with intelligence analysis and detection opportunities.
2023: A Selection of Cybersecurity Threat Reports by Jennifer Wennekers
Great amalgamation of threat reports already released in 2023, and it will be updated throughout the year. Wennekers gives a few tips and tricks about staying focused and intentional when reading reports: if a report isn't actually related to your company's vertical, stack or area of operations, it's probably not worth your time.
2023 ATT&CK Roadmap by Amy L. Robertson
Exciting roadmap update from the ATT&CK team. I'm glad to see Linux is getting a bit more love, and Robertson notes that it's an underreported operating environment. Relevant to detection engineering: the ATT&CK team will be adding more recommended data sources for telemetry to detect some of these techniques!
Threat Hunting Series: Detection Engineering VS Threat Hunting by Kostas
I enjoyed this compare/contrast analysis of Detection Engineering and Threat Hunting. They are definitely not the same thing, but if you’ve read Prager and Leady’s Prioritization of the Detection Engineering Backlog post, threat hunting is an input to detection engineering. I do think that Detection Engineers can do threat hunting and vice versa, but it really depends on your organization’s temperature on where you put your time.
Detection Engineering on Social Media
I’m playing around with linking some interesting discussions and/or threads on social media related to the state of the art. Let me know what you think!
Threat Landscape
Frebniis: New Malware Abuses Microsoft IIS Feature to Establish Backdoor by Symantec Threat Hunter Team
I’ve talked about webserver modules in this newsletter before, but injecting malicious code into an out-of-the-box module is impressive. This threat actor found a function pointer within the IIS “Failed Request Tracing” feature that is called with _every_ request, so why not do some malicious module magic without installing a module?
Qakbot Being Distributed via OneNote by muhan
I hate Qakbot/QBot. It’s really good at what it does, has enabled hundreds of intrusions that led to ransomware, and the devs tend to update TTPs as fast as security news comes out. Now, it abuses OneNote, and it’s doing a great job at doing it.
Atlassian and Envoy briefly blame each other for data breach by Carly Page, Zack Whittaker
I love me some inter-company drama. Apparently, Atlassian went on the record and blamed a vendor, Envoy, for their breach. Envoy fired back, saying they weren’t aware of any third-party breach and that Atlassian was compromised through its own environment. This smells like a phishing/vishing attack, and according to TechCrunch, an employee’s credentials were used to breach the Australian tech company.
Statement on recent website redirect issues by GoDaddy
Celebrities die in threes, and as of this week, tech companies get breached in threes. GoDaddy released a small press release on a security incident that found a threat actor had access to internal cPanel configurations, which allowed them to redirect customers to other malicious websites.
Fortinet PSIRT Advisory: 40 Vulnerabilities Patched by FortiGuard Labs
Celebrities die in threes; Fortinet releases vulnerabilities in the 40s. The latest known exploited vulnerability in Fortinet was in December, and if I were a bettin’ man, one of these would probably make the known-exploited list too.
Social Engineering - A Coinbase Case Study by Jeff Lunglhofer
Excellent post-mortem of a phishing and social engineering based security incident by the Coinbase team. An SMS-based phishing link harvested credentials, MFA blocked initial access, but the actors (hinted at by Coinbase as 0ktapus) then called the employee to get the code. Lunglhofer puts some vulnerability (and not the computer kind) into this post; my favorite quote:
I would like to say this is just a training problem. That customers, employees and people everywhere need to be better trained. They need to do better - there will always be some truth to that. But as cybersecurity professionals, that can’t be the solution excuse we reach for every time this happens.
Open Source
Ghidra Golf by OUSD R&E
Ghidra Golf is a CTF-style reverse engineering challenge that uses features of Ghidra, such as Ghidra scripts, to submit flags. I played this for at least 10 hours at Shmoocon, and I had a blast.
DetectRaptor by mgreen27
New repo by mgreen27 with some publicly available Velociraptor detections.
Grove by Hashicorp Forge
Interesting log collection framework from the HashiCorp team that focuses on streaming audit logs from SaaS sources that do not natively support log streaming. It has dozens of integrations with some business-critical apps, so I suggest checking this out!
AWS Break Glass Role by AWS Labs
I’ve always liked the concept of break-glass commands and accounts, and if implemented correctly, they can give your organization an “oh sh**” button. You can write rules for when the role is assumed and hyper-focus on the security controls of the users who can assume it.
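The detection side of that, as an added example (my code, not part of the AWS Labs repo): a rule over CloudTrail that fires every time the break-glass role is assumed, escalates when the caller is off the allowlist or has no MFA on the calling session, and records every API call made with the resulting session so the whole incident lands in one ticket. The role ARN, the allowlist and the trimmed record layout are assumptions; the CloudTrail field names used (eventSource, eventName, userIdentity.arn, requestParameters.roleArn, sessionContext.sessionIssuer.arn, sessionContext.attributes.mfaAuthenticated) are standard ones, but the sample records are constructed, not real trail data.

```python
# Added example: break-glass role detection over constructed CloudTrail records.
# Role ARN and allowlist are assumptions for the example.

BREAK_GLASS_ROLE_ARN = "arn:aws:iam::123456789012:role/BreakGlassRole"
ALLOWED_PRINCIPALS = {"arn:aws:iam::123456789012:user/oncall-alice"}


def _get(d, *path):
    """Safe nested lookup: _get(rec, 'userIdentity', 'arn') -> value or None."""
    for key in path:
        if not isinstance(d, dict):
            return None
        d = d.get(key)
    return d


def detect_break_glass(records, role_arn=BREAK_GLASS_ROLE_ARN, allowed=ALLOWED_PRINCIPALS):
    """Findings for (a) every assumption of the role and (b) every API call made with it."""
    findings = []
    for rec in records:
        # (a) Someone pressed the button: sts:AssumeRole against the break-glass role.
        if (rec.get("eventSource") == "sts.amazonaws.com"
                and rec.get("eventName") == "AssumeRole"
                and _get(rec, "requestParameters", "roleArn") == role_arn):
            caller = _get(rec, "userIdentity", "arn")
            reasons = []
            if caller not in allowed:
                reasons.append("principal not on break-glass allowlist")
            if _get(rec, "userIdentity", "sessionContext", "attributes", "mfaAuthenticated") != "true":
                reasons.append("no MFA on the calling session")
            findings.append({
                "severity": "critical" if reasons else "high",
                "session": _get(rec, "requestParameters", "roleSessionName"),
                "caller": caller,
                "source_ip": rec.get("sourceIPAddress"),
                "time": rec.get("eventTime"),
                "summary": "break-glass role assumed" + (": " + "; ".join(reasons) if reasons else ""),
            })
        # (b) Anything done with the resulting session: sessionIssuer is the break-glass role.
        elif (_get(rec, "userIdentity", "type") == "AssumedRole"
                and _get(rec, "userIdentity", "sessionContext", "sessionIssuer", "arn") == role_arn):
            # The assumed-role ARN ends in .../assumed-role/ROLE/SESSION; keep the session name.
            session = (_get(rec, "userIdentity", "arn") or "").rsplit("/", 1)[-1]
            findings.append({
                "severity": "medium",
                "session": session,
                "caller": _get(rec, "userIdentity", "arn"),
                "source_ip": rec.get("sourceIPAddress"),
                "time": rec.get("eventTime"),
                "summary": f"break-glass session ran {rec.get('eventSource')}:{rec.get('eventName')}",
            })
    return findings


def sessions(findings):
    """Group findings by roleSessionName so the AssumeRole and the actions taken
    with it are one correlated alert instead of N separate ones."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f["session"], []).append(f)
    return grouped


ACCT = "123456789012"
SAMPLE_TRAIL = [  # constructed records, trimmed to the fields the rule reads
    {"eventTime": "2023-02-24T09:15:00Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/oncall-alice",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
     "requestParameters": {"roleArn": BREAK_GLASS_ROLE_ARN, "roleSessionName": "incident-4711"}},
    {"eventTime": "2023-02-24T09:20:00Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/bob"},
     "requestParameters": {"roleArn": BREAK_GLASS_ROLE_ARN, "roleSessionName": "bob-test"}},
    {"eventTime": "2023-02-24T09:21:00Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/oncall-alice"},
     "requestParameters": {"roleArn": f"arn:aws:iam::{ACCT}:role/ReadOnly", "roleSessionName": "daily"}},
    {"eventTime": "2023-02-24T09:30:00Z", "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole",
                      "arn": f"arn:aws:sts::{ACCT}:assumed-role/BreakGlassRole/incident-4711",
                      "sessionContext": {"sessionIssuer": {"arn": BREAK_GLASS_ROLE_ARN}}}},
    {"eventTime": "2023-02-24T09:31:00Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": {"type": "AssumedRole",
                      "arn": f"arn:aws:sts::{ACCT}:assumed-role/ReadOnly/daily",
                      "sessionContext": {"sessionIssuer": {"arn": f"arn:aws:iam::{ACCT}:role/ReadOnly"}}}},
]

if __name__ == "__main__":
    for name, items in sessions(detect_break_glass(SAMPLE_TRAIL)).items():
        print(name, [(f["severity"], f["summary"]) for f in items])
```

The "high" finding for a legitimate assumption is deliberate: break-glass use should always page someone, and the session grouping is what lets the responder see in one place who pressed the button and what they did with it.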
Mihari v5.0.0 Release by ninoseki
Major 5.0 release for Mihari! This tool is excellent at integrating a bunch of open-source/free adversary infrastructure tracking websites and tools. I’ve said how much I love ninoseki’s work in previous newsletters, this one does not disappoint!