Detection Engineering Weekly #13 - Shame, shame, shame!
Last week's news and how-tos in the art and science of Detection Engineering
Welcome to Issue 13 of Detection Engineering Weekly!
This week’s recap:
Email feature #6 to your CEO about Detection Engineering by my good friend Kirk Pinto
Being aspirational can keep you honest, according to our Detection Gem author, Todd Gaiser
Shaming can be a good thing, as long as it’s against companies and code, by the excellent folks at Brex
Are threat hunting and detection engineering the same, different, or a bit of both?
LastPass security incident updates, and it’s freaky
Explain Detection Engineering to your CEO: Feature #6 -
Social links: Twitter
This is the first time I’ve seen someone describe detection engineering as it relates to development teams rather than other parts of the business that a CEO knows. In a modern business environment, IT and dev are the lifeblood of a company, so a CEO could be intimately familiar with these functions. This showcases how a good leader can adapt their communication style based on the background and context of the company and the CEO that runs it.
💎 Detection Engineering Gem 💎
Detection Engineering: Setting Objectives and Scaling for Growth by Todd Gaiser
I am going to take a guess: many of the readers of this newsletter are not in an optimized detection engineering program. That’s okay, that’s why we are all here, but this begs the question: how do you get there if you want to create a mature detection engineering organization? Well, this gem gives some great insights from a senior leader in the space. I am a HUGE fan of Red Canary’s work, and this post shows how a leader entered an already-established team’s day-to-day, made observations and created a framework to align and pursue. My favorite quote is from Step 5, “Announce, Communicate and Track”:
Organizations are full of bright people that may be able to look at a problem in a different way and offer ideas that could have a huge impact, but oftentimes we’re too tied up in our day-to-day to think about these harder problems. Showcasing your work at a broader level creates an interrupt where this feedback is more likely to come your way. Holding yourself and your team accountable for the big, aspirational goals you’ve set through this process keeps the objectives fresh and front of mind. It also serves as an internal interrupt, pulling your team out of the daily grind and forcing each team member to consider the projects and initiatives that will eventually make life easier for everyone.
State of the Art
Audit Log Wall of Shame by Daniel Stinson-Dies and Julie Agnes Sparks
And it’s live! Stinson-Dies and Sparks, both featured in this newsletter several times, created a project that “grades” companies’ audit log implementations. Audit logs are a necessity in the age of SaaS-based platforms, and it’s great to see one place that collects and rates them based on accessibility, usefulness and known issues.
Anomaly detection and Explanation with Isolation Forest and SHAP using Microsoft Sentinel Notebooks by Ashwin Patil
Spoiler alert, this is very technical on the machine learning and statistics front, but I promise it is worth the read. As much as all of us like to see amazing AI applications like ChatGPT or DALL-E, there are workhorse algorithms that just “work”. One of these algorithms is an isolation forest, which can be used for anomaly detection. The blog details how to use out-of-the-box tools in Microsoft Azure to find anomalous login events inside an Azure environment, which could be an account takeover.
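As an added illustration of the isolation-forest idea behind Patil's post (this is not code from the post or from Sentinel notebooks, and the account names and login features are constructed), a dependency-free isolation forest that scores each account's login features and ranks the outlier:

```python
import math
import random

# Constructed login features per account: [hour of day, failed attempts before
# success, distinct source IPs in the last hour]. "mallory" is the hypothetical
# account-takeover pattern: a 3 a.m. success after many failures from many IPs.
LOGIN_EVENTS = [
    ("alice", [9, 0, 1]), ("bob", [10, 1, 1]), ("carol", [8, 0, 1]),
    ("dave", [11, 0, 2]), ("erin", [9, 1, 1]), ("frank", [14, 0, 1]),
    ("grace", [13, 0, 1]), ("heidi", [10, 0, 1]), ("ivan", [16, 2, 1]),
    ("judy", [9, 0, 1]), ("mallory", [3, 25, 12]),
]

def _c(n):
    """Expected path length of an unsuccessful BST search on n points."""
    if n <= 1:
        return 0.0
    return 2.0 * (math.log(n - 1) + 0.5772156649) - 2.0 * (n - 1) / n

def _build(data, depth, limit, rng):
    """Grow one isolation tree: split a random feature at a random value
    until a point is isolated or the depth limit is hit. Leaves hold size."""
    if depth >= limit or len(data) <= 1:
        return len(data)
    f = rng.randrange(len(data[0]))
    lo, hi = min(r[f] for r in data), max(r[f] for r in data)
    if lo == hi:
        return len(data)
    s = rng.uniform(lo, hi)
    left = _build([r for r in data if r[f] < s], depth + 1, limit, rng)
    right = _build([r for r in data if r[f] >= s], depth + 1, limit, rng)
    return (f, s, left, right)

def _path(tree, x, depth=0):
    """Depth at which x lands in a leaf, plus the leaf's expected remainder."""
    if isinstance(tree, int):
        return depth + _c(tree)
    f, s, left, right = tree
    return _path(left if x[f] < s else right, x, depth + 1)

def anomaly_scores(rows, n_trees=100, seed=7):
    """Scores in (0, 1]; values near 1 mean the point isolates quickly."""
    rng = random.Random(seed)
    limit = math.ceil(math.log2(max(len(rows), 2)))
    trees = [_build(rows, 0, limit, rng) for _ in range(n_trees)]
    return [2 ** (-(sum(_path(t, x) for t in trees) / n_trees) / _c(len(rows)))
            for x in rows]

def most_anomalous(events, n_trees=100, seed=7):
    """Return (account, score) for the login that isolates fastest."""
    scores = anomaly_scores([feats for _, feats in events], n_trees, seed)
    i = max(range(len(events)), key=scores.__getitem__)
    return events[i][0], round(scores[i], 3)
```

Points that sit in the dense cluster of normal logins need many splits to isolate and score low; the takeover-like row is split off in one or two cuts, which is the whole trick the blog builds on.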
Container security fundamentals: Exploring containers as processes by Rory McCune
Note: my employer is Datadog
Containers will be part of any modern company’s workflow and will be a mainstay for companies catching up in a few years. In this post, McCune demystifies containers by showing they are essentially Linux processes and how you can interact with containers with standard Linux binaries and tools. It’s a post of a whole series, and I am always impressed with how Rory organizes his work, so it is easy to understand.
Shodan Dorks - The God’s Eye by Jerry Shah
Great introductory post for readers who want to familiarize themselves with Shodan. I use Shodan primarily to map attacker infrastructure, find vulnerable devices, and unmask interesting services that you would not expect to be listening on the internet. My favorite Shodan pivot is http.favicon.hash.
The dotted lines between Threat Hunting and Detection Engineering by Alex Teixeira
Teixeira came out swinging with a banger of a post this week comparing and contrasting Threat Hunting with Detection Engineering. This was discussed in multiple Slacks and Twitterspheres that I lurk in. Both of these roles have overlapping responsibilities and playbooks, and as Prager pointed out in their post on detection backlogs, hunting can serve as an input to detection engineering. Data analysis seems to be the common skill set between the two, and as I’ve said before, statistics plays a massive role in security, and this is no exception.
Incident handling with Splunk — [Writeup] — by Ramazan Salman
I sometimes stumble upon blogs from new writers that really impress me. I am a big fan of posts that follow an incident across the kill-chain/incident response lifecycle/MITRE ATT&CK gamut. In this post, Salman moves through a TryHackMe challenge using Splunk, and explains the thought process behind the pivots and decision-making process along the way.
Threat Landscape
Bumblebee Malware Distributed via WeTransfer or Smash by zvelo
Bumblebee, or EXOTIC LILY, according to Google TAG, is being distributed via sales contact forms. Imagine your sales team getting a “contact me” form filled out with an attachment that infects their computer. The threat actors then load the malware into WeTransfer or Smash, so when your sales team clicks the link, they download and run the malware.
Stealc: a copycat of Vidar and Raccoon infostealers gaining in popularity - Part 1 by Sekoia Threat & Detection Research Team
There are three guaranteed things in life: death, taxes, and malware authors rebranding malware strains. This Vidar clone was first advertised on criminal underground forums by a known malware author and has all the usual functionality of stealers. Watch out for your crypto wallets!
Technical Analysis of Rhadamanthys Obfuscation Techniques by Nikolaos Pantazopoulos
Rhadamanthys, another infostealer, has a unique anti-analysis technique that uses a virtual machine based on Quake 3 to protect its code. A loader is executed, which then downloads a main module, and this stealer primarily targets KeePass users.
A tale of Phobos - how we almost cracked a ransomware using CUDA by Jarosław Jedynak and Michał Praszmo
A unique post by the folks at Cert-PL where they tried to use CUDA to crack Phobos, and failed. After two years of trying to crack the ransomware and attempting it on a real victim, the authors published their results anyway. As the Mythbusters say: “failure is always an option!”
Incident 2 – Additional details of the attack by LastPass
Oof. The LastPass team released more details on Incident #2, and it looks like the threat actor targeted a DevOps engineer’s home machine to pivot and retrieve the keys to the kingdom. Read the following link for more details on how LastPass could have protected itself further.
It’s All Bad News: An update on how the Lastpass breach affects Lastpass SSO by Chaim Sanders
My good friend, Professor Sanders, gives a detailed breakdown of the LastPass breach but talks explicitly about the cryptographic threat model of the company. You should definitely read this if you want to know how crypto-based defense in depth works.
U.S. Marshals Service investigating ransomware attack, data theft by Sergiu Gatlan
First FBI, now US Marshals? Bad month for the US Government. Looks like the compromised machine led to the exfiltration of employee data. These attacks scare me because there is a lot of data related to current investigations and sources on these networks, so I hope that nothing _too much_ of value was stolen.
Open Source
STARS by Macmod
An all-in-one tool to identify dangling CNAME records ripe for DNS takeover. You can authenticate with your cloud provider credentials and scan your infra.
Gruyere by savannahostrowski
An aesthetically pleasing Golang tool using charm to help you view and kill processes that have open network ports.
sherl0ck by pronssec
Have a directory full of eml files? Do you want to search for a specific word in 100 languages across the emails? Why not search using sherl0ck? I can’t find a reason why I would have that many eml files stored locally, but you never know :)
Awesome Security Newsletters by TalEliyahu
Did you know there are other security newsletters besides Detection Engineering Weekly? I know, crazy right? Well, this open-source list of newsletters has all the heavy hitters and up-and-comers.