Detection Engineering Weekly #14 - Find the hackers fast, a haiku!
Last week's news and how-tos in the art and science of Detection Engineering
Welcome to Issue #14 of Detection Engineering Weekly!
This week’s recap:
A poetic email feature #7 by Sean Cassidy
💎 from Jack Naglieri who surveyed 20+ security leaders for lessons on Detection & Response
Criminal infrastructure tracking by BushidoToken and the folks at Team Cymru
The DFIR Report drops their 2022 in review
From intel471, malvertising is back and better than ever, oh god no oh please no
Explain Detection Engineering to your CEO: Feature #7 - Sean Cassidy
Social links: Twitter
Alright, if I ever get this newsletter to stay around for three years, I’ll get this tattooed somewhere on my body. I couldn’t stop laughing at Sean’s profile picture juxtaposed with his haiku, so I centered it to really make sure the negative space brought my readers into a sense of comfort and wonderment as they pondered the pithiness of his submission.
Anyways, as my good friend once told me: when you write, treat every word as if it costs you money. That means writing succinctly and to the point, and what’s more to the point than this beautiful poem? Thank you, Sean; I needed the laugh this week!
💎 Detection Engineering Gem 💎
Five Lessons From Detection & Response Leaders by Jack Naglieri
In the same vein as my post from Red Canary’s Todd Gaiser last week, you get to read some lessons learned from 20+ leaders in the Detection space. I sometimes catch myself looking at a problem that has been faced before and say “this has probably been solved/not solved, but I’m different and will do something unique!” Is it ego? Yup. As I’ve progressed in my career, though, I like to read back on posts like this and think of them as cheat codes to accelerate my organization’s growth rather than challenges we must solve. My favorite quote:
If alerts are not actionable, they are just noise!
State of the Art
Google Cloud Platform Exfiltration: A Threat Hunting Guide by Veronica Marinov
Cloud-based exfiltration is fascinating. At first, you don’t realize how powerful “the cloud” has gotten in terms of its usability. When I think of exfiltration, I think of docs, source code, etc. But how about whole virtual machines, buckets, or images? Marinov dives deep into different techniques to achieve exfiltration, provides detection opportunities, and even discloses the lack of telemetry to Google, who promptly responded.
The link between risk scenarios and detection use cases by Niall McElroy
Risk scenarios are a critical input into the detection engineering backlog. They should sufficiently describe a business risk, and then the detection team can translate the risk into detection opportunities. McElroy makes a good point in this post that if you start with covering all of MITRE ATT&CK first, you will take on a massive bottom-up approach to detection coverage, which may not map to actual risk. Start with the business needs first!
Total Identity Compromise: DART lessons on securing Active Directory - Microsoft Community Hub by Matt Zorich
Zorich uses several real-world incidents from the Microsoft DART team to highlight frequently encountered weaknesses in on-prem Active Directory. “The basics”, such as weak passwords or insecure account configurations, are still an issue for many Microsoft customers. You can pick your proverbial poison in this post to start building your Windows backlog!
Debating SIEM in 2023, Part 1 by Anton Chuvakin
SIEMs are dead - long live SIEMs! No, but seriously, are data lakes SIEMs? Or are log analysis pipelines SIEMs? Does a duck quack? We’ve seen the evolution of SIEM for the last 20 years, and we are now entering a new stage of its life: graduating from awkward teenager or poor post-grad to a semi-responsible 30-something who only has a few drinks instead of many because they have work tomorrow :).
Advanced KQL for Threat Hunting: Window Functions — Part 2 by Mehmet Ergene
If you haven’t seen Ergene’s KQL Threat Hunting Part 1 in one of my previous issues, go read it! KQL is a secret weapon within Azure that I don’t see much research or posts on, so I’m glad they are covering it in more detail. In this post, Ergene compares sliding window counts vs. binning regarding anomaly detection.
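To make the sliding-window-versus-binning distinction concrete, here is an added Python example (not code from Ergene’s post, which uses KQL) that runs both approaches over constructed failed-logon timestamps. The data, the five-failures-in-60-seconds threshold and the helper names are assumptions for illustration; the point it shows is that fixed one-minute bins, like KQL’s `bin()`, miss a burst that straddles a bin edge, while a 60-second sliding window catches it.

```python
from bisect import bisect_left
from collections import Counter
from datetime import datetime, timedelta

BASE = datetime(2023, 3, 1, 9, 0, 0)

def at(seconds: int) -> datetime:
    """Timestamp `seconds` after BASE (negative values are before it)."""
    return BASE + timedelta(seconds=seconds)

# Constructed sample, not real telemetry: two stray failed logons for one account,
# then a burst of five that straddles the 09:01:00 minute boundary.
EVENTS = [at(s) for s in (-50, -40, 58, 59, 60, 61, 62)]

def _bin_start(t: datetime, bin_seconds: int) -> datetime:
    """Floor a timestamp to the start of its fixed-width bin (what bin() does)."""
    offset = (t - datetime.min).total_seconds() % bin_seconds
    return t - timedelta(seconds=offset)

def fixed_bin_counts(events, bin_seconds: int) -> dict:
    """Fixed-width binning: `summarize count() by bin(TimeGenerated, 1m)` style."""
    return dict(Counter(_bin_start(t, bin_seconds) for t in events))

def fixed_bin_alerts(events, bin_seconds: int, threshold: int) -> list:
    """Bins whose count reaches the threshold, as (bin_start, count), oldest first."""
    counts = fixed_bin_counts(events, bin_seconds)
    return sorted((start, n) for start, n in counts.items() if n >= threshold)

def sliding_window_alerts(events, window_seconds: int, threshold: int) -> list:
    """For each event, count events in the trailing window [t - window, t];
    return (event_time, count) wherever that count reaches the threshold."""
    events = sorted(events)
    window = timedelta(seconds=window_seconds)
    alerts = []
    for i, t in enumerate(events):
        first = bisect_left(events, t - window)  # index of oldest event still in window
        n = i - first + 1
        if n >= threshold:
            alerts.append((t, n))
    return alerts

if __name__ == "__main__":
    # The burst is split 2 + 3 across two bins, so binning never fires;
    # the sliding window reaches 5 at the fifth burst event (09:01:02).
    print("binned  :", fixed_bin_alerts(EVENTS, 60, 5))
    print("sliding :", sliding_window_alerts(EVENTS, 60, 5))
```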
Tips for Investigating Cybercrime Infrastructure by BushidoToken
One of my favorite researchers, BushidoToken, puts Joe Slowik’s blog (and previous 💎) on network indicators as composite objects to the test. Mapping criminal infrastructure is a fascinating field of research, and many of the tools you need to do it are all either open-source or have a freemium option. Knowing how criminal infrastructure operates can also increase your detection efficacy!
Detection Engineering on Social Media
I’m playing around with linking some interesting discussions and/or threads on social media related to the state of the art. Let me know what you think!
Threat Landscape
The VulnCheck 2022 Exploited Vulnerability Report - A Year Long Review of the CISA KEV Catalog by Jacob Baines
If you aren’t using CISA’s KEV catalog for prioritizing detection work, especially on exposed services, you should. This post looks at CISA’s activity in 2022, a year in which the catalog nearly TRIPLED its number of known exploited vulnerabilities in the wild. According to VulnCheck, 22% (around 120) of the newly added vulnerabilities were linked to ransomware.
2022 Year in Review by The DFIR Report
A comprehensive report on all of the incidents that members of The DFIR Report worked on. I particularly liked the visualizations they used when traversing certain Tactics/Techniques and mapping them to malware families. I almost never want to start with a malware family first when creating detections: much like the business risk scenarios link listed previously, you start with a Tactic, then traverse down to Techniques until you hit a known incident from a malware family.
FACT SHEET: Biden-Harris Administration Announces National Cybersecurity Strategy by U.S. White House
The Biden-Harris cyber strategy announcement has been the talk of the town this past week. I am the giddiest about #2 under Approach, “Disrupt and Dismantle Threat Actors.” Specifically, “Engaging the private sector in disruption activities through scalable mechanisms,” so I can’t wait to become cyber batman with a USA cape swooping in to take down oligarchs.
Malvertising Surges to Distribute Malware by intel471
The “intense and unexpected” resurgence of malvertising, as intel471 has put it, has made the usual loader and initial access malware like IcedID particularly effective. I hope the recent layoffs at Google did not affect their ads abuse team. Intel471 notes this is an excellent technique because you can capture the exact audience you want to infect. So, thanks, Google?
Desde Chile con Malware (From Chile with Malware) by S2 Research Team
Another great example of tracking criminal infrastructure, this time by Team Cymru. I hope you notice the similarities in pivoting techniques highlighted by BushidoToken earlier. Notice how there are overlaps between C2 infra, connecting IPs, and domains and netblocks associated with ransomware.
Bumblebee DocuSign Campaign by 0xToxin Labs
A complete investigation from an initial lure impersonating DocuSign to a Vidar infection. The author writes a decryptor on the sample to make it easier to analyze and ends with a Yara rule.
NVD makes up vulnerability severity levels | daniel.haxx.se
Hilarious but serious post on the failures of the CVE/CVSS system. You know it’s good when they have a section titled “CVSS is a shitty system.”
Open Source
Decider by CISA
I can’t decide anything. What to wear, where to eat or even a third thing to write about my indecision. That’s why when I see a project like Decider, I get warm and fuzzy inside because it makes it easier for me to go about my day!
In all seriousness, this is a great contribution by the CISA team, as memorizing adversary behaviors amongst the vastness of MITRE ATT&CK is becoming a burden. So, by answering a few simple questions, let Decider decide the behavior for you!
Introducing Exphash: Identifying Malicious DLLs With Export Hashing by lloydlabs
If you like imphash, exphash applies the same approach to finding similarities within malicious files, but over a file’s exports instead of its imports. The ordinality of exports is computed using this methodology and can be used to identify new samples.
vidar_config by NexusFuzzy
At first I thought this was a config extractor for binaries on a system, but much like the Cobalt Strike config extractor, you can use this to connect to a Vidar C2 and glean more intelligence from the server.
plague by QueenSquishy
Interesting list of initial attacks to test against EDRs when you are testing them out before you buy, or just after you buy. Based on this post by Goblin Loot.
ChopChopGo by M00NLIG7
A Chainsaw-inspired Linux forensics tool to quickly parse system logs to find evidence of compromise. There are hundreds of rules in here that check everything from auditd logs to file events and network connections.