Detection Engineering Weekly #17 - D'ya like dags?
Last week's news and how-tos in the art and science of Detection Engineering
Welcome to Issue #17 of Detection Engineering Weekly!
This week’s recap:
💎 of a post on Netflix’s Snare platform
Hayabusa in action by Eric Capuano
How to scale a (detection) engineering org during a recession by José Caldeira
ChatGPT in the hotseat with a vulnerability, and EUROPOL sets its eyes on the implications of its use by the criminal underground
DNS is my favorite protocol, and Akamai Research found all kinds of neat stuff with it
AND a quick editor’s note:
I am approaching running out of detection engineering gems! To ensure I keep the quality of gems high, I will start limiting them to 1-2 issues per month. So be on the lookout for gems and send them to me at techy@detectionengineering.net or comment below!
Explain Detection Engineering to your CEO: Feature #9 - UNKNOWN!
Social links: None!
Yet another spooky non-attributed definition of Detection Engineering! This time, it takes a shot at the title of this newsletter (I mean, you clicked, right?), as well as encompassing what it means to run a complete security program rather than just jumping straight into building rules. I like how the author focused on prevention first to minimize the attack surface and then started looking at reducing risk through threat detection by minimizing impact.
💎 Detection Engineering Gem 💎
Snaring the Bad Folks by Alex Bainbridge, Mike Grima, Nick Siow
This post about Netflix’s Detection & Response platform is over a year old now, but still a gem in my book. I love reading about homegrown detection & response platforms at a scale of a company like Netflix. If you want to dive deep into the decision making process of creating a system that processes 10s of millions of logs every few minutes, and then decide if you want to roll your own or buy, this is a great reference blog. My favorite part of this blog post is using Amazon Step Functions as a SOAR-y response tool via DAGs. And no, not the Brad Pitt kind.
State of the Art
Find Threats in Event Logs with Hayabusa by Eric Capuano
A quick introduction and getting started with Hayabusa. I linked Hayabusa in a previous newsletter, and I love reading posts where the author helps set the reader up with a home lab to experiment with a tool in a few minutes. This post combines Hayabusa with Timeline Explorer to quickly orient the reader with the timeline of an investigation.
1 Mitre Att&ck Technique That You Cannot Ignore by CyberSec_Sai
A bit of a clickbait-y title, but you know what? It got me to click. This author did a good job summarizing the importance of T1059: Command and Scripting Interpreter within ATT&CK. They painstakingly documented several APT and Financial Crime groups, the specific technique they used within T1059, and gave details and links to back their claims up. To back it up further, they linked MITRE’s CAR project, group-by’d the techniques, and found that an overwhelming number of Sigma rules are focused around T1059.
Engineering Efficiency: A Guide to Decision-Making During The Recession by José Caldeira
Although this blog focuses on software engineering in general, this is an excellent read for those leading an engineering organization, which Detection Eng falls into. It is elementary for an engineer to say, “we would be so much better if we could hire X many people.” In the current economic environment, that might not be possible. So, how do you scale otherwise? Measurement and focusing on improving the core value-add for your teams.
Security Champions, Are We Doing It All Wrong? Part 1 by Michael Burch
Speaking of scaling, you can scale a detection and response org through a security champions program. These programs bring in folks from your software engineering team to learn and evangelize security best practices and give feedback on what works within your detection plan. A true “democratized” detection org uses the whole company to assist in detection and response.
MSSN CTRL CFP by Lima Charlie
The good folks at Lima Charlie are launching a new conference in the metro DC area, MSSN CTRL. Their CFP is open until mid-April, and it looks like it will be an amazing conference with a dedicated focus on topics that readers of this newsletter know and love: detection engineering, threat hunting and blue teaming. I’m happy to see more and more conferences come to the DC area!
Lock & Load: Arming Yourself with Threat Intelligence by Adam Goss
Threat intelligence blogs can be a great source of detection ideation, but how do you process them to create a detection scenario? First, start with a good catalog of reliable sources that produce these blogs. Then, break the blogs down by their intelligence types: strategic, operational, and tactical. Is the report relevant to your org and your industry? Does it contain IOCs or MITRE ATT&CK TTPs to test rules against? Goss does a great job of breaking down all these questions and eventually leading to a rule.
Breaking the Chain: Defending Against Certificate Services Abuse by the Splunk Threat Research Team
Some of the most sophisticated and damaging security events abused Certificate Services during their campaigns. Stealing certificates from a store on Windows, for example, can lead to all kinds of trickery. In this post, the Splunk Threat Research team looks at previous breaches, and the tools used by adversaries to abuse certificates and provides a trove of detection opportunities for you and your team to test while you write detections.
Efficient SIEM and Detection Engineering in 10 steps by Maciej Szymczyk
Another somewhat clickbait-y title, but again, this got me to click and I really enjoyed reading this guide! Funny enough, my favorite steps are Step 1 and Step 10. I won’t spoil everything, but according to Szymczyk, ML is a joke (it kind of is in many ways), but treat it like a “cherry-on-top”.
Detection Engineering on Social Media
Threat Landscape
Aurora: The Dark Dawn and its Menacing Effects by Saharsh Agrawal
Has anyone looked at the explosion of stealer variants within the last 3 years? In the old days, it was just banking-trojan-turning-into-crypto-key-stealer, with years of rich history owning victims until the crypto boom. Aurora is a Go-lang based stealer that is advertised on the usual underground forum suspects. The best part? Agrawal added detection opportunities!
Guidance for investigating attacks using CVE-2023-23397 by Microsoft Incident Response
If you haven’t read up on CVE-2023-23397, then use this blog to catch up. The infection vector is pretty crazy since it’s an Outlook EoP bug: a malicious email is sent to a running Outlook process, you never open the email, and you get owned.
Fork in the Ice: The New Era of IcedID by Pim Trouerbach, Kelsey Merriman and Joe Wise
Researchers at Proofpoint fingerprint forks of IcedID, another banking trojan turned initial loader/access malware. There are numerous reports of IcedID leading to ransomware infections, and the newer forks have a subset of functionality compared to the original IcedID variant. According to Proofpoint, these “lightweight” versions of IcedID are probably optimized by threat actors for ransomware delivery, instead of general purpose stealing and botnet functionality of the original version.
OpenAI: A Redis bug caused a recent ChatGPT data exposure incident by Pierluigi Paganini
ChatGPT suffered a software supply chain security attack! Psych, it wasn’t an attack, it was a vulnerability. And this vulnerability quietly exposed all of the weird crap we’ve been sending to ChatGPT, this time to unsuspecting users. Basically, a library they use to interact with Redis was mismatching connections as they were pooled, resulting in users seeing all kinds of stuff from other users.
Attack Superhighway: A Deep Dive on Malicious DNS Traffic by Akamai Security Research
Whenever I interview at a new company, I walk (or Zoom) into each interview, gritting my teeth, trying not to blurt out that my favorite protocol of all time is DNS. It’s like crossfit, I can’t stop talking about it! Anyways, Akamai, as a CDN, has a crap ton of DNS data, and it turns out that when they look at it with a threat hunting lens, they find a lot of real bad stuff. My favorite finding is the prevalence of Mirai (still) and Flubot in home networks.
ChatGPT - the impact of Large Language Models on Law Enforcement by Europol
Great report by Europol showing the impact of LLMs like ChatGPT and how they can be used for abuse and cybercriminal activity. Much like the Internet and cell phones, I think we arrived at the age of LLMs without completely thinking of its malicious impact, but I think this is the natural progression of game-changing tech like ChatGPT. I can’t wait for the first CVE to be issued to ChatGPT, where someone performed a “jailbreak” and put a stupid website and logo up to brag about it.
Joomla! CVE-2023-23752 to Code Execution by Jacob Baines
Vulncheck has been putting out some great content lately! In this post, Baines reviews the recent Joomla vulnerability that leads to sensitive information disclosure, specifically around the database it’s connecting to and the usernames and password hashes within the installation.
Open Source
Malicious Software Packages Dataset by Datadog Security Research
Note, I am employed by Datadog and helped build this dataset
Shameless plug, but have you ever wanted to experiment with running malicious packages and see what detections you could build? Well, the team here at Datadog carefully collected hundreds of malicious PyPI packages and published them in this repository for you to try. We will add more as we find them, including packages from other languages!
untitledgoosetool by CISA
Besides the amazing name, this tool focuses heavily on collecting events and logs from various sources in a Microsoft AD environment, whether on-prem or in Azure. I’m excited to see what kind of blogs and research come out of using it!
LambdaLooter by State Farm Insurance
Interesting python tool that authenticates to your AWS (or whatever AWS credentials you so happen to have ;)) and “loots” secrets.
Launching a New Open-Source Tool: Access Undenied on AWS by Noam Dahan
Listen, IAM in the Cloud is complicated. Every cloud service provider has vastly different models that generate vastly different audit and control plane logs. Dahan’s new tool, Access Undenied, turned this weakness into a strength by automating the processing of AccessDenied CloudTrail logs and figuring out why the call failed. This can be helpful for engineers who need to understand how to generate least-privilege access policies for their infrastructure.
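As an added example (not code from Access Undenied or from this newsletter), a first pass at the processing the post describes: pull the denied action, the principal and IAM's stated reason out of CloudTrail records and group them per principal, which is the raw material for a least-privilege policy. The records are constructed samples in CloudTrail's JSON shape, and the regex assumes IAM's standard "is not authorized to perform" wording.

```python
"""Summarise CloudTrail AccessDenied events by principal, action and IAM reason.
Added example; the records below are constructed, not real CloudTrail output."""
import json
import re
from collections import defaultdict

# Constructed sample records (CloudTrail JSON shape, fake account and ARNs).
SAMPLE_EVENTS = json.dumps({"Records": [
    {"eventTime": "2023-03-28T12:00:01Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "errorCode": "AccessDenied",
     "errorMessage": "User: arn:aws:sts::111122223333:assumed-role/app-role/i-0abc is not authorized to perform: s3:GetObject on resource: arn:aws:s3:::example-bucket/secret.txt because no identity-based policy allows the s3:GetObject action",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/app-role/i-0abc"}},
    {"eventTime": "2023-03-28T12:00:05Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt", "errorCode": "AccessDeniedException",
     "errorMessage": "User: arn:aws:sts::111122223333:assumed-role/app-role/i-0abc is not authorized to perform: kms:Decrypt on resource: arn:aws:kms:us-east-1:111122223333:key/1234abcd because no resource-based policy allows the kms:Decrypt action",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/app-role/i-0abc"}},
    {"eventTime": "2023-03-28T12:00:09Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "errorCode": None, "errorMessage": None,
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
]})

# IAM's denial wording carries the action, the resource and (often) the reason.
DENY_RE = re.compile(
    r"not authorized to perform: (?P<action>\S+) on resource: (?P<resource>\S+)"
    r"(?: because (?P<reason>.*))?")

def parse_denials(raw_json):
    """Return (principal_arn, action, resource, reason) for every denied API call."""
    out = []
    for rec in json.loads(raw_json)["Records"]:
        code = rec.get("errorCode") or ""
        if "AccessDenied" not in code:  # covers AccessDenied and AccessDeniedException
            continue
        m = DENY_RE.search(rec.get("errorMessage") or "")
        if m:
            action, resource = m.group("action"), m.group("resource")
            reason = m.group("reason") or "unspecified"
        else:  # fall back to service:eventName when the message has a different shape
            action = f"{rec['eventSource'].split('.')[0]}:{rec['eventName']}"
            resource, reason = "?", "unparsed message"
        out.append((rec["userIdentity"]["arn"], action, resource, reason))
    return out

def denials_by_principal(raw_json):
    """Group denied (action, reason) pairs per principal for policy review."""
    grouped = defaultdict(list)
    for principal, action, _resource, reason in parse_denials(raw_json):
        grouped[principal].append((action, reason))
    return dict(grouped)
```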
awesome-soc by cyb3rxp
Yet another awesome- Github repo, this time dedicated to SOC resources!
Very solid post, thank you for sharing! We're also in the engineering field, you can check one of our articles here https://www.metridev.com/metrics/engineering-productivity-what-is-it/