Detection Engineering Weekly #27 - If a security gateway gets thrown in a trashcan..
Does it make any noise?
Welcome to Issue #27 of Detection Engineering Weekly!
This week’s recap:
💎 by Phil Venables on Artisanal vs Industrial security programs. You can definitely abstract this to just a detection program!
Processing pipelines in Sigma by Thomas Patzke, Splunk pulls apart Papercut exploits (and provides an environment to try it!), and rule metadata justifications by Emerging Threats researcher Ozurie
Fortinet is burning, Barracuda is burning in a trashcan, modern PoS malware is scary and Minecraft suffers supply chain attacks like the rest of modern software
Dear 🟪 , 🟥, 🟦 teamers and everyone in between
Did you know I made a hotline last week for you to air your grievances anonymously? Imagine one of those morning talk shows with people calling in and ranting about whatever and whoever. I’d love to hear your rants on security, threat detection, purple teaming and everything else. Give me a call and leave a voicemail! +1 954-280-0080
🫵 Hey you! Do you have a blog post, social link, or open-source tool you want to see in this newsletter?
Leave a comment below or email me techy@detectionengineering.net
💎 Detection Engineering Gem 💎
Delivering Security at Scale: From Artisanal to Industrial by Phil Venables
This week’s gem really strikes at the heart of what I think many security leaders think about, even if their scope is only detection engineering and response: scale. For those that have read The Phoenix Project (I highly recommend it), the company in it has scaling issues with almost everything it does: project management, a “hero” developer, metrics generation, and general alignment. Venables equates this to an artisanal vs. industrial approach.
Although the post focuses on security programs, take some time to read through this and scope it down to your threat detection and engineering elements. Gems like this are great because you can increase or decrease the model's scope, and things don’t generally change.
State of the Art
Connecting Sigma Rule Sets to your Environment with Processing Pipelines by Thomas Patzke
Garbage in, garbage out. Have you heard that adage? Well, you will definitely get some garbage inside your security products if you don’t have an excellent way to extract, transform and load security data beforehand. This is also true for detection rules!
This post is a deep introduction to processing pipelines, and these pipelines can take many forms! Patzke discusses how Sigma uses processing pipelines to transform Sigma rules (a generic detection format) into various query formats, like Splunk.
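To make the idea concrete, here is a small Python model of a Sigma processing pipeline, added as an illustration (it is not code from Patzke's post or from pySigma): one generic rule, two constructed pipelines whose transformations rename fields or add log-source-specific conditions only when their rule_conditions match the rule's logsource, and a minimal Splunk-style rendering. The pipeline dictionaries mirror the shape of pySigma's YAML pipelines; the EDR field names are hypothetical.

```python
# A Sigma rule in the dict form its YAML parses to (constructed example; a
# single selection, so the "condition" line is not evaluated here).
RULE = {
    "title": "certutil used to download a file",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {"selection": {"Image|endswith": "certutil.exe",
                                "CommandLine|contains": "urlcache"},
                  "condition": "selection"},
}

# Two constructed pipelines in the shape of pySigma's YAML pipelines: each
# transformation fires only if its rule_conditions match the rule's logsource.
SYSMON_PIPELINE = {"name": "sysmon", "transformations": [
    {"type": "add_condition", "conditions": {"EventID": 1},
     "rule_conditions": [{"type": "logsource", "category": "process_creation"}]},
]}
EDR_PIPELINE = {"name": "hypothetical-edr", "transformations": [
    {"type": "field_name_mapping",  # hypothetical vendor field names
     "mapping": {"Image": "process_path", "CommandLine": "process_cmdline"},
     "rule_conditions": [{"type": "logsource", "product": "windows"}]},
    {"type": "field_name_mapping", "mapping": {"DestinationIp": "dest_ip"},
     "rule_conditions": [{"type": "logsource", "category": "network_connection"}]},
    {"type": "add_condition", "conditions": {"event_type": "process_start"},
     "rule_conditions": [{"type": "logsource", "category": "process_creation"}]},
]}

def applies(transformation, rule):
    """True when every logsource rule_condition matches the rule's logsource."""
    return all(rule["logsource"].get(k) == cond[k]
               for cond in transformation.get("rule_conditions", [])
               for k in ("product", "category", "service") if k in cond)

def apply_pipeline(pipeline, rule):
    """Return a transformed copy of the rule; the generic rule stays untouched."""
    sel = rule["detection"]["selection"]
    for t in (t for t in pipeline["transformations"] if applies(t, rule)):
        if t["type"] == "field_name_mapping":  # rename the field part of "Field|modifier"
            sel = {t["mapping"].get(f, f) + sep + mod: v
                   for (f, sep, mod), v in ((k.partition("|"), v) for k, v in sel.items())}
        elif t["type"] == "add_condition":  # AND environment-specific terms onto it
            sel = {**sel, **t["conditions"]}
    return {**rule, "detection": {**rule["detection"], "selection": sel}}

def to_splunk(rule):
    """Minimal Splunk-style backend: AND-ed field=value terms, modifiers as wildcards."""
    terms = []
    for key, value in rule["detection"]["selection"].items():
        field, _, mod = key.partition("|")
        if isinstance(value, str):
            value = {"endswith": f'"*{value}"', "contains": f'"*{value}*"',
                     "startswith": f'"{value}*"'}.get(mod, f'"{value}"')
        terms.append(f"{field}={value}")
    return " ".join(terms)
```

The same rule yields a Sysmon query with `EventID=1` appended and an EDR query with renamed fields; the network_connection mapping never fires because the rule's category does not match.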
Don’t Get a PaperCut: Analyzing CVE-2023-27350 by Splunk Threat Research Team
Threat emulation is one of my favorite things to work on when writing detection rules. Serious, widespread vulnerabilities like CVE-2023-27350 can make this a challenge, especially if the affected software takes time to build or there isn’t much public content on how to build it. Luckily, the Splunk Threat Research Team did it for us! If you ever have a chance, get super familiar with replicating vulnerable environments to test exploit payloads like this one. You’ll learn much more about security than by tossing around a PoC you found on GitHub :).
Thoughts on Practical Threat Modeling by Page Glave
Love this post by Glave - threat modeling SHOULD be part of the Detection Engineering backlog! It’s a practical approach to designing secure, production-facing systems, so why not have the results of the threat model map into detections to ensure coverage? This post is the first time I’ve seen this concept from a detection engineering angle, and it makes me wonder what else we can use from an AppSec playbook to help fuel detections.
Rule Metadata & Exploit Signature Difficulties by Ozurie
If you read the above post by Splunk on the PaperCut vulnerability, you probably thought it was easy to detect exploitation. You are right! But what happens when the exploit becomes more dynamic? The more conditions, regexes, or query logic your detections contain, the easier they can be bypassed by reordering things or breaking the regex. Ozurie describes how the Emerging Threats team assigns confidence metadata to their exploit detections as a way to describe the reliability of those detections. Not all IDSes can be 100% perfect. No security tool can! So, make it “easier” for the consumers of your detections by providing context around the alert.
How to Create F.L.I.R.T Signature Using Yara Rules for Static Analysis of ELF Malware by 増渕 維摩 (Yuma Masubuchi)
Those pesky malware authors are always messing up analysis! Stripping symbols, obfuscating, packing... What can we do? Well, F.L.I.R.T. to the rescue! In this post, Masubuchi shows how you can use Yara hunting techniques to find binaries similar to a piece of malware you are analyzing, create function signatures from them, and then reapply those signatures to the original binary to increase analysis speed.
Circumventing inotify Watchdogs by Arch Cloud Labs
A friend of the newsletter, Arch Cloud Labs, uncovers how the inotify watchdog subsystem implements the read() syscall and how its implementation of file integrity monitoring can be circumvented. As in Jared Atkinson’s gem post from last week, by reading and understanding API documentation for operating systems (or anything else), you can start to build out the underlying components that eventually lead to the atomic operation itself. If a detection (in this case, inotify) has a limitation on what it can or cannot see, then you have a functional bypass of that detection.
What Do You Want? by Katie Knowles
Another friend of the newsletter, Katie Knowles, gives some sage advice on “opportunity gains” when considering what you want out of your career. We as a community are fortunate to be in an industry where you can do many different things, and it can be overwhelming to determine your true calling within security. Katie discusses how a generic mission statement such as “I want to do good work on a great team” isn’t helpful for your career goals. Why not be more specific? Or why does it have to be static? Your mission statement can change, and it ABSOLUTELY should!
Nice work Katie!
Detection Engineering on Social Media
Link: https://twitter.com/MaxRogers5/status/1668278617502015495
Link: https://twitter.com/gymR4T/status/1667632727728836609
Link: https://twitter.com/EricaZelic/status/1668036028920131585
Threat Landscape
Fortinet fixes critical RCE flaw in Fortigate SSL-VPN devices, patch now by Lawrence Abrams
Fortinet RCEs: the gift that keeps on giving! Not much detail on live exploitation as of the writing of this post, but this was found by two researchers, which offers some hope that we can get patched before the miscreants of the internet craft an exploit (or clone one from GitHub) and spray it out to the world.
Barracuda Urges Replacing — Not Patching — Its Email Security Gateways by 🦀 Brian Krebs 🦀
Imagine walking into work and getting a phone call from your Barracuda rep about this vulnerability. You brief your boss on the situation, and they ask, “So what do we do?” You respond, “Boss, we gotta trash these devices. Like literally throw them in the trash.” I can’t imagine running a security compliance company where you are owned for THAT long (Krebs says October 2022), and you can’t reliably push out code to patch it.
A Truly Graceful Wipe Out by The DFIR Report
This post is a WILD intrusion documented by The DFIR Report. The actors gained initial access via TrueBot, then loaded several other second- and third-stage malware like Cobalt Strike, Impacket, and FlawedGrace. The actors eventually exfiltrated data, and instead of ransoming the victims, they loaded MBR wipers and completely decimated the machines. No note found. Spooky.
IT threat evolution Q1 2023 by David Emm
Great roundup of interesting Q1 threat landscape changes found or documented by Kaspersky. The story that caught my eye is about a threat actor Kaspersky calls Prilex. PoS malware has been around for several years, but according to the company, it has evolved into a highly sophisticated operation. For example, a PoS system infected with Prilex may have its contactless feature disabled or blocked, causing a failover in which the victim has to swipe their card and thereby surrender track data to the malware.
Infected Minecraft Mods Lead to Multi-Stage, Multi-Platform Infostealer Malware by Bitdefender
Supply chain attacks have infected Minecraft mods, according to Bitdefender. But this isn’t just a simple stealer like you’ve seen on PyPI or npm; the Fractureiser stealer dropped by these malicious mods is part of a multi-stage campaign. I guess we just shouldn’t download anything anymore ¯\_(ツ)_/¯.
Open Source
Decret by Orange Open Source
Threat emulation using known exploited vulnerabilities is a great way to test your detections against things that have happened in the wild. Orange created this repo to automatically reproduce a vulnerable Debian environment, given a CVE.
Ransomware Map by cert-orangecyberdefense
r/theydidthemath is one of my favorite subreddits. You just get some ridiculously cool calculations on strange/esoteric questions. When folks do this for other disciplines, especially cybersecurity, I have to call them out and thank them. This is the most comprehensive Ransomware tracking and evolution map I’ve seen.
certrss by PulseDive
If you use Feedly, you should definitely add all of the aggregated RSS feeds here!
Process Governor by lowleveldesign
Interesting approach to allow-listing or limiting what processes on Windows are permitted to do. I’m unsure if Windows has a cgroups-esque implementation for limiting process functions, but it might be interesting to see if any processes hit those limits so you can write detections on them.