Detection Engineering Weekly #33 - It's DPRK week, let's party.
The /r/Pyongyang subreddit awaits your subscription
Welcome to Issue #33 of Detection Engineering Weekly!
This week’s recap:
💎 3-peat by Gary Katz on detection drift
Invictus automates and tracks detection coverage using Stratus Red Team
Rezonate gives us the skinny on the best bang for your buck with Okta logs
DPRK and China are headlining everything this last week, with GitHub, JumpCloud and Mandiant dropping blogs burning some DPRK TTPs and infra
Microsoft doing the right thing and giving us mere mortals some more audit logs for Azure
Also, I’m going to Blackhat & DEFCON! If you want to meet up, shoot me an e-mail or a Twitter DM. The folks @ Prelude Security offered to buy me some Detection Engineering Weekly stickers to give out, so I’ll have a thicc pack of stickers of my dog (the featured doggo on this newsletter) that I hope to give away by the end of the weekend.
My hope is to do a DEFCON edition of my newsletter. I’ll be hanging out at the Cloud Village, AppSec village, with some w00w00 folks and a few Datadog people. If you see me come say hi!
Dear 🟪 , 🟥, 🟦 teamers and everyone in between
Want to roast a vendor, or many vendors? How about infosec Twitter? Give me a call and tell me all about it on a voicemail. I promise I’ll laugh and cry with you.
📱📱📱+1 954-280-0080
📱📱📱
🫵 Hey you! Do you have a blog post, social link, or open-source tool you want to see in this newsletter?
Leave a comment below or email me techy@detectionengineering.net
💎 Detection Engineering Gem 💎
Tracking Detection Drift by Gary Katz
This is a 3-peat for Gary, and his first gem!
False positive reduction (increasing precision) is usually the talk of the town when we talk about detection engineering. Time wasted is money going down the drain. But what about false negative reduction (increasing recall)? Well, adversaries care way more about evading your detections than how many alerts you try to tune away. I _love_ the examples Katz gives here, and they explain some basic statistics that you can run to get a much better metric around false negatives.
If you loved Katz's posts as much as I did, you would be thrilled to learn that he, Megan Roddie, and Jason Deyalsingh wrote arguably the first book on Detection Engineering. They sent me an early copy, and I've been nerding out on it for a few days now. Please go support our community and check out their book. I'd love to see more content applying the concepts in their book to real life.
State of the Art
Automated First-Response in AWS using Sigma and Athena by Invictus Incident Response
Invictus publishes their methodology behind alert validation (which I linked a few stories about last week) with Sigma, Stratus Red Team, and GuardDuty. Spoiler: GuardDuty and out-of-the-box Sigma rules underperformed against Stratus: 3 and 11 scenarios triggered alerts, respectively, out of 32 potential alerts. Here is an interesting quote about coverage from the Invictus team:
It was already expected that Sigma would not score 100%, since 100% coverage does not exist. Why not more detections? Partially because some of the simulated attacks look very legit from a CloudTrail log entry perspective. It is the task of the incident responder to add context to an event and assess whether this is malicious.
Scaling our security detection pipeline with Sigma by Bradley Kemp
The Monzo team uses this blog post to document their journey about building a detection-as-code CI/CD pipeline for their business. The post is from August last year; I'm surprised this is the first time I've seen it! The team chose to use Golang for their alerting language, and I love the reasons they chose to use Go and their alerting architecture:
They followed standard design patterns at Monzo
Everyone in the team was familiar with Golang
They can tap into the ecosystem of Go libraries from platform teams to help them accelerate their detection program
Okta Logs Decoded: Unveiling Identity Threats Through Threat Hunting by Ori Amiga and Ron Marom
IdP logs should be a critical source of telemetry in your detection program. Okta is one of the first IdPs (in my experience) to embrace providing audit logs on IdP activity in a consumable format. I'm happy to see out-of-the-box detection scenarios from their platform. The folks at Rezonate took this a step further. They provided ways for detection engineers to focus on the most interesting fields within these logs and how you can use them to detect attacks against your organization.
Investigating SMS phishing text messages from scratch by BushidoToken
Learn by doing - that is what BushidoToken recommends for analysts who want to get expertise in investigating any incident or real-world attack. In this post, you walk through an SMS-based phishing attack with BushidoToken, and he gives his methodology for analyzing criminal infrastructure with free tools. He features one of my FAVORITE free tools for cyber threat intelligence and infrastructure mapping: URLscan.
DNS Tunneling Detection — RITA by whoami
This is an easy-to-follow lab post on using the investigative tools Zeek and RITA to detect DNS tunneling on a “real” network capture. The author loads a dataset from Active Countermeasures’ Malware of the Day into Zeek, which processes and formats the logs so you can run queries with RITA.
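As an added example (not code from the linked post, Zeek or RITA), here is a small DNS-tunneling heuristic over constructed Zeek dns.log lines: it groups queries by registered domain and scores unique-subdomain churn, mean query length and first-label entropy. The sample log, the column subset and the thresholds are all assumptions.

```python
import math
from collections import defaultdict

# Constructed Zeek dns.log excerpt (tab-separated, with Zeek's #fields header; a subset of the real columns).
SAMPLE_DNS_LOG = """#fields\tts\tid.orig_h\tid.resp_h\tquery\tqtype_name
1690000000.1\t10.0.0.5\t10.0.0.1\twww.example.com\tA
1690000001.2\t10.0.0.5\t10.0.0.1\tmail.example.com\tA
1690000002.3\t10.0.0.7\t10.0.0.1\t4a6f686e20446f65.0f1e2d3c4b5a.tun.badexample.net\tTXT
1690000003.4\t10.0.0.7\t10.0.0.1\t5365637265742044.6f1e2d3c4b5b.tun.badexample.net\tTXT
1690000004.5\t10.0.0.7\t10.0.0.1\t6174612068657265.7f1e2d3c4b5c.tun.badexample.net\tTXT
1690000005.6\t10.0.0.7\t10.0.0.1\t7468697320697320.8f1e2d3c4b5d.tun.badexample.net\tTXT
#close\t2023-07-25-00-00-06
"""

def parse_zeek_dns(text):
    """Parse Zeek dns.log text into dicts keyed by the names in its #fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def label_entropy(label):
    """Shannon entropy (bits per character) of one DNS label; encoded data scores high."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    return -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())

def registered_domain(query):
    """Naive registered domain = last two labels (real tooling should use the Public Suffix List)."""
    return ".".join(query.rstrip(".").split(".")[-2:])

def tunneling_candidates(rows, min_unique=4, min_len=40, min_entropy=2.5):
    """Flag registered domains whose unique-subdomain churn, mean query length and mean
    first-label entropy all look like an encoded channel. Thresholds are illustrative."""
    by_domain = defaultdict(lambda: {"queries": set(), "hosts": set()})
    for r in rows:
        d = by_domain[registered_domain(r["query"])]
        d["queries"].add(r["query"])
        d["hosts"].add(r["id.orig_h"])
    flagged = {}
    for dom, d in by_domain.items():
        qs = d["queries"]
        avg_len = sum(len(q) for q in qs) / len(qs)
        avg_ent = sum(label_entropy(q.split(".")[0]) for q in qs) / len(qs)
        if len(qs) >= min_unique and avg_len >= min_len and avg_ent >= min_entropy:
            flagged[dom] = {"unique_subdomains": len(qs), "avg_query_len": round(avg_len, 1),
                            "avg_first_label_entropy": round(avg_ent, 2), "hosts": sorted(d["hosts"])}
    return flagged

if __name__ == "__main__":
    print(tunneling_candidates(parse_zeek_dns(SAMPLE_DNS_LOG)))
```

Pointed at a real dns.log, the same three signals are what you would tune against your own baseline before alerting, since short-lived CDN and telemetry domains also produce subdomain churn.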
Detection Engineering on Social Media
Link: https://twitter.com/Shadowserver/status/1683750793277579264
Link: https://twitter.com/Kostastsale/status/1682230781018771457
Threat Landscape
Security alert: social engineering campaign targets technology industry employees by Alexis Wales
It's North Korea Week here at Detection Engineering Weekly! In this post, GitHub drops a blog detailing a sophisticated, DPRK-led campaign against IT industry employees with a clever and involved attack chain. The actors target employees, socially engineer them into visiting a private GitHub repo, and then coerce them into cloning and running its contents to get access to their machines and corporate network. This is related to the Phylum blog released a month ago, and GitHub acknowledges that Phylum uncovered the attack on npm but did not have Microsoft's resources to attribute it to DPRK.
North Korea Leverages SaaS Provider in a Targeted Supply Chain Attack by Austin Larsen, Joseph Pisano, Mark Golembiewski, Matt Williams and Paige Godvin
Okay, a Silvia Pepe moment is coming, so bear with me. JumpCloud posted a breach disclosure on their blog due to a sophisticated campaign against their systems by DPRK. As a result of JumpCloud's breach, DPRK pivoted from JumpCloud into one of their customer's environments, who subsequently retained Mandiant as the incident response firm. This blog is about a JumpCloud customer's foray into Nation-State activity. Highly recommend reading through this to understand a) victimology and b) supply-chain security when you are a company that runs an agent on behalf of your customers.
P2PInfect: The Rusty Peer-to-Peer Self-Replicating Worm by William Gamazo and Nathaniel Quist
Gamazo and Quist uncover a clever Redis-based P2P botnet that uses CVE-2022-0543 to perform a Lua sandbox escape on vulnerable Redis hosts. It's also written in Rust (because threat actors can be hipsters, just like us) and doesn't care if it's running on Windows or Linux hosts.
Compromised Microsoft Key: More Impactful Than We Thought by Shir Tamari
It's DPRK week here at Detection Engineering Weekly. Didn't I say that already? Well, let's sprinkle some Storm-0558/Chinese espionage on top of this week's news! Tamari uncovers that the stolen MSA key from Microsoft's breach may have more impact from a blast radius perspective than initially disclosed. MSRC apparently agreed, but someone else at Microsoft disagreed, so now we have some DRAMA. It can be annoying when big corporate Microsoft does stuff like this and risks ruining relationships with the research community. We'll see what happens!
How Microsoft is expanding cloud logging to give customers deeper security visibility by Vasu Jakkal
Apparently, if you were a victim of Storm-0558, only when you pay the big bux could you see any telemetry from infections. Luckily, Microsoft is now enabling cloud audit logging capabilities to a much more significant portion of its customer base so that even "the little guys" can try to protect themselves.
Ransom Monetization Rates Fall to Record Low Despite Jump In Average Ransom Payments by Coveware
This is a super interesting article by Coveware - they throw a bit of micro- and macroeconomics at the ransomware problem space to build cost curves and measure the economies of scale of a modern ransomware operation. It turns out that ransomware gangs may also think about economies of scale and long-run average cost curves: much like angel investors, they infect hundreds of victims in the hope that 10 or so of them cover the cost of the whole operation and pony up millions of dollars.
CVE-2023-35078 - Remote Unauthenticated API Access Vulnerability by Ivanti
DID I SAY IT’S DPRK WEEK ALREADY? WE AREN’T READY FOR A CVSS 10.0 UNAUTHENTICATED ACCOUNT TAKEOVER VULNERABILITY THAT WILL MOST CERTAINLY CAUSE MASS EXPLOITATION WITHIN HOURS. GIVE US A SECOND TO TAKE A BREATHER.
Open Source
windows-api-function-cheatsheets by snowcra5h
As a Windows-curious "capability developer", I love cheatsheets like this. Windows documentation can either be good or confusing. Whether you are building detections or the 30th open-source stealer, this is an excellent library of Windows API functions.
Cybercrime-Police-Raids by BushidoUK
If you ever wanna see how the super ub3r hax0r crims (mostly in Russia?) live, this might be a great playlist to put on while you're enjoying a few drinks on a Friday night.
detection-and-response-pipeline by 0x4D31
Excellent amalgamation of detection and response tools, reference material and tutorials on building your own detection and response operation.
timesketch by Google
Interesting collaborative DFIR timeline tool by Google. I like how you can add different artifacts and it auto-aggregates them in a case and builds the timeline while deconflicting work streams between whoever is working on the incident.
github-actions-goat by step-security
A *Goat project that focuses on attacking a GitHub Actions pipeline. Since we’ve talked a lot about supply chain security breaches this week, I thought it would be good to add this one to the list of repos to check out.