Detection Engineering Weekly #40 - My identity as a security researcher is in shambles
Notice me, DPRK! :( :(
Welcome to Issue #40 of Detection Engineering Weekly!
This week’s recap:
💎 by James Dorgan on how Coinbase scaled their detection & response efforts and designing for the analyst
Arch Cloud Labs helps us with CTF challenges, MSTIC launches V2 of their Cloud Storage Blob threat matrix, Burak Karaduman fits Splunk inside a Docker container, and Anton Chuvakin on the pains behind detection engineering
TAG discloses a DPRK campaign against security researchers, and I was not targeted, US Treasury sanctions more Trickbot cronies, BLASTPASS uncovered by Citizen Lab, and FBI announces the Stake breach as a DPRK op
Plus so much more!
🫵 Hey you! Do you have a blog post, social link, or open-source tool you want to see in this newsletter?
Leave a comment below or email me techy@detectionengineering.net
💎 Detection Engineering Gem 💎
Scaling Detection and Response Operations at Coinbase Pt.1 by James Dorgan
This week’s gem showcases how Coinbase transitioned many “industrial” detection and response solutions to a singular “artisanal” solution that fits Coinbase’s use cases. A previous gem by Phil Venables defines industrial vs. artisanal, so go check that out and come back and read Dorgan’s blog. When you reach a scale like a large cryptocurrency company with a bespoke tech stack, your security tools need to evolve with the tech stack.
Coinbase does this by unifying its detection and response toolset into a singular platform, where analysts and responders can leverage the body of knowledge of their detection engineers to display enrichments, history, and response actions in a consistent view. These “economies of scale” of detection and response risked imposing costs on Coinbase, so heavily investing in these standardized views helped keep the cost down so the business could grow. Think of it like the “long-run average cost curve” in Economics:
State of the Art
Pwntools & Pwndbg BoF 101 by Arch Cloud Labs
A friend of this newsletter, Arch Cloud Labs, gives a quick tutorial on using pwntools and pwndbg for some entry-level exploit development CTF challenges. Having the skills to perform some basic exploit development makes a more well-rounded blue teamer, because it makes you interact with very low-level concepts in the target system. So, if you want to see how to develop an exploit against a buffer overflow challenge and execute a “win” function, check this out!
Cloud storage security: What’s new in the threat matrix by Microsoft Threat Intelligence
Did you know MSTIC runs its own threat matrices? The group updated their Cloud storage threat matrix to account for some additional access methods actors use in operations. Most tactics on MITRE ATT&CK got an update here with new techniques. I thought the “static website” tactic was the most interesting update. Specifically, you can turn a storage blob container into a static website and access the objects via a separate URL to exfiltrate data.
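As an added example (my own, not code from the MSTIC matrix or from Microsoft), here is a small detection over constructed Azure blob log records: it flags creation of the `$web` container (which is what enabling the static-website feature does) and anonymous reads from `$web` shortly after data is written into it. The field names follow the StorageBlobLogs schema as I recall it and are an assumption; the timestamps, account name and IPs are constructed.

```python
"""Flag static-website enablement and anonymous reads of the $web container."""
from datetime import datetime, timedelta

# Constructed sample modelled on Azure StorageBlobLogs records (assumed field
# names, not real telemetry): an operator enables the static website, uploads a
# file into $web, and an outside address fetches it anonymously minutes later.
SAMPLE_LOGS = [
    {"TimeGenerated": "2023-09-10T12:00:00Z", "AccountName": "corpdata", "OperationName": "CreateContainer",
     "ObjectKey": "/corpdata/$web", "AuthenticationType": "OAuth", "CallerIpAddress": "203.0.113.5"},
    {"TimeGenerated": "2023-09-10T12:01:30Z", "AccountName": "corpdata", "OperationName": "PutBlob",
     "ObjectKey": "/corpdata/$web/dump.zip", "AuthenticationType": "OAuth", "CallerIpAddress": "203.0.113.5"},
    {"TimeGenerated": "2023-09-10T12:05:00Z", "AccountName": "corpdata", "OperationName": "GetBlob",
     "ObjectKey": "/corpdata/$web/dump.zip", "AuthenticationType": "Anonymous", "CallerIpAddress": "198.51.100.9"},
    {"TimeGenerated": "2023-09-10T13:00:00Z", "AccountName": "corpdata", "OperationName": "GetBlob",
     "ObjectKey": "/corpdata/reports/q3.pdf", "AuthenticationType": "SAS", "CallerIpAddress": "203.0.113.5"},
]

WRITE_OPS = {"CreateContainer", "PutBlob", "PutBlock", "PutBlockList", "CopyBlob"}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def _container(object_key):
    # ObjectKey is "/<account>/<container>/<blob>"; index 2 is the container.
    parts = object_key.split("/")
    return parts[2] if len(parts) > 2 else ""


def detect_static_site_exfil(logs, window=timedelta(hours=1)):
    """Return (alert, account, caller_ip) tuples for $web enablement and for
    anonymous GetBlob reads from $web within `window` of a write to it."""
    alerts = []
    last_web_write = {}  # account -> time of most recent write into $web
    for rec in sorted(logs, key=lambda r: r["TimeGenerated"]):
        if _container(rec["ObjectKey"]) != "$web":
            continue
        acct, op, t = rec["AccountName"], rec["OperationName"], _ts(rec["TimeGenerated"])
        if op == "CreateContainer":  # enabling static website creates $web
            alerts.append(("static_website_enabled", acct, rec["CallerIpAddress"]))
        if op in WRITE_OPS:
            last_web_write[acct] = t
        if op == "GetBlob" and rec["AuthenticationType"] == "Anonymous":
            prev = last_web_write.get(acct)
            if prev is not None and t - prev <= window:
                alerts.append(("anonymous_read_after_write", acct, rec["CallerIpAddress"]))
    return alerts
```

A storage account that legitimately hosts a static site will generate anonymous reads all day, so the write-then-read window is what keeps this from paging on every page view.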
Splunk Docker | Analyze EVTX on the Fly by Burak Karaduman
I never imagined someone asked or answered the question: Can you run Splunk on Docker? The answer? Yup! Docker is a mainstay tool for most modern development teams, and using Docker as a way to create and deploy the application seems like magic to me. Karaduman launches Splunk in Docker in this post and runs an evtx2splunk converter to view logs in a community Splunk deployment.
Lolbins for connoisseurs… Part 2 by hexacorn
Hexacorn continues his Part 1 foray into strange locations of LOLBINS all over the Windows system. Many utilities and binaries get installed out of the box on fresh Windows boxes and exist in strange places. Hopefully, the LOLBAS project has these locations and binaries listed :).
Understanding Red to Be Better at Blue: Navigating New CrackMapExec Updates by Kostas Tsialemis
Did you know there is an Offensive Security Tool (OST) debate on infosec X/Twitter? It's a debate that has held some of our lifetime's greatest, most legendary takes and conversations! Terrible joke - it's been dramatic and full of feelings with lots of finger-pointing. My take on whether to publish OSTs follows Tsialemis' recommendations here.
Red teamers publish these tools, so why not learn from them? In this post, Tsialemis reviews the latest updates to CrackMapExec, studies their behavior, and gives detection opportunities at the end.
Detection Engineering is Painful — and It Shouldn’t Be (Part 1) by Anton Chuvakin
A friend of the newsletter, Anton Chuvakin, published Part 1 of a series on "the DNA of Detection Engineering." He perfectly captured the evolution of SOCs, where the industry is moving towards scaling detection content via software engineering principles. The painful parts, as Chuvakin puts them, include:
The utter sprawl of data and systems and the rapid pace of onboarding new systems
Burnout from the constant need to curate and deploy new content
The sheer amount of expertise needed to handle detection opportunities in all of these disparate systems
Chuvakin also points out that some of these detection engineers are beginning to wear many hats of sister teams that they previously relied on. My org can struggle with expertise sprawl with the complexities of a multi-cloud and SaaS environment, so it's nice to see Anton calling that out.
Detection Engineering on Social Media
I was invited to SANS "Wait Just an Infosec" Podcast to discuss Detection Engineering. I feel proud about this one, so go check it out!
Link: https://twitter.com/x0rz/status/1701635846808506405
Link: https://twitter.com/JBizzle703/status/1699852451241718158
Threat Landscape
Active North Korean campaign targeting security researchers by Clement Lecigne and Maddie Stone
Google TAG discloses a campaign targeting security researchers specializing in vulnerability and exploit development. I'm not cool enough, so I never got one of these connection requests, but I do ask weird bots who message me on LinkedIn to "just send me the malware." Still waiting to get a file. In North Korean fashion, the attackers develop a conversation and rapport with their victim and send a malicious file to compromise the researcher.
United States and United Kingdom Sanction Additional Members of the Russia-Based Trickbot Cybercrime Gang by US Department of the Treasury
Department of the Treasury names and shames additional members of the notorious Trickbot collective. Do yourself a favor and read the names and descriptions of how these members operated in the group. Trickbot employed people across every function you would expect of a company: HR, development, testing and finance.
BLASTPASS: NSO Group iPhone Zero-Click, Zero-Day Exploit Captured in the Wild by Citizen Lab
Citizen Lab finds two vulnerabilities used by customers of the Pegasus spyware family against members of a civil society group in D.C. It looks like Apple issued two CVEs and released a patch quickly. According to Apple via Citizen Lab, Apple’s Lockdown Mode would have prevented this 0-day from being effective on enabled devices.
Evolution of Cybercriminal Operations in 2023 by Will Thomas
Interesting rundown by Will Thomas of a new type of initial access broker shop found on the cybercriminal underground. Basically, initial access brokers would post on your usual suspect criminal forums to advertise access to corporate networks. Thomas found a broker who did this AND advertised a shop hosted on the dark web. This was one of my favorite parts of Thomas’ post, which talks about how this broker proved they had access to a victim environment:
To prove the access is legit, Br0k3r also offers to provide proof of Domain Admin privileges, enterprise access level, size of the network, and which antivirus or endpoint detection and response (EDR) system is in use.
CISA Adds Two Known Vulnerabilities to Catalog by CISA
CISA responds promptly to the BLASTPASS vulnerabilities by listing the vulnerabilities from the Citizen Lab disclosure.
CVE-2023-41064 Apple iOS, iPadOS, and macOS ImageIO Buffer Overflow
CVE-2023-41061 Apple iOS, iPadOS, and watchOS Wallet Code Execution Vulnerability
I want to see one threat report where someone with an Apple Watch gets pwned. Just one!
FBI Identifies Lazarus Group Cyber Actors as Responsible for Theft of $41 Million from Stake.com by FBI National Press Office
Stake recently disclosed a breach that resulted in tens of millions of dollars in crypto being stolen by advanced threat actors. Two weeks later, the FBI posted a notice here that attributed the attack to DPRK. According to the FBI, DPRK has stolen about $200 million USD this year alone.
Open Source
aws-guardduty-runbook-generator by aquia-inc
Glue code that takes GuardDuty findings inside your AWS environment and then populates a runbook template pulled from docs.aws.amazon.com.
Eyes by N0rz3
Semi-creepy OSINT tool to find accounts on several platforms given an email address. The creepy part uses facial recognition on profile photos inside these accounts to reconcile whether it’s the same person.
cspm_evaluation_matrix by Nextdoor
Nextdoor published their evaluation matrix for CSPM products after their fwd:cloudsec talk. I like the transparency behind publishing these evaluations, especially coming from a dirty CSPM vendor, because it democratizes the knowledge and makes it easier for everyone to look for things that matter.
fibratus by rabbitstack
Observability-based tool that monitors Windows kernel syscalls with an easy-to-use detection language. I like the idea of moving towards an eBPF-style detection model for Windows. Instead of catching or hooking everything, you specify what you want to hook in the domain-specific language, and it removes the kernel-level wizardry requirement and gives you what you need.
CVEAggregate by r3volved
Interesting Node tool that displays aggregate data of CVEs cross-correlated with CISA and EPSS scoring. It’s a lot of acronyms, I know, but CVEs by themselves are nothing more than an identifier. IMHO EPSS is the future (not as much as CVSS), but that’s my hot take for the newsletter.
Enjoyed the podcast yesterday!