Detection Engineering Weekly #42 - 🎉 5000 Subscribers! 🎉
And I couldn't have done it without you
Welcome to Issue #42 of Detection Engineering Weekly!
Programming update, and a quick life update:
Hi everyone!
I’m excited to announce we reached 5000 subscribers to Detection Engineering Weekly! I am blown away by the level of support and feedback provided by so many of you. Thank you for all your messages, emails and of course blog posts that I can read and share with my readers.
For the next two weeks, I’ll be scheduling some pre-written posts that go out in place of Detection Engineering Weekly, so no new issues. Why? Well, my wife and I are welcoming our second kid and I want to make sure I can be there for him and my family!
So, Oct. 18 is when you’ll see regularly scheduled content again. Thanks again for all the support, and I can’t wait to show y’all what I have planned.
Zack
Survey Announcement:
My friend Grace is launching her second Survey on CTI Networking, which she turned into a fantastic report and conference presentation at the SANS CTI Summit. If you’re a CTI professional, could you take some time to help her complete this survey? It’s all anonymous, and she’ll use the results for good so we can all understand a bit more how professionals in our field collaborate.
This week’s recap:
A 💎 on entity modeling for alert prioritization by Tammy Truong and Kyle Derevyanik
TrustedSec’s Adam Chester spills the beans on attacking Okta, but the beans taste great because there are detection opportunities everywhere in his post
James Dorgan & the Coinbase team continue their blog series on scaling D&R @ Coinbase
Material Security’s Joe Portner on reimagining access management for thousands of GCP customer tenants
Ermetic researchers document Azure’s clever instance metadata service, Adobe’s Renae Kang interviews one of their SOC Interns, applying TLP decorators to Azure rules and alerts, and John Althouse releases JA4!
More SCATTERED SPIDER by Ian Ahl & the Permiso team, a DFIR Report drop on ScreenConnect and a somewhat botched ransomware deployment, Citizen Lab finds more Predator victims, Turla, new RaaS players...
plus so much more!
🫵 Hey you! Do you have a blog post, social link, or open-source tool you want to see in this newsletter?
Leave a comment below or email me techy@detectionengineering.net
💎 Detection Engineering Gem 💎
Prioritizing Entities for Better Security Alerts by Tammy Truong and Kyle Derevyanik
This post by Truong and Derevyanik details how the Snowflake team implemented their own prioritization framework via Assets and Identities. The idea of a "severity-based" framework seems great on paper, but when you have a hammer, everything needs to look like a nail. If I had to instruct a team to start their prioritization framework, I think severity-based prioritization makes sense as a first step, but it doesn't scale. So how do you scale it?
Entities to the rescue! Humans are great classifiers, so why not turn what you want to protect into a classification system? Enter Snowflake's Entity Management Framework. The team organized entities into two flavors: identities and assets.
This is the most clever risk prioritization system I've encountered in the open-source world. Make sure to check out how they compute risk scores based on environment (sandbox vs. prod) and how they've determined thresholds for severity based on the distribution of their risk scores across all of their detections.
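To make the idea concrete, here is an added illustration of entity-based prioritization (my own constructed example, not Snowflake's code): each alert's base severity is scaled by the riskiest identity or asset involved, with an environment multiplier, and the severity cutoffs are then derived from the observed score distribution rather than fixed by hand. The criticality scale, environment weights and percentile cutoffs are all assumptions.

```python
"""Illustrative entity-based alert prioritization (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Entity:
    name: str
    kind: str          # "identity" or "asset"
    criticality: int   # assumed scale: 1 = commodity, 5 = crown jewel
    environment: str   # "sandbox", "dev" or "prod"


# Assumed multipliers: the same detection firing in a sandbox matters less than in prod.
ENV_WEIGHT = {"sandbox": 0.25, "dev": 0.5, "prod": 1.0}


def entity_risk(entity: Entity) -> float:
    """Risk contributed by one entity: its criticality scaled by its environment."""
    return entity.criticality * ENV_WEIGHT[entity.environment]


def alert_score(base_severity: int, entities: list[Entity]) -> float:
    """Detection severity (1-5) scaled by the riskiest entity the alert touches."""
    if not entities:
        return float(base_severity)
    return base_severity * max(entity_risk(e) for e in entities)


def derive_thresholds(scores: list[float]) -> dict[str, float]:
    """Pick cutoffs from the score distribution across all detections
    (assumed split: top 5% critical, top 20% high, top 50% medium, rest low)."""
    ranked = sorted(scores)

    def at_percentile(p: float) -> float:
        return ranked[min(len(ranked) - 1, int(p * len(ranked)))]

    return {"critical": at_percentile(0.95),
            "high": at_percentile(0.80),
            "medium": at_percentile(0.50)}


def label(score: float, thresholds: dict[str, float]) -> str:
    """Map a score onto a severity label using the derived cutoffs."""
    for name in ("critical", "high", "medium"):
        if score >= thresholds[name]:
            return name
    return "low"
```

With real data the score history feeds `derive_thresholds`, so a noisy week of sandbox alerts cannot push production crown-jewel alerts down the queue.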
State of the Art
Okta for Red Teamers by Adam Chester
Okta has been in the news a LOT lately. And by lately, I mean the last several years. Lots of breaches started with an Okta compromise, and, IMHO, the more exciting thing isn't how Okta got breached, but rather what the attackers did with Okta post-initial access. Check out the SCATTERED SPIDER posts in previous newsletters: threat actors compromising IdPs and moving laterally via IdP federation is the new hotness.
In this post, Chester reveals several tactics red teamers use when targeting Okta. Things get weirder if you combine Okta with Active Directory via Kerberos. Many detection opportunities start from pivoting to Okta via Kerberos and into Silver Ticket attacks. My favorite part at the bottom shows how you can set up a "Fake SAML Provider" to sidestep authenticating to the victim system.
Scaling Detection and Response Operations at Coinbase pt2 and
Scaling Detection and Response Operations at Coinbase pt3 by James Dorgan
This is a continuation from last week's issue and 💎 by James Dorgan and the Coinbase team, focusing on enriching alerts with User and Machine context (Part 2) and democratizing triage through a Slackbot and employee inputs (Part 3). This fits really nicely with Snowflake's gem post above, and it shows how a massive organization like Coinbase can scale its detection program to meet specific business needs and environments.
If you read the gem above, Part 2 is an excellent follow-on post. If you read Palantir's Democratizing Detection, a Gem from Issue #11, you can see how teams can spread the love of triage by using your colleagues as an additional enrichment point!
Q&A with Joseph Keller, Bowie State University Intern at Adobe by Renae Kang
I love reading intern spotlights! There's something about having someone with a fresh perspective on the team who can keep you honest in how you onboard, perform daily tasks, train, and provide feedback. In this post, Renae Kang of Adobe Security interviews Joseph Keller about his experience as a SOC analyst at Adobe. I used to live near Keller's college, Bowie State, so this hit home for me in many ways.
Reimagining Access Management: Part 1 by Joe Portner
Have you ever managed compute resources (EC2 instances, GCP VMs, etc) for your company? It's an endeavor to figure out how to build, deploy, manage, and secure these resources at any scale. Now, imagine doing that for thousands of compute resources on behalf of customers. Fascinating but terrifying problem, right?
Well, Material does just that, and this blog post by Portner describes how they approached access management for these thousands of customer tenants. It gets even harder once you factor in customer support: your engineers and support staff need access to customer tenants to do their job. The coolest part, IMHO, is how Material leverages GitHub to maintain a "database" of access requests via several out-of-the-box features.
The Azure Metadata Protection You Didn't Know Was There by Lior Zatlavi and Liv Matan
Azure, like GCP and AWS, exposes metadata endpoints that help services retrieve cloud session tokens for interacting with their cloud environment. Most of these services and resources access the metadata endpoint via an HTTP GET to a link-local address. Azure is a special snowflake in this aspect: according to Zatlavi and Matan, Azure App Services, Function apps, and Logic apps use a special runtime environment variable to access the metadata service. This helps prevent SSRF attacks, because retrieving a token requires access to the underlying runtime environment, and if someone already has that, they can get the credentials anyway.
Microsoft Azure Sentinel: Adding TLPs (Traffic Light Protocol) to Incidents, Alerts and Analytics Rules by Truvis Thornton
This is a neat post that helps readers implement a TLP labeling system to incidents and rules obtained via threat intelligence sharing. Thornton used Azure Logic Apps to decorate the rules and incidents with a corresponding TLP tag if you choose to label it as such.
JA4+ Network Fingerprinting by John Althouse
Andddd it's live! JA4 just dropped, an extension to JA3 TLS fingerprinting but with way more functionality. Modern Internet security technology, specifically TLS, has reduced the attack surface of an organization's assets, but that same security also reduced the attack surface of threat actor infrastructure. You may not have access to the underlying data, but by using JA4 fingerprinting mechanisms, you can "abuse" the metadata offered by these different technologies to fingerprint and cluster threat actor infrastructure.
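To show what the client-side fingerprint is built from, here is an added, simplified JA4 (TLS Client Hello) computation written from the published JA4 format; it is my own illustration, not code from Althouse's project, and it assumes the caller has already parsed the Client Hello fields (the resolved TLS version, cipher suites, extension types, signature algorithms and first ALPN value) and passes them in.

```python
"""Simplified JA4 TLS client fingerprint from parsed Client Hello fields (added example)."""
import hashlib


def is_grease(value: int) -> bool:
    """GREASE values (0x0a0a, 0x1a1a, ... 0xfafa) are ignored by JA4."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)


def _hash12(text: str) -> str:
    """First 12 hex chars of SHA-256; JA4 uses all zeros for an empty list."""
    return "000000000000" if not text else hashlib.sha256(text.encode()).hexdigest()[:12]


def ja4(transport: str, version: int, sni_present: bool, ciphers: list[int],
        extensions: list[int], sig_algs: list[int], alpn: str) -> str:
    """transport: 't' (TCP) or 'q' (QUIC); version: resolved TLS version, e.g. 0x0304.
    Assumed: version is the highest supported_versions entry when that extension exists."""
    ciphers = [c for c in ciphers if not is_grease(c)]
    exts = [e for e in extensions if not is_grease(e)]
    ver = {0x0304: "13", 0x0303: "12", 0x0302: "11", 0x0301: "10"}.get(version, "00")
    alpn_code = "00" if not alpn else alpn[0] + alpn[-1]          # "h2" -> h2, "http/1.1" -> h1
    part_a = (f"{transport}{ver}{'d' if sni_present else 'i'}"
              f"{min(len(ciphers), 99):02d}{min(len(exts), 99):02d}{alpn_code}")
    # part b: sorted cipher suites, hashed.
    part_b = _hash12(",".join(f"{c:04x}" for c in sorted(ciphers)))
    # part c: sorted extensions minus SNI (0x0000) and ALPN (0x0010), then the
    # signature algorithms in their original order (omitted when absent).
    hashed_exts = sorted(e for e in exts if e not in (0x0000, 0x0010))
    c_text = ",".join(f"{e:04x}" for e in hashed_exts)
    if sig_algs:
        c_text += "_" + ",".join(f"{s:04x}" for s in sig_algs)
    part_c = _hash12(c_text)
    return f"{part_a}_{part_b}_{part_c}"


# Constructed sample: a TLS 1.3 hello with SNI, five real ciphers plus one GREASE value.
SAMPLE = dict(transport="t", version=0x0304, sni_present=True,
              ciphers=[0x1301, 0x1302, 0x1303, 0xC02B, 0xC02F, 0x0A0A],
              extensions=[0x0000, 0x0017, 0x002B, 0x0010, 0x000D, 0x2A2A],
              sig_algs=[0x0403, 0x0804], alpn="h2")

if __name__ == "__main__":
    print(ja4(**SAMPLE))
```

Because the cipher and extension lists are sorted before hashing, a client that randomizes their order still yields the same JA4, which is the property that makes the fingerprint usable for clustering.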
Detection Engineering on Social Media
Link: https://twitter.com/x0rz/status/1705219099830243795
Link: https://twitter.com/DrunkBinary/status/1704652067933913407
Link: https://twitter.com/0xdea/status/1705942107125391601
Threat Landscape
LUCR-3: Scattered Spider Getting SaaS-Y In The Cloud by Ian Ahl
A friend of the newsletter, Ian Ahl, deep dives into SCATTERED SPIDER and provides fantastic details on how they operate. I love visually intuitive threat intelligence reports, so Ahl & the Permiso team provide an easy-to-reference and visual report on TTPs and highlights. I'm a sucker for good art, so the "detective" in the banner image with a shoe trying to squash the spider is *chef's kiss*.
From ScreenConnect to Hive Ransomware in 61 hours by The DFIR Report
A new week, a new DFIR Report. In this case, in October last year, the team observed an intrusion where the actor relied heavily on an RMM tool for access and tried to deploy Hive ransomware. After exfiltrating sensitive files over SFTP, the actor attempted a domain-wide Hive deployment via GPO but did not use the correct settings, so the domain-wide ransomware infection failed. According to DFIR Report, they still encrypted key servers.
npm packages caught exfiltrating Kubernetes config, SSH keys by Ax Sharma
Sonatype research found several npm packages containing malware that extracts secrets from victim hosts. The peculiar thing about this one is that, as far as I can remember, it's the first time I've seen malware extract Kubernetes configs.
Predator in the Wires by Bill Marczak, John Scott-Railton, Daniel Roethlisberger, Bahr Abdul Razzak, Siena Anstis, and Ron Deibert
Citizen Lab continues its fight against mercenary spyware, and this post details a breach against an Egyptian MP, Ahmed Eltantawy, who was owned via THREE iPhone zero-days. The research collective attributes this attack to the Egyptian government, after extensive research unearthing that Egypt buys the Predator spyware from Cytrox and that the exploit was delivered in Eltantawy's physical location.
If you are unfamiliar with Predator and Cytrox, you should check out the latest Darknet Diaries episode, aptly named "Predator."
Examining the Activities of the Turla APT Group by Srivathsa Sharma
Turla, a Russian-based APT group active since at least 2004, set its sights on Ukraine as recently as July. But, did you see the date I wrote? 2004! I remember writing threat intel briefs about Turla when I started working professionally over 10 years ago. What better way to understand a group than reading its history? That's exactly what Sharma did here, and it's a worthy read if you want to understand more about how nation-state activity evolves alongside the country it aligns with.
Dusting for fingerprints: ShadowSyndicate, a new RaaS player? by Eline Switzer, Joshua Penny and Michael Koczwara
In this post on Group-IB, researchers from several outfits uncover an alleged ransomware affiliate, ShadowSyndicate. ShadowSyndicate is a busy bee: they leverage several C2 frameworks, deploying them across dozens of servers on the Internet, and, according to Group-IB, they have been linked to infections across multiple ransomware groups. I like the analysis of fingerprinting unique Cobalt Strike configurations to cluster ShadowSyndicate operations, which includes Cobalt Strike's watermarks, IPs, domains, and sleep time.
Open Source
awesome-honeypots by paralax
I'm surprised I haven't linked this yet, but paralax (my former manager at Fastly!) runs an impressive, exhaustive list of open-source honeypots. But it's not just honeypots. It's virtually everything you need to build, run, and analyze data captured from honeypots.
bindiff by Google
BinDiff is now open source! It looks like Google now hosts it under their GitHub account, but the original researcher ran it out of their own website here.
Cloud Katana by Azure
An Azure-focused threat emulation tool built on Azure Function apps. It focuses on generating “campaign” objects that simulate an attack so you can test your detections afterwards. Here’s an example campaign where Cloud Katana emulates a threat actor discovering Azure assets.
NetExec by Pennyw0rth
CrackMapExec got forked and turned into NetExec. Apparently, the original CrackMapExec was “sponsorware”, which basically means someone was paid to maintain it. That person retired, and a few of the core devs forked the project and it’s now community-driven!
kernel-hardening-checker by a13xp0p0v
An automated Linux kernel hardening checker. It looks across boot-time, compile-time and runtime configurations and provides recommendations on locking down whatever kernel you are on. They have a handy visual “Linux Defence Map” so you can see the links between the recommendations and the CWE types they protect against.