Detection Engineering Weekly #6 - 🌟 to 💎, IR in the cloud and CircleCI shenanigans
Last week's news and how-tos in the art and science of Detection Engineering
Issue 6 Summary
Every week, I review my feedback forms for the blog. I ask three questions: rate this blog from 1 to 10, how can I increase it by 1 point, and how can I make it a 10?
Well, today, I am trying to increase it by 1 point for folks who gave me feedback on spotlight stories over the last few weeks.
Adieu, Spotlight! Enchanté, Gem!
A spotlight blog, to me, is a blog that you should almost always read as a security practitioner. It's a snapshot of something I find really useful for security engineers, and it helps bring the state of the art of our profession forward.
"But techy, this is a WEEKLY newsletter, why isn't it something published in the last week?" you say. It turns out that there isn't a lot of great content on Detection Engineering concepts published weekly, let alone gems. So I have to look back at some gems I've saved over the years and bring my readers to them.
I think this is a branding problem, so I am now removing Spotlight stories, and I am introducing 💎Detection Engineering Gems 💎. I hope that this helps readers understand that a gem doesn't have to be recent but it should be timeless.
Explain Detection Engineering to your CEO
I got a great response rate from readers last week, so I will continue asking this question this week: can you take 5 mins and answer this form on how you'd explain Detection Engineering to your CEO? I will do a separate post in a few weeks to go over the results, and I will begin featuring responses in a week or two.
👇👇
Form: Explain Detection Engineering to your CEO
👆👆
This week’s recap:
Gem from Anton Chuvakin on using lessons from SRE in SecOps
Multiple AWS IR posts after CircleCI breach
DFIR Report drop on Ursnif
Lots of Yara resources, from linting to lessons learned from a “100 days of Yara” experience
If you haven’t subscribed, please consider! I’ll do all the hard work of aggregating and writing, so you don’t have to :)
Also, please give me feedback! There’s a form at the bottom👇👇 of the newsletter. Three questions, two minutes; I’ve improved a lot of aspects of this newsletter from feedback. Thank you!
Have content to share? Could you email me?
I am always interested in looking at new content. I have plenty of Threat Landscape and am craving more “State of the Art” Detection Engineering content. Do you have thoughts on how to design a detection engineering sprint or manage a backlog? How about what tools do you use for detection engineering? Shoot me an e-mail at techy@detectionengineering.net with your link, and I’ll see if I can add it here!
Happy Hunting
💎 Detection Engineering Gem 💎
More SRE Lessons for SOC: Simplicity Helps Security by Anton Chuvakin
My first official gem is a blog on using lessons from Site Reliability Engineering (SRE) and applying them to security operations. I've written about this subject in previous blogs, but Chuvakin goes deep into the application of SRE to security. I am a big fan of learning from the mistakes of others, and I am seeing a shift in scaling security operations teams where they are becoming SRE / DevOps curious and aligned.
State of the Art
Part-time Threat Hunting: Considering its Efficacy
by Christian Taillon
We should have more posts that are in response to other posts. I think sometimes the security community focuses too much on new content rather than on responses to content and the conversations that follow. In this blog, Taillon responds to a post by CrowdStrike claiming that part-time threat hunting is not worth your time and refutes the premise that you can only get value out of threat hunting if it's a 24/7 program. Surprise, surprise, CrowdStrike sells that as a service! I agree with Taillon: if you do not have a full-time threat hunting analyst or vendor, consider intelligence-driven threat hunts as an exercise for your detection team. It will leave your team understanding your systems and gaps better and keep them engaged.
Detecting Anomalous AWS Sessions From Temporary Credentials - 1 of 2
by Andre Rall
Straight-to-the-point blog on how AWS access keys are abused by attackers. This is especially relevant to the CircleCI news from last week. Make sure to check CloudTrail logs for both long-term IAM user keys (AKIA... key IDs) and temporary STS credentials (ASIA... key IDs) being used to attack your environment.
Incident report: stolen AWS access keys
by Myles Satterfield, Tyler Wood, Teauna Thompson, Tyler Collins, Ian Cooper, and Nathan Sorrel
Another timely post about stolen/abused AWS access keys, very close to the CircleCI breach. Do I see a pattern? Follow this incident report by the great folks at Expel to see how to detect, respond, recover and hunt for AWS access key abuse. The nice thing about this post is that it is from a real-world incident rather than something hypothetical.
Responding to an attack in AWS by Invictus Incident Response
Alright - last post about AWS incidents and juxtaposing the writeups with CircleCI. Yet another great example of how to perform investigations and forensics on an AWS environment post-compromise. This post and the previous two should give you more than enough ammunition to build up detections for AWS compromises :).
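The three posts above all come down to the same CloudTrail question: is this key being used from somewhere, or by something, it has never been used from before? Here is an added example of that baseline-and-compare logic run over a few constructed CloudTrail records (not code from Rall's, Expel's or Invictus' posts). It keys assumed-role sessions on the issuing role rather than the ASIA key, since temporary keys change every session; the account ID, key IDs, IPs, user agents and the list of enumeration APIs are assumptions.

```python
"""Baseline-and-compare detection for AWS access-key abuse in CloudTrail.

Added example (not code from Rall's, Expel's or Invictus' posts). The CloudTrail
records below are constructed and trimmed to the fields this logic reads; the
account ID, key IDs, IPs, user agents and role names are placeholders.
"""
from collections import defaultdict

# Calls an attacker typically makes first with a freshly stolen key (assumed list).
ENUMERATION_APIS = {
    "GetCallerIdentity",
    "GetAccountAuthorizationDetails",
    "ListAttachedUserPolicies",
    "ListRoles",
    "ListSecrets",
}


def _event(time, name, ip, agent, identity):
    return {"eventTime": time, "eventName": name, "sourceIPAddress": ip,
            "userAgent": agent, "userIdentity": identity}


# Long-term key belonging to an IAM user (AKIA... prefix).
USER = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/deploy",
        "accessKeyId": "AKIAEXAMPLE000000001"}


def _role_session(session, key):
    """Temporary STS credentials (ASIA... prefix) for an assumed role."""
    return {"type": "AssumedRole",
            "arn": f"arn:aws:sts::111122223333:assumed-role/ci-deploy/{session}",
            "accessKeyId": key,
            "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::111122223333:role/ci-deploy"}}}


# Constructed "known good" activity used to build the baseline.
BASELINE_EVENTS = [
    _event("2023-01-09T10:00:00Z", "ListBuckets", "203.0.113.10", "aws-cli/2.9.0", USER),
    _event("2023-01-09T10:05:00Z", "DescribeInstances", "203.0.113.10", "aws-sdk-go/1.44.0",
           _role_session("build-42", "ASIAEXAMPLE000000002")),
]

# Constructed activity under inspection: one stolen long-term key, one normal
# CI run with a rotated ASIA key, one stolen temporary credential.
NEW_EVENTS = [
    _event("2023-01-10T02:13:00Z", "GetCallerIdentity", "198.51.100.7", "python-requests/2.28", USER),
    _event("2023-01-10T09:00:00Z", "DescribeInstances", "203.0.113.10", "aws-sdk-go/1.44.0",
           _role_session("build-43", "ASIAEXAMPLE000000003")),
    _event("2023-01-10T02:20:00Z", "ListSecrets", "198.51.100.7", "Boto3/1.26.0",
           _role_session("build-44", "ASIAEXAMPLE000000004")),
]


def credential_kind(access_key_id):
    """AKIA... is a long-term IAM user key; ASIA... is a temporary STS key."""
    if access_key_id.startswith("AKIA"):
        return "long-term"
    if access_key_id.startswith("ASIA"):
        return "temporary"
    return "unknown"


def principal(event):
    """Identity to baseline on. Temporary keys change with every STS session,
    so assumed-role events are keyed on the issuing role rather than the key."""
    ident = event["userIdentity"]
    if ident.get("type") == "AssumedRole":
        return ident["sessionContext"]["sessionIssuer"]["arn"]
    return ident.get("arn", "unknown")


def build_baseline(events):
    """Source IPs and user agents seen per principal."""
    seen = defaultdict(lambda: {"ips": set(), "agents": set()})
    for ev in events:
        entry = seen[principal(ev)]
        entry["ips"].add(ev["sourceIPAddress"])
        entry["agents"].add(ev["userAgent"])
    return dict(seen)


def detect(events, baseline):
    """Return a finding for every event that deviates from the baseline or
    looks like post-theft enumeration."""
    findings = []
    for ev in events:
        who = principal(ev)
        known = baseline.get(who)
        reasons = []
        if known is None:
            reasons.append("principal not in baseline")
        else:
            if ev["sourceIPAddress"] not in known["ips"]:
                reasons.append(f"new source IP {ev['sourceIPAddress']}")
            if ev["userAgent"] not in known["agents"]:
                reasons.append(f"new user agent {ev['userAgent']!r}")
        if ev["eventName"] in ENUMERATION_APIS:
            reasons.append(f"enumeration call {ev['eventName']}")
        if reasons:
            key = ev["userIdentity"].get("accessKeyId", "")
            findings.append({"time": ev["eventTime"], "principal": who, "key": key,
                             "kind": credential_kind(key), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect(NEW_EVENTS, build_baseline(BASELINE_EVENTS)):
        print(f["time"], f["kind"], f["principal"], "; ".join(f["reasons"]))
```

Run on the constructed data it flags the GetCallerIdentity call with the stolen AKIA key and the ListSecrets call with the stolen ASIA key, while the rotated CI key on the second event stays quiet because the role, not the key, is what was baselined. In a real pipeline the baseline would come from weeks of CloudTrail and the IP check would usually be on network or ASN rather than exact address.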
eBPF: A new frontier for malware by Dave Bogle
It may not be the year of the Linux desktop, but the last two years (and this year) are the years for eBPF for Linux hosts! If you have not read into the architecture, intricacies, and elegance of eBPF, check out this post by Dave Bogle. It's a great eBPF 101 and shows how malware authors have abused eBPF to maintain access to victim machines.
Dhash Icon - Identify similar icons used in malware by Thomas Roccia
Dhash strings are a fantastic threat-hunting capability for organizations. VirusTotal Intelligence (VTI) and other threat-hunting products use dhash to let researchers and hunters pivot and find more samples whose icons are similar enough to a known bad or interesting sample. They are not perfect and can be false-positive prone, especially with packed or encoded samples, but it is a great technique to have in your toolbox.
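As an added example (not Roccia's tool or VirusTotal's implementation), here is a pure-Python dhash with a Hamming-distance comparison over three constructed 16x16 grayscale icons; the box-average downsampling and the 10-bit similarity threshold are assumptions.

```python
"""Difference hash (dhash) for icon similarity, pure Python.

Added example, not Roccia's tool or VirusTotal's implementation. Images are
lists of rows of 8-bit grayscale values; the three icons below are constructed,
and the downsampling is a plain box average rather than the interpolation an
image library would use.
"""


def _resize_box(pixels, width, height):
    """Shrink a grayscale image to width x height by averaging source blocks."""
    src_h, src_w = len(pixels), len(pixels[0])
    out = []
    for ty in range(height):
        y0 = ty * src_h // height
        y1 = max(y0 + 1, (ty + 1) * src_h // height)
        row = []
        for tx in range(width):
            x0 = tx * src_w // width
            x1 = max(x0 + 1, (tx + 1) * src_w // width)
            block = [pixels[y][x] for y in range(y0, y1) for x in range(x0, x1)]
            row.append(sum(block) / len(block))
        out.append(row)
    return out


def dhash(pixels, hash_size=8):
    """Return the dhash as an int of hash_size*hash_size bits.

    The image is reduced to (hash_size+1) x hash_size and each bit records
    whether a pixel is darker than its right-hand neighbour, so a uniform
    brightness shift or a small resize leaves the hash unchanged.
    """
    small = _resize_box(pixels, hash_size + 1, hash_size)
    bits = 0
    for row in small:
        for x in range(hash_size):
            bits = (bits << 1) | (1 if row[x] < row[x + 1] else 0)
    return bits


def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")


def similar(a, b, threshold=10):
    """Pivot threshold: at most `threshold` differing bits out of 64 (assumed)."""
    return hamming(a, b) <= threshold


# Constructed 16x16 "icons": a horizontal gradient, the same icon with a
# two-pixel edit, and an unrelated vertical gradient.
ICON_A = [[x * 12 for x in range(16)] for _ in range(16)]
ICON_B = [row[:] for row in ICON_A]
ICON_B[0][0] = ICON_B[0][1] = 255
ICON_C = [[y * 12 for _ in range(16)] for y in range(16)]

if __name__ == "__main__":
    for name, icon in (("A", ICON_A), ("B", ICON_B), ("C", ICON_C)):
        print(name, f"{dhash(icon):016x}", "bits from A:", hamming(dhash(icon), dhash(ICON_A)))
```

The brightness invariance is why dhash survives recolouring and small resizes, and also why two icons with the same light-to-dark layout hash close together; treat the distance as a pivot, not as a verdict.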
Detection Engineering Automation: ChatGPT by Ashish Bansal
As Bansal writes in the post, I have also been inundated with ChatGPT content in my LinkedIn feed. What Bansal does differently here, though, is use ChatGPT to create rules AND dummy logs to test those rules against. I've futzed with ChatGPT for some YARA rules in VTI Livehunt, but they were not that good. The threat and traffic logs that Bansal generated look great for testing, though. I think we are still far off from this tool being useful, but it may be a good starting point for many of us.
Publicly available sources for industry-specific threat landscape reports
by Nicole Hoffman
Threat landscape reports should be an input to many detection teams' ideation backlog. Not all are created equal, and some are snake oil for a product. I really like how Hoffman qualifies a good threat report here by providing a potential outline for those looking to write one. Hoffman also gives a ton of Google web alert queries and sources for threat reports.
Threat Landscape
CircleCI security alert: Rotate any secrets stored in CircleCI by Rob Zuber
I'm sure many readers of this newsletter had an incident involving CircleCI last week. The scary thing about compromising a cloud-based CI/CD tool like this is how much of the software supply chain it exposes. Off the top of my head, I've stored the following in other CI/CD systems: AWS keys, SSH keys, VPN configurations and private keys, GitHub tokens, and Heroku keys. I wish there were a better way to point folks at how to detect compromise via control plane logs or affected service logs than asking victims to "check internal logs." Well, at least to get things started, I dug through CircleCI's website to find their control plane/audit log page, linked below.
PurpleUrchin Bypasses CAPTCHA and Steals Cloud Platform Resources by William Gamazo and Nathaniel Quist
As a community, we talk about moving to a DevSecOps model to scale and streamline security operations. But how could we forget about threat actors and cybercriminals? They want to scale too! Unit 42 breaks down a threat actor group that uses DevOps / SRE automation techniques to mass-create throwaway cloud and CI accounts to mine crypto. The lengths these actors go to, bypassing CAPTCHA and KYC checks and using potentially stolen credit card information, are extraordinary.
A Deep Dive Into poweRAT: a Newly Discovered Stealer/RAT Combo Polluting PyPI
by The Phylum Research Team
Looks like malware devs, especially stealer-related devs, are venturing more and more into using open-source packages as a delivery mechanism for their crimeware. Not only does this malware steal tokens, session keys, and passwords from your usual suspects, but it has a lightweight RAT that malware authors and distributors can use to get screenshots and victim information. Mark my words - it is only a matter of time before a malicious package leads to a stealer and THEN to initial access for a ransomware gang.
Can you trust your VSCode Extensions? by Ilay Goldman
Every week now I post a threat landscape update where someone found a malicious package on PyPI or npm. The Aqua Security team took the concept of supply chain attacks one step further and experimented with malicious VSCode extensions. It turns out they work really well. If you have any ideas on detecting these before they are installed, please shoot me an email, because Stack Overflow says 74.48% of surveyed devs use VSCode!
Unwrapping Ursnifs Gifts by The DFIR Report
(me, whenever The DFIR Report publishes a blog post) "Babe, wake up, the new DFIR Report just dropped!" Just kidding (slightly), but yet another banger of a post from the great folks at The DFIR Report. Ursnif is a banking trojan turned dropper turned initial access toolset for ransomware operations. Ursnif, just like many other droppers, now infects end users with malicious ISOs as the initial access vector. Name one vendor that drops as many IOCs and detection rules as The DFIR Report - fantastic stuff!
Initial access techniques in Kubernetes environments used by Kinsing malware
by Sunders Bruskin
Kinsing rears its ugly head in this Microsoft post detailing the malware's initial access methods against Kubernetes workloads. I find it interesting that Kinsing, historically associated with exploiting exposed Docker API ports, now exploits vulnerable containers before moving laterally and establishing a foothold inside a Kubernetes cluster.
Open Source
YARA Essentials for Every Day Use
by g-les (Greg Lesnewich)
Lesnewich shares notes on the essential tools he used during his 100 days of YARA challenge. I particularly like the notes on building a local corpus of goodware files to test for false positives without needing a cloud service.
yaraQA by Florian Roth
Interesting tool that lints YARA rules for performance problems. The repo uses plyara to parse rules into Python dictionaries, which is easier to work with than a full AST, so I wonder if folks will begin integrating this into their CI pipelines for rule checking.
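To make the idea concrete, here is an added example of a minimal lint over YARA string definitions, in the spirit of yaraQA but not its code or its check list; it is regex-based rather than plyara-based, handles one string definition per line, and the rule it scans and the length thresholds are constructed assumptions.

```python
"""A small performance lint for YARA string definitions.

Added example in the spirit of yaraQA, not yaraQA's own code or check list.
It parses with regular expressions rather than plyara, expects one string
definition per line, and the rule it runs on is constructed.
"""
import re

RULE_RE = re.compile(r"^\s*(?:(?:private|global)\s+)*rule\s+(\w+)")
TEXT_RE = re.compile(r'^\s*(\$\w*)\s*=\s*"((?:[^"\\]|\\.)*)"\s*(.*?)\s*$')
HEX_RE = re.compile(r"^\s*(\$\w*)\s*=\s*\{([^}]*)\}\s*(.*?)\s*$")
REGEX_RE = re.compile(r"^\s*(\$\w*)\s*=\s*/((?:[^/\\]|\\.)*)/([is]*)\s*(.*?)\s*$")
FIXED_BYTE_RE = re.compile(r"^[0-9A-Fa-f]{2}$")

# Constructed rule with several slow string definitions and two fine ones.
SAMPLE_RULES = r'''
rule demo_bad_atoms
{
    meta:
        description = "constructed rule used to exercise the lint"
    strings:
        $a = "MZ"
        $b = "cmd" nocase
        $c = { ?? ?? 4D 5A [2-4] 90 }
        $d = /.*cmd\.exe/i
        $e = { 4D 5A 90 00 03 00 }
        $f = "PowerShell -enc" ascii wide
    condition:
        any of them
}
'''


def _check_text(rule, name, value, mods):
    out = []
    length = len(re.sub(r"\\.", "x", value))  # an escape sequence counts as one byte
    if length < 4:
        out.append((rule, name, "text string shorter than 4 bytes gives the scanner no usable atom"))
    if "nocase" in mods.split() and length < 8:
        out.append((rule, name, "nocase on a short string multiplies the atoms to track"))
    return out


def _check_hex(rule, name, value):
    out = []
    tokens = value.split()
    fixed = [t for t in tokens if FIXED_BYTE_RE.match(t)]
    if len(fixed) < 4:
        out.append((rule, name, "hex string has fewer than 4 fixed bytes"))
    if tokens and not FIXED_BYTE_RE.match(tokens[0]):
        out.append((rule, name, "hex string starts with a wildcard or jump"))
    return out


def _check_regex(rule, name, value):
    if value.startswith("."):
        return [(rule, name, "regex starts with an unanchored wildcard; every offset is a candidate")]
    return []


def lint_rules(source):
    """Return (rule, string, message) tuples for each slow string definition."""
    warnings, rule, in_strings = [], None, False
    for line in source.splitlines():
        if line.strip().startswith("//"):
            continue
        m = RULE_RE.match(line)
        if m:
            rule, in_strings = m.group(1), False
            continue
        head = line.strip()
        if head.startswith("strings:"):
            in_strings = True
            continue
        if head.startswith("condition:"):
            in_strings = False
            continue
        if not in_strings or rule is None:
            continue
        if m := TEXT_RE.match(line):
            warnings += _check_text(rule, *m.groups())
        elif m := HEX_RE.match(line):
            warnings += _check_hex(rule, m.group(1), m.group(2))
        elif m := REGEX_RE.match(line):
            warnings += _check_regex(rule, m.group(1), m.group(2))
    return warnings


if __name__ == "__main__":
    for rule, name, message in lint_rules(SAMPLE_RULES):
        print(f"{rule}: {name}: {message}")
```

Wired into CI with a non-zero exit on any warning, a check like this catches the two-byte "MZ" and the wildcard-led hex string before they slow down every scan the rule set is deployed to.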
My Jupyter Collection by Thomas Roccia
I'd love a post on the best practices of building Jupyter notebooks for threat hunting, intelligence, and detection. I'd imagine some of the best practices would look similar to Roccia's notebooks. My favorite notebook posted here is the string similarity notebook - it visualizes the relationship between strings via Jaccard distances.
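For the string-similarity idea, an added example (not Roccia's notebook): extract printable strings from a few constructed byte blobs standing in for samples and compute pairwise Jaccard distances between their string sets.

```python
"""Pairwise string-set similarity between samples via Jaccard distance.

Added example, not Roccia's notebook. The three byte blobs are constructed
stand-ins for files, each with a few embedded strings; extraction mirrors
what `strings -n 4` does.
"""
import re
from itertools import combinations

# Constructed samples: two droppers sharing most imports, one unrelated file.
SAMPLES = {
    "sample_a": (b"\x00MZ\x90\x00kernel32.dll\x00CreateRemoteThread\x00VirtualAllocEx\x00"
                 b"WriteProcessMemory\x00http://c2.example/gate.php\x00"),
    "sample_b": (b"\x00MZ\x90\x00kernel32.dll\x00CreateRemoteThread\x00VirtualAllocEx\x00"
                 b"WriteProcessMemory\x00NtUnmapViewOfSection\x00http://backup.example/gate.php\x00"),
    "sample_c": b"\x00MZ\x90\x00user32.dll\x00MessageBoxW\x00Hello, world!\x00",
}


def extract_strings(blob, min_len=4):
    """Set of printable-ASCII runs of at least min_len bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return {m.decode("ascii") for m in re.findall(pattern, blob)}


def jaccard_distance(a, b):
    """1 - |A ∩ B| / |A ∪ B|; 0 means identical sets, 1 means nothing shared."""
    if not a and not b:
        return 0.0
    return 1.0 - len(a & b) / len(a | b)


def distance_matrix(samples, min_len=4):
    """Jaccard distance for every pair of samples, keyed by sorted name pair."""
    sets = {name: extract_strings(blob, min_len) for name, blob in samples.items()}
    return {(x, y): jaccard_distance(sets[x], sets[y])
            for x, y in combinations(sorted(sets), 2)}


if __name__ == "__main__":
    for (x, y), d in distance_matrix(SAMPLES).items():
        print(f"{x} vs {y}: {d:.3f}")
```

Four of seven distinct strings are shared between the two droppers (distance 3/7), while the unrelated sample shares none (distance 1.0); with real files you would raise min_len or drop common library imports first, or a generic PE will sit closer to everything than it should.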
Release of Azure Security Survival Kit
by Karim El-Melhaoui
Azure Security Survival Kit is an Azure detection starter kit that uses Azure Bicep (a DSL for declaring Azure resources) to deploy its components. Love that El-Melhaoui included configuration steps, deployment steps, AND cost metrics for running this starter kit for Azure security threat hunting and detection!
Advanced KQL for Threat Hunting: Window Functions — Part 1 by Mehmet Ergene
TIL that KQL (the Kusto Query Language behind Microsoft Sentinel and Azure Data Explorer) has window functions such as prev(), next() and row_cumsum() that let a query compare a row against its neighbours, which is exactly what sequence-based detections need. A great introduction to window functions for hunting, with a couple of detection opportunities and rules shared by Ergene. Ergene's post links to their GitHub, which contains a fantastic corpus of KQL queries for hunting and detection.
Conclusion
Thanks for reading this week’s newsletter! I’d love to get your feedback on your experience reading it.
If you can take 2 mins to answer 3 questions in the following Google Form (feedback is anonymous) to improve this newsletter, I’d be extremely grateful!