Detection Engineering Weekly #7 - CircleCI, Paradigms in Detection and PAIN
Last week's news and how-tos in the art and science of Detection Engineering
This week’s recap:
CircleCI releases detailed post-mortem on their incident, and I am still crabby about it (nice work CircleCI team!)
Last week I said it's hard to find new Detection Engineering content; well, this week I am eating my words. Lots of amazing stuff to read about detection paradigms and log formats, and I give away a secret about detection opportunities from a Sliver C2 analysis
More software supply chain attacks, and me postulating, with no evidence whatsoever, that this may have led to CircleCI
Explain Detection Engineering to your CEO
I am processing the responses for my explaining Detection Engineering exercise. Will start posting these starting next week. Want to be featured? Fill out the form below!
Form: Explain Detection Engineering to your CEO
Have content to share? Could you email me?
I am always interested in looking at new content. I have plenty of Threat Landscape material and am craving more "State of the Art" Detection Engineering content. Do you have thoughts on how to design a detection engineering sprint or manage a backlog? What tools do you use for detection engineering? Shoot me an e-mail at techy@detectionengineering.net with your link, and I'll see if I can add it here!
Happy Hunting
💎 Detection Engineering Gem 💎
The Pyramid of Pain by David Bianco
If you've seen any of my presentations or blogs, I probably reference the Pyramid of Pain in at least 50% of them! This post is a gem for SO many reasons. First, it was a true marker for when threat detection experts began talking about how little value low-level IOC-based alerting delivers. Second, it is a valuable model whether you are an entry-level analyst or a principal explaining detections to your CEO. We want to inflict the most pain on the adversary, and to do so we move up the Pyramid, making our detections more durable and scalable against the threats we care about.
State of the Art
Creating Audit Logs for Security Professionals by Julie Agnes Sparks
Great post by Sparks here on the different types of logs in security: audit logs and system logs. You might also see audit logs called "control-plane" logs and system logs called "data-plane" logs if you are in the cloud world. I love that the requirements are derived from a Software Engineer's point of view rather than starting with a Security Engineer's. I think we need a maintained list of references to control-plane/audit logs, and Sparks lists a few very important links to SaaS audit logs at the end of the post.
The Relationships Between Detection Engineering Paradigms by Gary Katz
Now that you've read the Pyramid of Pain in my weekly gem, this post is a great follow-up on how the art of detection has evolved since then. MITRE ATT&CK, a fantastic post (and most likely an upcoming gem) by Jared Atkinson, and the Pyramid are three different paradigms for approaching detection at scale. Katz brilliantly lays out all three, identifies each one's gaps, and shows how they can play off each other in a sound approach.
Why behaviors matter in Threat Hunting by Cyborg Security
Short-but-sweet blog by Cyborg Security on hunting for attacker behaviors rather than atomic indicators. Not only can it increase the efficacy of your detections, it also reduces the cognitive load of a massive data pipeline and of sorting through tons of logs to find the needle in the haystack.
Aspects of Good Detection by Simone Kraus
What makes a good detection? I think this can vary between organizations and teams, but some steadfast attributes stay the same for any organization. Context and prioritization make sure that we can view an alert, orient, and decide if it is something that needs to be resolved now. My favorite section: "Excellent Detection is iterative"
Custom methodology for DEM and ADS with ACD elements use by Ondrej Nekovar and m3c4n1sm0
Detection engineering methodology (DEM), as written by these authors, "provides a simple guide on how to approach the development of an effective detection system." The name differs depending on where you go. At $DAYJOB we call it the "Detection Engineering Lifecycle"; I have seen others call it the Detection SDLC. I enjoy reading articles like this to compare and contrast how my org has implemented our methodology against others.
Detection of Lateral Movement with the Sliver C2 Framework by Oleg Boyarchuk
I am a simple newsletter author. If you write a section on "Detection Opportunities," I will save your article and post it later :). Jokes aside, this article goes into great detail on how Sliver is used for lateral movement and how to detect it: the Sliver implant is copied to the target over SMB, a Windows service is created pointing at it, and the service is started. Boyarchuk also includes a pcap file of the network traffic at the end.
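To tie Boyarchuk's detection opportunities back to the Pyramid of Pain gem above, here is an added example (my own illustration, not code from Boyarchuk's article or from the Sliver project) that runs two detections over the same constructed Windows telemetry: a hash-IOC lookup at the bottom of the Pyramid, and a behavioral correlation at the top. The behavioral rule keys on the sequence the article describes, a file written to ADMIN$ or C$ over SMB (Security event 5145 with WriteData) followed within a few minutes by a service install (System event 7045) whose ImagePath names that same file. The event field names, the five-minute window, the hosts, IPs, and the hash values are all assumptions made for the example.

```python
"""Behavioral detection of Sliver-style lateral movement: implant copied to an admin
share over SMB, then installed and started as a Windows service."""
from datetime import datetime, timedelta
import ntpath

# Constructed sample telemetry (not real logs), already parsed into dicts.
# event_id 5145: Security log, network share object access (file write to ADMIN$)
# event_id 7045: System log, a new service was installed
# event_id 1:    Sysmon process create (carries the file hash)
SAMPLE_EVENTS = [
    {"ts": "2023-01-10T14:02:11", "host": "WS-FIN-07", "event_id": 5145,
     "share": r"\\*\ADMIN$", "target": "svc_update.exe", "access_mask": 0x2,
     "src_ip": "10.0.5.23", "user": "CORP\\jdoe"},
    {"ts": "2023-01-10T14:02:14", "host": "WS-FIN-07", "event_id": 7045,
     "service": "UpdateSvc", "image_path": r"C:\Windows\svc_update.exe",
     "start_type": "demand start", "user": "CORP\\jdoe"},
    {"ts": "2023-01-10T14:02:15", "host": "WS-FIN-07", "event_id": 1,
     "image": r"C:\Windows\svc_update.exe",
     "parent_image": r"C:\Windows\System32\services.exe", "sha256": "b" * 64},
    # Benign noise: a read-only share access and a routine updater service.
    {"ts": "2023-01-10T14:05:00", "host": "WS-FIN-07", "event_id": 5145,
     "share": r"\\*\C$", "target": "Users\\jdoe\\report.docx", "access_mask": 0x1,
     "src_ip": "10.0.5.40", "user": "CORP\\jdoe"},
    {"ts": "2023-01-10T15:30:00", "host": "WS-HR-02", "event_id": 7045,
     "service": "gupdate",
     "image_path": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe",
     "start_type": "auto start", "user": "SYSTEM"},
]

# Placeholder hash of a previously seen implant build (constructed, not a real IOC).
KNOWN_BAD_SHA256 = {"a" * 64}

ADMIN_SHARES = {"ADMIN$", "C$"}
WRITE_DATA = 0x2                       # AccessMask bit for WriteData in event 5145
CORRELATION_WINDOW = timedelta(minutes=5)


def match_hash_iocs(events, ioc_hashes):
    """Bottom of the Pyramid: exact hash match. A rebuilt implant defeats it."""
    return [e for e in events
            if e["event_id"] == 1 and e.get("sha256", "").lower() in ioc_hashes]


def _share_name(share):
    # r"\\*\ADMIN$" -> "ADMIN$"
    return share.rsplit("\\", 1)[-1].upper()


def detect_smb_service_install(events, window=CORRELATION_WINDOW):
    """Top of the Pyramid: copy-over-SMB -> install-service sequence on one host,
    independent of the implant's name or hash."""
    writes = [e for e in events
              if e["event_id"] == 5145
              and _share_name(e["share"]) in ADMIN_SHARES
              and e["access_mask"] & WRITE_DATA]
    alerts = []
    for svc in (e for e in events if e["event_id"] == 7045):
        svc_ts = datetime.fromisoformat(svc["ts"])
        svc_file = ntpath.basename(svc["image_path"]).lower()
        for w in writes:
            delta = (svc_ts - datetime.fromisoformat(w["ts"])).total_seconds()
            if (w["host"] == svc["host"]
                    and ntpath.basename(w["target"]).lower() == svc_file
                    and 0 <= delta <= window.total_seconds()):
                alerts.append({
                    "host": svc["host"], "service": svc["service"],
                    "image_path": svc["image_path"], "src_ip": w["src_ip"],
                    "user": svc["user"], "seconds_after_write": delta,
                })
    return alerts


if __name__ == "__main__":
    print("hash IOC hits:", len(match_hash_iocs(SAMPLE_EVENTS, KNOWN_BAD_SHA256)))
    for alert in detect_smb_service_install(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

On this sample the hash lookup returns nothing, because the implant was rebuilt and its hash no longer matches, while the behavioral rule fires once with the source IP, account and service name an analyst needs to pivot. In production you would also want the 5145 and 7045 events to come from the same collection pipeline with synchronized clocks, and you would tune the window and the share list to your environment.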
Threat Landscape
CircleCI incident report for January 4, 2023 security incident by Rob Zuber
I don't know about y'all, but this CircleCI incident has been both enlightening and painful. I commend Zuber for publishing a detailed post-mortem on the security incident affecting CircleCI, but my problem with it is that it left me with more questions than answers. Malware on an engineer's laptop was used to access internal resources. The only hashes I see under "Malicious files to search and remove" are a .dmg, an .app, and a few logs. This hash is not on VTI. This reeks of infostealers, but those are typically Windows-based. I'm interested to see if others found more than I did, but the wild part of this incident is that the actor scraped memory for an encryption key to decrypt the pilfered data that was encrypted at rest.
2022 CVE Data Review by Jerry Gamblin
Have I told the readers that I love data? Probably. Will I tell you again now, and in the future? Yup. This 2022 year in review for CVE data is a good lagging indicator not just of CVE severity, but also of the top CNAs and CWEs.
Crypto-inspired Magecart skimmer surfaces via digital crime haven by Malwarebytes Threat Intelligence
Interesting writeup on a Magecart skimmer that caught Malwarebytes' attention because it used a crypto-themed C2 domain rather than the asset- or resource-themed domains most Magecart C2s use. The team went down the rabbit hole and uncovered the actor's full operation across all kinds of underground forums.
Malicious JARs and Polyglot files: “Who do you think you JAR?” by Simon Kenin
TIL what a polyglot file is. Basically, you can confuse security vendors with a polyglot file that is a valid JAR according to Java, but does not match the exact JAR file format that vendors try to validate, because its leading bytes belong to a different format.
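As an added example (mine, not code from Kenin's post), the following script checks for the mismatch the post describes: Java's zip reader, like Python's zipfile module, locates the central directory from the end of the file, so bytes prepended from another format are simply ignored by the JVM while a tool that trusts the leading magic sees something that is not a JAR at all. The script builds a constructed sample in memory (a tiny JAR with a manifest and a dummy class entry behind a CAB-style "MSCF" header), then reports what the file looks like from the front and what it parses as from the back. The list of magic values is a small assumption for the example, not an exhaustive catalogue.

```python
"""Flag JAR/ZIP files whose leading bytes belong to a different format (polyglots)."""
import io
import zipfile

# Leading magic bytes of a few common carrier formats (assumption: not exhaustive).
MAGICS = {
    b"PK\x03\x04": "zip/jar",
    b"MSCF": "cab",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole/msi",
    b"MZ": "pe",
}


def leading_format(data):
    """What a magic-byte based file typer would call this file."""
    for magic, name in MAGICS.items():
        if data.startswith(magic):
            return name
    return "unknown"


def analyze_jar(data):
    """Compare the front-of-file identification with how a zip parser reads it."""
    result = {"leading_format": leading_format(data), "parses_as_zip": False,
              "has_manifest": False, "class_entries": 0, "polyglot": False}
    try:
        # zipfile (like java.util.zip) finds the end-of-central-directory record
        # by scanning from the end, so prepended junk does not stop it parsing.
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return result
    result["parses_as_zip"] = True
    result["has_manifest"] = "META-INF/MANIFEST.MF" in names
    result["class_entries"] = sum(n.endswith(".class") for n in names)
    # Polyglot: the front says "not a zip" but the archive is a runnable JAR.
    result["polyglot"] = (result["leading_format"] != "zip/jar"
                          and (result["has_manifest"] or result["class_entries"] > 0))
    return result


def build_sample_polyglot(prefix=b"MSCF" + b"\x00" * 60):
    """Constructed sample: a minimal JAR with another format's header in front."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Loader\n")
        # Class-file magic followed by dummy bytes; it only needs to look like a class.
        zf.writestr("Loader.class", b"\xca\xfe\xba\xbe" + b"\x00" * 12)
    return prefix + buf.getvalue()


if __name__ == "__main__":
    print(analyze_jar(build_sample_polyglot()))
    print(analyze_jar(build_sample_polyglot(prefix=b"")))
```

The useful detection signal is the disagreement between the two views, not either one alone: a file that type-sniffs as CAB or MSI but contains a manifest and class entries deserves a second look, and so does a mail or web gateway rule that only ever inspects the first few bytes.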
Supply Chain Attack Using Identical PyPI Packages, “colorslib”, “httpslib”, and “libhttps” by Jin Lee
Good timing on a blog post like this after the CircleCI incident. Actors are moving towards attacking devs directly through the "software supply chain", and at first it looked like commodity malware and not-so-technical actors owning devs and stealing their crypto. After CircleCI, I am unsure whether big game hunters will see this as an opportunity to start ransoming or doing mass data exfiltration of customers.
Wild Twitter Thread of Backdoored Networking Equipment by wulfsige79
Not really an article, but still a WILD Twitter thread from someone who bought network hardware and found a hardware backdoor inside. This is a known issue with "grey market" devices, where the supply chain is not as secure as a direct vendor relationship, but I am sure it happens with verified sellers and resellers too.
Abusing a GitHub Codespaces Feature For Malware Delivery by Nitesh Surana, Magno Logan
I'm sure companies like GitHub, Discord, Microsoft and Slack appreciate takedown requests for malware hosted on their CDNs. I don't know if they'd appreciate a runbook on distributing malware from their platforms. But these posts are important because they show how trusted domains can circumvent traditional controls and detections.
Open Source
whodunit by Bontchev
Neat project that ingests a file of techniques, compares it to a list of known APTs and their techniques, and spits out a best-guess attribution based on the overlap.
Red Team Maturity Model by BCHarrell Github
I freakin love maturity models. Maybe it's because they are one way to describe a north star to your org and management team. This is an excellent example to compare and contrast with some of the models that exist for Detection Engineering. I did not find a specific maturity level here that describes purple teaming and threat detection, but Level 5 of "Relationship with CTI" has a threat emulation component.
Hayabusa by Yamato Security
Hayabusa is a log analysis, forensics and threat-hunting tool primarily for Windows event logs. Its rules repo is continuously updated and gives great insight into how an open-source framework approaches threat detection.
C2-Hunter by ZeroMemoryEx
Interesting approach to dynamic malware analysis. C2-Hunter patches Win32 connection APIs and hooks outgoing connections so that C2 traffic can be logged and extracted later, without fully detonating the sample in a VM.