Discover more from Detection Engineering
Detection Engineering Weekly #8 - Alert Fidelity, Attribution & Our First Feature!
Last week's news and how-tos in the art and science of Detection Engineering
Alright, listen. Before you continue reading, I have something to admit. I wasn't completely transparent with all of you. In the last few weeks, I sent out a form for readers to fill out to tell me how they'd explain Detection Engineering to their CEO. Five sentences or less, an elevator pitch, if you will.
They are just too good, and my evil plan worked: I'm totally using your responses in a presentation to my leadership about Detection Engineering.
I know, I know. Not a good way to start this relationship. But it was so interesting seeing the types of responses from all kinds of practitioners. Business owners, researchers, engineers, and Twitter memers, it was fantastic. So, I just wanted to thank all of you. I am working through the analysis now and will use that to put on a blog, and of course, I will give attribution to those who permitted me to.
There's still time. You can still help me by submitting your take on Detection Engineering. You don't want to leave me hanging, do you?!
Explain Detection Engineering to your CEO: Feature #1 - Bryson Bort
Social links: @brysonbort
Your business is YOUR business: it is a unique, ever-changing environment to match customer and operational needs. And, your security is YOUR security which needs to assure and support these changes. Deming taught the value of quality in the business world through the PDCA cycle. Detection engineering is the same through test-driven processes to assure the business where the security team can detect and respond to what defines security, the threat.
For those that don't know, PDCA is an iterative management method and is something that leadership, in a business context, may understand more than our Detection Engineering SDLCsi. I love the juxtaposition here because communicating to a business leader that "It is like X but for Y" is a secret cheat code to get your managers on the same page quickly. Thank you, Bryson!
This week’s recap:
SpecterOps’ Jared Atkinson’s gem on detection fidelity
Our first Youtube video link shepherding viewers through a cryptomining attack
Attribution - should you do it?
Sliver is not being used for threat emulation and educational purposes
If you haven’t subscribed, please consider! I’ll do all the hard work of aggregating and writing, so you don’t have to :)
Also, please give me feedback! There’s a form at the bottom👇👇 of the newsletter. Three questions, two minutes; I’ve improved a lot of aspects of this newsletter from feedback. Thank you!
💎 Detection Engineering Gem 💎
Introducing the Funnel of Fidelity by Jared Atkinson
The Funnel of Fidelity is a fantastic model for visualizing and describing how a detection engineering effort should be designed. We can naively think that you can only create highly accurate alerts when, in fact, you should think of alerting as a series of stages from less precise to more precise and have different personas dealing with inputs and outputs along the alert chain. My favorite quote by Atkinson here, under the Detection section:
The concept of detection tends to be very nuanced in many organizations. For this reason we must distinguish between micro detection (the process of writing logic to alert on a potentially malicious event) and macro detection (the process of taking a true positive event from alert all the way to remediation).
State of the Art
The Defender’s Guide to Windows Services by Jonathan Johnson
I am not well-versed in Windows security, so this was a great introduction to a core component of Windows defense and offense: services. Services are essential processes but are purpose-built to be long-lasting and interact directly with core Windows functionality. The Attack Vectors are a great way to orient how these can be abused quickly.
Ever heard the adage: "attackers think in graphs, defenders think in lists"? I am super interested in how we, as defenders, can start thinking about how we can move toward that graph or visualization mentality. I have seen some powerful views in SIEMs that can have helped me analyze security events at a much faster pace than scrolling through log lines.
The Anatomy of Google Cloud (GCP) Cryptomining Attack by Day Cyberwox
My first Youtube video listing inside the newsletter! I am constantly curating content, and I have neglected video so if you have a threat detection video or training you love, send it to me. I know Day personally, and it is awesome seeing how much high-quality content he puts out to teach others how to get into security, and specific threat detection. This video does a quick 10 minute walkthrough of a cryptomining attack and gives detection opportunities along the way.
Attribution in Cyber Threat Intelligence: Techniques and Challenges by Bank Security
I know attribution to threat actors can be a hot topic amongst security circles, but I still think there is a use for trying to do it amongst threat detection programs. You may not get a subpoena from the DoJ or discovery via legal means, but there are other techniques listed that could be used, given your legal department okays it.
Navigating the Trade-Offs of Cyber Attribution by Jamie Collier and Shanyn Ronis
This blog serves as an excellent juxtaposition to the previous Bank Security blog on attribution. While Bank Security offered ways to collect evidence to perform attribution, Collier and Ronis built stages of attribution, starting with tactical, atomic indicators, to strategic, where you can uncover a nation-state or individual. This might be useful to help timebox analysis, so you don't go down rabbit holes trying to doxx your attackers.
Data exfiltration with native AWS S3 features by Ben Leembruggen
Have you lived off the land, what about living off the.. cloud? After I read this blog, I realized that everything that is a feature in AWS could also be used as an attack tool. When AWS decides what they will and will not log, it can have serious ramifications here too. For example, Ben writes:
Cross account replication is relatively straightforward to set up, requiring a role assumable by s3 with replication and list/get based permissions, and a configured bucket policy on the attacker controlled account. Unfortunately a newly configured replication policy is not reported on by IAM Access Analyzer, presumably because Access Analyzer focuses on objects being shared — as distinct from new copies of the objects being distributed.
Darth Vidar: The Dark Side of Evolving Threat Infrastructure by S2 Research Team
Excellent analysis of Vidar infrastructure, including their C2 setup and shops where they sell the kit. S2 found some openly shared files on the Vidar shop, including an install script, which gave insight into how actors set up their Vidar deployment.
*CVE-2022-3236 is a code injection vulnerability affecting Sophos Firewalls. It allows an attacker to send an arbitrary Perl script that the firewall executes. Baines did not find a PoC for this vulnerability, so they wrote one (thanks for not releasing it). There are quite a number of potentially vulnerable devices on the internet, but the saving grace could be a CAPTCHA, preventing exploitation. CAPTCHAs have never been beaten before, either!
That Threat Archive Vol 1: Vice Society by That Threat Guy
That Threat Archive sounds like a great holiday present for your loved ones in information security. Great breakdown of Vice Society history and TTPs and I am looking forward to a more wiki-style analysis of these different groups.
Emotet Returns With New Methods of Evasion by Blackberry Research & Intelligence Team
Ivan from Emotet resurrected their botnet after Ryuk got arrested in July of last year. If you have not studied the history and evolution of Emotet, this post and other posts on the family are fascinating. The dark days were the collaboration with Trickbot, and dark days are ahead of us as the malware now uses an SMB spreader module for lateral movement.
Thinking of Hiring or Running a Booter Service? Think Again by 🦀Brian Krebs 🦀
Krebs outs an alleged DDoS website operator, including resume, Github, and LinkedIn, and the crazy thing about these types of Krebs stories is he publishes interview notes with the owner. I don't want to spoil it for everyone, but I thought this was a gem of a quote:
“I will state again for absolute clarity, you are not authorized to post an article containing ipstresser.com, my name, my GitHub profile and/or my hawaii.edu email address,” Dobbs wrote, as if taking dictation from a lawyer who doesn’t understand how the media works.
Sliver C2 Leveraged by Many Threat Actors by Cybereason
The well-known, for-educational-use-or-threat-emulation-only tool Sliver is being adopted more and more by real threat actors who are not using it for education or threat emulation. Unless threat emulation is kind of like the Matrix, where you emulate every part of the attack up to getting paid, and then one day, you take a pill and wake up to realize that the actors were just the good guys. Anyways - this is a super detailed writeup on Sliver, and I appreciate how Cybereason takes the purple team approach and has a whole "chapter" on blue team tactics to defeat Sliver.
ShareFinder: How Threat Actors Discover File Shares by The DFIR Report
DFIR Report performs a deep dive on how to detect abuse of powershell’s Share-Finder functionality. Apparently, 40% of intrusions they’ve investigated include the use of Share-Finder. Windows world is wild to me - a ton of functionality inside standard tools, and this same functionality is used to compromise the environment.
Ransomware access brokers use Google ads to breach your network by Lawrence Abrams
What is old is new. I feel like seeing all this news about poisoned SEO and malvertising is reminscent of exploit kits and drive-by downloads abusing ads years ago. This is a good article that summarizes the re-emergence of SEO malvertising, this time initial access brokers and stealer malware (which, let’s be real, are access brokers) are using the technique to gain a foothold inside networks.
This is not technically open source, but it is free! Sploitus reads GitHub repos for potential PoCs of vulnerabilities and clones them so you can search later. This can be useful for both collection of exploits being published on a hot new vulnerability (think Log4Shell) and if someone accidentally publishes a PoC before a disclosure.
Prelude build by Prelude
We need more open-source threat emulation tools! Build is interesting because it has an IDE that you use to write end-to-end threat detection tests. It integrates with Prelude's Detect so you can maintain detections and validate their accuracy before pushing them out to production.
News Intel from CLI by Jon
Not a Github repo, but I thought this was a useful post for those who want to get access to news and filter it via CLI.
Pulsar by Exein-IO
Yet another eBPF agent-based tool for Linux security. It's good to see more of these tools emerge to see how folks implement eBPF rule languages (this one is in yaml). I was hoping to see more rules than what is in default, but promising nonetheless!
onedump by Dider Stevens
Stevens added a file to their Beta Github repo and an associated blogpost on analyzing malicious OneNote files.
Thanks for reading this week’s newsletter! I’d love to get your feedback on your experience reading it. If you have any, please shoot me an email techy at detectionengineering.net