Detection Engineering Weekly - Issue 4
Last week's news and how-tos in the art and science of Detection Engineering
Issue 4 Summary - Holiday Edition
Did you know the Northpole is a nation-state actor? Have you checked your logs for infiltration?
Alias: Buddy
Nationality: North Polean
Designation: APT-HoHoHo
Just kidding. But make sure to watch Elf if you can. It's one of my favorite movies during the Holiday season. I'll be taking the rest of the year off, so expect Issue 5 to come out on January 4th, 2023!
This week's recap:
Spotlight post by Josh Day on what it takes to be a Detection Engineer
Lots of State of the Art posts: Synthetic detections from Target, a bug report by a blue teamer, and a post showing how to report business metrics with security data
For threat landscape: Twitter employee and spy gets years in US prison, Minecraft hackers showing why they are better than all of us, and malware using the blockchain for C2
If you haven't subscribed, please consider! I'll do all the hard work of aggregating and writing, so you don't have to :)
Also, please give me feedback! There's a form at the bottom of the newsletter. Three questions, two minutes; I've improved a lot of aspects of this newsletter from feedback. Thank you!
Have content to share? Could you email me?
I am always interested in looking at new content. I have plenty of Threat Landscape and am craving more "State of the Art" Detection Engineering content. Do you have thoughts on how to design a detection engineering sprint or manage a backlog? How about what tools do you use for detection engineering? Shoot me an e-mail at techy@detectionengineering.net with your link, and I'll see if I can add it here!
Happy Hunting
Spotlight
So, You Want to Be a Detection Engineer? by Josh Day
In this spotlight article, Josh Day writes, in great detail, what it takes to be a Detection Engineer. Although this post was made in 2020, it still rings true today. We've learned a lot from the past, and I appreciate how Day talks about how we build for a customer (analysts) and how there are certain "knobs" you can turn to optimize detections. This is exactly what I try to tell my org (and what they tell me :)) about hypothesis gathering, false positive ratios and specificity. Be sure to review "When Detections Break You" as it addresses bias.
Source: https://blog.gigamon.com/2020/02/24/so-you-want-to-be-a-detection-engineer/
State of the Art
Synthetics: Continuous Assurance of Detection Components by Paul Hutelmyer
Did you know Target has one of the best security teams in the world? Well, after reading this post, you will see why. Great analysis of why using "synthetic logs" can help bring confidence to a detection program. This is what the software engineering/devops persona calls "fixtures" in integration and regression testing.
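As an added example (not code from the Target post) of what a synthetic-log fixture looks like in practice: a small password-spray rule replayed against constructed SSO events, with the event field names assumed for this example, so a regression in the rule or in the log schema fails the check before it reaches production.

```python
"""Added example: a detection rule continuously asserted against synthetic
log fixtures (true positive, benign, and an edge case outside the window)."""
from collections import defaultdict


def _ev(ts, user, src, ok):
    # Constructed synthetic SSO event; field names are assumptions for this example.
    return {"ts": ts, "user": user, "src_ip": src, "outcome": "success" if ok else "failure"}


FIXTURES = {
    # One source fails against six distinct users inside a minute: must alert.
    "password_spray": [_ev(10 * i, f"user{i}", "203.0.113.7", False) for i in range(6)],
    # One user mistypes a password four times, then succeeds: must stay quiet.
    "benign_retries": [_ev(10 * i, "alice", "198.51.100.2", False) for i in range(4)]
    + [_ev(45, "alice", "198.51.100.2", True)],
    # Same six failures spread over ten minutes: outside the window, no alert.
    "slow_failures": [_ev(120 * i, f"user{i}", "203.0.113.7", False) for i in range(6)],
}

# What each fixture is expected to produce; a mismatch is a broken detection.
EXPECTED = {"password_spray": {"203.0.113.7"}, "benign_retries": set(), "slow_failures": set()}


def detect_password_spray(events, threshold=5, window_s=60):
    """Return source IPs that fail against >= threshold distinct users within window_s."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["outcome"] == "failure":
            by_src[e["src_ip"]].append((e["ts"], e["user"]))
    alerts = set()
    for src, fails in by_src.items():
        for i, (t0, _) in enumerate(fails):  # slide the window over each failure
            users = {u for t, u in fails[i:] if t - t0 <= window_s}
            if len(users) >= threshold:
                alerts.add(src)
                break
    return alerts


def run_assurance():
    """Replay every fixture through the rule; return {fixture_name: passed}."""
    return {name: detect_password_spray(evs) == EXPECTED[name] for name, evs in FIXTURES.items()}


if __name__ == "__main__":
    for name, passed in run_assurance().items():
        print(f"{name}: {'PASS' if passed else 'FAIL'}")
```

Wire `run_assurance()` into CI (or a scheduled job against the real pipeline) and a failing fixture becomes the signal that the rule, the parser, or the log source changed underneath you.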
Tracking Meaningful Security Product Metrics by Leif Dreizler
I would say this post is Detection Engineering-adjacent, but every security person should read this. It is extremely difficult to quantify the impact of the work that we do on a day-to-day basis. Security is typically a cost center, so what do you do to justify your work? The difference between health and business (or, in this blog, product) metrics is a chasm that many security managers and a few individual contributors cross. Remember that you have to report to colleagues who aren't security people, so focus on the product or business as you begin reporting up and across.
How to Detect Malicious OAuth Device Code Phishing by InverseCos
Interesting post on detecting OAuth/Device Code Phishing attacks. As MFA adoption increases, criminals and threat actors must adjust their attack methods. In this post, InverseCos describes device code phishing and associated detection methodologies. No need for a username and password when you can generate a link and get the user to put in a TOTP-like string of numbers!
A guide to cyber threat hunting with Promtail, Grafana Loki, Sigma, and Grafana Cloud by Nick Moore
Grafana has come a long way from when I used them a few years ago. I typically won't link any vendor-based blogs since it requires purchase, but this isn't that at all because it is all self-hosted! Moore goes through a lab setup here with Grafana OSS tools and Sigma.
A Blue Teamer's Bug Report by Amanda Berlin
I feel like insider threat detections are secrets held tight (for legitimate reasons). In this case, Berlin finds a bug in the control plane of Google Drive logging that doesn't correctly attribute user identities when a document is shared outside the Google Org.
Zoom. Enhance!: Finding Value in Macro-level ATT&CK Reporting by Ryan Fetterman
Prioritization and gap analysis have a high start-up cost for any Detection Engineering backlog, but I promise they pay dividends later. I love this post for a few reasons. First, it combines a model like ATT&CK (to me, it's a taxonomy) with threat intelligence (CISA alerts) to prioritize a detection backlog. Not all prioritization methodologies are built equal - for example, this one is biased towards public reporting as a means of priority. Still, you then work with your leadership to accept that risk.
Detecting off The Land - Hash Lookups from Native Tooling by Arch Cloud Labs
Red teams can no longer claim the phrase "living off the land"! Or maybe this is the evolution of purple teaming? Arch Cloud Labs is a great red team and blue teamer, so I now designate them as team purple. Using binaries on a host system and free, open-source APIs, Arch Cloud Labs shows ways to quickly triage a system for infection without loading up a ton of tooling from all over the internet.
Threat Landscape
Former Twitter Employee Sentenced to 42 Months in Federal Prison for Acting as a Foreign Agent by Department of Justice
Wild press release and indictment of a former Twitter employee spying on behalf of the Kingdom of Saudi Arabia. I think we took social media for granted. Does anyone here remember the purity of Myspace, Geocities, or Expages? Now I have to incorporate nation-state social media spying into my personal and professional threat model *stares at Substack*.
MCCrash: Cross-platform DDoS botnet targets private Minecraft servers by Microsoft Security Threat Intelligence (MSTIC)
Has anyone interviewed, hired, or worked with a former Minecraft hacker? If so, I'd love to interview them and post the interview on my Substack. "Why would you want to do that?" you may ask. I want to remind readers that Log4Shell was first discovered ATTACKING MINECRAFT SERVERS! We are not ready when Minecraft hackers decide to turn their sights on the public.
Anyways, MSTIC found a botnet (tracked by cluster DEV-1028) that infects internet-facing devices and is used to DDoS private Minecraft servers. The malware is sophisticated in targeting Minecraft server versions that inconsistently parse packets on custom protocols. Nice work, MSTIC!
CISA Adds Five Known Exploited Vulnerabilities to Catalog by CISA
Under "State of the Art", I linked a blog to Splunk that describes how CISA alerts can be useful for a detection backlog. A day before Splunk's post, CISA added 5 exploited vulnerabilities to their catalog, and a day after, 1 more! <3 the CISA team and I think this advisory feed should be added to every security team's workflow.
Six Charged in Mass Takedown of DDoS-for-Hire Sites by Brian Krebs
If you are a DDoS website, do not mess with the Anchorage FBI Field Office. In all seriousness, great work from the DoJ and researchers who helped submit info to get sites like this taken down. DDoS is still a major problem for many people, and it's typically those who can't afford anti-DDoS services.
Glupteba Botnet Still Active Despite Google's Disruption Efforts by Eduard Kovacs
Whenever I think of Botnet takedowns, I think of a group of cops busting into a door, and an operator is sitting in their underwear and sporting a balaclava and a gold chain. The main C&C server is sitting in their closet, and the operator calls out, "Drats! You got me!" We all take our glass of whiskey, sit by the fire, and sleep a little bit easier that night as the server is carted away.
Besides running Ponzi schemes, the blockchain is also useful for criminal C&C infrastructure. According to researchers interviewed by Kovacs, Glupteba is still operating because it uses the blockchain for campaigns. By tracking 80 bytes of opcode in a signature, the researchers could see Glupteba infrastructure still being used a year later.
Agenda Ransomware Uses Rust to Target More Vital Industries by Nathaniel Morales, Ivan Nicole Chavez, Nathaniel Gregory Ragasa, Don Ovid Ladores, Jeffrey Francis Bonaobra, Monte de Jesus
Agenda (Qilin) is the latest ransomware strain using Rust as its programming language. The interesting finding in this post is that Agenda/Qilin upgraded from GoLang to Rust in this latest variant. Ransomware operators like Agenda/Qilin are adjusting their malware configuration to account for bad OPSEC, so dirty researchers like myself can't connect to their support chats to glean additional intel.
SentinelSneak: Malicious PyPI module poses as security software development kit by Karlo Zanki
We need more analysis and detection content for supply chain security attacks! Supply chain security is a fascinating subject, and we are fortunate to have folks work on these problems at an impeccable speed. IMHO, there is one fundamental gap in a lot of the supply chain research: the focus is primarily on vulnerabilities in the chain and not threats. We need both to "solve" this area of security. For example, as in this blog post, what if your security engineer is writing an API integration with SentinelOne and they install a malicious package? Well, click here and find out what happens next :)
Open Source
Transpiler by Databricks Labs
What is it about AST parsing that makes it so aesthetically pleasing to me? This repo explores SPL to PySpark DSL conversion rather than converting to SPL, which many tools do. I imagine Splunk dominates the market share of SIEM query languages, so seeing new languages and tools to support the workflows in that language gives me hope.
Leaked a secret? Check your GitHub alerts... for free by Mariam Sulakian & Zain Malik
Secrets scanning for all public repos is now GA in GitHub. This is open-source related because, well, most of our projects are probably hosted on GitHub. I'm glad that Microsoft didn't turn GitHub evil (yet), and they are still doing great things to secure the community.
Harden EKS by Doruk Ozturk
Hardeneks is a Python CLI tool that helps configure EKS clusters according to AWS' EKS Best Practices. The tool and the mkdocs site are tightly coupled, so you can jump between the two as you experiment with hardening your EKS deployments. Nice work AWS!
Conclusion
Thanks for reading this week's newsletter! I'd love to get your feedback on your experience reading it.
If you can take 2 mins to answer 3 questions in the following Google Form (feedback is anonymous) to improve this newsletter, I'd be extremely grateful!
Thanks for reading Detection Engineering! Subscribe for free to receive new posts and support my work.