Detection Engineering Weekly - Issue 4
Last week's news and how-tos in the art and science of Detection Engineering
🧦❄️⛄ Issue 4 Summary - Holiday Edition 🧦❄️⛄
Did you know the North Pole is a nation-state actor? Have you checked your logs for infiltration?
Alias: Buddy Nationality: North Polean
Just kidding. But make sure to watch Elf if you can. It’s one of my favorite movies during the Holiday season. I’ll be taking the rest of the year off, so expect Issue 5 to come out on January 4th, 2023!
This week’s recap:
Spotlight post by Josh Day on what it takes to be a Detection Engineer
Lots of State of the Art posts: Synthetic detections from Target, a bug report by a blue teamer, and a post showing how to report business metrics with security data
For threat landscape: Twitter employee and spy gets years in US prison, Minecraft hackers showing why they are better than all of us, and malware using the blockchain for C2
If you haven’t subscribed, please consider! I’ll do all the hard work of aggregating and writing, so you don’t have to :)
Also, please give me feedback! There’s a form at the bottom👇👇 of the newsletter. Three questions, two minutes; I’ve improved a lot of aspects of this newsletter from feedback. Thank you!
Have content to share? Could you email me?
I am always interested in looking at new content. I have plenty of Threat Landscape and am craving more “State of the Art” Detection Engineering content. Do you have thoughts on how to design a detection engineering sprint or manage a backlog? How about the tools you use for detection engineering? Shoot me an e-mail at firstname.lastname@example.org with your link, and I’ll see if I can add it here!
🌟 Spotlight 🌟
So, You Want to Be a Detection Engineer? by Josh Day
In this spotlight article, Josh Day writes, in great detail, what it takes to be a Detection Engineer. Although this post was made in 2020, it still rings true today. We’ve learned a lot from the past, and I appreciate how Day talks about how we build for a customer (analysts) and how there are certain “knobs” you can turn to optimize detections. This is exactly what I try to tell my org (and what they tell me :)) about hypothesis gathering, false positive ratios and specificity. Be sure to review “When Detections Break You” as it addresses bias.
State of the Art
Synthetics: Continuous Assurance of Detection Components by Paul Hutelmyer
Did you know Target has one of the best security teams in the world? Well, after reading this post, you will see why. Great analysis of why using “synthetic logs” can help bring confidence to a detection program. This is what the software engineering/devops persona calls “fixtures” in integration and regression testing.
Tracking Meaningful Security Product Metrics by Leif Dreizler
I would say this post is Detection Engineering-adjacent, but every security person should read this. It is extremely difficult to quantify the impact of the work that we do day to day. Security is typically a cost center, so what do you do to justify your work? The difference between health and business (or, in this blog, product) metrics is a chasm that many security managers and a few individual contributors cross. Remember that you have to report to colleagues who aren’t security people, so focus on the product or business as you begin reporting up and across.
How to Detect Malicious OAuth Device Code Phishing by InverseCos
Interesting post on detecting OAuth/Device Code Phishing attacks. As MFA adoption increases, criminals and threat actors must adjust their attack methods. In this post, InverseCos describes device code phishing and associated detection methodologies. No need for a username and password when you can generate a link and get the user to put in a TOTP-like string of numbers!
Grafana has come a long way from when I used them a few years ago. I typically won’t link any vendor-based blogs since it requires purchase, but this isn’t that at all because it is all self-hosted! Moore goes through a lab setup here with Grafana OSS tools and Sigma.
A Blue Teamer’s Bug Report by Amanda Berlin
I feel like insider threat detections are secrets held tight (for legitimate reasons). In this case, Berlin finds a bug in the control plane of Google Drive logging that doesn’t correctly attribute user identities when a document is shared outside the Google Org.
Zoom. Enhance!: Finding Value in Macro-level ATT&CK Reporting by Ryan Fetterman
Prioritization and gap analysis have a high start-up cost for any Detection Engineering backlog, but I promise they pay dividends later. I love this post for a few reasons. First, it combines a model like ATT&CK (to me, it’s a taxonomy) with threat intelligence (CISA alerts) to prioritize a detection backlog. Not all prioritization methodologies are built equal: for example, this one is biased towards public reporting as a means of priority. Still, you then work with your leadership to accept that risk.
Detecting off The Land - Hash Lookups from Native Tooling by Arch Cloud Labs
Red teams can no longer claim the phrase “living off the land”! Or maybe this is the evolution of purple teaming? Arch Cloud Labs is a great red teamer and blue teamer, so I now designate them as team purple. Using binaries on a host system and free, open-source APIs, Arch Cloud Labs shows ways to quickly triage a system for infection without loading up a ton of tooling from all over the internet.
Former Twitter Employee Sentenced to 42 Months in Federal Prison for Acting as a Foreign Agent by Department of Justice
Wild press release and indictment of a former Twitter employee spying on behalf of the Kingdom of Saudi Arabia. I think we took social media for granted. Does anyone here remember the purity of Myspace, Geocities, or Expages? Now I have to incorporate nation-state social media spying into my personal and professional threat model *stares at Substack*.
MCCrash: Cross-platform DDoS botnet targets private Minecraft servers by Microsoft Security Threat Intelligence (MSTIC)
Has anyone interviewed, hired, or worked with a former Minecraft hacker? If so, I’d love to interview them and post the interview on my Substack. “Why would you want to do that?” you may ask. I want to remind readers that Log4Shell was first discovered ATTACKING MINECRAFT SERVERS! We are not ready when Minecraft hackers decide to turn their sights on the public.
Anyways, MSTIC found a botnet (tracked by cluster DEV-1028) that infects internet-facing devices and is used to DDoS private Minecraft servers. The malware is sophisticated in targeting Minecraft server versions that inconsistently parse packets on custom protocols. Nice work, MSTIC!
Under “State of the Art”, I linked a Splunk blog post that describes how CISA alerts can be useful for a detection backlog. A day before Splunk’s post, CISA added 5 exploited vulnerabilities to their catalog, and a day after, 1 more! <3 the CISA team, and I think this advisory feed should be added to every security team’s workflow.
Six Charged in Mass Takedown of DDoS-for-Hire Sites by 🦀Brian Krebs🦀
If you are a DDoS website, do not mess with the Anchorage FBI Field Office. In all seriousness, great work from the DoJ and researchers who helped submit info to get sites like this taken down. DDoS is still a major problem for many people, and it’s typically those who can’t afford anti-DDoS services.
Glupteba Botnet Still Active Despite Google's Disruption Efforts by Eduard Kovacs
Whenever I think of botnet takedowns, I think of a group of cops busting through a door while an operator sits in their underwear, sporting a balaclava and a gold chain. The main C&C server is sitting in their closet, and the operator calls out, “Drats! You got me!” We all take our glass of whiskey, sit by the fire, and sleep a little bit easier that night as the server is carted away.
Besides running Ponzi schemes, the blockchain is also useful for criminal C&C infrastructure. According to researchers interviewed by Kovacs, Glupteba is still operating because it uses the blockchain for campaigns. By tracking 80 bytes of opcode in a signature, the researchers could see Glupteba infrastructure still being used a year later.
Agenda Ransomware Uses Rust to Target More Vital Industries by Nathaniel Morales, Ivan Nicole Chavez, Nathaniel Gregory Ragasa, Don Ovid Ladores, Jeffrey Francis Bonaobra, Monte de Jesus
Agenda (Qilin) is the latest ransomware strain using Rust as its programming language. The interesting finding in this post is that Agenda/Qilin upgraded from GoLang to Rust in this latest variant. Ransomware operators like Agenda/Qilin are adjusting their malware configuration to account for bad OPSEC, so dirty researchers like myself can’t connect to their support chats to glean additional intel.
We need more analysis and detection content for supply chain security attacks! Supply chain security is a fascinating subject, and we are fortunate to have folks work on these problems at an impeccable speed. IMHO, there is one fundamental gap in a lot of the supply chain research: the focus is primarily on vulnerabilities in the chain and not threats. We need both to “solve” this area of security. For example, as in this blog post, what if your security engineer is writing an API integration with SentinelOne and they install a malicious package? Well, click here and find out what happens next :)
Transpiler by Databricks Labs
What is it about AST parsing that makes it so aesthetically pleasing to me? This repo explores SPL → Pyspark DSL conversion rather than converting to SPL, which many tools do. I imagine Splunk dominates the market share of SIEM query languages, so seeing new languages and tools to support the workflows in that language gives me hope.
Leaked a secret? Check your GitHub alerts…for free by Mariam Sulakian & Zain Malik
Secrets scanning for all public repos is now GA in GitHub. This is open-source related because, well, most of our projects are probably hosted on GitHub. I’m glad that Microsoft didn’t turn GitHub evil (yet), and they are still doing great things to secure the community.
Harden EKS by Doruk Ozturk
Hardeneks is a Python CLI tool that helps configure EKS clusters according to AWS’ EKS Best Practices. The tool and the mkdocs site are tightly coupled, so you can jump between the two as you experiment with hardening your EKS deployments. Nice work AWS!
Thanks for reading this week’s newsletter! I’d love to get your feedback on your experience reading it.
If you can take 2 mins to answer 3 questions in the following Google Form (feedback is anonymous) to improve this newsletter, I’d be extremely grateful!