Detection Engineering Weekly #5 - Detection Ideation, AWS IR & I need your help!
Last week's news and how-tos in the art and science of Detection Engineering
Issue 5 Summary & what the *#&@ is Detection Engineering?
Happy New Year! I am very excited to give you the first Issue of the year of Detection Engineering Weekly. This newsletter has exploded, and I couldn’t be happier. We are approaching 700 subscribers and are well on our way to 1000. Once I hit 1000, I’ll do a special post on my experience creating a security newsletter. Thank you all for reading and providing regular feedback.
I also want to engage more with the community and the readers here. So, for this newsletter and the next few newsletters, I want to try something risky: Can you tell me what Detection Engineering means to you, and how would you describe it to your CEO? Fill out the form below, and I’ll do some word-cloudy things and shoutouts!
👇👇
Form: Explain Detection Engineering to your CEO
👆👆
This week’s recap:
Florian Roth on Detection Ideas
AWS incident workshops and a great blog on by Mark R. (sneakymonkey.net) on going through one of them, also, Zero alerts in a SIEM is possible - just turn it off ;)
Prodaft uncovers FIN7 org structure, ShinyHunters actor being extradited (and your boy bragging about being featured in WIRED), and OWASSRF deep dives
Also, please give me feedback! There’s a form at the bottom👇👇 of the newsletter. Three questions, two minutes; I’ve improved a lot of aspects of this newsletter from feedback. Thank you!
Have content to share? Could you email me?
I am always interested in looking at new content. I have plenty of Threat Landscape and am craving more “State of the Art” Detection Engineering content. Do you have thoughts on how to design a detection engineering sprint or manage a backlog? How about what tools do you use for detection engineering? Shoot me an e-mail at techy@detectionengineering.net with your link, and I’ll see if I can add it here!
Happy Hunting
🌟 Spotlight 🌟
Capturing Detection Ideas to Improve Their Impact by Florian Roth
The one thing I'll miss the most about Twitter is the amount of information that intelligence analysts, researchers, and detection engineers share for the world to use. In this timeless post by Florian Roth, he discusses a detection ideation backlog stemming from articles and social media posts. From there, ideas are prioritized, and then rules are created for his team, then shared back into the community. I hope Mastodon can fill this role as well as Twitter has over the years!
State of the Art
AWS CIRT announces the release of five publicly available workshops by Steve de Vera
AWS CIRT released a set of self-paced, real-world attack simulations using Cloudformation and AWS tooling for detection and response. I wish we could get more of this content from other Cloud Security providers, but the community fills in nicely with "Goat" projects.
Victimology Analysis and Data Leaks Site by Ohad Zaidenberg
Coming from a threat intel background, I've learned that victimology analysis is an important pillar in prioritizing threat intel products. I have seen threat intel as an input into Detection Engineering. Still, I have yet to see a threat detection thought piece (and please correct me!) on performing this specific analysis when prioritizing rules.
Finding the Gap: How Curiosity and Creativity Drive Threat Detection by Micah Babinski
You'll see a lot of Micah Babinski in this newsletter! Babinski uses inspiration from a tweet by Blue Team Thomas @TheEis4Extra to do a threat detection "workout" a few times a week. Block calendar time off to Focus and try this yourself!
Zero False Positives from your SIEM, is it possible? by Jack Naglieri
I only know one way to get 0 false positives in a SIEM: turn it off. I love this post by Naglieri because we can get so hyper-fixated on reducing false positives, and instead, we miss the goal of, well, true positives! This is the "gotcha" with statistics overall. There are many knobs to turn in a sample set, so prioritizing the right ones and attacking with a strategy is going to get your inbox to 0 false positives.
Using Shodan Images to Hunt Down Ransomware Groups by Josh Allman
Have you ever read a blog post or gone to a talk, and a technique or research seems so obvious, but you know you would have never come up with it? This post did that for me. Shodan is the gift that keeps giving - Allman uses the Shodan API to get screenshots of OpenVNC/RDP sessions where ransomware affiliates were carrying out their playbooks. After OCRing the text, you can extract known IOCs to infrastructure connected to ransomware groups and inform victims. Nice work, Josh!
Cloud Metadata - AWS IAM Credential Abuse by Mark R.
I am glad to see folks going through the AWS IR team's incident workshops and playbooks! If you haven’t seen the workshops, checkout the first link under “State of the Art”. IMDSv1 is still in use today; I chatted with someone on Monday night about switching their EC2 instances from IMDSv1 to v2. I hope Mark R. does more blog breakdowns of the other AWS incident response playgrounds.
Threat Landscape
[FIN7] Fin7 Unveiled: A deep dive into notorious cybercrime gang by Prodaft
I don't usually link to reports, but this one was a fantastic read! Another note: this report does not require email signup, so Prodaft earns my respect for improving the posture of everyone by not gating content. I've always been fascinated with Russian cybercrime operations, and this report goes into excruciating detail (with detections!) on one of the OGs of cybercrime: FIN7. Check out the "Technical Analysis" section to get detection ideas around their tooling.
Developing: Moroccan court orders extradition of alleged member of ShinyHunters to U.S.
by Dissent
For those that don't remember ShinyHunters, they were a notorious data broker in the data breach scene for many years. If you got an email from HaveIBeenPwned for Tokopedia, Wishbone, Wattpad, Mashable or Bonobos, or several others, this indictment is relevant to you (And yours truly was on WIRED discussing the breaches they sold)! TL;dr Moroccan police arrested an alleged member, and now that alleged member is fighting US extradition. Fingers crossed!
Threat Spotlight: XLLing in Excel - threat actors using malicious add-ins
by Vanja Svajcer
As Microsoft begins removing support for VBA macros in Office, TALOS begins research into other vectors into office docs: add-ins! Aren't add-ins macros, but packaged nicer? This is particularly concerning because add-ins can be written in VBA, which we have a lot of tooling for, but also .NET, COM servers, or DLLs.
Phylum Discovers New Stealer Variants in Burgeoning PyPI Supply Chain Attack
by Phylum Research
Burgeoning is such a great word. Anyways, Phylum has been documenting attacks against PyPi for some months now, and it seems that stealers are targeting developers who are a) using pypi and b) probably have crypto/discord accounts to steal. Some of these malware authors are lazy and drop code directly into the main module, others like W4SP obfuscate their code and make it harder for us to analyze. Get ready to write detections not only on post-infection activity but on the source code itself!
A retrospective on public cloud breaches of 2022, with Rami McCarthy and Houston Hopkins by Christophe Tafani-Dereeper, Houston Hopkins and Rami McCarthy
Note: I work for Datadog, and I had nothing to do with this post
My colleague Christophe and two fantastic researchers, Houston Hopkins and Rami McCarthy, reviewed a number of cloud infrastructure breaches in 2022. I love seeing blog posts on vendor sites that bring in people that don't work at the vendor. Thank you, Houston and Rami!
OWASSRF: CrowdStrike Identifies New Exploit Method for Exchange Bypassing ProxyNotShell Mitigations
by Brian Pitchford, Erik Iker and Nicolas Zilio
*Crowdstrike researchers give excruciating detail on how a combination of ProxyNotShell (CVE-2022-41040) and OWASSRF (CVE-2022-41080) is being used in the wild to get Remote Powershell access (CVE-2022-41082) on Exchange servers. The rules that Microsoft published for ProxyNotShell do not mitigate this specific vulnerability, and luckily the community got ahold of PoC code that allowed researchers to craft synthetic logs for detection. Crowdstrike also released a script to check for compromises here.
Typosquatting and malvertising are still an effective TTP for criminals. I am unsure about the blog's claim on this being a "new technique", but cloning websites and serving malware seem to be making a comeback. This actor group has resilient infrastructure to swap out sites that are taken down, as well as switching between stealers like Raccoon and Vidar.
Cloud Cred Harvesting Campaign - Grinch Edition by Ian Ahl
Publicly exposed Jupyter notebooks are just nicely formatted RCE-as-a-service for cryptominers, who knew?! I love viewing Ian's work from various communities, and I am glad that the Permiso team is publishing content like this. Data science and engineering use Jupyter notebooks (and if you scroll to open source below, a Blue team-based Jupyter notebook), so securing these deployments are important. Fun fact: Shodan says 13,263 Jupyter notebooks are exposed on the internet as of me writing this!
Open Source
Yara 101 by StrangerealIntel
I stumbled on this intro to Yara readme while doing some Yara spring/winter cleaning over break. If you haven't used Yara yet, or need a refresher on how to use it, I suggest bookmarking this guard by StrangerealIntel!
PEACH Framework by Wiz
I'm late to the party on reporting PEACH, but it's a great threat modeling framework if you or your organization is concerned about cross-tenant cloud vulnerabilities. It'll allow you to mitigate the damage done by a 0-day cross-tenant vuln (which Wiz has reported quite a few of), and can help you strategize long-term on preventing exposure.
Blue Jupyter by mttaggart
Jupyter notebooks are used by Data Science & Engineering teams, so why not security? This repo is a great introduction to using Jupyter for incident response and analysis. It has some sample data to use, and the beautiful thing about Jupyter is its ability to walk through folks viewing the individual notebook pages.
Conclusion
Thanks for reading this week’s newsletter! I’d love to get your feedback on your experience reading it.
If you can take 2 mins to answer 3 questions in the following Google Form (feedback is anonymous) to improve this newsletter, I’d be extremely grateful!
Thanks for reading Detection Engineering! Subscribe for free to receive new posts and support my work.