Detection Engineering Weekly - Issue 1
Last week's news and how-tos in the art and science of Detection Engineering
TL;DR
Welcome to this experiment in newsletters! My name is Zack Allen and I currently run a Security Research & Detection Engineering organization at Datadog. My hope here is to surface to you my research and curation of Detection Engineering content so you don’t have to. I spend a lot of time building, breaking, and experimenting with methodologies in this space, and I hope you can make use of my time spent looking at this content.
I’ll experiment with formats in the first few issues, but you should see it split out by the following:
Spotlight - a spotlight blog, video, or piece of content that I think should go down as canon in Detection Engineering history, or just a blog I enjoyed reading in the past. I won’t specify :)
State of the Art - content that helps advance the Detection Engineering field, which usually contains strategies, tactics, and methodologies to help us scale our organizations. I’ll try to keep things recent here, but there’s too much good content in the past to not post.
Threat Landscape - Updates on the threat landscape and how Detection Engineers can stay abreast of dirty crims and APTs
Open Source - Any interesting, new open-source tools and techniques that we can git clone and be on our merry way, free from marketers and salespeople
I am thinking of adding or removing sections, so please provide me feedback if you think I can improve. I’ll also attach a short form with 3 questions at the end of these newsletters so I can improve quickly and without taking up your time.
🌟 Spotlight 🌟
Detection Development Lifecycle by Haider Dost
I’ve been following Haider’s Medium site for a while now, and I think he does a great job explaining the strategy behind Detection Engineering rather than individual tactics. I’ve referred a number of colleagues to this post. Datadog’s Detection Engineering team has something very similar to the SDLC mentioned in Haider’s post.
State of the Art
Catching a Wev(tutil): Threat Detection for the Rest of Us by Micah Babinski
This is a great article that talks about the strategy behind Detection Engineering and applies it to a threat detection use case of Hive Ransomware. You should pay particular attention to the “The Importance of Repeatability” section.
MITRE ATT&CK coverage assessment - how to document progress and store data by reddit user Neur0m
Sometimes following a conversation on a forum, where differing views are expressed, can give you insight into the state of the art. This is a good discussion around detecting Hive Ransomware (Hive is hot this week with the CISA announcement) in an environment.
Detection notes: In-memory Office application token theft by Anton Ovrutsky
Sumologic’s Threat Labs goes over Detection opportunities with malware that focuses on stealing secrets and tokens in Office applications. As someone who chases stealer malware (Raccoon et al) professionally and in his off time (what the hell is wrong with me), this is a great overview on how secrets and tokens are lifted from Office applications.
Detecting and Fingerprinting Infostealer Malware-as-a-Service platforms by BushidoToken aka Will
BushidoToken blogs are always excellent because he balances novel threat detection research with using open source and/or free accounts. I’ve used many of the techniques listed in this blog for phishing research, but since infostealers are getting more and more common, there’s a natural progression for using similar techniques to find C2s.
Threat Landscape
Alert (AA22-321A) #StopRansomware: Hive Ransomware by CISA
This has been the talk of the town in the last week or so. Updates from CISA on Hive’s TTPs from reconnaissance to ransoming an organization.
5.4 million Twitter users' stolen data leaked online — more shared privately by Lawrence Abrams
To be specific - leaked online here means “shared for free”. Breached Forums, a spinoff of RaidForums, had a post that leaked a number of these rows free for members. As someone who has chased breaches professionally for years, this is one that can be an absolute nothingburger (who cares about MY Twitter?) to something much more serious due to the implications of email PLUS phone numbers being leaked. SIM swappers and crypto thieves will use this as a targeting list since many of their victims are those in the crypto space and like to talk about it.
Nighthawk: An Up-and-Coming Pentest Tool Likely to Gain Threat Actor Notice by Alexander Rausch and the Proofpoint Threat Research Team
I love using Cobalt Strike. I hate detecting and kicking out Cobalt Strike infections. Want to know what makes this worse? A Cobalt Strike competitor. Proofpoint did a fantastic job detailing Nighthawk, a pentest tool that absolutely is meant for professional and educational purposes only totally-will-not-be-cracked-and-shared-on-Exploit.in-in-1-year. With this development as well as Brute Ratel being cracked and shared, I expect a lot more time will be spent by people in our profession finding and tracking the peculiarities of these different pentest tools for years to come.
Emotet Strikes Again – LNK File Leads to Domain Wide Ransomware by the DFIR Report
Great post by the DFIR Report going over an intrusion they worked on related to Emotet. They have fantastic writeups so I recommend subscribing to their posts. My favorite part about this post, and many of their other ones, is the intrusion timelines. I think we could be better at telling stories in Detection Engineering by being more visual.
Intelligence Insights: November 2022 by Red Canary
Red Canary has a monthly dump of most seen infections and changes in TTPs from those infections in their MDR platform. QBot is still dominating and finding lots of success with delivering malicious ISO files that drop malicious JS payloads. Update your detections! :)
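To make the “update your detections” point concrete, here is an added example (not code from Red Canary or from this newsletter) of a small detection over process-creation events for the ISO-to-JS delivery chain described above. The event shape, the constructed sample events, and the heuristic itself are all assumptions: it flags wscript.exe/cscript.exe running a script from a drive letter outside a configured set of fixed disks (a mounted ISO shows up as a new drive letter on modern Windows) and adds context when the parent is explorer.exe, i.e. a user double-click.

```python
import re
from pathlib import PureWindowsPath

# Windows script hosts and the script extensions we care about.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = {".js", ".jse", ".wsf"}
# Assumption: drive letters that are real fixed disks in this environment.
# Anything else (E:, F:, ...) is treated as removable or a mounted image.
FIXED_DRIVES = {"C"}

# Constructed sample events, loosely shaped like a Sysmon Event ID 1 summary.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "E:\invoice_2022.js"',
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript.exe //nologo C:\Scripts\backup.js",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe E:\scan_0192.js",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File E:\setup.ps1",
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\notes.txt"',
     "parent": r"C:\Windows\explorer.exe"},
]

_ARG_RE = re.compile(r'"([^"]+)"|(\S+)')


def split_cmdline(cmdline):
    """Naive Windows command-line splitter: quoted tokens or whitespace-delimited."""
    return [quoted or bare for quoted, bare in _ARG_RE.findall(cmdline)]


def script_argument(cmdline):
    """Return the first argument (after the program) that looks like a script file."""
    for token in split_cmdline(cmdline)[1:]:
        if PureWindowsPath(token).suffix.lower() in SCRIPT_EXTS:
            return token
    return None


def analyze(event, fixed_drives=FIXED_DRIVES):
    """Return the reasons an event is suspicious; an empty list means no finding."""
    image_name = PureWindowsPath(event["image"]).name.lower()
    if image_name not in SCRIPT_HOSTS:
        return []
    script = script_argument(event["cmdline"])
    if script is None:
        return []
    drive = PureWindowsPath(script).drive.rstrip(":").upper()
    # Only a script on a non-fixed drive triggers a finding; the rest is context.
    if not drive or drive in fixed_drives:
        return []
    reasons = [f"{image_name} ran {script} from non-fixed drive {drive}: "
               f"(possible mounted ISO)"]
    parent_name = PureWindowsPath(event["parent"]).name.lower()
    if parent_name == "explorer.exe":
        reasons.append("launched by explorer.exe (consistent with a user double-click)")
    return reasons


def scan(events):
    """Run analyze() over a batch and return (index, reasons) for each hit."""
    hits = []
    for index, event in enumerate(events):
        reasons = analyze(event)
        if reasons:
            hits.append((index, reasons))
    return hits


if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_EVENTS):
        print(f"event {index}: " + "; ".join(reasons))
```

In the constructed batch, events 0 and 2 are the only hits: the first is the textbook double-click of a .js inside a mounted image, the second the same script run from a shell. The PowerShell launch is deliberately ignored here because this rule is scoped to the script hosts named above; the .txt argument shows why the extension check matters for precision.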
Open Source
Sigstore the Easy Way by Rewanth Tammana
MkDocs sites are a fantastic way to convey information quickly without worrying too much about usability or style. I read the recently published Sigstore paper from ACM and it looks like it will be something many Detection Engineers will work on within the next few years. Imagine Certificate Transparency Log/Let’s Encrypt meets Software Artifacts.
Chronicle Detection Rules by Chronicle
This repo was recently added to the awesome-detection-engineering README. It’s great to see companies open up their detection ruleset, and as someone who works at a cloud security company, even better as it serves as a great inspiration for our rulesets.
Conclusion
Thanks for reading this week’s newsletter! As I am starting out, I’d love to get your feedback.
If you can take 2 mins to answer 3 questions in the following Google Form (feedback is anonymous) to improve this newsletter, I’d be extremely grateful!