<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>DETECTIONEERING</title>
    <description>Detectioneering: RESEARCH. HUNT. DETECT.</description>
    <link>https://detectioneering.com/</link>
    <atom:link href="https://detectioneering.com/feed.xml" rel="self" type="application/rss+xml"/>
    <pubDate>Fri, 04 Oct 2024 23:00:56 +0000</pubDate>
    <lastBuildDate>Fri, 04 Oct 2024 23:00:56 +0000</lastBuildDate>
    <generator>Jekyll v4.3.3</generator>
    
      <item>
        <title>What is Detection Engineering?</title>
        <description>&lt;p&gt;I feel that at times in our industry, we hyperfocus on technical competencies as the differentiators of our tradecraft, or on the methods we employ that create and define our roles. While this is often fine and expected, the issue is that we fail to identify and communicate the nuance or challenge of a role because we have distilled it into our own set of tactics, techniques, and procedures (TTPs). We’ve lost some of the human elements that make our roles unique and worth pursuing.&lt;/p&gt;

&lt;blockquote&gt;
  &lt;p&gt;I hope this post can fill in some of this nuance and show how we as practitioners, as humans, are attempting to understand, respond, and most importantly, maintain the efficacy of our work product: rules, detectors, signals, etc.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h3 id=&quot;like-shooting-fish-in-a-barrel&quot;&gt;Like Shooting Fish In A Barrel&lt;/h3&gt;

&lt;p&gt;Sometimes I wish I had a barrel with fish, but the ease of catching those fish would frankly be too boring. I like to think of Detection Engineering or whatever you want to call it, a lot like being a netmaker, or someone who makes nets for the purpose of…catching fish.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/4/fishing-nets.jpeg&quot; alt=&quot;Poster of Fishing Nets&quot; /&gt;&lt;/p&gt;

&lt;p&gt;It is our job to find and catch fish, but not just any fish. We must catch invasive species of fish. Fish that upset the normal order and flow and, in extreme cases, alter the ecosystem permanently. The challenge we face is that invasive species of fish can quickly propagate and adapt to new environments. They can be similar in appearance and even behavior to benign fish, with only small and nearly indistinguishable differences to tell them apart.&lt;/p&gt;

&lt;h3 id=&quot;just-make-nets-its-easy&quot;&gt;Just Make Nets, It’s Easy&lt;/h3&gt;

&lt;p&gt;True, the act of crafting and testing a net isn’t the hardest part of the job. Real net making is becoming a lost craft due to outsourced large-scale manufacturing. Just the same, our detection nets can be automated in part or whole depending on the type of detection, I mean, the net you wish to deploy in your ecosystem.&lt;/p&gt;

&lt;p&gt;But therein lies the real challenge. These nets are used by people to catch fish. Sometimes we catch the invasive fish we intend to and sometimes we don’t. Perhaps it adapted and learned how to get out of the net? Maybe the net was the wrong type to use? What if the fish aren’t even in the environment?&lt;/p&gt;

&lt;p&gt;At all times, netmakers must reliably respond to deviations of invasive fish behavior and change in the environment in which we expect to go fishing. At times I’m bewildered that some fish don’t even know what the Windows API is apparently and choose to do everything in janky &lt;a href=&quot;https://attack.mitre.org/techniques/T1059/&quot; target=&quot;_blank&quot;&gt;command execution!&lt;/a&gt; &lt;em&gt;&lt;strong&gt;Stares at annoying RMM fish bycatch with intensity.&lt;/strong&gt;&lt;/em&gt;&lt;/p&gt;

&lt;blockquote&gt;
  &lt;p&gt;The reality is that making nets &lt;em&gt;IS&lt;/em&gt; easy, catching the right fish consistently &lt;em&gt;IS&lt;/em&gt; hard.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h3 id=&quot;swim-with-the-fishes&quot;&gt;Swim With The Fishes&lt;/h3&gt;

&lt;p&gt;Net making is not always about responding to feedback about our nets; sometimes we may not have any feedback and need to be proactive about which nets are even worth making.&lt;/p&gt;

&lt;p&gt;Depending on where the netmaker works, they may need to participate in active field research. This means diving in and observing the behaviors and the environment first hand, including learning from others in the field and consuming the latest information on fish observables. From this knowledge, we can begin to assess and understand changes in fish behaviors and new fish sightings, and begin to &lt;a href=&quot;https://www.detectioneering.com/2023/07/08/formulating-a-hypothesis/&quot; target=&quot;_blank&quot;&gt;hypothesize what we can do about it.&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/4/diver.jpeg&quot; alt=&quot;Marine Biologist diver&quot; /&gt;&lt;/p&gt;

&lt;h3 id=&quot;differing-appetites&quot;&gt;Differing Appetites&lt;/h3&gt;

&lt;p&gt;Not everyone eats fish, some fish only live and invade certain types of ecosystems, some invasive fish are impossible to distinguish with a net. With these realities, it is almost unsurprising that what is considered invasive or malicious to one ecosystem, is hardly a reason for concern in another. Understanding your ecosystem is critical for determining which nets to deploy and which invasive fish you should or can attempt to catch.&lt;/p&gt;

&lt;blockquote&gt;
  &lt;p&gt;Ultimately, we have to realize that we won’t always have the right net, but we can get damn good with the ones we do have.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;And…sometimes you just have a shitty boat.&lt;/p&gt;
</description>
        <pubDate>Thu, 01 Feb 2024 00:00:00 +0000</pubDate>
        <link>https://detectioneering.com/2024/02/01/what-is-detection-engineering-a-fish-analogy/</link>
        <guid isPermaLink="true">https://detectioneering.com/2024/02/01/what-is-detection-engineering-a-fish-analogy/</guid>
        
        <category>Detection Engineering</category>
        
        
      </item>
    
      <item>
        <title>Formulating a Hypothesis</title>
        <description>&lt;p&gt;When beginning the journey of looking at your security program, its preventative security controls, and the gaps that inherently reside between the layers of our layered security approach, we may ask ourselves: “where do I even begin”…or, is that just me?&lt;/p&gt;

&lt;p&gt;&lt;em&gt;glances at the dictionary…&lt;/em&gt;&lt;/p&gt;

&lt;blockquote&gt;
  &lt;p&gt;A hypothesis is a supposition or proposed explanation made on the basis of limited evidence as a starting point for further investigation.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h3 id=&quot;we-have-to-start-somewhere&quot;&gt;We have to start somewhere&lt;/h3&gt;

&lt;p&gt;To me, that means I should work on drafting a statement based upon initial observations or a limited understanding of something. What’s key here is that a good hypothesis should be stated in a way where there is a clear outcome that can be tested.&lt;/p&gt;

&lt;p&gt;I want to further point out that the provided definition of a hypothesis specifically used the term evidence. Without evidence we’re working with bias, which is not the way to go. All I’m saying here is that it’s easy to look at an observation and draw a conclusion. Evidence and fact are what matter.&lt;/p&gt;

&lt;blockquote&gt;
  &lt;p&gt;The fabrication of understanding beyond the scope of available evidence is a biased perception of reality.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Therein lies the whole point of a hypothesis. To create a supposition with the explicit understanding that we DO NOT know the whole truth.&lt;/p&gt;

&lt;p&gt;The pursuit of truth is the scientific method which has made the hypothesis a tool for continual discovery, verification, and knowledge alignment. Egos need not apply.&lt;/p&gt;

&lt;h3 id=&quot;is-success-proving-or-disproving-a-hypothesis-yes&quot;&gt;Is success proving or disproving a hypothesis? YES!&lt;/h3&gt;

&lt;p&gt;I understand that our education system has led us into valuing positive results over negative results; however, the whole point of a hypothesis is to evaluate whether the supposition is true or false. Both outcomes are good, one just requires a little more work…&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;True&lt;/strong&gt;, and we’ve proven that the observation and our understanding of the cause/effect were correct. Before we start passing out high-fives, we should spend time evaluating the potential for bias to have crept into our testing process. Our brains are engineered to make sense of things and find answers; bias is a human condition that we must be aware of in order to combat it.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;False&lt;/strong&gt;, and we’ve proven that we were incorrect. Dust yourself off and know that you’ve proven one method in which your hypothesis is not true. Apply the new knowledge, adjust, test, and repeat.&lt;/p&gt;

&lt;blockquote&gt;
  &lt;p&gt;There are two possible outcomes: if the result confirms the hypothesis, then you’ve made a measurement. If the result is contrary to the hypothesis, then you’ve made a discovery. (Enrico Fermi)&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h3 id=&quot;scope-the-ruiner-of-fun&quot;&gt;Scope, the ruiner of fun…&lt;/h3&gt;

&lt;p&gt;I personally love to dig into interesting things and “follow rabbit holes” but this isn’t an efficient use of my time in systematically finding truths, closing knowledge gaps and hopefully solving problems.&lt;/p&gt;

&lt;p&gt;When creating a hypothesis, we must consider the scope of what that hypothesis entails. We have to consider the realities of our time, resources, skill, knowledge, availability of tools and methods to test our hypothesis. We’re still proving Einstein’s theories correct in 2023. It can take a frustrating amount of time for the right elements to come together for a hypothesis to be tested.&lt;/p&gt;

&lt;p&gt;If I were to suppose a threat actor is using a known &lt;a href=&quot;https://lolbas-project.github.io/&quot; target=&quot;_blank&quot;&gt;LOLBAS&lt;/a&gt; technique across our estate of endpoints - what would shape the scope of this hypothesis?&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Limited access to endpoints?&lt;/li&gt;
  &lt;li&gt;Difficulty of collecting data to even begin the test?&lt;/li&gt;
  &lt;li&gt;Available time to test the hypothesis i.e. business needs, business value etc.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;None, some, maybe all of them? If given unlimited time and resources, what might we accomplish? Unfortunately, this isn’t realistic for nearly all of us. Something about an elephant and small bites is appropriate here.&lt;/p&gt;

&lt;h3 id=&quot;i-call-bs-wheres-the-examples&quot;&gt;I call BS, where’s the examples?&lt;/h3&gt;

&lt;p&gt;I hear you, a lack of examples bothers me too, but for this one, I think you have to go it alone.&lt;/p&gt;

&lt;p&gt;I firmly believe it’s the journey that provides the most value here. Yes, you may make a terrible hypothesis, but that pain of attempting to test a shitty hypothesis is the kind of real-world feedback needed to ultimately correct yourself and reinforce good habits.&lt;/p&gt;

&lt;p&gt;Again, remember that we’re naturally injecting bias in our processes as we yearn to make sense of the things we don’t quickly understand. We need to go through the motions of evaluating, testing, and yes, being disappointed with the outcomes so that we can improve.&lt;/p&gt;

&lt;blockquote&gt;
  &lt;p&gt;Attitude, disposition, and willingness to be okay with being wrong are key attributes to honing and applying the scientific method to the challenges you face.&lt;/p&gt;
&lt;/blockquote&gt;

</description>
        <pubDate>Sat, 08 Jul 2023 00:00:00 +0000</pubDate>
        <link>https://detectioneering.com/2023/07/08/formulating-a-hypothesis/</link>
        <guid isPermaLink="true">https://detectioneering.com/2023/07/08/formulating-a-hypothesis/</guid>
        
        <category>Threat Hunting</category>
        
        <category>Detection Engineering</category>
        
        
      </item>
    
      <item>
        <title>Don&apos;t Fall Victim To Poor OPSEC</title>
        <description>&lt;p&gt;OPSEC, or Operational Security, is a concept and doctrine borrowed from the military, used to protect our assets, plans, and movements from our adversaries. It’s amazing what can be pieced together from a few bits of information.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/2/opsec.png&quot; alt=&quot;WW2 Era OPSEC Poster&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Within the last 24-48 hours, a flurry of activity was kicked off across both vendor and organizational security teams due to the likelihood that a large-scale supply-chain attack was underway. The first public details of the attack were shared by the folks at CrowdStrike in the blog post: &lt;a href=&quot;https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/&quot; target=&quot;_blank&quot;&gt;CrowdStrike Prevents 3CXDesktopApp Intrusion Campaign&lt;/a&gt;.&lt;/p&gt;

&lt;h3 id=&quot;so-whats-the-big-deal&quot;&gt;So, what’s the big deal?&lt;/h3&gt;

&lt;p&gt;TL;DR the 3CX desktop application, utilized by millions of users, appears to be compromised and is being used by possible nation-state threat actors. Further details on how, why, and what they are doing with the compromised applications are still being researched.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Update (3/30/23)&lt;/strong&gt; Huntress Labs released a blog with technical and behavioral insights on the threat actor’s capability and use of 3CXDesktopApp.exe: &lt;a href=&quot;https://www.huntress.com/blog/3cx-voip-software-compromise-supply-chain-threats&quot; target=&quot;_blank&quot;&gt;3CX VoIP Software Compromise &amp;amp; Supply Chain Threats&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;3CX is an international Voice Over IP (VoIP) Private Branch Exchange (PBX). Simply put, they route a great deal of voice communications and are one of, if not the, largest operators of this type, with over 12 million users across 600+ thousand companies!&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/2/3cx-brands.png&quot; alt=&quot;Reported 3CX VOIP Customers&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Circling back, if you look into additional blogs posted on this threat (as of 3/29/23), you’ll note that there isn’t a great deal of insight into the attack vectors, commands, and actions-on-objectives publicly shared. This likely reflects how the industry was caught off guard by the attack and further highlights how hard it is to detect evil within trusted and signed applications.&lt;/p&gt;

&lt;h3 id=&quot;isnt-this-post-about-opsec&quot;&gt;Isn’t this post about OPSEC?&lt;/h3&gt;

&lt;p&gt;Yes, it is, and it relates to the above referenced incident. Currently, some of the earliest and highest quality atomic indicators shared have been the observed Command and Control (C2) domains. These domains were seen in communication with compromised/malicious installations of &lt;strong&gt;3CXDesktopapp.exe&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;So, what do you think happens when you share a list of malicious domains associated with a suspected supply-chain attack, and that list is reviewed by hundreds of thousands of businesses using 3CX software? If you said &lt;strong&gt;ping&lt;/strong&gt; and &lt;strong&gt;tracert/traceroute&lt;/strong&gt; commands, then you’d be correct! Post-compromise review of this attack showed many customers attempting to reach out via those network troubleshooting tools, essentially flagging themselves to the adversary network.&lt;/p&gt;

&lt;h3 id=&quot;the-dos-and-donts&quot;&gt;The Do’s and Don’ts&lt;/h3&gt;

&lt;p&gt;What we have here is a clear case of signaling, or the act of transmitting awareness of an operation to an adversary. While we certainly wouldn’t want to do this during a confirmed incident in an organization, we definitely don’t want to give the adversary further awareness of organizations that &lt;em&gt;might&lt;/em&gt; be vulnerable to their capabilities. This matters particularly because this threat is not fully understood and there are no public mentions (that I’ve seen) that discuss how organizations are targeted and compromised.&lt;/p&gt;

&lt;h3 id=&quot;be-careful-out-there&quot;&gt;Be careful out there!&lt;/h3&gt;

&lt;ol&gt;
  &lt;li&gt;
    &lt;p&gt;If you really need to, utilize an air-gapped network prior to reaching out to malicious infrastructure.&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Utilize a virtual machine (VM) that does not look, behave, or have shared configuration or settings to that of your production network environment.&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Make use of a VPN to obfuscate your location, ensuring you do not associate your production network with this research and investigation.&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;If you’re testing firewall rules and need to ping the domain, try to virtualize or move your firewall or network control to the air-gapped network for testing prior to relying on it in production.&lt;/p&gt;
  &lt;/li&gt;
&lt;/ol&gt;

&lt;h3 id=&quot;detection-opportunities&quot;&gt;Detection Opportunities&lt;/h3&gt;

&lt;blockquote&gt;
  &lt;p&gt;Expect a lot to change with associated detection content publicly shared as our understanding of the threat unfolds.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;&lt;a href=&quot;https://github.com/SigmaHQ/sigma&quot; target=&quot;_blank&quot;&gt;SigmaHQ/sigma&lt;/a&gt; Rules: &lt;a href=&quot;https://github.com/SigmaHQ/sigma/pull/4151/files&quot; target=&quot;_blank&quot;&gt;3CX Rules (3/29/23)&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;As discussed above, the only consideration beyond the lack of insight into the threat is that these rules will generate false positives for benign tools such as ping or traceroute making connections to the domains. That should be manageable, as we would not expect widespread benign connections to these domains.&lt;/p&gt;

&lt;h3 id=&quot;some-considerations-for-triage-and-analysis&quot;&gt;Some considerations for triage and analysis:&lt;/h3&gt;

&lt;ul&gt;
  &lt;li&gt;
    &lt;p&gt;Verify what application is making these outbound connections.&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Do you have detections associated with publicly shared binary hashes? Are they also associated with detected network comms?&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Be aware of legitimate use of ping and other command utilities making connections to these shared domains. Is this an admin or just an interested user?&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;If available, keep an eye on detected process lineage and their relationships to 3CX software to determine the likelihood of risk tied to associated detections and events.&lt;/p&gt;
  &lt;/li&gt;
&lt;/ul&gt;

</description>
        <pubDate>Tue, 28 Mar 2023 00:00:00 +0000</pubDate>
        <link>https://detectioneering.com/2023/03/28/don't-fall-victim-to-poor-opsec/</link>
        <guid isPermaLink="true">https://detectioneering.com/2023/03/28/don't-fall-victim-to-poor-opsec/</guid>
        
        <category>Detection Engineering</category>
        
        <category>Incident Response</category>
        
        
      </item>
    
      <item>
        <title>Detectioneering, a gerund!</title>
        <description>&lt;p&gt;A what you ask? A gerund, yes that’s a thing.&lt;/p&gt;

&lt;blockquote&gt;
  &lt;p&gt;A gerund is a verb form that ends in -ing and functions as a noun in a sentence. It is derived from a verb but serves as a different part of speech. Gerunds can be used as subjects, objects, or complements in a sentence.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;With that explanation out of the way (thanks ChatGPT), Detectioneering in my humble opinion stands for and represents the action or process of detecting cyber threats and applying techniques such as Detection Engineering, Threat Hunting, Threat Intelligence, and Adversary Emulation.&lt;/p&gt;

&lt;p&gt;It’s the cross section of knowledge, skills, and abilities that represents both the art and science of detecting threats. While detection engineering can be dismissively reduced to simplistic query jockeying, I hope to use this blog to dive into the complex relationship between these tradecrafts and both the external and internal dynamics that can shape and mature a Detectioneering capability to, you know, detect threats.&lt;/p&gt;

&lt;p&gt;I hope to keep these posts concise while I attempt to cover the wide range of topics that can fall within Detectioneering and most importantly, engage and learn along the way with you.&lt;/p&gt;

</description>
        <pubDate>Tue, 28 Mar 2023 00:00:00 +0000</pubDate>
        <link>https://detectioneering.com/2023/03/28/Detectioneering-a-gerund/</link>
        <guid isPermaLink="true">https://detectioneering.com/2023/03/28/Detectioneering-a-gerund/</guid>
        
        <category>Musings</category>
        
        
      </item>
    
  </channel>
</rss>