
Hello everyone, thank you for joining us at BSides Tampa 2022. I am excited to introduce our next speaker, Christopher Peacock. He will be giving a presentation on the process of detection engineering. Here's just a few of his many experiences: cyber threat intelligence analyst, cyber threat hunter, tier three SOC analyst, incident responder. He also has experience in multiple industries: energy, finance, healthcare, technology and defense. Please welcome Christopher Peacock.

Thank you for that introduction, really appreciate it. Thank y'all for being here. Let's see if we got slides up. Okay, there we go. Thank you all again for getting that set up, really doing a great job today, guys. So: the process of detection engineering.

First off, who am I? I'm Christopher Peacock. I started my journey at Alpha 2, where I did help desk, network administration, system administration, that whole jazz. I worked up; I went to General Dynamics, where I started working as a SOC analyst and conducting purple team. Back in that time, you know, PowerShell was just coming out as something that was really used by pen testers and also adversaries, but we didn't really have EDRs yet, so it was how to, you know, go out and enable the PowerShell logging around that. From there I went to Raytheon, where I did intelligence, I did incident responder, SOC 3, led the threat hunt team, which is now
more kind of what has become detection engineering, right? With the threat hunts, at the end of the day you end up with a query that you can actually deploy as an alert, so it's kind of like automated threat hunting or detection engineering, however you want to label it; there are multiple ways to call it, but that's what it is. And then now I'm at SCYTHE, where I do adversary emulation and detection engineering. So that's actually going out, finding what bad guys are doing, extracting those procedures (you know, we're getting down to the procedure level in the TTP phrase), and then we work on doing detection engineering, so we map those to Sigma so that you can deploy them
wherever you need to, or we create Sigma rules and contribute that to the community.

So one of the goals of this is to find suspicious activity, and one of the areas that we like to focus on is post-delivery. You know, reconnaissance, that's where someone's scanning, things like that; you're not going to get really good return on investment there. Delivery and exploitation, we're really relying on our vendors: you know, we're relying on our firewall, our WAF, relying on the email gateway, things like that. And then once we get to installation and command and control, actions on objectives, that's where we want to catch them, before impact. You know, ransomware isn't click and spread everywhere. That
was WannaCry; that happened once, but most of the time they're actually going through a whole attack chain in the environment, and you can actually catch them pretty early before they get to impact. So that's what we're about: we're about catching those adversaries early, before impact.

What are the strategic drivers of this? So when we look across the strategic drivers of this, we have two of the foundation, which makes the base here. So we have the operational capability or capacity, and that's, you know, how the analyst can work with the data, and then we have the data collection. So those two things are the foundation, but then when we add threat
understanding to it, that's what evolves us into being a threat-informed threat hunter or detection engineer. So with data collection, we need to understand what data are we collecting, and then from there we can, you know, figure out where we can do analysis. If we don't collect named pipes, then we're not going to be able to do detections around that. We have to understand our gaps in what we're collecting, and then finally, where is it collected? Oftentimes with an EDR you have the data in the EDR, and it might only send alerts to the SIEM, and the SIEM, it's only getting the alerts. So you can't do your detection
engineering in the SIEM; you have to go to the EDR. So we have to understand that, and then finally we need to know how we prioritize our data. So one way we can prioritize our data is actually understanding what data sources are applicable to the most techniques and sub-techniques. So here we see command execution, process creation, file modification; those are all very important data sources to cover the ATT&CK matrix. And then the other one is the operational capacity, and this is just understanding that we need good tools and we need good analysts to work together. That's really what it's about. If you have a tool, or it's spread across multiple tools, it's going to slow your analysts down. The
other thing to take into consideration is the time factor, and that's the thing: when we have inefficient tools, or it takes too long for us to run queries, it's going to slow us down as detection engineers or threat hunters. And then finally we have threat understanding, and this is where that CTI bit comes in, of knowing what's going on in the threat landscape, what actors are doing against us, our org. If I'm an elementary school, I don't really care what North Korea is doing to South Korea; that's not my threat profile. I need to go out and study what ransomware actors are doing. And then we want to focus on the procedure; we don't want to focus on
the technique level, because if someone tells me that they dumped LSASS, I don't know how they dumped LSASS. So I can go out and I can grab an Atomic Red Team test, which is great, but I don't know if that actually aligns with what my adversaries are doing at the time. And then we also don't want to focus on IOCs or threat feeds, because these change very often.

So the process looks something like this, where we get direction from the CTI: we know what's happening in our space, we do our collection after our direction. Also, direction hopefully includes some sort of purple team exercise, so that you actually have that data in your
production environment. You want to see what it would look like in your environment so that you can also test: do we have alerts around it or do we not? And then we do our collection, and then our processing, and finally we disseminate it back out to the SOC and our stakeholders.

So, cyber threat intelligence. This is a big area. I've heard multiple times people say "I pipe my threat intelligence right into my SIEM," and I'm like, really? Because threat intelligence is very hard. So one thing to think about is IOCs are not threat intelligence. What we're talking about with threat intelligence is actually understanding who's going to attack us, who's in our threat landscape, and then what those threat actors are
doing at a procedure level, okay? And why we do this is because of the procedures that are run: adversaries have habits, they have training, they have tools, they also have guides. If you haven't seen the Conti playbook, literally it tells them step by step what to run, and like every time there's a Conti incident they're doing nltest, net, all these different things, so you can catch them early. But yeah, you can check out the guide, it's awesome just from an intel standpoint to actually see it, and lining up with things like the DFIR Report, which is a great resource to have. And I think I went... out of there. There we go.

So, direction. We have that CTI, we
understand what our adversaries are doing at a procedure level, and then we say, do I have detections already? Because we need to actually emulate those procedures so we can see if we have detections or not, and then from there we need to figure out how to catch it. But first we'll go ahead and run it. So in this example we'll go ahead and run the procedure and see if we catch it or not, and that's how we get direction: it's actually running those procedures. And this is what it looks like at the end for the direction side, where we've put together a plan of what the adversary is doing at the procedure level, we've mapped it to
alerts, and then we see where we have alerting gaps as well, so that we can work on doing engineering around those.

Next we have collection. So with collection we want to go ahead and start seeing what we have in our events; we want to see what's actually in our data sources. And with this we can go and we can leverage DeTT&CT to actually map out our data sources to see where the detections might be, and then we also want to identify and catalog any visibility gaps. So like I said before, lots of EDRs, they won't actually log the pipe name creation, so you can't do certain detections around that. And as we look and we start
understanding the data, we can start hypothesizing. So here, this is one way that we can map this if you're new to it, where you go to the MITRE ATT&CK page, and we see that PowerShell, it's going to have (they call these detections, but it's really like log sources) we see that there's a source of Process and we see that there's a component of Process Creation. And so you can go to any of the technique pages; once you have your procedure, you map that procedure to the technique, and you can figure out your data sources needed. The problem is, ATT&CK ends here, and you have to figure out what your actual event logs are in your environment,
and the way you do that is you leverage DeTT&CT. So with DeTT&CT you can add your data sources in. So here we have process creation, and I can see my products, where that actually resides, and then I can quantify my data quality in there. And this is what it looks like. You know, CISOs love this type of overview; it shows actually where we have visibility into certain data collections. This isn't to be construed as actual coverage from an alerting standpoint or a response standpoint, but this is actually a good way to show where we have, not detection gaps, but logging gaps.

So, hypothesizing. This is where we've started analyzing our data and we need to look at ways
of doing the actual alert engineering. So we start out, we cast a wide net, because we want to get as much malicious activity as we can, and then we start tuning that out, and then we narrow it down, and we want limited false positives. If we deploy a lot of false positives, then we're going to be in trouble; our SOC's not going to be able to actually respond to that alert. And then from there we also want to embrace that we're going to have a few false positives, because a lot of what we're looking at is living-off-the-land techniques, which are using things built into Windows. So we want to find suspicious activity,
and it might get flagged by a system administrator or something like that. So developing a hypothesis kind of looks like this, where we actually have Microsoft delivers "threat actor targeting SolarWinds with a zero-day exploit." So with this we see that we have the mshta application making a call out to a public IP address, so we can start saying, if we know what mshta does in our environment, does it normally connect outbound or not? So we can start thinking about, is that a detection opportunity? We also see whoami execution, so we can start thinking, like, do we need to catch that? We also see a couple things that we'll go over, of how we ask
more questions to start developing our hypothesis or our search query. So one of the things we want to consider when we're looking at a procedure is: what is the procedure doing, and how is it made, or what makes it malicious? How is it used maliciously? What's the threat actor really doing here? So what that looks like here is we see that command prompt is launching whoami; they're enumerating what they're running as, and then they're piping it out to a text file. So now we know what the adversary is doing, and then we can say, well, you know, what do our system administrators do, or what does our help desk do? Is our help desk actually piping
out whoami to a text file? And we can start thinking about ways of hypothesizing around that. And then the other thing is, when we start hypothesizing, we look at how often does this happen in normal operations. So in my environment, how often does cmd launch whoami, or, like we said before, how often are they actually piping it out? That redirector is not very common for whoami in most environments. If we're at a small company, you know, a few hundred workstations, no one may even use whoami, so that's another thing to consider as well. So these are just things that we're starting to try to baseline in our environment.

And then we look at, are there parent processes? So when we look at the cmd process chain that spawns off, we can look at what actually started this process, and once we understand what starts this process in our environment, we can tune it out potentially. Or we can look at how often does cmd launch whoami. You know, maybe whoami in my environment launches, but it only launches from a, you know, a different process, so I just tune that out and I flag on any whoami execution, because that's one of the first things attackers do when they get on a host: they want to know who they're operating as. And then we can also look at, are there
common child processes? So what we have here is just a common parent-child relationship; well, not a common one, but a commonly malicious one, where Word is spawning cmd. So that's one that we can tune into. We can look for, you know, rare processes coming off of Word that attackers are using, such as command prompt or PowerShell or rundll32, things like this. We also see Excel spawning rundll32. So these are things that we can start looking to as we do threat hunting and detection engineering: what are the child processes that I can tune into or out of? If you want to catch, you know, an Apache zero-day, like,
probably nine times out of ten the Apache exe process is going to have some sort of scripting interpreter off of it, such as PowerShell spawning off that Apache process, because the attacker needs to run commands.

So the other thing we need to look at is command line parameters. Often when we're trying to do tuning, we're looking at a certain process that's used across the network because it's living-off-the-land binaries and scripts, and if you're unfamiliar with that, that's just common applications that are built into Windows, or there are other Windows executables that attackers can bring in. So we need to look at what are suspicious command line parameters around those,
and then we can tune into those potentially, like in this case. Or potentially, if I'm looking at one set up with an application, and one process or multiple processes keep having the same command line parameter, I can tune that out as well.

And then the other thing we want to look into is the users. So a lot of times, you know, certain processes might run as SYSTEM, so if those processes are running as something that's not SYSTEM, then that's interesting. Or if they're running as, you know, a typical user and they're not supposed to usually run as a typical user, that's interesting, so we can look at that. The other area of
suspicious users is we can say, all right, for whoami, that's typical for help desk to execute, but should someone in HR probably be executing whoami, let alone should someone in HR probably be launching a command prompt? That's probably a little suspicious, because I don't know too many people outside of IT who launch command prompts.

And then finally, we also look at, does the process make network connections? This is a huge one. For almost anything inside the C:\Windows folder path, if it's going outbound, you probably need to start baselining that and look for suspicious activity. But in this example we see where PowerShell is going outbound, so that's just an example where what we
want to do is we want to baseline: does this process call locally, to localhost? Is that common? Sometimes you'll have certain processes where they don't call localhost, and you need to start flagging if they do call localhost. Or we look at private IP spaces and say this process only should talk to private IP spaces, you know, in our LAN, but it shouldn't call outbound. So that's another area that we can look at. And then finally, you know, external IPs. So we need to start understanding what this process communicates to on a common basis, so that we then can flag when it's suspicious. And what this looks like, it looks like
when we're tuning, is we cast the wide net first. So we cast the net, and we usually get a bunch of benign events, and that's where we start, and that's what casting a wide net kind of looks like in a visual reference. And our goal is to get down to this aspect where we have a few benign events and we get most of the malicious events. And the way we do this, though, is through testing, and we start seeing a bunch of different ways that the attackers are using those tools, you know, rundll32, things like this. We're starting to get a bunch of data generated around that, and that's why we want to do emulation in
our environment, in our production environment, to actually verify our detections and if we need to change them. One thing we like to talk about too is, don't go too small or too precise. If you go too precise, then you end up with something like this, where you're actually missing a lot of the malicious events, and if you do this, it's just, it's not good, because you're missing the bulk of the events that the rule could be covering. And what this does is it either allows you to miss alerts that you should have had, or it means that you're gonna have to create a bunch of different layered alerts, and then you just have a lot of alerts, and that slows
down the systems. One thing we also want to mention is that, with the nature of finding suspicious activity, sometimes when you actually go out there and you look at it in your environment, you might think, yeah, I'm gonna catch this one, guy, and then you realize that you have a bunch of benign events that come along with it. So I just want to say, not every procedure that an adversary uses is going to be a good detection opportunity. Sometimes you just don't have a good detection opportunity and you have to accept that. But at the end of the day, we want enough lasers in our vault scanning everywhere so that when, you know, a hacker comes in, they trip one of
those lasers.

So a quick example of this is the tuning of WMIC. So in our environment we went out and we looked for WMIC; it's a common living-off-the-land binary and script built into Windows. And what we have here is we look for the parent processes that were spawning it, and as you see, we have an Amazon agent that's spawning it a bunch, but then I have my SCYTHE emulation campaigns, and a PowerShell that came off of one of them; those were also spawning it. So this is a quick win in an environment where I can just go out, I can look for WMIC: should it be spawned in my environment?
Okay, it's spawned by this; we tuned that out, and now we're already finding suspicious activity. So that's a perfect example right there.

And then we get to dissemination as well, and with dissemination we're delivering to the stakeholders. And this could be delivering to the SOC, obviously, in the form of an alert. If we did good threat hunting, we have a tuned alert at the end of it that we can deliver to the SOC, and now we can go threat hunt on something else instead of having to threat hunt on the same thing, you know, month after month. And then one of the other things we want to do is maybe we give it to management, and one of the things we give to
management is, you know, we can take our developed alerts, we can map them to MITRE, and we can throw it up on a graph for them. So that's one thing to think about as well. And we can also give it to the CTI team. Then we can also document log sources, so we know what tools are giving us the most value. And then finally, this is always a circle that's ever continuing, because, you know, adversaries are always updating their procedures. And then also, if you have a red team, you can tell the red team that, hey, we have this rule now, or we put a block in place, or whatever it is, and we want to know: hey, red team,
what would you do to bypass this, or how would an adversary potentially get around this so it wouldn't flag in our environment? And then the red team can say, well, you know, instead of running whoami, we'll just enumerate this environment variable instead, and then you have to go and you have to do detection on that. So that's what it looks like from the dissemination standpoint, and with the red team, kind of, if you have that, implementing it back so that you're constantly doing that cat-and-mouse game and hardening your environment with detections. And then we also have the dissemination structure by Palantir; they have the ADS framework. It's a great,
in-depth framework, but being Palantir, they are a defense contractor and they have lots of resources and they have a huge team. So I want to say that you don't have to go out and do this to the T. Some people, they're like, oh, I need to do the full framework, and I'm here to tell you, you don't need to do the full framework, but do what works for your environment. I recommend going and checking it out; take what you need, what fits into your environment, and then from there you can actually implement what you need to implement.

So let me bounce back, because I've actually skipped a few slides. I did this in Google Docs and then exported, and I
think when my... ah, so it's just blank. All right, well then I'll just talk manually to it. So for those of you unaware, by the way, of David Bianco's Pyramid of Pain: Dave Bianco came out with this after Mandiant's APT1 report. The APT1 report really changed the industry. It was the first time that we said, hey, it's not just malware, it's not just "malware's bad, clean up malware." We went out and we actually saw that there's adversaries behind here; there's actually procedures that they do. So what David Bianco said is, hey, the IP address, they can change that really quickly. I don't know if any of y'all were in the talk earlier;
John, though, is talking about how you can just script out infrastructure as code, so adversaries can literally spin up and then move IPs constantly. And then every time they do a new payload, then it can be a new hash. So when we're trying to look at these IOC feeds, what we're looking at is just old artifacts left behind by an actor. So IOCs, you know, those hashes and stuff, those are good checks to make sure that none of that stuff was in our environment, as far as cross-referencing, but what we really need to get to is, as you move up David Bianco's Pyramid of Pain, he gets to tools, and tools are good
because we want to catch something like Mimikatz, right? Because it's used everywhere, and people change the hash on it constantly, so if you're trying to catch the hash, you're not doing a great job. But you need to be able to catch Mimikatz the tool, or maybe "kittens" or "memory dogs" or whatever they name it. That's where we get to tools, and we need to catch that. And then finally, when we move to the top, at the time, I believe this was like 2013, he had the TTPs at the top. And with cyber threat intelligence, with the TTPs, everyone's kind of lumping that together to say that the adversary did this TTP and this TTP.
So when we see it, though, when we look at the actual technique, it might be credential access. So if I communicate to y'all as a group and I say, hey, Purple Unicorn yesterday did credential access, how are you gonna go out and make sure that you're secure from that, from that Purple Unicorn dump? You know, with credential access, you don't know how to test that. So then we also had the technique level, where we say, okay, Purple Unicorn dumped LSASS; that's how they got credential access. But we still don't know how they actually dumped LSASS. So this is like where I say, if you're familiar with Schitt's Creek, like, I've seen where they're going, how
do I fold the cheese? It's, how do I fold the cheese? Because at the end of the day, if you told me that they dumped LSASS, I don't know how they did. Did they use Mimikatz? Did they use ProcDump? Did they do it any of the other 20 ways? Did they come up with a new and novel way of dumping LSASS? I need to know so that I can actually replicate that in my environment.

So the other thing that we need to know is, so after David Bianco published this, after the APT1 report, it wasn't until like three or four years later that ATT&CK came out, and everyone's trying to map stuff to ATT&CK now.
And with that, what we have to do is we have to understand what ATT&CK was meant for. It was meant to communicate. It was meant so that I could go out and I could do a report and tell you what happened in my environment without handing over every single command line procedure that the adversary did. So ATT&CK was meant to take that, tag that, and then communicate it out to the masses. That's what ATT&CK was meant for. But now, you know, it's kind of like the Frank's RedHot sauce: everyone's putting ATT&CK on everything, which, I, you know, I love the ATT&CK team, they're great, but sometimes, some things ATT&CK works for,
some things it doesn't. So what we're really trying to do, and what I'm trying to say, is you need to get down to that procedure level of what the adversary is doing. If you're not doing that, you're not having threat-informed detections. So we need to go out; if you are getting... you can have this from multiple sources too. If you're ransomware, the DFIR Report does a great job on opportunistic adversaries. You know, they take malware, they detonate it, they look at what they're doing in their environment at the procedure level, they tell you every single procedure, so then you can run that in your environment and then you can do your detection engineering on it.
And that's really what the whole process comes down to: starting out figuring what the adversary is doing, because they have those habits. I don't know if I've actually said "um" yet, because I'm trying not to, but I have a habit of saying "um" on stage. So if you were to do something, you're like, out of all the speakers here, that one's probably Chris, because they said "um" 20 times. But I have habits; everyone has habits, you know, or they have training as well. If you are going to a nation state to do hacking, guess what, you're going to get training, and I'm going to tell you, they don't change training that often, because they
have to be able to push people through, so the training is going to be similar. You know, a lot of three-letter agencies send their students or their employees through SANS, so a lot of them are getting SANS training, which is going to be the same training over and over again. By the way, shout out to George; I'm not trying to badmouth SANS. He's probably on the Discord saying something right now, but George is my boss. He's a good guy, excellent guy, and I thank him for this opportunity to be up here and talking to y'all, because Raytheon, I don't believe, would let me do this unless I jumped through like four hoops and spun plates
on my head. So just getting down to this procedure level is what we're after, and that's what's going to drive detection engineering, and that's what's going to make us threat-informed. So that's pretty much the whole talk, and then we'll open it up to questions now. I kind of rushed through because I do want to make sure we have enough time for questions, but just to tie it off, I do want you all to have some happy hunting, and I hope you all actually go out and find good cyber threat intelligence, understand that adversary, what they're doing in your environment or what they would do in your environment potentially, run that in your environment,
and then start doing detections around that. So, any questions? Yes.
Risk-based alerting. So it kind of just depends, right? I don't think I've ever seen where risk-based is necessarily, like, how do I put this, I've never seen it where it works well, right? Because, so if I go out and I say, all right, I'm going to quantify the risk of this alert really high because it's on a domain controller. All right, well, so if I have Mimikatz on the domain controller, I just got a high alert, hopefully, because I have a high asset and I have a high-fidelity alert, probably of very malicious activity. So now I have a high alert. But, sorry about that, the issue is,
well, what happened with the way the actor got in, who got to the domain controller and put Mimikatz on there? What happened to that low-level informational alert in HR that was ranked low? So that's one of those things where, to me, tuning an environment and being able to respond to every alert, that's the idea. Is it achievable in every environment? No, I mean, some environments, it's very difficult to do that. But yeah, risk-based, it's one of those things I haven't seen it work well yet, and like I said, because Mimikatz got to the domain controller and it's a high alert, but we missed all these other alerts of how they loudly
moved there.

The other thing that I like to talk about with detection engineering, that I think that our detection engineers need to know about, is being able to document what's going on in the alert and what the response is. So, like, if you have Mimikatz on a domain controller and the SOC analyst goes in and they say, "we removed Mimikatz from the domain controller, we did an AV scan and it's clean, closing case," well, what you have to know is that means that there's still an adversary with active C2 somewhere in there. They actually didn't do the response well. So when you're doing purple teaming, you need to also audit that response
to make sure we're getting the appropriate response. One of the most common ways for threat actors right now to get command and control up and running from, you know, most of these phishing campaigns, they're using something where they inject either the initial trojan or, afterwards, when they drop Cobalt Strike, it'll go into rundll32. So one of the areas that we're running into issues is you see where an analyst will say rundll32 alerted, and we have the alert, and this is why you don't stop when you're purple teaming; you don't stop at the alert. You need to get to the next level and test the human response, because if I put my shell in rundll32
and it's calling outbound, that's great for me; I'm hiding right there. And then the analysts will go in and then they'll take the hash of the rundll32 process, and then they'll also say that it's Microsoft-signed, and then they'll close the case saying that it's a false positive. So this is one of those areas where, if you're a red teamer, you know, try to help guide people through the whole process of, look, we need alerts, we need to test the response to it, and then where we don't have alerts, we need to gain alerts, and then we need to test the response to those. We need to constantly be hardening and scrimmaging against ourselves,
so that when the adversary shows up, we're ready and we're going to win. Thank you. Any other questions? Yeah, what's up?
Parent process ID. Yeah, so for those online, the question was, do we ever run into parent process ID spoofing? I don't believe I ran into it in the wild, but there are detections around that, and it also depends, like, how it's done too. But that's one of those things where, you know, you can do it, it is a technique, but that's where we want to go in and we want to see the actual process that was done, replicate that, whatever the adversary is doing, how they're actually doing it, and test it in our environment and test it against our tools. Does that make sense? So, like with any technique, there's so
many different procedures, so you'd have to look at the specific procedure and how it's doing it. But yeah, definitely you should be hunting for that. Any other questions?
So for those online, the question was, how often should we be testing the rules or content? Now this is one of those things where you could have a test after every change management. So if you change your rules, one of the things that people are pushing right now is detection-as-code, so every time you, you know, change your code, then you want new detection tests. You could do, you know, something where you're looking at a monthly test of what you're actually seeing in your environment or from your adversaries. One of the best areas to get your best CTI is to go out and look at all your blocked emails and any of your
emails that actually got through that were phishing, and then studying that whole chain of what it looks like from the user click. It might be, you know, an ISO file that then launches a .bat file that then launches this, doing that. And instead of launching that actual process, or that actual malicious activity, in your environment, figure out a way to emulate that in your environment and then see what would happen. Like, okay, we knew that this came in, five users got it, and we removed it from their inbox; no one ever clicked it. But do you know that you have, if someone does click it and you don't get an alert,
do you have those capabilities after that click to start catching that chain? So that's one area that we look at, yeah.

I just want to, like, get back to your smiley face diagram. So obviously we have, like, really good rules that
and so what is your approach on both sides that we
so the question was is what do you do to an alert to make it higher fidelity so you have to understand two concepts and one concept is if i have it nope on here is recall so recall and this is pivoting from what MITRE has done with a bunch of their reach research and they look at it more from a very advanced data science aspect is recall is how much of the malicious activity do i actually detect so that's one area but with that too you have to identify potential unknowns right or consider potential unknowns in your detection and then the other area is precision because we don't want benign events so it's trying to balance those two out
that we get something like this where we're going for the most recall we can and then we're also trying to balance out precision and not have a lot of false positives uh but the way to do this the best way is to run a bunch of different procedures for whatever you're trying to detect so if you're trying to detect like encoded PowerShell you know maybe you want to do a base64-encoded PowerShell and then maybe you're still looking at PowerShell so you want to do something like Invoke-Obfuscation PowerShell so you want to start looking at different things like that to see how your detections can be expanded or if you have to go into new
detections um but obviously and i'm doing the um thing again once again people have patterns this is why we go out and we look at the patterns that they're doing yeah what's a broad up scope of detect protection not to miss anything while managing is there a balance of creating a broad enough scope detection not to miss anything while managing alert fatigue okay so the question is is about getting to balancing um detections so that you don't get to alert fatigue so yeah that's where we're here right you have too many benign events and the way we do that is we got to get down to something like this where we're not uh alert fatiguing our SOC and the
way we do that is we go through our questions we're looking at different parent uh parent processes or child processes that we can tune out so like i said here we looked at uh the parent processes so we tuned these out so we didn't have alert fatigue now obviously something else could come along eventually especially like if there's like an install or something like this that might trip it but you know we're not going to have alert fatigue from this we'll we'll catch some suspicious activity but not alert fatigue so it's just about doing that tuning any other questions yep what's up
meaning that you need some way of detecting have you ever dealt with or and maybe how's your deal
all right so the question was around uh a lot of these detections are host based so one of the big things that you have to understand if we go back to it real quick is to actually catch a fair amount of the techniques
to actually catch a fair amount of the techniques we actually do need command execution and we need process creation um one of the first things that typically happens with modern day incident responses is they come in and they throw an EDR on there because you need those hosts or that host data so from there to address your question is if you have someone who doesn't have an EDR deployed yet most often they also don't decrypt SSL so you're also not going to be able to look inside that traffic either to do the network side so now you're pretty much flying blind so what do you do well what we did one time was we had a
case study where we got charged with improving detections without spending any more money and what we did was we deployed Sysmon so that we actually got the logging capabilities that we needed and the alerting capabilities and then so from Sysmon if you're not familiar great tool and then look at Olaf's modular config it's a great one and then you also have the common SwiftOnSecurity config as well
potentially yes but it is a cheaper route and then oh by the way um another way of actually doing a good substitute Florian Roth's company actually they Nextron i believe they came out with uh an Aurora agent and it's it actually runs on the host the Sigma rules so it's actually great because you actually don't have to collect all the Sysmon and then configure your SIEM with the Sigma rules you can actually just deploy this and then send whatever alerts come back so it's actually it's a very powerful tool that i think a lot of people will start using as kind of a makeshift EDR for those type of setups where it's like i need something on the
cheap okay go deploy this and at least you're gonna have those EDR alerts even if you don't have that EDR visibility but now you know which system to go get and start looking into or deploy Sysmon to or whatnot great question anyone else i think we got time for about two more questions yeah what's up how do you feel about secondhand detection what i mean by that think of your MCAS or any other product correlation kind of black box how do you handle companies that are like hey i want that one you don't have all right so the question is is when you have like a company who doesn't tell you why a detection fired but the customer
also wants that detection in a different environment um probably talking about Mandiant if i had to guess Google now i think it's Google so yeah that's going to be a tough one right but what you can do typically is if if they wrote at least the alert well enough you can get an idea of what it's flagging on or what you can do is because a lot of them now are tagging to at least a technique level so you can probably go you know start doing some different procedures maybe start with like some Atomic Red Team tests for that technique until that alert fires again and then now you know what that technique was and then you can map it to something that's
internal to you or like a Sigma rule if that makes sense but yeah you can i mean if you if you ham jam it enough you'll figure out what what fires that sucker all right come on we got questions one more
all right so the question was how are we updating our TTPs and threat actor information um so this is like a tough area right because a lot of reports don't contain procedure level intelligence and so what we actually have done is we went out we hired Jake Williams who's a former uh i don't know if i can i think he comes out he's publicly said he worked for a three-letter agency um and he's a SANS instructor he wrote like the top SANS uh the hardest SANS course which is like advanced exploit development so we went out and we hired him uh if you are on Twitter MalwareJake shout out to him he's been awesome so far and i'm sure he's gonna do even more
amazing stuff so we're going out and we're actually building out how to get more procedure level in-house but the other area that we're looking at is what you can do right now is go out and read reports so in the instance that i showed you where we actually had the Microsoft report
so we have the Microsoft report and we can see right here what what they're doing so it's one of those things where you have to go through a few reports OpenCTI is actually a pretty good source where you can get through multiple reports until you find procedures but it's going out reading the intelligence that's actually produced this is one of those things too most of the time what we're doing uh if you're doing detection engineering you should be a consummate consumer of cyber threat intelligence you should go out and read the intel reports so if Mandiant is coming out with a report of what a threat actor is doing if Microsoft's coming out with a report
of what a threat actor is doing you should be reading it and understanding what the adversary is doing and then you can understand that at a procedure level of what they're doing let's do that in my environment can i detect it do i have response around it and you know that's what we're really trying to do purple teaming is like the first thing where i was like that makes sense to do like ML/AI sure that stuff's coming um eventually maybe but you know purple team that's the most it's the most actionable thing we can do right now to actually harden our environments and if we just did it a little bit more we wouldn't be getting
the ransomware that's across all these organizations with the Conti playbook being run over and over and over again i hope they talk about it in the next talk but literally it's the same thing in all tests net.exe all these things over and over again where if you actually had just a little bit of knowledge of how to consume the reports coming from like The DFIR Report how to actually just go out read it think about it emulate it in my environment and then test my detections and response against so with that i believe i have to wrap up but happy threat hunting happy detection engineering happy purple teaming get out there and kick some butt and let's get
these uh these adversaries off our networks [Applause]
oh by the way there are stickers on either side of the uh on the stage
i should have checked it out
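An added example, not part of the talk or the speaker's tooling, illustrating the recall/precision balance and the parent-process tuning the speaker describes in the Q&A: a first-cut encoded-PowerShell rule is scored against constructed, labelled process-creation events, then a tuned version excludes a hypothetical baselined deployment tool (deploy-agent.exe) and adds an Office-spawned hidden-window check. The sample events, the base64 blob and the tool name are all constructed for the example.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    image: str       # created process, as in a Sysmon event ID 1 record
    parent: str      # parent process image
    cmdline: str     # full command line
    malicious: bool  # ground-truth label for this constructed sample

B64 = "QQBCAEMARABFAEYARwBIAEkASgBLAEwA"  # placeholder base64 blob, not a real payload
# Constructed, labelled sample telemetry (not real incident data).
EVENTS = [
    ProcEvent("powershell.exe", "winword.exe", f"powershell -nop -w hidden -enc {B64}", True),
    ProcEvent("powershell.exe", "cmd.exe", f"powershell -EncodedCommand {B64}", True),
    ProcEvent("powershell.exe", "winword.exe", "powershell -w hidden -c Get-Content x.txt", True),
    ProcEvent("powershell.exe", "deploy-agent.exe", f"powershell -EncodedCommand {B64}", False),
    ProcEvent("powershell.exe", "deploy-agent.exe", f"powershell -enc {B64}", False),
    ProcEvent("powershell.exe", "explorer.exe", f"powershell -enc {B64}", False),
    ProcEvent("powershell.exe", "explorer.exe", "powershell Get-Process", False),
]

ENCODED = re.compile(r"(?i)\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}")
HIDDEN = re.compile(r"(?i)\s-w(indowstyle)?\s+hidden")
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
TUNED_PARENTS = {"deploy-agent.exe"}  # hypothetical deployment tool found during baselining

def rule_v1(ev):
    # First cut: any PowerShell launched with an encoded command.
    return ev.image.lower() == "powershell.exe" and bool(ENCODED.search(ev.cmdline))

def rule_v2(ev):
    # Tuned: drop the baselined deployment tool (raises precision) and add
    # hidden-window PowerShell spawned by an Office app (raises recall).
    if ev.image.lower() != "powershell.exe" or ev.parent.lower() in TUNED_PARENTS:
        return False
    encoded = bool(ENCODED.search(ev.cmdline))
    office_hidden = ev.parent.lower() in OFFICE_PARENTS and bool(HIDDEN.search(ev.cmdline))
    return encoded or office_hidden

def score(rule, events):
    # Precision = share of flagged events that were malicious; recall = share of malicious events flagged.
    hits = [(rule(ev), ev.malicious) for ev in events]
    tp = sum(h and m for h, m in hits)
    fp = sum(h and not m for h, m in hits)
    fn = sum(m and not h for h, m in hits)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return precision, recall
```

On this sample the first cut scores precision 0.40 and recall 0.67; the tuned rule reaches precision 0.75 and recall 1.0, with the remaining false positive (an interactive encoded command from explorer.exe) left as the kind of suspicious event the speaker says you still want to see rather than tune away.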