Blue Team Thomas
Detection Engineer | Cybersecurity Researcher | Multifaceted Nerd | Excessively Black | HipHop & R&B | Gamer | Runner | Occasional Podcaster

Oct 18, 2022, 12 tweets

Here’s my quick and dirty lab workout for Detection Engineers. I do this workout 2 to 3 times a week for about 2 hours. #CyberSecurity #infosec #BlackTechTwitter

First you’ll need a lab. I don’t romanticize the struggles of building a lab. Sure, you learn a lot but you’re trying to start building detections. So I recommend using an automated set up like this one. github.com/clong/Detectio…

Next, you’ll need a way to simulate an attack against your environment. My favorite for beginners is @redcanary’s Atomic Red Team github.com/redcanaryco/at…

Now, we’re ready to get started. Pick a technique that you want to write a detection for. Use @MITREattack for that. attack.mitre.org/matrices/enter…

Run the atomic on your target box. Analyze the logs in Splunk, Velociraptor, and OSquery. Start thinking about things that you could build detections on.

Remember, if you’re too broad, then you’ll generate too many false positives. If you’re too precise, you may miss suspicious behavior. Try to find a balance. The goal is to produce high fidelity, reliable alerts.

Think about potential false positives. Maybe you can create an exception for those. Maybe you can add something to your rule that illuminates things for you.

Now that you have some ideas, try writing rules in different formats. My favorites are Sigma, Yara, OSquery, SPL.

Deploy the rules and run the attack again. Did your alert fire? Try changing your attack script slightly. Does it still work if you run a different application, or run the file from a different path or directory?
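As an added illustration of the last few steps (balancing breadth against precision, carving out a known false positive, and re-running a slightly changed attack), here is a minimal Sigma-style matcher run over a handful of constructed process-creation events. This is example code written for this page, not something from the thread or from the Sigma project; the field names follow Sigma's process_creation convention, and the events, the "scheduled job" exception and the encoded command line are all made up.

```python
# Added example, not from the thread: a tiny Sigma-style matcher over constructed
# process-creation events, showing a rule that is too broad, one that is too
# precise, and a balanced one with a filter for a known false positive.

# Constructed sample events (not real telemetry).
PS64 = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PS32 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"Image": PS64, "CommandLine": "powershell.exe -EncodedCommand SQBFAFgA",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"CORP\jsmith"},
    {"Image": PS32, "CommandLine": "powershell.exe -EncodedCommand SQBFAFgA",   # same attack, other path
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"CORP\jsmith"},
    {"Image": PS64, "CommandLine": "powershell.exe -EncodedCommand SQBFAFgA",   # hypothetical known job
     "ParentImage": r"C:\Windows\System32\svchost.exe", "User": r"NT AUTHORITY\SYSTEM"},
    {"Image": PS64, "CommandLine": "powershell.exe Get-Process",                # ordinary interactive use
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\jsmith"},
]

def _field_hit(key, needle, event):
    """One Sigma-style field test: 'Field' (exact), 'Field|contains', 'Field|endswith'."""
    field, _, mod = key.partition("|")
    value, needle = str(event.get(field, "")).lower(), str(needle).lower()
    if mod == "contains":
        return needle in value
    if mod == "endswith":
        return value.endswith(needle)
    return value == needle

def matches(rule, event):
    """All selection fields must hit; any filter block that hits suppresses the alert."""
    def hit(block):
        return all(_field_hit(k, v, event) for k, v in block.items())
    return hit(rule["selection"]) and not any(hit(f) for f in rule.get("filters", []))

# Too broad: every PowerShell launch, including ordinary interactive use.
RULE_BROAD = {"selection": {"Image|endswith": r"\powershell.exe"}}
# Too precise: exact 64-bit path and exact command line; the SysWOW64 variant slips past.
RULE_PRECISE = {"selection": {"Image": PS64,
                              "CommandLine": "powershell.exe -EncodedCommand SQBFAFgA"}}
# Balanced: encoded command lines from any PowerShell path, minus the known job.
RULE_BALANCED = {
    "selection": {"Image|endswith": r"\powershell.exe", "CommandLine|contains": "-EncodedCommand"},
    "filters": [{"ParentImage|endswith": r"\svchost.exe", "User": r"NT AUTHORITY\SYSTEM"}],
}

def run_rule(rule, events=EVENTS):
    """Return the indexes of the events the rule alerts on."""
    return [i for i, e in enumerate(events) if matches(rule, e)]

if __name__ == "__main__":
    for name, rule in [("broad", RULE_BROAD), ("precise", RULE_PRECISE), ("balanced", RULE_BALANCED)]:
        print(f"{name:9}: {run_rule(rule)}")
```

The broad rule fires on all four events, the precise one misses the second path and still alerts on the known job, and the balanced rule fires only on the two events of interest.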

Don’t stress yourself out. If a rule isn’t working the way you think it should, decompose the rule and the attack to figure out why. As Detection Engineers, this is what you’ll do during every detection cycle. Things don’t always work the first time.

Detection engineering is as much about eliminating brittle or inefficient rule sets as it is developing high fidelity, reliable ones.

Few of us get this right the first time. It’s an exercise of trial and error. And even after the rule is in production, it’s never finished. Good luck.
