Everyone has diff vernacular for their models and ideas, but I define detection on a spectrum, where logic for the purpose of finding evil is measured by output fidelity, result set size, time/expertise requirements for review, and most importantly, “threat density.” #detectrum
The #detectrum is just a mental model for me, a way to explain the different intents and purposes for all sorts of logic and technologies and haystacks that help us find and attribute intrusion activity.
It’s not novel or special, but the detectrum can be helpful when you are examining the complex systems (people, processes, myriads of technologies) within a large intelligence apparatus.
Detection includes attribution. Attribution is a peak form of detection. Why do I think this? Before you laugh and mute me and move on, let me try to explain.
In the concept of detectrum, any given activity can be explained on a scale of specificity. Logic at its absolute widest will create massive haystacks of data relating to particular tech or TTPs. Let’s say you have logic or systems that extract host commands to help find badness.
You may have several pieces of logic for extracting host commands, but the widest one gets everything. This haystack is not threat dense and is not very specific in its designation of what is and is not in this giant haystack. This rule is on the far right of the detectrum.
Moving left, a bit more specific, a better piece of logic looks for all host commands with arguments for PuTTY Link (PLINK) tunneling. It’s a methodology, and not always malicious. But it is a much smaller haystack and significantly threat dense.
Now even more specific, say you have another host cmd rule that looks for PLINK tunneling with a structure that is common to APT34.CATE operators. They have a particular style of how they do the flags and maybe a regex of their favorite keyboard runs for passwords.
At its most specific, a rule logic for all of the above but also has an exact password match for a tracked operator and a fqdn for a known attributed APT34 C2 server. This is a very specific, precise piece of logic that now offers *attribution* to a host event.
In my head, the detectrum shows how events or data can build up. Simple telemetry, to haystacks by TTP, to generic malicious, to specific malicious. With data from layers of logic, in grades of specificity, you can move from across the spectrum from what, onto _who_
Imagine yourself a buyer of detection. Or any analyst receiving an alert or interpreting data. Which of these events would you prefer?

1) Generic.Mal
2) APT.SIXPLUS
3) SIXPLUS (unc2157)
4) SIXPLUS (APT29, operator Pavel)

Each of these can be delivered by different rule logic.
These are my coffee thoughts. Back to work!

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Steve Miller

Steve Miller Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @stvemillertime

28 Jan
#ConventionEngine: Part Cinq - OLE Edition

ConventionEngine is *mostly* about PDBs, directory paths that reflect something about the original code project and development environment. The paths are the signal. Where else will they show up? Why, in OLE objects! Let's explore...
We had a revelation that seeing an RTF with an OLE is not that crazy, but when that inside OLE has, for whatever reason, a full directory path, the whole object becomes so much more interesting. For example, RTF with OLE with C:\Users\ in it. Let's use Yara to take a measurement.
Here's a quick #dailyyara rule looking for RTFs with OLE objects with a path of C:\Users\ in it...somewhere...for some reason. This is odd, and unsurprisingly super threat dense.

gist.github.com/stvemillertime… Image
Read 6 tweets
21 Jan
How do @Mandiant UNC clusters get formed, merged, and graduate to APT groups or even personas? Look at serial crimes and sprees in meatspace. Multiple crimes on multiple victim systems, multiple places. It takes forensic evidence to tie the cases together. It's the same process.
Foot impression from the crime scene. Is it unique? What shoe is it, where was it sold? How many made in that size? You have to know if the evidence is unique. All the casings, latents, entry toolmarks. Technical evidence is how we group crimes together and move towards an actor.
TTPs and MOs and methodologies and victimologies are important too, but these don't help you get attribution alone. Technical links, grounded in substantiated evidence is the only way.
Read 16 tweets
14 Oct 20
Students of #infosec: @Mandiant and @FireEye folks have put out tons of blogs over the years. Careful reading of these can help you build familiarity with threat actors, intrusion TTPs, and threat data. And sometimes they're just fun. Here's a thread with some of my favorites:
Read 10 tweets
20 Mar 20
ExportEngine: Find Evil by PE Export DLL Names

(a #dailyyara thread)

PE files w/ exported functions often contain an image directory entry that we usually call something like "PE DLL name" or "export DLL name"

This string is "analytically rich" and is surfaced in many tools
Here in a sample of EVILTOSS (APT29) we see lots of valuable metadata in the IMAGE_EXPORT_DIRECTORY but it also contains the plain-as-day export DLL name "install_com_x32_as_dll.exe"
The export DLL name strings contains enough predictable developer conventions that you can use simple Yara rules to surface, cluster, detect/hunt for malicious activity that might otherwise be missed (similar to my prior research on ConventionEngine and PDB paths). Let's look...
Read 16 tweets
22 Feb 20
You may not think attribution matters, but I think attribution is also on the detection spectrum, or #DETECTRUM. I'm trying to think about it as layers of additive traps that enable us to hedge our bets for visibility, resilience in detection, sometimes to figure out who dun it.
I think the #DETECTRUM can be used to model both inputs and outputs of the detection engineering process - whether you're plotting "logic designed to find evil," alerts, the tech, or the or the data itself. The graphs might look a bit different, but same ideology might be useful
See also this thread and this thread:



and there's plenty of commentary on the #detectrum as well

Read 4 tweets
26 Feb 19
The basis for #SwearEngine is that malware developers are developers too. The catharses in their malware code manifest in a multitude of coarse expressions. Thus we can use the presence of swear words as a "weak signal" to surface interesting files. #threathunting
You may balk at #SwearEngine for being #basic but consider that this rule, looking for PEs with one single "fuck", detects malware samples used by APT5, APT10, APT18, APT22, APT26, Turla, FIN groups, dozens of UNC espionage clusters. Too many to list.
At least one single "fuck" is present in some samples of the following malware families: AGENTBTZ, ASCENTOR, ZXSHELL, SOGU, TRICKBOT, GHOST, VIPER, WANNACRY, WARP, NETWIRE, COREBOT, REMCOS, VIPER, ORCUSRAT, PONY, etc. I can't even name the coolest ones. There are hundreds.
Read 6 tweets

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!