Here’s my quick and dirty lab workout for Detection Engineers. I do this workout 2 to 3 times a week for about 2 hours. #CyberSecurity #infosec #BlackTechTwitter
First you’ll need a lab. I don’t romanticize the struggles of building a lab. Sure, you learn a lot, but you’re trying to start building detections. So I recommend using an automated setup like this one. github.com/clong/Detectio…
Next, you’ll need a way to simulate an attack in your environment. My favorite for beginners is @redcanary’s Atomic Red Team github.com/redcanaryco/at…
Run the atomic on your target box. Analyze the logs in Splunk, Velociraptor, and osquery. Start thinking about things you could build detections on.
Remember, if you’re too broad, you’ll generate too many false positives. If you’re too precise, you may miss suspicious behavior. Try to find a balance. The goal is to produce high fidelity, reliable alerts.
Think about potential false positives. Maybe you can create an exception for those. Maybe you can add a condition to your rule that rules them out for you.
Now that you have some ideas, try writing rules in different formats. My favorites are Sigma, YARA, osquery, and SPL.
Deploy the rules and run the attack again. Did your alert fire? Now change your attack script slightly: run a different application, or run the file from a different path or directory. Does the rule still work?
Don’t stress yourself out. If a rule isn’t working the way you think it should, decompose both the rule and the attack to figure out why. As Detection Engineers, this is what you’ll do during every detection cycle. Things don’t always work the first time.
Detection engineering is as much about eliminating brittle or inefficient rule sets as it is developing high fidelity, reliable ones.
Few of us get this right the first time. It’s an exercise of trial and error. And even after the rule is in production, it’s never finished. Good luck
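The loop above (run the atomic, write a rule, re-run a mutated attack, see what breaks) as an added worked example in Python. This is not code from the thread, from Atomic Red Team, or from the Detection Lab project; the process-creation events are constructed by hand to look like the fields a Sysmon Event ID 1 record carries, the "ExampleRMM" parent used as a false-positive exception is hypothetical, and the three rules are written here to show the broad / brittle / balanced trade-off the thread describes:

```python
"""Lab loop: score a detection over process-creation telemetry, then re-run it
against mutated versions of the same attack to see which rules are brittle."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """Subset of the fields a Sysmon Event ID 1 (process create) record carries."""
    image: str
    command_line: str
    parent_image: str
    malicious: bool  # lab ground truth only; production telemetry has no such label


# Constructed sample telemetry, not captured from a real host. Event 0 is the kind
# of record an encoded-PowerShell atomic leaves behind; events 1 and 2 are the same
# attack re-run from another path, with a shortened flag and different casing.
EVENTS: List[ProcEvent] = [
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoP -W Hidden -EncodedCommand dwBoAG8AYQBtAGkA",
              r"C:\Windows\System32\cmd.exe", True),
    ProcEvent(r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -enc dwBoAG8AYQBtAGkA",
              r"C:\Windows\explorer.exe", True),
    ProcEvent(r"C:\Users\Public\POWERSHELL.EXE",  # binary copied to a new directory
              "POWERSHELL.EXE -EC dwBoAG8AYQBtAGkA",
              r"C:\Windows\System32\cmd.exe", True),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
              r"C:\Windows\System32\svchost.exe", False),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -EncodedCommand dwBoAG8AYQBtAGkA",
              r"C:\Program Files\ExampleRMM\agent.exe", False),  # hypothetical agent
    ProcEvent(r"C:\Windows\System32\notepad.exe", "notepad.exe",
              r"C:\Windows\explorer.exe", False),
]

Rule = Callable[[ProcEvent], bool]


def image_name(e: ProcEvent) -> str:
    return PureWindowsPath(e.image).name.lower()


def rule_too_broad(e: ProcEvent) -> bool:
    """Any PowerShell launch: fires on everything, including the admin's backup job."""
    return image_name(e) == "powershell.exe"


def rule_too_brittle(e: ProcEvent) -> bool:
    """Exact path plus exact flag spelling: the first mutation slips past it."""
    return (e.image == r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
            and " -EncodedCommand " in e.command_line)


BASE64_ARG = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
# Hypothetical false-positive exception: a parent that legitimately spawns encoded
# PowerShell. Keep such lists short and reviewed; anything that can spawn from
# that parent inherits the exception.
KNOWN_GOOD_PARENTS = {r"c:\program files\examplermm\agent.exe"}


def rule_balanced(e: ProcEvent) -> bool:
    """Behaviour, not spelling: PowerShell by file name (any path, any case) with a
    flag that powershell.exe parses as EncodedCommand, followed by a base64 blob."""
    if image_name(e) not in {"powershell.exe", "pwsh.exe"}:
        return False
    if e.parent_image.lower() in KNOWN_GOOD_PARENTS:
        return False
    toks = e.command_line.split()
    for flag, arg in zip(toks, toks[1:]):
        f = flag.lower()
        f = "-" + f[1:] if f.startswith("/") else f  # powershell accepts / or -
        # powershell.exe accepts any prefix of -EncodedCommand from -e upward,
        # plus -ec as an explicit alias
        is_enc_flag = f == "-ec" or (len(f) >= 2 and "-encodedcommand".startswith(f))
        if is_enc_flag and BASE64_ARG.match(arg):
            return True
    return False


def score(rule: Rule, events: List[ProcEvent] = EVENTS) -> Tuple[int, int, int]:
    """Return (true positives, false positives, false negatives) for a rule."""
    hits = [rule(e) for e in events]
    tp = sum(1 for h, e in zip(hits, events) if h and e.malicious)
    fp = sum(1 for h, e in zip(hits, events) if h and not e.malicious)
    fn = sum(1 for h, e in zip(hits, events) if not h and e.malicious)
    return tp, fp, fn


if __name__ == "__main__":
    for name, rule in [("too broad", rule_too_broad),
                       ("too brittle", rule_too_brittle),
                       ("balanced", rule_balanced)]:
        tp, fp, fn = score(rule)
        print(f"{name:12s} TP={tp} FP={fp} FN={fn}")
```

Running it prints one line per rule. The broad rule catches all three attack variants but also the two benign launches; the brittle rule matches only the original atomic and the benign RMM launch and misses both mutations; the balanced rule catches all three variants with no false positives. The same scoring loop works on real Sysmon exports once you strip the `malicious` label and judge the hits yourself.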
🚨🔍👨💻🛡️ I got a few questions about what a Detection Engineer does. Daily tasks range from monitoring security systems to designing and developing detection logic. Here are some common tasks that I perform on a given day. #Cybersecurity #DetectionEngineer #SecurityOperations #SIEM
1️⃣ Building SIEM Architecture
Some detection engineers build SIEM architecture to collect, process, store, and analyze security-related data from various sources, identify potential threats, and alert the security team.
2️⃣ Monitoring Security Systems
Detection engineers monitor security systems, review logs/alerts/reports, identify potential threats, and investigate suspicious activities. Essential in security ops.
📚🔒👀 Need a good book this weekend? Want to be a Detection Engineer? Want to level up your detection game? Look no further! Check out my personal reading recommendations on the history and evolution of detection. #cybersecurity #detectionengineering #books #readinglist 🤓📖
1️⃣ First up is "An Intrusion Detection Model" by Dorothy Denning, a pioneering 1987 paper that proposes a model for intrusion detection consisting of data collection, analysis, and management.
2️⃣ "Detection Engineering: Defending Networks with Purpose" by Peter Di Giorgio discusses the importance of custom detection logic in network security.
Are you interested in becoming a Detection Engineer? 🕵️♂️🔎
Detection Engineers play a crucial role in identifying and preventing security breaches in organizations. But what skills do you need to become one? Here's a road map to guide you. #DetectionEngineer #CyberSecurity
Technical Skills: A strong foundation in network security technologies, protocols, programming languages, and tools like IDPS, firewalls, and SIEM systems is essential.
Cybersecurity Knowledge: Understanding common attack methods, threat actors, and security best practices is crucial for detecting and preventing security breaches.
My quick and dirty list of not-so-obvious complementary skills for Detection Engineers. These are the things I study on my "low-tech" days. Most of these are mindset/process centric and require minimal technology. #infosec #CyberSecurity #DetectionEngineers #BlackTechTwitter
First up, Statistical Analysis. Statistical analysis is the process of collecting and analyzing data in order to discern patterns and trends. This is useful when establishing baselines and identifying anomalies. simplilearn.com/what-is-statis…
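The baseline-and-anomaly idea above as an added example in Python, not code from the thread or the linked article. The daily failed-logon counts are constructed, and the technique is the Iglewicz-Hoaglin modified z-score (median and median absolute deviation, MAD) shown beside a plain mean/standard-deviation z-score, to make the practical point that a baseline built with robust statistics is not dragged around by the very spikes you want to catch:

```python
"""Baseline an account's daily activity and flag anomalies with a robust z-score."""
from statistics import mean, median, pstdev
from typing import Sequence

# Constructed sample: failed-logon counts per day for one account over 14 days.
HISTORY_CLEAN = [2, 3, 1, 4, 2, 3, 2, 5, 3, 2, 1, 3, 2, 4]
# Same account, but one earlier spike (60) is already in the baseline window.
HISTORY_WITH_OLD_SPIKE = [2, 3, 1, 4, 2, 3, 2, 60, 3, 2, 1, 3, 2, 4]


def naive_z(history: Sequence[float], value: float) -> float:
    """Classic z-score. A single past outlier inflates the stdev and hides new ones."""
    sd = pstdev(history)
    return float("inf") if sd == 0 and value != mean(history) else (value - mean(history)) / sd if sd else 0.0


def modified_z(history: Sequence[float], value: float) -> float:
    """Iglewicz-Hoaglin modified z-score: 0.6745 * (x - median) / MAD.
    Median and MAD are barely moved by a few extreme values in the baseline."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    if mad > 0:
        scale = mad / 0.6745
    else:
        # Flat baseline (more than half the days identical): fall back to the mean
        # absolute deviation, scaled so normal data gives the same score.
        mean_ad = sum(abs(x - med) for x in history) / len(history)
        if mean_ad == 0:
            return 0.0 if value == med else float("inf")  # any change is a change
        scale = 1.253314 * mean_ad
    return (value - med) / scale


def is_anomalous(history: Sequence[float], value: float, threshold: float = 3.5) -> bool:
    """3.5 is the conventional cut-off for the modified z-score."""
    return abs(modified_z(history, value)) > threshold


if __name__ == "__main__":
    today = 41
    for label, hist in [("clean baseline", HISTORY_CLEAN),
                        ("baseline with old spike", HISTORY_WITH_OLD_SPIKE)]:
        print(f"{label}: naive z={naive_z(hist, today):.2f} "
              f"modified z={modified_z(hist, today):.2f} "
              f"anomalous={is_anomalous(hist, today)}")
```

With the clean baseline both scores flag 41 failed logons. With one old spike in the window the naive z-score drops to roughly 2.3, below any reasonable threshold, while the modified z-score stays above 50 because the median and MAD of the window are unchanged. The flat-baseline branch matters in practice: an account that fails zero logons every day has MAD 0, and without the fallback the division would blow up on the first day it fails once.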
Second, Reasoning. Understanding the different types of reasoning and when you should apply them will allow you to efficiently analyze massive amounts of data. indeed.com/career-advice/…