The Detection & Response Chronicles: Covert Operations Through QEMU

Adversaries have always relied on legitimate tools to carry out their attacks. These tools are already trusted by security solutions, which allows them to blend in with normal activity, maintain a low footprint, and make detection much harder for defenders. By using these legitimate tools, adversaries can carry out a wide range of actions, such as moving laterally across networks, establishing C2 channels, or maintaining persistence, all without triggering any alerts.

Capture the Kerberos Flag: Detecting Kerberos Anomalies

Kerberos is one of the most common protocols in organizations that utilize Windows Active Directory, and an essential part of Windows authentication used to verify the identity of a user or a host [1]. As such, Kerberos is often a target for adversaries trying to either steal or forge Kerberos tickets [2]. In this blog … Continue reading Capture the Kerberos Flag: Detecting Kerberos Anomalies →

Detection Engineering: Practicing Detection-as-Code – Tuning – Part 8

In Part 7, we showcased how we can leverage automation to continuously monitor the performance and trigger rate of our deployed detections. In this part, we are going to investigate how we can introduce automation and utilize continuous deployment pipelines to streamline the tedious task of tuning our detections.

Detection Engineering: Practicing Detection-as-Code – Monitoring – Part 7

In this part, we are going to introduce automation to effectively monitor our deployed detections. By setting up automations at this phase we adopt a proactive approach towards maintenance, allowing our team to take action before a blowout of alerts or an untuned detection is escalated by the SOC.

Detection Engineering: Practicing Detection-as-Code – Deployment – Part 6

The deployment phase is one of the most challenging steps in the Detection Development Life Cycle due to its implementation complexity. In this part, we will explore the principles and practices of deploying rules to target platforms. Additionally, we will go through some of the challenges encountered when designing and implementing a deployment pipeline, along with suggestions on how to overcome them, to ensure that our Continuous Deployment pipeline operates smoothly.

Detection Engineering: Practicing Detection-as-Code – Versioning – Part 5

Versioning in the detection library is crucial for maintaining traceability and tracking changes to individual detections and content packs. It enables us to pinpoint the exact state of specific detections at a given point in time, provides a clear history of updates, and facilitates troubleshooting and debugging by identifying which version introduced particular changes.