LotL Classifier tests for shells, exfil, and miners

toolsmith #146: A supervised learning approach to Living off the Land attack classification from Adobe SI

Happy Holidays, readers!
First, a relevant quote from a preeminent author in the realm of intelligence analysis, Richards J. Heuer, Jr.:
“When inferring the causes of behavior, too much weight is accorded to personal qualities and dispositions of the actor and not enough to situational determinants of the actor’s behavior.”
Please consider Mr. Heuer’s Psychology of Intelligence Analysis required reading.
The security intelligence team from Adobe’s Security Coordination Center (SCC) has sought to apply deeper analysis of situational determinants to adversary behaviors as they pertain to living-off-the-land (LotL) techniques. As the authors indicate, “bad actors have been using legitimate software and functions to target systems and carry out malicious attacks for many years…LotL is still one of the preferred approaches even for highly skilled attackers.” While we, as security analysts, are party to adversary and actor group qualities and dispositions, the use of LotL techniques (situational determinants) proffers challenges for us. Given that classic LotL detection is rife with false positives, Adobe’s SI team used open source and representative incident data to develop a dynamic and high-confidence LotL Classifier, and open-sourced it. Please treat their Medium post, Living off the Land (LotL) Classifier Open-Source Project, and the related GitHub repo as mandatory reading before proceeding here. I’ll not repeat what they’ve quite capably already documented.

[Read More]

Zircolite vs Defense Evasion & Nobellium FoggyWeb

toolsmith #145: a standalone SIGMA-based detection tool for EVTX and JSON

I’m pleased to be back sharing outstanding tools for security practitioners with you after an extended time out to finish my Ph.D.
Here now, in our 145th installment of toolsmith, we discuss Zircolite, a standalone and fast SIGMA-based detection tool for EVTX or JSON, a fine tool brought to us courtesy of @waggabat. Zircolite’s GitHub repo tells you absolutely everything you need to know, and the documentation is more than adequate, so I’ll repeat only this:

  • Zircolite is a standalone tool written in Python 3 that allows you to use SIGMA rules on Windows event logs
  • Zircolite can be used directly on the investigated endpoint or in your favorite forensic/detection lab
  • Zircolite is fast and can parse large datasets in just seconds
  • Zircolite can handle EVTX files and JSON files as long as they are in JSONL/NDJSON format
  • Zircolite can be used directly in Python or you can use the binaries provided in releases
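To make concrete what "SIGMA rules on Windows event logs in JSONL/NDJSON form" means in practice, here is an added illustration (my own code, not Zircolite's; Zircolite's internals differ): each NDJSON line is one event, a rule's detection block is a set of named selections using SIGMA field modifiers (`contains`, `endswith`, `startswith`), and the rule's `condition` combines those selections. The events and the rule are constructed for this example and the rule title is hypothetical; real rules come from the SIGMA repository and are converted from YAML first.

```python
"""Minimal SIGMA-style matcher over Windows events in JSONL/NDJSON form.

Added example, not Zircolite's code. The sample events and the rule below are
constructed for illustration only.
"""
import json

# Constructed NDJSON: three Sysmon-style process-creation events (EventID 1).
SAMPLE_NDJSON = "\n".join([
    json.dumps({"EventID": 1, "Image": "C:\\Windows\\System32\\rundll32.exe",
                "CommandLine": "rundll32.exe",
                "ParentImage": "C:\\Windows\\explorer.exe"}),
    json.dumps({"EventID": 1, "Image": "C:\\Windows\\System32\\rundll32.exe",
                "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL",
                "ParentImage": "C:\\Windows\\explorer.exe"}),
    json.dumps({"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe",
                "CommandLine": "notepad.exe",
                "ParentImage": "C:\\Windows\\explorer.exe"}),
])

# Constructed rule in SIGMA's detection layout, already parsed from YAML to a dict.
# Hypothetical rule: rundll32 started without a DLL,entrypoint argument.
RULE = {
    "title": "Rundll32 launched without arguments (example rule)",
    "detection": {
        "selection": {"EventID": 1, "Image|endswith": "\\rundll32.exe"},
        "filter": {"CommandLine|contains": ","},
        "condition": "selection and not filter",
    },
}


def match_value(field_value, modifier, pattern):
    """Apply one SIGMA modifier; matching is case-insensitive as in SIGMA."""
    if field_value is None:
        return False
    fv, pat = str(field_value).lower(), str(pattern).lower()
    if modifier == "contains":
        return pat in fv
    if modifier == "endswith":
        return fv.endswith(pat)
    if modifier == "startswith":
        return fv.startswith(pat)
    return fv == pat  # no modifier: exact match


def selection_matches(selection, event):
    """Fields inside one selection map are ANDed; a list of values is ORed."""
    for key, pattern in selection.items():
        field, _, modifier = key.partition("|")
        patterns = pattern if isinstance(pattern, list) else [pattern]
        if not any(match_value(event.get(field), modifier, p) for p in patterns):
            return False
    return True


def evaluate_condition(condition, results):
    """Evaluate 'a and not b', 'a or (b and c)' etc. with a tiny recursive-descent
    parser, so no eval() is needed on rule text."""
    tokens = condition.replace("(", " ( ").replace(")", " ) ").split()
    pos = 0

    def parse_or():
        nonlocal pos
        value = parse_and()
        while pos < len(tokens) and tokens[pos] == "or":
            pos += 1
            right = parse_and()
            value = value or right
        return value

    def parse_and():
        nonlocal pos
        value = parse_not()
        while pos < len(tokens) and tokens[pos] == "and":
            pos += 1
            right = parse_not()
            value = value and right
        return value

    def parse_not():
        nonlocal pos
        if tokens[pos] == "not":
            pos += 1
            return not parse_not()
        if tokens[pos] == "(":
            pos += 1
            value = parse_or()
            pos += 1  # consume ")"
            return value
        name = tokens[pos]
        pos += 1
        return results[name]  # KeyError on an unknown selection name

    value = parse_or()
    if pos != len(tokens):
        raise ValueError("trailing tokens in condition: " + condition)
    return value


def run_rule(rule, ndjson_text):
    """Return the events (as dicts) that satisfy the rule's condition."""
    detection = rule["detection"]
    selections = {k: v for k, v in detection.items() if k != "condition"}
    hits = []
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        results = {name: selection_matches(sel, event) for name, sel in selections.items()}
        if evaluate_condition(detection["condition"], results):
            hits.append(event)
    return hits


if __name__ == "__main__":
    for hit in run_rule(RULE, SAMPLE_NDJSON):
        print(RULE["title"], "->", hit["CommandLine"])
```

Only the first event matches: the second rundll32 launch carries a `dll,entrypoint` argument and is removed by the `filter` selection, and notepad never satisfies `selection`. That filter-driven narrowing is the same mechanism you rely on when tuning a noisy SIGMA rule against a real EVTX export.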
[Read More]

Abstract: Improved Security Detection & Response Via Optimized Alert Output - A Usability Study

Cut the noise, hone the signal

Once in a while, you get shown the light in the strangest of places if you look at it right ~Garcia/Hunter

I’ve been absent here for many months, but it has been with purpose. My dissertation, Improved Security Detection & Response via Optimized Alert Output: A Usability Study, is complete, and I’ve successfully defended it; pursuit of my PhD is complete, a new journey begins. I’ll begin with posting the abstract here. I’m in the midst of the dissertation publishing process, but once ready, it will be available in a fully open source capacity, no paywalls or subscription required. I’ll also share all the data (fully anonymized) as well as statistical routines and analysis in R. I’ll continue to post the related artifacts, including the full dissertation via the R bookdown and thesisdown packages. I look forward to sharing this research with you while discussing it in a variety of forums and extending it to additional research opportunities. Stay tuned here for more.

[Read More]

Detection Development: The Research Cycle & NIST CSF

How to better answer questions in data with research methods

Leedy and Ormrod’s Practical Research: Planning and Design serves as an ideal framework for the practice of blue team detection development, thus helping meet the guidelines prescribed in NIST’s Cybersecurity Framework, particularly as part of detection and response.

[Read More]