Technical Tests
Theme Technical Testing
This page contains tests of technical aspects of the theme I am using and Jekyll in general.
Michael McDonnell / The Cybersecurity Librarian
Last Update: 2023-03-19
I want to better understand the industry landscape and emerging practices in Detection Engineering. These are my notes on DE perspectives, frameworks, processes, tools, and people to learn from.
What is Detection Engineering?
Detection engineering is the process of identifying threats before they can do significant damage. Detection engineering is about creating a culture, as well as a process of developing, evolving, and tuning detections to defend against current threats. – CrowdStrike
Detection engineering transforms information about threats into detections…. Detection engineering transforms an idea of how to detect a specific condition or activity into a concrete description of how to detect it. – Florian Roth
Detection engineering is by no means limited to the detection of events (activity). It also includes detecting conditions (states), often used in digital forensics or incident response. – Florian Roth
A Threat Detection Engineer is someone who applies domain knowledge on designing, building or maintaining detection content in the form of detections generating alerts; or interfaces in the form of dashboards or reports supporting the security monitoring practice within an organization. – Alex Teixeira
Detection engineering is a process—applying systems thinking and engineering to more accurately detect threats. The goal is to create an automated system of threat detection which is customizable, flexible, repeatable, and produces high quality alerts for security teams to act upon. – Laura Kenner, uptycs
Detection engineering functions within security operations and deals with the design, development, testing, and maintenance of threat detection logic. – Mark Stone, panther
Detection engineers design and build security systems that constantly evolve to defend against current threats. – Josh Day, gigamon
Threat hunting and detection engineering are different specializations, but are closely related. They have a common goal of finding attackers using available data, whether it's the attackers that got past your detections (threat hunting) or the next ones through (detections). – Mark Simos
Perspectives
- Florian Roth : About Detection Engineering
- CrowdStrike : What is Detection Engineering?
- GitHub : Awesome Detection Engineering
- Uptycs : What Is Detection Engineering?
- Panther : A Technical Primer in Detection Engineering
- Gigamon : So, You Want to Be a Detection Engineer?
- Red Canary : Behind the Scenes with Red Canary’s Detection Engineering Team
- Alex Teixeira : What does it mean to be a threat detection engineer?
- Mark Simos : Typical SecOps Role Evolution
Can I get certified as a Detection Engineer?
Maybe. I never thought about that before.
- ATT&CK Threat Hunting Detection Engineering Certification Path – Training is part of MITRE MAD which is USD$500/year.
- GIAC Certified Detection Analyst (GCDA)
How can I learn more about Detection Engineering?
Reading
Articles
- The dotted lines between Threat Hunting and Detection Engineering
- Prioritization of the Detection Engineering Backlog
- Detection Engineering with MITRE Top Techniques & Atomic Red Team
- How to Improve Security Monitoring with Detection Engineering Program
- The Evolution of Security Operations and Strategies for Building an Effective SOC (ISACA, Lakshmi Narayanan Kaliyaperumal)
Blogs
- Blog Posts Tagged “Detection Engineering” on Medium
- Florian Roth
- Alex Teixeira: When Data speaks, are you ready to listen?
- MITRE ATT&CK Blog
- Anton Chuvakin
Books
- 11 Strategies of a World-Class Cybersecurity Operations Center
- Malware Analysis and Detection Engineering
- Agile Security Operations
Listening (Podcasts)
Watching (Videos)
- Detection Engineering Methodologies
- Threat Hunting SANS: What is Detection Engineering? Avigayil Mechtinger
- Resilient Detection Engineering
- Detection as Code: Detection Development Using CI/CD
- Threat-Informed Detection Engineering
- Leveling Up Your Detection Engineering
- Measuring Detection Engineering Teams
- Security Onion Essentials - Detection Engineering
Courses
Events (Conferences)
What are the core Detection Engineering Processes?
TODO. See articles above for now.
What tasks should a Detection Engineering Program document?
Appendix C.3 of the MITRE book 11 Strategies of a World-Class Cybersecurity Operations Center outlines a framework for Detection Engineering/SOC Systems Administrator documentation. In a past job, I worked together with a SOC Sysadmin and collaborated on documentation that was similar. I was delighted when I read this appendix and found it was a strong match for what we did. It drove new efficiencies, supported better understanding by incident handlers, and ensured our systems were well maintained and worked.
The key document types for SOC Engineering are:
- Monitoring Architecture
- Internal Change Management Processes
- Systems and Sensors Maintenance and Build Instructions
- Operational, Functional, and Systems Requirements
- Budget and current spending (capital and operational expenditures)
- Unfunded Requirements
- Sensor and SIEM Detections/Analytics/Content List(s)
- SOC System Inventory
- Network Diagrams
I like to focus more on the documentation of use-case development. In the MITRE book that would primarily be “Sensor and SIEM Detections/Analytics/Content List(s)” as well as “Internal Change Management Processes”. Below is my own framework for the medium-grained tasks a Detection Engineer would carry out. You can think of each item below as an artifact or task documented in Jira, Confluence, etc.
- Document use-case – Taking as input some need, define the use-case so that it may be reviewed, prioritized, and added to the backlog.
- Develop use-case – Input is a documented need for the use-case. Perform in-depth requirements analysis, data wrangling, iterative development of detection and data sources, and full documentation. Output is a test detection in non-production, ready to be reviewed for acceptance by stakeholders and for final implementation.
- Implement use-case – Input is a developed use-case that has passed acceptance. Implement it in production and remove it from the backlog.
- Monitor use-cases – Input is all production use-cases. Monitor use-cases and periodically review them for relevancy and effectiveness. Output is requests to retire, enhance, or maintain the use-cases.
- Retire use-case – Input is a request from monitoring of all use-cases. Ensure the use-case is disabled, tracking anything that has dependencies on it. If necessary, create a new use-case to replace this one when others depend on it but it needs to be retired. Output is confirmation that retirement has not caused adverse impact.
- Plan threat-hunt – Input is demand for a new use-case. Generate a hypothesis and test plan. Describe data sources needed, effort and resources required and a schedule. Output is a plan and schedule ready for approval.
- Execute threat-hunt – Input is a threat hunt plan that has been approved. Gather the required team, and on schedule execute the hunt. Output is documented findings, and possibly escalation to incident response.
- Develop metric – Input is a demand from a stakeholder or a documented use-case ready for development. Develop a way to measure the effectiveness of a use-case, or some aspect of the DE program. Output is the logic/process for a scheduled report, dashboard, or some data.
- Implement metric – Input is a developed metric. Implement it and remove it from the backlog.
- Report metrics – Input is all developed, implemented metrics. Operationalize reporting. Output is feedback into the use-case development process or advice to stakeholders outside DE.
- Document datasource
- Implement datasource
- Monitor datasource
What are popular Detection Engineering Standards and Frameworks?
Frameworks
- Open Detection Engineering Framework
- MITRE ATT&CK
- The Cyber Kill Chain – There are many variants of the killchain model. Lockheed Martin’s is often cited.
- The Pyramid of Pain
- Detection Engineering Maturity Matrix – See also Kyle Bailey’s post Detection Engineering Maturity Matrix
- The DML Model
- Purple Team Exercise Framework (PTEF) – This is compatible with and includes a role for Detection Engineering
- MaGMa: a framework and tool for use case management – The MaGMa Use Case Framework (UCF) is a framework and tool for use case management and administration of security monitoring. MaGMa’s tool is deprecated and not maintained, but the methodology remains sound and well aligned with current practices. It is documented, where other practices are often shared by word of mouth. The primary author works at Splunk, which now offers the Enterprise Security Content library with MaGMa-like features.
- TaHiTI: Threat Hunting Methodology – Aligned with MaGMa, the TaHiTI methodology for threat hunting was created with real hunting practice in mind and provides organizations with a standardized and repeatable approach to their hunting investigations. The methodology uses 3 phases and 6 steps and integrates threat intelligence throughout its execution.
Naming Conventions
- From a LASCON talk by – Primary Key:SCOPE:TTP:Short name – Scope is servers, workstations, or something more granular.
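A linter for the naming convention above, as an added example that is not from these notes or from the LASCON talk: it parses `Primary Key:SCOPE:TTP:Short name`, validates each field, and flags duplicate keys so it can run as a detection-as-code CI check. The primary-key form (`DE-0001`), the use of ATT&CK technique IDs for the TTP field, and the scopes beyond servers/workstations are assumptions; the sample catalog is constructed.

```python
import re
from dataclasses import dataclass

# Assumption: "Primary Key" is an organisation-assigned rule id such as DE-0042.
PRIMARY_KEY_RE = re.compile(r"^[A-Z]{2,5}-\d{3,5}$")
# Assumption: TTP is a MITRE ATT&CK technique id, e.g. T1059 or T1059.001.
ATTACK_TECHNIQUE_RE = re.compile(r"^T\d{4}(\.\d{3})?$")
# "servers" and "workstations" come from the notes; the others are assumed
# examples of "something more granular".
ALLOWED_SCOPES = {"servers", "workstations", "domain-controllers", "cloud", "network"}


@dataclass(frozen=True)
class DetectionName:
    primary_key: str
    scope: str
    ttp: str
    short_name: str


def parse_detection_name(name: str) -> DetectionName:
    """Parse 'Primary Key:SCOPE:TTP:Short name', raising a field-specific ValueError."""
    # maxsplit=3 so a colon inside the free-text short name is preserved
    parts = name.split(":", 3)
    if len(parts) != 4:
        raise ValueError(f"{name!r}: expected 4 colon-separated fields, got {len(parts)}")
    key, scope, ttp, short = (p.strip() for p in parts)
    if not PRIMARY_KEY_RE.match(key):
        raise ValueError(f"{name!r}: primary key {key!r} does not match the ABC-0000 form")
    if scope.lower() not in ALLOWED_SCOPES:
        raise ValueError(f"{name!r}: scope {scope!r} not in {sorted(ALLOWED_SCOPES)}")
    if not ATTACK_TECHNIQUE_RE.match(ttp):
        raise ValueError(f"{name!r}: TTP {ttp!r} is not a technique id (T1234 or T1234.001)")
    if not short or len(short) > 60:
        raise ValueError(f"{name!r}: short name must be 1-60 characters")
    return DetectionName(key, scope.lower(), ttp, short)


def lint_catalog(names):
    """Validate every name; return (parsed_ok, error_messages), rejecting reused keys."""
    ok, errors, seen = [], [], {}
    for n in names:
        try:
            d = parse_detection_name(n)
        except ValueError as e:
            errors.append(str(e))
            continue
        if d.primary_key in seen:
            errors.append(f"{n!r}: primary key {d.primary_key} already used by {seen[d.primary_key]!r}")
            continue
        seen[d.primary_key] = n
        ok.append(d)
    return ok, errors


# Constructed sample catalog: two valid names and four convention violations.
SAMPLE_CATALOG = [
    "DE-0001:servers:T1059.001:PowerShell encoded command",
    "DE-0002:workstations:T1566.001:Office spawns script host",
    "DE-0003:laptops:T1003:LSASS access",            # scope not in the allowed set
    "DE-0004:servers:TA0002:Execution umbrella",      # a tactic id, not a technique
    "DE-0001:servers:T1136:Local account created",    # reuses DE-0001
    "DE-0005:servers:T1136",                          # short name missing
]

if __name__ == "__main__":
    parsed, problems = lint_catalog(SAMPLE_CATALOG)
    print(f"{len(parsed)} valid, {len(problems)} violations")
    for p in problems:
        print(" -", p)
```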
Detection Specification Languages/Formats
- Sigma
- YARA
- Splunk SPL
- Microsoft KQL
- Snort Rules
- GraphQL
- YAML
Managing a Backlog of Work
- JIRA
Processes
- Agile Use Case Detection Methodologies
- DevOps CI/CD
Standards
- Sigma
What tools are popular for Detection Engineering?
EDR
- Wazuh
- CrowdStrike
- Microsoft Defender for Endpoint
SIEM
- Microsoft Sentinel
- Splunk Enterprise Security
SOAR
- Splunk SOAR
- LogicHub
- Palo Alto Cortex
- CrowdStrike Fusion
Analytics
- MITRE Cyber Analytics Repository (CAR)
- Python (Pandas)
- Jupyter Notebooks
- Splunk Enterprise Security CIM Datamodels
- Microsoft Excel
Data Sources (Event Logs)
- MITRE ATT&CK datasource mapping
- Sysmon
- Linux auditd
- Filebeat
- Windows Events
- syslog
- Firewall Logs
- Zeek (network events)
- DNS logs
- Anti-virus Alerts
- Active Directory changes
- AWS CloudTrail
Malware Analysis
- VirusTotal
- Any.run
- Hybrid Analysis
- Cisco Malware Analytics
- IDA Pro
Who are the leaders in Detection Engineering?
What is the relationship between Detection Engineering and Incident Response?
What is the relationship between Detection Engineering and Threat Hunting?
Threat Hunting and Detection Engineering go hand-in-hand. Threat Hunting methods are used by Detection Engineers to validate their detection logic, data sources, and measure effectiveness. That said, Threat Hunting has additional outcomes unrelated to Detection Engineering goals, and may trigger incident response.
Most Detection Engineering use-cases begin with a Threat Hunt to validate and prioritize the use-case. If the threat hunt proves difficult, it helps estimate the effort of developing the use-case for detecting that threat. If the threat hunt yields few false positives, it indicates that the use-case could be highly effective and should get higher priority. If the threat hunt fails due to lack of data, it may indicate that development of the use-case should be deferred until the data source can be developed.
What is the relationship between Detection Engineering and Threat Intelligence?
The need for new detections is often driven by threat intelligence. We want to detect threats before they become incidents and the earliest needs may come from threat intelligence analysis. For example, if Qakbot has changed their methods but your organization has not yet encountered them, threat intelligence may be able to provide information on how to detect the new methods days before you are attacked.
A good detection engineer reads threat reports differently than a malware or TI analyst. He/she discovers detection opportunities, pivots and writes rules for any trace the reported threat may have left. – Florian Roth
What is the relationship between Detection Engineering and Offensive Security?
What is the relationship between Detection Engineering and IT Asset Inventory?
Detection Engineering both consumes and produces asset inventories. Detection Engineering crucially requires a quality inventory of assets, identities, and configurations.
If you want to measure the coverage of your detections for a specific threat, you will need to have an inventory of assets targeted by, exposed to, or vulnerable to the threat. If you don’t have a good inventory, you will not know how effective your detection will be. For example, if you have a detection for exploitation of a vulnerability in MS SQL Server, but you don’t know how many SQL Servers you have, or their addresses, you cannot determine if your detection will actually work.
Detection Engineers often have specific inventory requirements that others do not. For example, knowing which security agents are present, knowing how assets are configured, and knowing what permissions an identity has. These can all be used to enrich detections and rank alerts by the priority of the asset or the severity of the detected threat. Without this additional information, you can detect a threat, but not determine how urgent a response to that threat is.
What is the relationship between Detection Engineering and Malware Analysis?
This is a list of high-quality audio-only podcasts.
Top 3
The Cybersecurity Librarian recommends these 3 podcasts. They have these attributes:
- Original Content
- Quality Analysis
- Minimal or Stated Bias
- The Cyberwire
- I believe this is the gold standard for general daily cybersecurity news. The content is timely. The producers actively minimize, disclose, or state bias. The information is accurate and authoritative. The sources they choose are well selected and authoritative. I have seen them state when a source was not primary. The analysis is insightful. The style of the primary host (Dave Bittner) is charming, wry, and still efficient and professional. The guests are well chosen and diverse. While the revenue model they have (advertising/sponsorship) does bias their selection of guests, the interviews themselves appear to be far less biased than other similar shows.
- The Cyberwire has a number of spin-off podcasts on the topics of Social Engineering, Cybersecurity Law, Security and Vulnerability Research, and Security Management. Each strikes its own balance of entertainment, education, and original content. Each relies on unique and authoritative guests.
- Malicious Life
- An extraordinary documentary-style podcast. The host Ran Levi is an engaging presenter and selects worthy topics from the history of cybercrime. What makes this podcast worth listening to is how the producers take complicated timelines of events, balance the detail required, and tell the story of major historical cybersecurity events. There is occasional bias, but the hosts are good at stating it (mostly). The accuracy and historical detail of the content are impressive. They manage to balance the level of historical and technical detail and tell an entertaining and educational story.
- Darknet Diaries
- Darknet Diaries presents stories of recent cybercrimes and interviews with cybercriminals, hackers, and penetration testers. Despite the title, the stories are not about the Darknet per se, but about criminal hacking and the world of those that compromise security. The topics are diverse, the storytelling is compelling, and the interviewed guests are unique. This will give you more than just an entertaining look at cybercrime; it allows us a window into the minds of the people behind many well known security incidents. This is not fact-checked journalism: these are excellent stories. You will hear first-hand accounts from criminals and hear them state their motivations, tell their life stories, and explain their actions.
News / Threat Intelligence
- Discarded
- Proofpoint has an amazing Cyber Threat Intelligence team. They are especially well known for tracking email-based threats. This podcast gives you a behind-the-scenes look into the work of Proofpoint’s intelligence analysts. Typical episodes introduce you to a few analysts, their backgrounds, and the focus of their intelligence work. A discussion then follows about notable threat actors or analysis methods. If your work involves reporting on any of the “TA” actors (TA505, TA577, TA570), then this podcast is for you. While this is sponsored by a security vendor, it is not marketing oriented, and seems to be driven by the analysts themselves, giving it an authentic feel: quality content instead of shiny production values.
- Click Here
- Recorded Future’s newest podcast takes a journalistic style that is different from many other security podcasts. The topics are typically similar to what you might see in the news, but covering the “cyber” side: cyber-espionage, cyber-crime, or cyber-intelligence. The host, Dina Temple-Raston, was formerly part of NPR’s Investigations team, and the podcast takes on a serious and more intriguing tone: the format is documentary journalism, not round-table discussion.
- Recorded Future Podcast
- Recorded Future is a company that offers Threat Intelligence services. Their podcast is hosted by Cyberwire host Dave Bittner, and presents interviews with professionals involved in Cyber Threat Intelligence work. Unlike many other vendor podcasts, this one does not focus exclusively on interviewing their own staff and includes many people throughout the industry. It is not a sales-focused marketing initiative and the treatment of topics and selection of guests does not appear to be overly biased.
Privacy, Law, and Policy
- Caveat
- Caveat is hosted by Cyberwire’s Dave Bittner and lawyer Ben Yelin. You do not have to be a lawyer to enjoy or learn from this podcast. It discusses recent cybersecurity news and events that are impacted by law.
- Privacy Insider
- Hosted by Justin Antonipillai, the former Under Secretary for Economic Affairs at the US Department of Commerce, this podcast takes a serious look at law, policy, and social issues related to privacy. The Cybersecurity Librarian has yet to render a verdict on bias. It is sponsored, but the content seemed more “privacy geek” than marketing.
Management and Leadership
- Dev.Sec.Lead
- While this podcast is no longer produced, it is still available on most platforms. Hosted by Threat Intelligence author Wilson Bautista Jr., this podcast focuses on leadership development. It is of interest not just to CISOs and managers, but also to the every-day professional. The interviews and topics vary greatly, and the depth with which the topics are treated is refreshing. These guests are positive role models focused on improving our profession. This
Writing is a vital skill in cybersecurity. Even those in highly technical roles will be required to write clear, concise technical documentation, procedures, and playbooks. Those involved in the assessment of risk, threats, and vulnerabilities will benefit from strong report writing skills. Managers and consultants have the greatest need to develop effective communication and persuasive writing abilities.
The resources listed on this page will help you develop your writing skills, no matter what your role and need. Please share with us anything that you found helpful. The most useful, clear, and authoritative resources will be added to this list.
Top 3
- Ten Steps to Help you Write Better Essays & Term Papers
- This book by Neil Sawers is concise and practical. It doesn’t make you learn theory; it tells you what actions to take, right now, to start writing. Then it tells you what you can do to edit your writing and improve it. While this book is focused on students, the advice applies generally to anyone suffering from writer’s block, or who finds themselves challenged to write more clearly or briefly.
- How to write Proposals, Sales Letters & Reports
- Also from Neil Sawers, this book uses some of the same writing advice from “Write Better Essays” and applies it to the business world. There is more emphasis on persuasive writing and on communicating with visuals, charts, etc.
Writing for Penetration Testers and Vulnerability Assessment
If you have additional or better examples, templates, or writing guides for penetration testers, please let us know!
Penetration Testers rarely start as excellent writers. Your observations and discoveries need to be communicated and understood if they are to be valued. If you have felt frustrated trying to find good resources on writing pentest reports, you are not alone. Standards for writing pentest reports are emerging, and so is advice on good writing. If writing is new to you, remember it just takes practice, just like pentesting does.
Start with learning how to write a narrative report: the most common and easiest type of pentest report.
- Penetration Test Report
- Offensive Security has provided this template for use by their OSCP penetration testing students for years. It is intended to capture what activities you carried out in your pentest and the order you did them in. While it does include recommendations, the main focus is on capturing evidence.
Your clients will probably want more than a narrative report. Most want documented observations, risk assessment, and actionable recommendations. When you get good at writing your narrative reports, and consistently include verifiable proof of testing as well as verifiable findings, it will be time to practice writing more complete reports.
- Writing Penetration Testing Reports
- This is a paper from the SANS Institute’s Reading Room, submitted by a GIAC candidate for “GOLD” certification. It presents a fuller view of what a penetration testing report should look like. You will notice that it does not bear much resemblance to the Offensive Security “narrative” template. A narrative report would be an appendix to this type of report. This is what a client is looking for from a vulnerability report: background, risk assessment, and actionable recommendations.
Project Proposals and Statements of Work
If you work as a consultant you will need to write Statements of Work (SOWs) frequently. These are brief summaries that contain a Work Breakdown Structure (WBS) and estimated effort. They do not fully describe a Scope of Work, but are enough to authorize work when a client has trust and clear understanding.
Consultants and employees with initiative will have to write Project Proposals or Plans. These are larger detailed documents that explain the background and need for a project, the detailed scope, a Work Breakdown Structure, estimated effort, requirements for the project, roles of the parties involved, estimates of cost, and more.
- How to write Proposals, Sales Letters & Reports
- This book uses some of the same writing advice from “Write Better Essays” and applies it to the business world. There is more emphasis on persuasive writing and on communicating with visuals, charts, etc.
The Cybersecurity Librarian maintains a list of useful references to help you learn more about cybersecurity, keep up to date, and develop your skills and knowledge. There are separate pages for major categories of reference material.
Resource Categories
Do you have a great book, video, blog, article, magazine, journal, podcast, or course that helped you? Let us know. The most compelling, useful, concise, and clear resources will be added to the lists!
“Moro and Mike” was a weekly livestream discussing the cybersecurity profession and its practice. Our topics included leadership, management, job hunting, career development, emotional intelligence, threat intelligence, situational awareness and more. We went beyond the technology to discuss the professional practice of cybersecurity and IT.
Podcasts
The RSS feed for the Moro and Mike Podcast is https://cyberlibrarian.ca//moro-and-mike/podcast.rss
The Podcast is the audio-only portion of the Moro and Mike YouTube Livestream.
Moro and Mike is recorded live on YouTube, but past episodes are available in podcast (audio-only) format on:
- iTunes
- Spotify
- Google Podcasts
Just search for “Moro and Mike”.
Past Livestreams