Nate Guagenti

3.5K posts

@neu5ron

Columbus, OH · Joined June 2011
1.2K Following · 2.5K Followers
Pinned Tweet
Nate Guagenti@neu5ron·
@therealwlambert @anton_chuvakin 💯 enhance, enable, help, uplift, expedite, alleviate, move forward, etc.. any other words that are absolutes are a red flag.. only a snake oil vendor deals in absolutes
Nate Guagenti@neu5ron·
@ateixei @TheRealShiroe I ❤️ single threaded applications. especially when a task maxes out a whole core.. all the other task threads on that core sit and queue for a very very long time (aka till that task is done).. and dream that any of those tasks aren’t important 🥳
Alex Teixeira@ateixei·
@TheRealShiroe This is how most SIEM users still develop a 'detection' today: a rule throws out 1 (atomic) alert, usually linked to a single indicator. Now, imagine implementing over three-hundred of those. It's unmanageable, if not impossible, given that each query will keep one CPU core busy.
Nate Guagenti@neu5ron·
@HackingLZ has to be submission and they approve and write it. alert fatigue is really not the big issue, poor rules can mean poor performance. performance costs money not to mention worst case downtime. there isn’t a database/siem that will truly prevent a poorly written rule or correlation
Justin Elze@HackingLZ·
If you have a managed/monitored SIEM by some MSSP should they accept and monitor detections you add? should they only have a process where you submit detection criteria and they write it?
Nate Guagenti@neu5ron·
@subTee lucky if anybody implements it right. and most java applications (half+ of siems/logging solutions built upon) have no ability for CRL. so just grab any cert from a compromised host and do your bidding. granted this isn’t evasion, but I don’t feel you need to evade
Nate Guagenti@neu5ron·
@subTee 100. if you hash the entire scheduled task XML block, filter on that. it’s absolutely minimal/easy. @acalarch and I presented on that almost 5 years ago
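One way to put the "hash the entire scheduled task XML block and filter on that" idea into practice, as an added example that is not code from the tweet or its author: the task definition (the TaskContent field of a Windows Security event 4698) is canonicalised before hashing, so indentation and line-ending differences between log pipelines do not produce new hashes, and anything not on an allowlist of known-good task fingerprints is surfaced. The task, the allowlist and the sample events are constructed for the example; the triage function and field names beyond those the event carries are hypothetical.

```python
import hashlib
import re
import xml.etree.ElementTree as ET

# Constructed sample: task XML shaped like the TaskContent field of a Windows
# Security event 4698 (scheduled task created). The task itself is hypothetical.
KNOWN_GOOD_TASK_XML = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger><StartBoundary>2023-01-01T02:00:00</StartBoundary></CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Program Files\\ExampleBackup\\backup.exe</Command>
      <Arguments>--nightly</Arguments>
    </Exec>
  </Actions>
</Task>
"""


def task_fingerprint(task_xml: str) -> str:
    """SHA-256 over the canonicalised task definition: the same task logged
    with different indentation or line endings hashes identically, while any
    change to a trigger, command or argument produces a different hash."""
    # Drop the XML declaration; TaskContent claims UTF-16 but reaches us as text.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", task_xml)
    # C14N with whitespace-only text stripped gives a layout-independent form.
    canonical = ET.canonicalize(xml_data=body, strip_text=True)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def triage_task_events(events, allowlist):
    """Return one alert per 4698 event whose task fingerprint is not on the
    allowlist built from known-good task definitions (hypothetical helper)."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4698:
            continue
        digest = task_fingerprint(ev["TaskContent"])
        if digest not in allowlist:
            alerts.append({"TaskName": ev["TaskName"],
                           "User": ev["SubjectUserName"],
                           "sha256": digest})
    return alerts


# Allowlist of fingerprints taken from the known-good definitions (constructed).
ALLOWLIST = {task_fingerprint(KNOWN_GOOD_TASK_XML)}

# Constructed events: the first is the known task re-serialised on one line with
# CRLF endings, the second is the same task name with a changed command, the
# third is a different event id and must be ignored.
SAMPLE_EVENTS = [
    {"EventID": 4698, "TaskName": "\\ExampleBackup\\Nightly", "SubjectUserName": "svc_backup",
     "TaskContent": re.sub(r">\s+<", "><", KNOWN_GOOD_TASK_XML).replace("\n", "\r\n")},
    {"EventID": 4698, "TaskName": "\\ExampleBackup\\Nightly", "SubjectUserName": "jdoe",
     "TaskContent": KNOWN_GOOD_TASK_XML.replace(
         "C:\\Program Files\\ExampleBackup\\backup.exe", "C:\\Users\\Public\\updater.exe")},
    {"EventID": 4702, "TaskName": "\\Other", "SubjectUserName": "jdoe",
     "TaskContent": KNOWN_GOOD_TASK_XML},
]

if __name__ == "__main__":
    for alert in triage_task_events(SAMPLE_EVENTS, ALLOWLIST):
        print("unknown scheduled task definition:", alert)
```

The canonicalisation step is what keeps the approach "minimal": without it, every exporter that re-indents or re-encodes the XML would produce a new hash and the allowlist would never stabilise.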
Anton@Antonlovesdnb·
@subTee .@neu5ron is/was years ahead of us defenders. What a legend.
Nate Guagenti@neu5ron·
@HackingDave micro level changes.. but since this isn’t a macro change, people lose heart or say nothing will ever change.
Nate Guagenti@neu5ron·
@HackingDave high school alone could change a lot.. teaching kids how to use google in and of itself would be life changing for so many and across many industries. Schools got rid of life skills for whatever godforsaken reason, but think of a life skills w/ google & credit cards & so on…
Dave Kennedy@HackingDave·
Long thread but serious talk. Seeing a massive problem in the security industry today. We have brand new candidates lacking "hands on" experience coming into the workforce and finding it extremely difficult to find a job. 1/10
Nate Guagenti@neu5ron·
@Antonlovesdnb “need more than prevention, use xdr” - vendor “we prevent everything” - same vendor
Anton@Antonlovesdnb·
Does this even add any value to customers?
Nate Guagenti@neu5ron·
@jaredcatkinson love it. quantifying intent/action in relation to the importance/role of an asset/entity in relation to the possibility is nothing short of incredibly difficult.
Nate Guagenti@neu5ron·
@blubbfiction example for mac addresses, one model/log/siem uses ":" while another uses "." while another has no separator. aa:bb:cc:dd:ee:ff vs aabb.ccdd.eeff vs aabbccddeeff
Nate Guagenti@neu5ron·
@blubbfiction in layman's terms (for myself), this alleviates/solves value transformations then yes? ie: field mappings aren’t enough, as different vendors log values and/or parse/normalize values differently, not change field names.
Thomas Patzke@blubbfiction·
The new capabilities of pySigma allow conversions of Sigma rules that were hard to implement in sigmac. Example: CrowdStrike data contains only the file name in ParentBaseFileName while ParentImage in Sigma rules contains the path. The new transformations solve this problem.
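The two points raised in this exchange, that a field rename alone is not enough because vendors also log the *values* differently (the MAC address notations aa:bb:cc:dd:ee:ff, aabb.ccdd.eeff and aabbccddeeff), and that a rule's full ParentImage path has to be reduced to a file name for a backend that only stores ParentBaseFileName, are shown together in the added example below. It is illustrative code written for this page, not pySigma's code or API: the backend profiles, the `translate_detection` function and the field names other than ParentImage and ParentBaseFileName are hypothetical, and the backends are constructed stand-ins rather than real product schemas.

```python
import re
from typing import Callable, Dict, Optional


def canonical_mac(value: str) -> Optional[str]:
    """Reduce any common MAC notation (aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff,
    aabb.ccdd.eeff, aabbccddeeff) to 12 lowercase hex digits; None if the
    value is not a MAC address at all."""
    if not re.fullmatch(r"[0-9a-fA-F:.\-\s]+", value.strip()):
        return None  # characters other than hex digits and known separators
    digits = re.sub(r"[^0-9a-fA-F]", "", value).lower()
    return digits if len(digits) == 12 else None


def format_mac(digits: str, style: str) -> str:
    """Render 12 canonical hex digits in a backend's preferred notation."""
    if style == "colon":
        return ":".join(digits[i:i + 2] for i in range(0, 12, 2))
    if style == "cisco":
        return ".".join(digits[i:i + 4] for i in range(0, 12, 4))
    if style == "bare":
        return digits
    raise ValueError("unknown MAC style: " + style)


def mac_in(style: str) -> Callable[[str], str]:
    """Value transformation: any MAC notation -> the given style, rejecting non-MACs."""
    def transform(value: str) -> str:
        digits = canonical_mac(value)
        if digits is None:
            raise ValueError("not a MAC address: " + value)
        return format_mac(digits, style)
    return transform


def windows_basename(path: str) -> str:
    """Path -> file name for backends that store only the base name; a leading
    wildcard such as *\\services.exe reduces to services.exe as well."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


# Hypothetical backend profiles (constructed). Each has a field map (rename)
# and a value map (transform), because a rename alone cannot fix values that
# are logged in a different shape.
BACKENDS: Dict[str, Dict[str, dict]] = {
    # Stores only the parent's file name, as described for ParentBaseFileName,
    # and MAC addresses without separators.
    "basename_backend": {
        "field_map": {"ParentImage": "ParentBaseFileName", "SourceMac": "MacAddress"},
        "value_map": {"ParentImage": windows_basename, "SourceMac": mac_in("bare")},
    },
    # Keeps full paths but writes MAC addresses in dotted-quad groups.
    "dotted_mac_backend": {
        "field_map": {"SourceMac": "src_mac"},
        "value_map": {"SourceMac": mac_in("cisco")},
    },
}


def translate_detection(detection: Dict[str, str], backend: str) -> Dict[str, str]:
    """Apply the backend's field renames and value transformations to a flat
    Sigma-style detection mapping (hypothetical helper, not pySigma's API)."""
    profile = BACKENDS[backend]
    out = {}
    for field, value in detection.items():
        new_field = profile["field_map"].get(field, field)
        transform = profile["value_map"].get(field)
        out[new_field] = transform(value) if transform else value
    return out


if __name__ == "__main__":
    rule = {"ParentImage": "*\\services.exe", "SourceMac": "AA:BB:CC:DD:EE:FF"}
    for name in BACKENDS:
        print(name, translate_detection(rule, name))
```

The value transformation is kept separate from the rename on purpose: the MAC case needs only a value change, the ParentImage case needs both, and a third backend could need a rename with the value untouched.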
Nate Guagenti@neu5ron·
@ionstorm @cyb3rops absolutely! i think only reason hasn’t caught on is usually people's lack of imagination or more so like with so much in this - due to their siem/tools being so specific time to check something else out almost feels like a waste.
ɯɹoʇsuoı@ionstorm·
You have multiple SIEMs, which data model did you choose and why? Every vendor has their own Data model, Splunk CIM, Microsoft ASIM, Elastic ECS, Google UDM, ArcSight CEF, QRadar LEEF, Cloud Information Model (CIM). Anyone else see a problem here?
Nate Guagenti@neu5ron·
@ionstorm @cyb3rops the best solution is Sigma coupled with a project documenting log sources original fields with value examples. after that universal schema is just a matter of creating a sigma translator to the original source
Nate Guagenti@neu5ron·
@ionstorm @cyb3rops example, one data source had been mapped to a vendors schema for 2 years, they knew it. only to then create their own w/ no regard. or how about the other vendor who left comments such as “original source of theft” in their initial code release.