Ross Wolf

631 posts

@rw_access

fan of the absurd. engineer for @Sublime_Sec. previously at @Elastic @EndgameInc @MITREcorp https://t.co/Jvf9O8HJvM

Colorado. Joined June 2018
619 Following, 1.1K Followers
Ross Wolf retweeted
Sublime Security @sublime_sec
Speed matters in threat hunting. We built high-performance historical hunting and detection backtesting at Sublime that scales to millions of messages without slowing analysts down. Read the technical deep dive: sublime.security/blog/how-we-bu…
Ross Wolf @rw_access
@sublime_sec TL;DR: how to make a ~90% similarity search. Instead of one hash for a 100% match:
1. Use many min-hashes (400-500)
2. Group those into a handful of big hashes (10-20)
3. Find an exact matching big hash to get close
4. Count matching small hashes to calculate similarity
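
The four steps in the tweet above, carried through as an added example (this is illustration code written for this page, not Sublime Security's implementation or anything from the linked blog post). The word-bigram shingling, the (a*x + b) mod p hash family, the choice of 400 min-hashes in 20 bands of 20, and the sample phishing template and newsletter are all assumptions made for the demo.

```python
"""MinHash + banded LSH, following the four steps in the tweet above.

Added illustration, not Sublime Security's code: the word-bigram shingling,
the universal-hash family, 400 hashes in 20 bands of 20, and the sample
messages are all choices made here for the demo.
"""
import hashlib
import random
import re
import struct

NUM_HASHES = 400                 # step 1: many small min-hashes
NUM_BANDS = 20                   # step 2: a handful of big hashes
ROWS = NUM_HASHES // NUM_BANDS   # 20 min-hashes feed each big hash
_PRIME = (1 << 61) - 1           # Mersenne prime for the (a*x + b) mod p family
_rng = random.Random(0xC0FFEE)   # fixed seed: signatures must be reproducible
_COEFFS = [(_rng.randrange(1, _PRIME), _rng.randrange(0, _PRIME)) for _ in range(NUM_HASHES)]


def shingles(text, k=2):
    """Set of lowercased word k-grams. Two messages compare by the Jaccard
    similarity of their shingle sets; swapping one word changes k shingles."""
    words = re.findall(r"\w+", text.lower())
    if len(words) < k:
        return {" ".join(words)}
    return {" ".join(words[i:i + k]) for i in range(len(words) - k + 1)}


def _base_hash(shingle):
    """64-bit hash of a shingle; the hash family below permutes this value."""
    return int.from_bytes(hashlib.blake2b(shingle.encode(), digest_size=8).digest(), "big")


def minhash(text):
    """Step 1: for each of NUM_HASHES hash functions keep the minimum over the
    shingle set. P(min_i(A) == min_i(B)) equals Jaccard(A, B)."""
    base = [_base_hash(s) for s in shingles(text)]
    return [min((a * x + b) % _PRIME for x in base) for a, b in _COEFFS]


def band_keys(sig):
    """Step 2: pack each band of ROWS min-hashes into one 8-byte 'big hash'.
    Two messages share a band key only if all ROWS min-hashes in it agree."""
    keys = []
    for band in range(NUM_BANDS):
        chunk = sig[band * ROWS:(band + 1) * ROWS]
        packed = struct.pack(f">{ROWS}Q", *chunk)
        keys.append((band, hashlib.blake2b(packed, digest_size=8).digest()))
    return keys


def estimate_similarity(sig_a, sig_b):
    """Step 4: the fraction of matching small hashes estimates Jaccard similarity."""
    return sum(a == b for a, b in zip(sig_a, sig_b)) / NUM_HASHES


class SimilarityIndex:
    def __init__(self):
        self.sigs = {}      # message id -> full signature
        self.buckets = {}   # (band, big hash) -> ids sharing that big hash

    def add(self, msg_id, text):
        sig = minhash(text)
        self.sigs[msg_id] = sig
        for key in band_keys(sig):
            self.buckets.setdefault(key, set()).add(msg_id)

    def query(self, text, threshold=0.9):
        """Step 3: exact lookups on the big hashes collect candidates without
        scanning the whole index; step 4 then scores only those candidates."""
        sig = minhash(text)
        candidates = set()
        for key in band_keys(sig):
            candidates |= self.buckets.get(key, set())
        hits = [(cid, estimate_similarity(sig, self.sigs[cid])) for cid in candidates]
        return sorted((h for h in hits if h[1] >= threshold), key=lambda h: -h[1])


# Constructed sample: one phishing template personalised per recipient, plus
# an unrelated newsletter that should never land in the same group.
TEMPLATE = (
    "Hello {name}, we detected an unusual sign in attempt on your corporate mailbox "
    "from a new device earlier today. To keep your account secure, our security team "
    "has temporarily limited access until the activity is confirmed. Please review the "
    "recent activity and verify your identity within 24 hours by following the secure "
    "link below, otherwise your mailbox will be suspended and any pending messages will "
    "be returned to sender. This verification only takes a minute and protects your data "
    "as well as the data of everyone in the organization. Thank you for your cooperation. "
    "IT Service Desk"
)
NEWSLETTER = (
    "Quarterly engineering newsletter: this month the platform team shipped a faster "
    "search index, the mobile team finished the dark mode rollout, and we welcomed "
    "twelve new colleagues across three offices. Read the full notes on the intranet "
    "and join the all hands on Friday."
)


def build_index():
    idx = SimilarityIndex()
    idx.add("phish-alice", TEMPLATE.format(name="Alice"))
    idx.add("phish-bob", TEMPLATE.format(name="Bob"))
    idx.add("newsletter", NEWSLETTER)
    return idx


if __name__ == "__main__":
    idx = build_index()
    for msg_id, score in idx.query(TEMPLATE.format(name="Carol")):
        print(f"{msg_id}: ~{score:.0%} similar")
```

The banding is what makes this fast: with 20 bands of 20 rows, a pair of messages shares at least one big hash with probability 1 - (1 - s^20)^20, which is near 1 for s around 0.95 and near 0 for s below 0.7, so the exact-match lookup in step 3 does the filtering and step 4 only counts small hashes for the few survivors.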
Ross Wolf @rw_access
I'm definitely feeling warm and fuzzy hashes this holiday season. Fast similarity is something that stumped me for a very long time, but MinHash turned out to be an elegant solution! Wrote up how to build it from scratch on the @sublime_sec blog
Quoting Sublime Security @sublime_sec:
Grouping similar emails creates herd immunity and boosts analyst productivity. We built a low-latency similarity system that groups millions of messages in milliseconds. Technical deep dive: sublime.security/blog/how-to-bu…

Ross Wolf retweeted
Sublime Security @sublime_sec
We’re excited to announce that Sublime has raised $150M in a Series C led by @Georgian_io, joined by new investors @Avenir_Growth, @01Advisors, @jonoberheide, and @nicoleperlroth, and existing investors @IndexVentures, @IVP, @slow, and @CitiVentures. This year we launched ASA and ADÉ, our AI agents that autonomously triage threats and auto-adapt coverage, freeing security teams from repetitive work and delivering rapid, tailored defenses. We’ve grown our customer base 4x since the beginning of the year while maintaining zero enterprise customer churn since company inception. This funding accelerates our vision to deliver autonomous email security that adapts to each organization's unique needs, stopping sophisticated attacks while eliminating the manual work and vendor bottlenecks of legacy solutions. Thank you to our customers, partners, and investors for being on this journey with us. 🔗 Read more: sublime.security/blog/sublime-r…
Ross Wolf retweeted
Sublime Security @sublime_sec
Introducing email bomb protection from Sublime: a powerful solution for automatically detecting, remediating, and triaging email bombs. In these attacks, an adversary will send hundreds or thousands of emails at once to flood an inbox and obfuscate the malicious intent. Learn how our solution works and how to use it: sublime.security/blog/email-bom…
Ross Wolf @rw_access
this was a very cool problem to solve with @filar! It's such a natural evolution of the platform, which has been group-centric since day 1. Fellow nerds, look out for an engineering post about how "fuzzy" grouping works and the scaling+realtime challenges we had to overcome
Quoting Sublime Security @sublime_sec:
Mass volume email attack campaigns are often customized to the recipient to increase legitimacy. We recently improved our campaign grouping algorithm to be better at identifying similar messages in a campaign to cut review time, reduce alerts, and boost herd immunity. Read how it works here: sublime.security/blog/enhanced-…

Josh Kamdjou @jkamdjou
the “email security mona lisa”
Josh Kamdjou @jkamdjou
brb updating my linkedin profile to say “Built technology masterpiece”
Sublime Security @sublime_sec
any guesses? wrong answers only ⬇️
Sublime Security @sublime_sec
Our limited drop Sublime DEF CON t-shirt returns this year with a new design we can’t wait to share. Hint: let's just say it's pretty rad 👍 As always, we’ll post our location during the con, so you can swing by to pick one up and say hello to the team.
Rich Seymour @rseymour
I can't forgive myself for this typographic incident.
Ross Wolf @rw_access
@jonathanbourke @sublime_sec Happy to help you debug! Do you mind hopping in our community Slack so we can take a look? Twitter replies are just so painful for the back and forth, and I find it way more productive
Jonathan Bourke @jonathanbourke
@sublime_sec my server had a power outage, which borked (a technical term) some docker processes. Back up and running, but Sublime is not ingesting email - no new detections, nothing recent when searching. Any pointers?
Ross Wolf retweeted
Justin Ibarra @br0k3ns0und
if a rule is too complex to understand, the alert is even worse
Justin Ibarra @br0k3ns0und
For the curious observers, some things that _can_ make a detection rule bad:
- non-performant
- overscoped
- underscoped
- too brittle
- too comprehensive
- too atomic
- too complex
- non-readable
Basically need a zen of rule writing, similar to Python
Quoting Justin Ibarra @br0k3ns0und:
@nas_bench There are definitely bad detections rules 😅😥😰

Gabriel Landau @GabrielLandau
@andythevariable It’s brand new 😔. The tool cracked while I was pressing the master link on. Now it’s stuck on the chain and I’m not sure how to get it off.
Ross Wolf @rw_access
@GabrielLandau Could also cheaply hash the first 1K with an 8-byte hash and the full contents as a SHA256 hash. One fast, one slow. Since many binaries are aligned by the KB or half-KB (as @Andrew___Morris can attest), there's not as much entropy in the file size as you'd think.
Gabriel Landau @GabrielLandau
If you publish anything that involves a list of hashes, please consider publishing tuples of (hash,size) instead. This enables lookups to skip expensive hashing work if the size does not match anything in the set. 64-bit file sizes can be encoded as 8 bytes concatenated onto the end of hashes, turning a 32-byte SHA256 into a 40-byte tuple. If space is an issue and you control both the hash generation and verification logic, you can alternatively truncate SHA256 to 192 bits to get 32-byte (hash,size) tuples.
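
The (hash, size) tuple layout from the post above, plus the size-first lookup it enables, as an added example (illustration code written for this page, not from either poster). It follows the post's byte layout: SHA-256 digest followed by the 64-bit size as 8 bytes for a 40-byte tuple, or the digest truncated to 192 bits for a 32-byte tuple when you control both ends. The `IndicatorSet` class, the outcome labels, and the sample "binaries" (two different 4096-byte blobs, to show the same-size case Ross Wolf's reply warns about) are constructed for the demo.

```python
"""(hash, size) indicator tuples as proposed in the thread above.

Added example, not code from either poster. Layout: SHA-256 digest followed
by the file size as 8 big-endian bytes (40 bytes), or the digest truncated
to 192 bits plus the size (32 bytes) when you control both the publisher
and the verifier. The sample 'binaries' below are constructed for the demo.
"""
import hashlib
import struct

FULL_DIGEST = 32    # SHA-256 output length
TRUNC_DIGEST = 24   # 192-bit truncation keeps the whole tuple at 32 bytes
SIZE_FIELD = 8      # 64-bit file size


def encode_tuple(digest, size, truncate=False):
    """Concatenate digest || size. Truncation is opt-in and both ends must agree on it."""
    if len(digest) != FULL_DIGEST:
        raise ValueError("expected a 32-byte SHA-256 digest")
    if not 0 <= size < 1 << 64:
        raise ValueError("size must fit in 64 bits")
    body = digest[:TRUNC_DIGEST] if truncate else digest
    return body + struct.pack(">Q", size)


def decode_tuple(blob):
    """Split a 32- or 40-byte tuple back into (digest, size)."""
    if len(blob) not in (FULL_DIGEST + SIZE_FIELD, TRUNC_DIGEST + SIZE_FIELD):
        raise ValueError("tuple must be 32 or 40 bytes")
    return blob[:-SIZE_FIELD], struct.unpack(">Q", blob[-SIZE_FIELD:])[0]


def make_tuple(data, truncate=False):
    """Publisher side: the tuple for a file's contents."""
    return encode_tuple(hashlib.sha256(data).digest(), len(data), truncate)


class IndicatorSet:
    """Verifier side: tuples indexed by size, so a file whose size matches
    nothing in the set is rejected before any hashing happens."""

    def __init__(self, tuples):
        self.by_size = {}
        self.digest_len = None
        for blob in tuples:
            digest, size = decode_tuple(blob)
            if self.digest_len is None:
                self.digest_len = len(digest)
            elif self.digest_len != len(digest):
                raise ValueError("a set must use one digest length throughout")
            self.by_size.setdefault(size, set()).add(digest)
        self.hashes_computed = 0   # instrumentation: how often we paid for SHA-256

    def lookup(self, data):
        """Returns 'size-miss' (no hash computed), 'hash-miss' or 'match'."""
        digests = self.by_size.get(len(data))
        if digests is None:
            return "size-miss"
        self.hashes_computed += 1
        digest = hashlib.sha256(data).digest()[:self.digest_len]
        return "match" if digest in digests else "hash-miss"


# Constructed samples. Two different 4096-byte 'binaries' share a size, which
# is common for KB-aligned files as the reply above notes, so a size match can
# only admit a candidate; it never confirms one.
KNOWN_BAD = b"MZ" + b"\x00" * 4094         # 4096 bytes, in the indicator set
SAME_SIZE_BENIGN = b"MZ" + b"\x90" * 4094  # 4096 bytes, different contents
OTHER_SIZE = b"MZ" + b"\x00" * 510         # 512 bytes, no size in the set


def demo():
    indicators = IndicatorSet([make_tuple(KNOWN_BAD)])
    outcome = {
        "other_size": indicators.lookup(OTHER_SIZE),
        "same_size_benign": indicators.lookup(SAME_SIZE_BENIGN),
        "known_bad": indicators.lookup(KNOWN_BAD),
    }
    return outcome, indicators.hashes_computed


if __name__ == "__main__":
    outcome, hashed = demo()
    print(outcome, "- SHA-256 computed for", hashed, "of 3 lookups")
```

Of the three lookups in `demo()` only two reach SHA-256: the 512-byte file is discarded on size alone, while the same-size benign file shows why the size check is a prefilter and not a verdict.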