Welcome to Issue #4 of the Security Engineering Newsletter.
SecOps Alert Enrichment: Part 2 - Tor Exit Nodes
The second post in my SecOps Alert Enrichment series is about correlating source IPs in alerts with Tor exit nodes. The premise of this series is that, although many SecOps teams have implemented basic alert enrichment, I submit that there are a lot of other niche, high-value enrichment use cases that teams out there may have not considered yet.
Methods for Finding Threat Signals - Greg Lesnewich @ NetNoiseCon
Greg Lesnewich gave a talk about the different ways to find anomalies within your data that indicate maliciousness. I felt like I took a lot away from it and highly recommend checking it out. Here is a brief overview of the methods described in Greg's talk:
- Amplification – take a distinct example of malicious activity and try to create a more broad detection from it
- Filtering – filter down benign/irrelevant signals to create a distinct detection (opposite of amplification)
- Layering – layer multiple weak signals on top of each other
- Hashing – hash some parts of a file/artifact together and then search for it at scale
pyinfra
pyinfra automates infrastructure using Python. It’s fast and scales from one server to thousands. Great for ad-hoc command execution, service deployment, configuration management and more.
Remind you of Ansible? Here is a talk that I found by Daryl Tester from PyCon AU 2023 that goes over how pyinfra differs from Ansible. Although the project is not new, it is the first I am hearing of it and will definitely be trying this out at some point.
bruno - Opensource IDE For Exploring and Testing APIs
It's been my experience that the prevailing desktop API platforms out there have way too many features and suffer from heavy enshittification and price gouging. If that has been your experience too, you should check this out.
Bruno is an open-source desktop/CLI/IDE API platform available on Mac, Windows, and Linux. You can use git or any version control of your choice to collaborate with your team over your API collections.
The DFIR Report: From IcedID to Dagon Locker Ransomware in 29 Days
A new DFIR report dropped! The DFIR Report will always be one of my top information security resources. Reading their reports provide so much perspective on where to place coverage and craft detection rules, whether you are a Windows shop or not.
Software Supply Chain Threats
A primer on software supply chain threats put together by SLSA ("supply chain levels for software artifacts" or just "salsa"). The page includes real-world examples of threats and how the SLSA framework helps against those threats.
Rumor that OpenAI is stealth-testing GPT-4.5 or GPT-5 on LMSYS
Earlier this week, a model called gpt2-chatbot became available on AI user-benchmarking site LMSYS. The author asserts that the performance of gpt2-chatbot and the lack of general information about it may be a cover for OpenAI stealth-testing one of its new models on the site. I did a few tests on Monday with the model and was thoroughly impressed in line with the author. However, I wasn't able to test as much as I would like since it quickly became rate-limited as the news proliferated.
Hacking Detergent DRM - Bob Cassette Rewinder
This guy who reverse engineered his tiny dishwasher is my hero. Put this on my list of a million other things that I want to try.
⭐ Security Operations Engineer 1 @ Jamf
⭐ Senior Security Operations Engineer (Azure) @ Jamf
Security Engineer, Threat Detection @ Stripe
Senior Security Engineer, Corporate Security @ Gitlab
Thank you for reading this week's issue, and see you next week! If you have any feedback, hit me up!
Discussion