Welcome to Issue #2 of the Security Engineering Newsletter.

If you or someone you know has a SecEng blog, please send it to me at andrew@akatz.org! I need more stuff to read!

I am currently reading The Art of Mac Malware by Patrick Wardle and just want to say... this book is DAMN incredible. If you want to beef up your Mac security and internals knowledge and learn about malware, I strongly recommend it. If you are feeling uninspired, it's reading stuff like this that can get you going again.

To any of the 20+ people who subscribed so far, my sincere thanks! I was absolutely chuffed to see some familiar people subscribe and I feel pumped to write and share on this platform. As a token of my gratitude, here is a picture of my cat Mogwai.

-- Andrew

🔥
Want to sponsor this newsletter? Hit me up!

💡
SECURITY ENGINEERING
Security Engineering - A Guide to Building Dependable Distributed Systems

Ross Anderson passed away. Ross's book on Security Engineering (https://www.cl.cam.ac.uk/~rja14/book.html) is unmatched and has been pivotal in building my career. I would recommend at least reading chapter 3, "Who is the opponent" because it may rightly scare the shit out of you. He has also posted video lectures of his security engineering course at University of Cambridge on YouTube. He will be missed.


Python Security Engineering Example
What does typical, practical Python even look like in security engineering? Where do people use it?

I wrote a post about what I think is the prototypical Python example in security engineering. This is followed by a short tangent on leetcode (YAY!) in SecEng interviews and how to get started in Python.


GitHub - TracecatHQ/tracecat: 😼 The open source alternative to Tines / Splunk SOAR. Build AI-assisted workflows, orchestrate alerts, and close cases fast.
😼 The open source alternative to Tines / Splunk SOAR. Build AI-assisted workflows, orchestrate alerts, and close cases fast. - TracecatHQ/tracecat

Tracecat 😼 positions itself as an open source alternative to paid SOAR platforms. It looks like they are working hard to deliver on some core features this year. Reading through their docs, it seems they have their head on straight about AI features as well. I'm excited to check on it again to see how things look in a year or two.

Thoughts 🤔

  • How much will it cost to run this in AWS if you are a team that has a ton of playbooks and absolutely hammers their SOAR with events 24/7 (like some people I know)?
  • Will Tracecat be able to handle my crazy mad scientist playbooks with 30 webhooks and 1200 actions?

Asking the important questions here.


Delinea has cloud security incident in Thycotic Secret Server gaff
All your credentials are belong to us.

Kevin Beaumont has a write-up about an authorization bypass vulnerability in Delinea/Thycotic Secret Server and how the company seemed to have fumbled in the disclosure process.

Delinea say they believe no customer data was impacted. If you want to search your own Secret Server instance, Delinea has posted some SQL queries that you can create a report and search for IOCs with: https://support.delinea.com/s/article/KB-010572-How-do-I-remediate-Secret-Server-in-reference-to-the-Secret-Server-SOAP-vulnerability


US Cybersecurity Agency Will Review Malware Samples Sent by the Public
Previously reserved for government employees, Malware Next-Gen now allows submissions from any person or organization in the country.

Previously reserved for government organizations at the federal, state, local, tribal, and territorial levels, CISA's Malware Next-Gen now allows submissions from any person or organization in the country. But... you have to use a typical, terrible government form...and they won't tell you the results of your submission unless you register. Maybe I am being too harsh, but I am finding it difficult to be excited about this.


Deploying DynamoDB locally on your computer - Amazon DynamoDB
Learn how to download and deploy Amazon DynamoDB locally on your computer. Use DynamoDB local to develop and test code before deploying applications on the DynamoDB web service.

Random cool thing: Did you know you can run DynamoDB as a Docker container? Pretty nice for developing locally before creating resources in AWS.


NSA Publishes Guidance for Strengthening AI System Security
The National Security Agency (NSA) is releasing a Cybersecurity Information Sheet (CSI) today, “Deploying AI Systems Securely: Best Practices for Deploying Secure and Resilient AI Systems.” The CSI is

NSA published a guide on strengthening AI system security. Somewhat unsurprisingly, sound practices and requirements for IT environments apply to AI systems too, although there is a significant amount of AI-specific information here that is worth the read. Prompt injection attacks, protecting model weights, red teaming, rolling back models, and so on...

Side note: AI red teaming sounds like a really interesting job.


Johan Berggren and Matt Linton's talk from Black Hat Europe 2023 discusses burnout on security teams. How can we make sure that we are able to recognize these signs in ourselves and others? They submit that there are two types of burnout: situational and chronic. Situational tends to be a fast onset thing that surfaces when working an extremely difficult incident while chronic occurs over a long period of time.

I would say there are definitely multiple levels of burnout. There is the low-to-mid-level burnout where you are overworking yourself, possibly not going outside for days, and easily irritated. And then there is the earth-shattering burnout I have only read about where you pretty much cannot bring yourself to work for 9+ months.

👂
LISTEN
‎The Cybersecurity Defenders Podcast: #117 - Digital Forensics with Carlos Cajigas, CTO at Covert Bit on Apple Podcasts
‎Show The Cybersecurity Defenders Podcast, Ep #117 - Digital Forensics with Carlos Cajigas, CTO at Covert Bit - Apr 16, 2024
‎Risky Business: Risky Business #745 – Tales from the PANageddon on Apple Podcasts
‎Show Risky Business, Ep Risky Business #745 – Tales from the PANageddon - Apr 16, 2024
‎The Future of Security Operations: The NFL’s George Griesler on securing the Super Bowl and reducing risk through collaboration on Apple Podcasts
‎Show The Future of Security Operations, Ep The NFL’s George Griesler on securing the Super Bowl and reducing risk through collaboration - Apr 16, 2024
‎Soft Skills Engineering: Episode 404: Interview comedy and talking pay while new on Apple Podcasts
‎Show Soft Skills Engineering, Ep Episode 404: Interview comedy and talking pay while new - Apr 15, 2024
‎Explainercast: Episode 16: ChatGPT on Apple Podcasts
‎Show Explainercast, Ep Episode 16: ChatGPT - Apr 11, 2024
🎲
MISCELLANEOUS
Lessons after a half-billion GPT tokens - Ken Kantzer’s Blog
My startup Truss (gettruss.io) released a few LLM-heavy features in the last six months, and the narrative around LLMs that I read on Hacker News is now starting to diverge from my reality, so I thought I’d share some of the more “surprising” lessons after churning through just north of 500 million tokens, by my […]

For those of us working with AI, LLMs, etc., be sure to check this one out. This post by Ken Kantzer has some knowledge-bomb-level takeaways on prompt engineering. I was surprised that NOT enumerating an exact list or instructions in the prompt produced better results. I was not surprised, however, by this line:

"Return nothing if you don’t find anything” – is probably the most error-prone prompting language we came across. Not only does GPT often choose to hallucinate rather than return nothing, it also causes it to just lack confidence a lot, returning blank more often than it should."

My Cat Alerted Me to a DDoS Attack

🚨 Cat saves company thousands of dollars in AWS expenditure by waking up owner to fend off DDoS attack. My cat just wakes me up at 4 am for no reason.


Jeff McJunkin on bypassing AV on Windows. This is old (2020), but still great, and I was reminded of it today and wanted to share it.

💼
REMOTE SECURITY ENGINEERING JOBS
Security Engineer (Remote)
Remote - U.S.
Senior Security Engineer, Detection & Response (Remote, US)
Remote - United States
Senior Security Engineer
Remote
Staff Cybersecurity Engineer
Blacksburg, VA; Remote, US
Warner Music Inc. - Senior Security Engineer
A little bit about our team: Global team of dynamic, creative and collaborative problems solvers working together to build highly secure and scalable solutions to drive innovation and operational excellence. This represents a technical and experienced position in the IT organization. This position will be called upon to represent IT organizations by internal and external organizations. An individual in this position is responsible for making the production systems more reliable by performing day-to-day operations including system monitoring, troubleshooting, problem identification, resolution and restore the following established and documented procedures and with minimal direction. This group is the digital thought and technology collective working with world class creative Media & Entertainment executives and their teams; acting as the trusted operators and strategic partners with them to deliver the best possible outcomes. Why this could be your next big break: This is an opport
Security Engineering Manager
United States
👋
THANKS

Thank you for reading this week's issue, and see you next week! If you have any feedback, hit me up!