Welcome to Issue #7 of the Security Engineering Newsletter.

Hello! I recently went on The Cybersecurity Defenders Podcast to speak about security automation and SOAR platforms. It was an absolute pleasure speaking with Christopher Luft from Lima Charlie about all these things! 😁 You can check it out below on Apple Podcasts.

‎The Cybersecurity Defenders Podcast: #128 - Exploring SOAR with Andrew Katz, Senior Information Security Engineer at Jamf on Apple Podcasts
‎Show The Cybersecurity Defenders Podcast, Ep #128 - Exploring SOAR with Andrew Katz, Senior Information Security Engineer at Jamf - May 29, 2024

In other news, I spent some time in Chicago over the weekend and checked out the river walk. Hopefully I don't insult anyone by saying this, but the Chicago riverwalk reminded me a bit of the Thames river walk in London. Highlights: The Northman, Venteux, Art Institute of Chicago.

As a final note, I am going to start writing more long-form posts rather than newsletters. I really enjoyed writing seven of these so far, but the short-form posts are not doing it for me. I'll still be writing stuff about security on this site – just not in this format.

– Andrew

💡
SECURITY ENGINEERING
GitHub - ackatz/seclook: Automatic security lookups from your clipboard
Automatic security lookups from your clipboard. Contribute to ackatz/seclook development by creating an account on GitHub.

One of the things I've been working on the past few weeks is making some new updates to my macOS app seclook. I added some bug fixes and a few new ways to scan indicators, including GreyNoise and ThreatFox.

seclook is a macOS/Swift app that sits in the background and monitors your clipboard, sending any IP, SHA2/MD5 hash, or domain to services like AbuseIPDB, VirusTotal, GreyNoise, and more. If any scanned item has a bad reputation score, you get a notification! It is free and open source, so please check it out! I also have a Python CLI version which is a bit different but still could be useful to you.

GitHub - telekom-security/tpotce: 🍯 T-Pot - The All In One Multi Honeypot Platform 🐝
🍯 T-Pot - The All In One Multi Honeypot Platform 🐝 - telekom-security/tpotce

I have been experimenting with tpotce from Deutsche Telekom and I absolutely love it. In the past, I have experimented with cowrie (SSH honeypot) which is amazing in its own right. With tpotce, however, cowrie is just one of the many honeypots included in the package. It is incredibly easy to spin up and there are numerous guides online to get it running.

One of the interesting things I've been doing with tpotce is setting up a safe way to query the underlying Elasticsearch via API. My setup involves running a FastAPI app on Fly.io that can make API calls to the tpotce Elasticsearch via a Tailscale tunnel. There has been a lot of careful consideration in heavily restricting the subnet and Tailscale ACLs involved in all of these interactions. It is a bit complex for a newsletter post, but in the end, I am able to make queries like this:

GET https://[redacted]/api/v1/ip_reputation?ip_address=60.173.28.112

{
    "ip_address": "60.173.28.112",
    "ip_meta": {
        "city": "Hefei",
        "country": "China",
        "latitude": 31.8564,
        "longitude": 117.2661,
        "asn": "Chinanet",
        "asn_number": 4134
    },
    "count": 221,
    "prevalence": "high",
    "results": {
        "protocol": [
            "telnet"
        ],
        "type": [
            "Honeytrap",
            "Suricata",
            "Cowrie"
        ],
        "dest_port": [
            2323,
            23
        ]
    }
}

At this point I have a budget IP reputation API on my hands. Who knows, I may fit it into seclook as an optional source of lookups.

Security data lakehouse and modular design | Rippling
Explore how Rippling innovated SIEM with a security data lakehouse, leveraging Snowflake for a cutting-edge cybersecurity approach.

Here is a sign your company is above the security poverty line: you built your own SIEM in-house. Piotr Szwajkowski details the ins-and-outs of how they do this at Rippling. I have heard of a few other companies doing this, and you have to imagine this opens up a lot of budget for other nice tooling.

YARA is dead, long live YARA-X
For over 15 years, YARA has been growing and evolving until it became an indispensable tool in every malware researcher’s toolbox.

I tried out YARA-X (rewrite of YARA in Rust) last week. YARA-X's Python API was 72.4% faster in scanning a ~22.4M file using YARA-X compared to normal YARA. That's pretty awesome! Congrats to Victor Alvarez (developer of YARA) and everyone else involved. Hopefully there will be more and more reasons soon to migrate to the new version.

No alt text provided for this image
👂
LISTEN
‎Risky Business: Risky Business #750 -- Why Microsoft’s Recall is an attacker’s best friend on Apple Podcasts
‎Show Risky Business, Ep Risky Business #750 -- Why Microsoft’s Recall is an attacker’s best friend - May 28, 2024
‎Soft Skills Engineering: Episode 410: Guaranteed cost-of-living raises and my manager doesn’t like me on Apple Podcasts
‎Show Soft Skills Engineering, Ep Episode 410: Guaranteed cost-of-living raises and my manager doesn’t like me - May 27, 2024
‎Security Cryptography Whatever: ekr on Apple Podcasts
‎Show Security Cryptography Whatever, Ep ekr - May 24, 2024
‎The Cybersecurity Defenders Podcast: #127 - Intel Chat: Alabuga Leaks, LockBit, EBury, E2EE & Dropbox on Apple Podcasts
‎Show The Cybersecurity Defenders Podcast, Ep #127 - Intel Chat: Alabuga Leaks, LockBit, EBury, E2EE & Dropbox - May 23, 2024
🎲
MISCELLANEOUS
Stolen from a reddit post Adopt the role of [job title(s) of 1 or more subject m... | Hacker News

Have you tried adding custom instructions to ChatGPT to try to get better responses? I saw this post on HN above and I'm currently using it. Hard to say how big of an improvement it is yet, but so far I am getting much more succinct and less-flowery responses. If you have any custom instructions that you use as a security engineer, I would love to hear from you!

🫡
THANKS

Thank you for reading this week's issue.