Welcome to Issue #7 of the Security Engineering Newsletter.
Hello! I recently went on The Cybersecurity Defenders Podcast to speak about security automation and SOAR platforms. It was an absolute pleasure speaking with Christopher Luft from Lima Charlie about all these things! đ You can check it out below on Apple Podcasts.
In other news, I spent some time in Chicago over the weekend and checked out the river walk. Hopefully I don't insult anyone by saying this, but the Chicago riverwalk reminded me a bit of the Thames river walk in London. Highlights: The Northman, Venteux, Art Institute of Chicago.
As a final note, I am going to start writing more long-form posts rather than newsletters. I really enjoyed writing seven of these so far, but the short-form posts are not doing it for me. I'll still be writing stuff about security on this site â just not in this format.
â Andrew
ackatzOne of the things I've been working on the past few weeks is making some new updates to my macOS app seclook. I added some bug fixes and a few new ways to scan indicators, including GreyNoise and ThreatFox.
seclook is a macOS/Swift app that sits in the background and monitors your clipboard, sending any IP, SHA2/MD5 hash, or domain to services like AbuseIPDB, VirusTotal, GreyNoise, and more. If any scanned item has a bad reputation score, you get a notification! It is free and open source, so please check it out! I also have a Python CLI version which is a bit different but still could be useful to you.
telekom-securityI have been experimenting with tpotce from Deutsche Telekom and I absolutely love it. In the past, I have experimented with cowrie (SSH honeypot) which is amazing in its own right. With tpotce, however, cowrie is just one of the many honeypots included in the package. It is incredibly easy to spin up and there are numerous guides online to get it running.
One of the interesting things I've been doing with tpotce is setting up a safe way to query the underlying Elasticsearch via API. My setup involves running a FastAPI app on Fly.io that can make API calls to the tpotce Elasticsearch via a Tailscale tunnel. There has been a lot of careful consideration in heavily restricting the subnet and Tailscale ACLs involved in all of these interactions. It is a bit complex for a newsletter post, but in the end, I am able to make queries like this:
GET https://[redacted]/api/v1/ip_reputation?ip_address=60.173.28.112
{
"ip_address": "60.173.28.112",
"ip_meta": {
"city": "Hefei",
"country": "China",
"latitude": 31.8564,
"longitude": 117.2661,
"asn": "Chinanet",
"asn_number": 4134
},
"count": 221,
"prevalence": "high",
"results": {
"protocol": [
"telnet"
],
"type": [
"Honeytrap",
"Suricata",
"Cowrie"
],
"dest_port": [
2323,
23
]
}
}At this point I have a budget IP reputation API on my hands. Who knows, I may fit it into seclook as an optional source of lookups.
Piotr Szwajkowski
Here is a sign your company is above the security poverty line: you built your own SIEM in-house. Piotr Szwajkowski details the ins-and-outs of how they do this at Rippling. I have heard of a few other companies doing this, and you have to imagine this opens up a lot of budget for other nice tooling.
Hyas
I tried out YARA-X (rewrite of YARA in Rust) last week. YARA-X's Python API was 72.4% faster in scanning a ~22.4M file using YARA-X compared to normal YARA. That's pretty awesome! Congrats to Victor Alvarez (developer of YARA) and everyone else involved. Hopefully there will be more and more reasons soon to migrate to the new version.
Have you tried adding custom instructions to ChatGPT to try to get better responses? I saw this post on HN above and I'm currently using it. Hard to say how big of an improvement it is yet, but so far I am getting much more succinct and less-flowery responses. If you have any custom instructions that you use as a security engineer, I would love to hear from you!
Thank you for reading this week's issue.
Discussion