InQuest - Snippets (https://inquest.net/)

What is Detection Engineering?
https://inquest.net/blog/what-is-detection-engineering/
2024-12-05, Darren Spruell

Detection engineering is a field of cybersecurity focused on designing, implementing, and maintaining detection methods to identify potential security threats within an organization’s environment. It goes beyond simply setting up alerts and involves a strategic approach to understanding threat behaviors, identifying IOCs (indicators of compromise), and developing detection logic that accurately identifies malicious activity without generating excessive false positives. Detection engineering is essential for enhancing an organization’s threat detection capabilities and improving its overall security posture. 

By developing precise detection logic and continuously refining detection mechanisms, detection engineers help reduce the TTD (time to detect) and TTR (time to respond) to incidents. This proactive approach ensures that security teams can quickly act on alerts and prevent potential breaches. 

Key Concepts in Detection Engineering

  1. Detection Logic: This refers to the specific rules, queries, and analytics developed to identify malicious activities based on observed behaviors and IOCs. Effective detection logic is tailored to an organization’s environment and considers various data sources like network traffic, endpoint logs, and other services.
  2. False Positives and False Negatives: A false positive occurs when a benign action is incorrectly flagged as malicious, while a false negative is when a malicious action goes undetected. Detection engineering aims to minimize these errors to ensure accurate and actionable alerts.
  3. Behavioral Analysis: Unlike static detection methods that rely solely on IOCs, behavioral analysis involves monitoring for abnormal patterns of behavior that may indicate a threat, such as unusual login times or data exfiltration attempts. This approach helps in detecting novel and evolving threats but requires a predefined baseline of “normal” behavior.
  4. Threat Hunting: Threat hunting is a proactive approach to detecting threats by searching through networks and systems to identify suspicious activity. Detection engineers may help formulate hunting hypotheses and work with threat hunting teams to validate detection logic and develop improved analytics that uncover hidden threats automated systems might miss.

Tools of the Trade

Detection engineers use a variety of tools and standards to find and respond to threats. Different tools are optimized for different functions, including file analysis, network analysis, and log analysis.

  1. File-Based: These tools are designed to identify malware or suspicious activity based on file patterns, signatures, or behaviors.
    1. YARA is a tool used by detection engineers to identify and classify malware based on patterns in files or processes. YARA rules consist of strings and conditions that define what constitutes a match, making them a powerful resource for identifying threats.
  2. Network-Based: These tools monitor network traffic to detect suspicious activities or intrusion attempts.
    1. Suricata: An open source network intrusion detection and prevention system (IDS/IPS) that analyzes network traffic in real time. It uses signature-based rules to identify threats, such as detecting attacks based on known network behavior or patterns. It can also perform network session decoding and analysis, acting as a sort of network flight recorder, generating audit records for all activity on the network.
    2. Snort: Snort is another popular open source IDS/IPS tool that uses rules to inspect network traffic and identify threats based on known attack signatures.
    3. Zeek: An open source network analysis and audit engine capable of identifying, decoding, and generating audit records for numerous relevant network protocols. Zeek provides a complete domain-specific language for network protocol analytics, and also supplies a number of frameworks for developing plugins as well as interfaces for applying threat intelligence to network analysis.
  3. Log-Based: These tools analyze system or application logs to detect unusual patterns that may indicate security incidents and are often used in concert.
    1. Sigma: An open standard for writing detection rules that can be applied to log data. It provides a generic rule format, which can then be translated to different SIEMs.
    2. Wazuh: An open source security monitoring platform that integrates log analysis, intrusion detection, file integrity monitoring and vulnerability management. It can monitor logs from various sources and create alerts based on preconfigured or custom rules.

Common Problems

Scale and Resources

While detection engineers might like to secure organizations against all types of threats, engineers are constrained by both resources and manpower. No organization can protect against every threat, and so they must tailor detection engineering efforts to their specific environment. To do this, organizations need to refine their approach to focus on the attack vectors that they are most vulnerable to.

Context is the key word here—an organization’s industries, products, IT systems, and even geopolitical risks need to be considered. Cyber threat intelligence, a closely related field, can help define these contexts. One common approach is to focus on an organization’s industry vertical. For example, a marketing company based in the United States will face different threats than an energy company in Asia.

Reducing False Positives

An inherent difficulty faced by detection engineers is in defining detection methods that catch threats without overwhelming analysts with false positives. Below is a helpful chart that illustrates this concept:

The potential error rate can be reduced through careful development of detection rules and rigorous testing of these rules in complex environments. Rules should be vetted against known threats as well as edge cases and benign examples.

For example, a detection rule that looks for malicious macros in a Microsoft Word document should detect malicious macros consistently, while not generating false positives on normal documents.

Naming Conventions

Once a threat is identified and detection rules are defined and tested, the rules are integrated into the tools SOC teams use to monitor networks and are often shared with other security teams. Naming and describing these rules accurately can be challenging—especially when the indicators they detect are complex or obscure. Standardization is important here: adopting conventions for organizing and labelling rules makes managing large detection libraries easier.

Concluding Thoughts

Detection engineering is a cornerstone of modern cybersecurity, providing the framework for identifying and responding to threats effectively. By giving SOC teams the information they need to detect and respond to emerging threats, detection engineering will remain an essential discipline for maintaining robust security defenses.

Discover how OPSWAT’s MetaDefender InSights Threat Intelligence can give your organization a critical advantage when it comes to preventing cyberattacks—talk to an expert today.

USPS Parcel Delivery Themed Smishing Campaign Activity
https://inquest.net/blog/usps-parcel-delivery-themed-smishing-campaign-activity/
2024-07-17, Hunter Headapohl

Cybercriminals and threat actors continually evolve their tactics to deceive and exploit users. One of the most persistent threats is smishing—a blend of SMS (text message) and phishing attacks. Recently, smishing campaigns have increasingly leveraged themes from the United States Postal Service (USPS), making them particularly dangerous and difficult to detect when targeted directly at users via text message.

How does this attack work?

First disclosed in late June of this year, the campaign delivered social engineering messages to users via mobile SMS, with USPS-themed lures in this basic format:

[‎USP⁠S Notice]: Your shipment has been processed at our facility but is currently on hold due to incomplete address information. To facilitate timely delivery, we request you verify your address through the link provided below: hXXps://cutt[.]ly/kefjZuIG?KrK=agsoqsnEdd?spt=dKfL5GVQaY
Wishing you an exceptional day from the USPS team.

The URL shortener link redirects to an attacker-operated site:

hXXps://usoo.qygwdvpr[.]top/?session=256196fd967slv&user=193
>> hXXps://usoo.qygwdvpr[.]top/4b8ee6/GOEAEZ/CxJPFKuAA4A_Vh8PPl/AESkk4e?9_IkyAH/mN4XAhHeAEiTAK95suA_tkAKAAVTnAGpu

urlscan.io captured the redirector and the landing page of the phishing site, which presents a USPS Online lure:

https://urlscan.io/result/6770bd32-a452-43ee-ac7d-80946ad5ae8c

USPS phishing landing page

The page requires the user to click the Continue button to proceed through the phishing kit. The next page solicits personal information from the user, including shipping address and phone number. Further interaction may also prompt the user for more sensitive information, such as login credentials and personally identifiable information, under the guise of identity verification.

From this attacker-controlled landing site, the target can be compromised in any number of ways: by having the victim enter personal information into a form, by asking them to download malicious files, or even through drive-by downloads on vulnerable browsers.

The real danger presented by this kind of attack is that it leverages the victim’s trust in a public institution like USPS and presents a landing site that is convincing enough to appear legitimate. Package and order delivery lures are commonplace in the threat landscape, given that many people may be expecting a purchase to arrive at any given point. Common clues that could trigger suspicion—like grammatical errors or odd page layouts—are not present. As a result, this kind of smishing can be devastatingly effective.
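As an added example (not part of the original post and not InQuest's code), the following Python normalizes a message in the lure format shown above before matching on it. The sample message is constructed after the quoted lure and reproduces the two invisible Unicode format characters that the captured text carries inside the bracketed brand name; the lure phrases, the regex and the scoring threshold are my assumptions.

```python
"""Normalize a USPS-themed smishing text and pull out its lure host.

Added example, not InQuest's code. SAMPLE_SMS is constructed after the lure
quoted in the post; as captured there, the bracketed brand name carries invisible
Unicode format characters (U+200E left-to-right mark, U+2060 word joiner), so a
naive keyword filter for "USPS Notice" never sees the phrase.
"""
import re
import unicodedata

# Constructed sample; the escapes reproduce the two invisible characters and the
# URL stays defanged (hXXps, [.]) as in the post.
SAMPLE_SMS = (
    "[\u200eUSP\u2060S Notice]: Your shipment has been processed at our facility "
    "but is currently on hold due to incomplete address information. To facilitate "
    "timely delivery, we request you verify your address through the link provided "
    "below: hXXps://cutt[.]ly/kefjZuIG?KrK=agsoqsnEdd?spt=dKfL5GVQaY "
    "Wishing you an exceptional day from the USPS team."
)

# Lure phrases taken from this campaign's wording (assumed list); matched only
# after normalization so hidden characters cannot split them.
LURE_PHRASES = ("usps notice", "verify your address", "incomplete address")
# Accepts live (http/https) and defanged (hxxp/hxxps) links; captures the host.
URL_RE = re.compile(r"h(?:xx|tt)ps?://([^/\s?]+)", re.IGNORECASE)


def strip_format_chars(text: str) -> str:
    """Drop code points in Unicode category Cf (zero-width and directional marks)."""
    return "".join(ch for ch in text if unicodedata.category(ch) != "Cf")


def extract_hosts(text: str) -> list[str]:
    """Return refanged hostnames from the links, for blocklist or feed lookups."""
    return [h.replace("[.]", ".").lower() for h in URL_RE.findall(text)]


def analyze_sms(raw: str) -> dict:
    """Normalize first, then report hidden chars, lure phrases hit and link hosts."""
    cleaned = strip_format_chars(raw)
    lowered = cleaned.lower()
    return {
        "hidden_chars": len(raw) - len(cleaned),
        "phrases": [p for p in LURE_PHRASES if p in lowered],
        "hosts": extract_hosts(cleaned),
    }


def is_suspicious(raw: str) -> bool:
    """Lure wording plus an embedded link; either signal alone is weak evidence."""
    r = analyze_sms(raw)
    return len(r["phrases"]) >= 2 and bool(r["hosts"])


if __name__ == "__main__":
    print(analyze_sms(SAMPLE_SMS))
```

The same normalization step belongs in front of any keyword-based SMS or email filter, since the format characters are invisible to the recipient but defeat a literal string match.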

The Role of Threat Intelligence

In cases like these, threat intelligence is an important tool for stopping bad actors by focusing on the infrastructure and domains they use. Forcing bad actors to rebuild their infrastructure by disrupting their normal patterns drives up the cost of these campaigns and slows them down.

InQuest’s research uncovered some of the domains and proxies used by this group. Domain registration details and resolution show that the threat actor is abusing Cloudflare for DNS hosting and as a reverse proxy, which hides the origin server behind Cloudflare addresses:

QYGWDVPR.TOP  2024-06-16  Gname.com Pte. Ltd.  ns.cloudflare.com  REDACTED FOR PRIVACY  complaint@gname.com
qygwdvpr.top. 1800 IN SOA jean.ns.cloudflare.com. dns.cloudflare.com. 2344052238 10000 2400 604800 1800
qygwdvpr.top. 21600 IN NS margo.ns.cloudflare.com.
qygwdvpr.top. 21600 IN NS jean.ns.cloudflare.com.
usoo.qygwdvpr.top.  300 IN  A   104.21.72.55
usoo.qygwdvpr.top.  300 IN  A   172.67.175.168
104.21.72.55 AS13335 | US | CLOUDFLARENET
172.67.175.168   AS13335 | US | CLOUDFLARENET

The domain has been in use since at least June, with the operator also using another subdomain:

emv1.qygwdvpr.top  104.21.72.55    ip  A  2024-06-16T10:19:27  2024-07-11T12:40:38
emv1.qygwdvpr.top  172.67.175.168  ip  A  2024-06-16T10:19:27  2024-07-11T12:40:38

Nameserver analysis provides a set of domains with matching attributes that may be associated with this same cluster of activity:


Conclusions

Smishing attacks, especially those leveraging USPS-themed lures, represent a growing threat in the cybersecurity landscape. These attacks are designed to exploit users’ trust in well-known institutions like the USPS, making them particularly effective and dangerous.

Recognizing and understanding these smishing techniques is the first step in defending against them. By staying informed and cautious, users can avoid falling victim to these sophisticated scams. Furthermore, leveraging threat intelligence to uncover and disrupt the infrastructure behind these attacks is essential in mitigating their impact.

InQuest InSights Threat Intelligence Feeds

InQuest continually monitors the cyber threat space, broadly collects indicators of compromise, and curates them for incident response and threat intelligence use cases. Our InQuest InSights threat intelligence feeds provide bulk download or API query access to our actionable indicator data. Contact us for access to these and thousands of other active, relevant indicators to help your defenders uncover evil and reduce risk today!

Ever Rising Threat of Modern Data Extortion
https://inquest.net/blog/ever-rising-threat-of-modern-data-extortion/
2024-06-28, William MacArthur

Intro

Glancing at the present-day threat landscape, ransomware is top of mind whenever an incident starts flooding the news cycle. It is a constantly growing problem that seems to know no bounds: no organization is immune, and everyone is a potential target. The large number of companies leveraging cloud services and always-connected systems creates a target-rich environment. Though most actors lean towards financial gain, the interconnectivity of systems across industries and their associated verticals provides a wide variety of opportunities for impact driven by other motives. This is especially worrisome with election cycles on the horizon and the need to secure the systems vital to fair elections. The growth of ransomware has escalated to the point where third-party actors offer ransomware-as-a-service and other illicit products to would-be attackers via underground markets.

Past to Present

Ransomware has been a problem since the 1989 AIDS Trojan, also known as PC Cyborg, which was delivered via floppy disk. The demanded ransom was in the range of hundreds of dollars, a paltry sum compared to the amounts listed in ransom notes seen on impacted systems today. To paint a picture of the threat landscape in the late 80s and early 90s, email-based phishing scams were uncommon at the time. Fast forward to today, and we see ever-increasing complexity in the file tradecraft used. Emails with malicious attachments remain the most prevalent initial access vector, though more sophisticated adversaries have been observed obtaining privileged access directly, as in the Colonial Pipeline incident, where attackers gained VPN access using an employee password exposed in a previous data breach.

The Human Cost

Due to the scale of present-day ransomware incidents, recovery and resuming operations can be costly even in cases where ransoms are paid. The time put into remediation and bolstering security after the breach is an additional cost that is rarely reported in depth. This is particularly problematic for organizations in sectors where ransoms are unlikely to be paid, such as government, healthcare, and education. The downstream effects are devastating, costing countless man-hours and, in the case of hospital breaches, lives. During the height of the COVID-19 lockdown, several ransomware gangs agreed not to target hospitals to minimize loss of life. Operators associated with cl0p and Maze at the time spoke out against targeting patient-facing health organizations, insisting that their targets were primarily commercial labs and pharmaceutical entities that could afford the hefty ransoms.

Ransomware As An Economy

Like other commercially distributed malware and related “tools”, anything from payloads to fully configured, ready-to-execute ransomware campaigns is available via underground markets, with payment models that rival legitimate software as a service (SaaS) products. Like SaaS offerings, ransomware as a service (RaaS) empowers criminals with low technical aptitude to carry out ransomware attacks for a modest fee or subscription. Individual components, such as obfuscation tools designed to decrease the likelihood of detection, initial access resources, and exfiltration tools, are available and can be customized to an attacker’s needs. So long as these attacks succeed, a secondary market will exist to facilitate future incidents.

Parting Thoughts

Without a doubt, the most impactful way to defend against ransomware and data extortion actors is to prevent the intrusion in the first place by heading off attacks in the early phases. While prevention is not always possible, it is critical to detect and disrupt attacks as early as possible in the attack lifecycle. Critical intelligence about the ecosystem of ransomware operators and RaaS affiliates shows that partnerships with initial access brokers (IABs) are the enabling element for the vast majority of these attacks.
