In my previous post, I declared my undying love for continuous integration and deployment capabilities applied to Detection Engineering. Now, let's put the theory into practice! Today, this post will address the unit-testing's part, applied to Splunk.
When you have the chance to catch an attacker live, it is always a delight to monitor 🍿 and dissect their moves in real-time, even a posteriori. To make it happen, you must have some kind of Full Packet Capture in the first place, then, of course, you need a thorough reverse-engineering of the malware will document the encoding, fields, and structures. Ok, you have all the materials needed, now how can we transform the pcap into human transcripts? "You just have to parse the application layer" As usual, while it may seem easy in theory, it is a bit more complicated in real life (especially during an Incident Response engagement, so it is better to be prepared!), this post describes my experience to write such dissector for the last 10 years.
The SOCs are currently suffering from their growth, plagued by bad quality assurance and an extreme fragility to changes. This situation used to be the pain and butter of the developers in the 90s. Fortunately, the Agile manifesto came out and a new way of working took off. This post describes an alternative way to run the detection pipeline.
Unless you are an anti-virus vendor, the management of Yara rules quickly become messy in a team environment as everything becomes eventually inconsistent. This post introduces how we tackled these issues...