
Defender Fridays Wrap-Up: December 2024

Nicole Boyd

Email Threat Hunting: Detection as Code With Michael Robertson from Recon Info Sec

In this Defender Fridays session, Michael Robertson discussed advanced email threat hunting techniques using Sublime, an open-source email security tool. Robertson uses detection-as-code approaches, including YARA rules and Sublime's Message Query Language (MQL), to identify threats such as OneNote file attacks, corrupted Office documents, and chain-link phishing attempts. The session highlighted the importance of email security, with Robertson sharing practical examples and hands-on labs that security practitioners can use to improve their email threat hunting, and emphasized the value of behavior-based detection over traditional signature-based approaches.


The Role of Reverse Engineering in Modern Defense With Maxime Lamothe-Brassard of LimaCharlie

Maxime Lamothe-Brassard, CEO of LimaCharlie, joined us to discuss the evolving role of malware reverse engineering in modern security operations. He emphasized that while reverse engineering remains a valuable tool, organizations should weigh its cost against potential benefits, and advocated for simpler analysis methods like string analysis and sandbox detonation for most scenarios. The discussion highlighted that deep reverse engineering is often more valuable for strategic threat intelligence rather than day-to-day incident response, where quick, actionable insights are typically more critical.


Responsible Offense for Defenders With Bryson Bort of Scythe

In this final Defender Fridays session of 2024, Bryson Bort, CEO and Founder of Scythe, discussed how organizations should approach offensive security testing and adversary emulation. He noted that while dedicated red teams are a luxury most organizations can't afford, security teams should focus on developing "red capabilities" that can be integrated into regular operations. Bort stressed the importance of responsible offensive testing that provides actionable value to defenders, advocating for a collaborative purple team approach rather than traditional penetration testing, which often results in reports with limited practical benefit.
