
DEW #135 - Chaos Detection Engineering, Connecting Policy to IR playbooks & Spooky AWS Policies


Introduction

This article summarizes Detection Engineering Weekly (DEW) #135, focusing on chaos detection engineering, linking policies to incident response playbooks, and analyzing AWS policies. It covers various aspects of detection engineering, including practical applications, threat landscape updates, and open-source tools.

Main Points

Chaos Engineering in Incident Response

  • Kevin Low proposes using chaos engineering in incident response. This involves intentionally injecting faults into systems to test resilience and improve reaction times.
  • The process follows the chaos-engineering loop: define the steady state (e.g., baseline MTTD/MTTR and the expected uptime of each log source), form a hypothesis (e.g., how quickly the SIEM alerts on a DNS query to a known-malicious domain), run the experiment (simulate the attack in production), verify the effect (did the alert fire, and did the notification reach the responders), and improve the pipeline based on what the experiment showed.
  • This validates the detection and response pipeline end to end in production, whereas traditional breach and attack simulation (BAS) products mostly measure rule coverage.
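The loop above, run against a mock SIEM, as an added example (not Kevin Low's code or anything from the newsletter). Everything is constructed: the SIEM is an in-memory event list whose one rule (query to a known-malicious domain) runs on a fixed schedule after an ingestion delay, and the steady state is that each expected log source reported within a heartbeat window. The point of the three runs is that the same rule passes or fails depending on the pipeline around it, which is what rule-coverage tooling does not measure.

```python
"""Chaos-style detection experiment over a mock SIEM (added example).

All components are constructed: the SIEM, its single rule, the log sources
and the event timings below are illustrative, not from any real deployment.
"""
import math
from dataclasses import dataclass, field

MALICIOUS_DOMAINS = {"evil.example"}  # constructed blocklist


@dataclass
class Event:
    ts: float          # seconds since experiment start
    source: str        # log source name, e.g. "dns-resolver" or "edr"
    query: str = ""    # DNS query name; empty for non-DNS events


@dataclass
class MockSIEM:
    ingest_delay: float = 45.0   # seconds until an event is searchable
    rule_interval: float = 60.0  # the rule runs every 60 s
    events: list = field(default_factory=list)

    def ingest(self, event: Event) -> None:
        self.events.append(event)

    def alerts(self) -> list:
        """Evaluate the rule; returns (alert_ts, event) for each match."""
        hits = []
        for ev in self.events:
            if ev.query in MALICIOUS_DOMAINS:
                visible = ev.ts + self.ingest_delay
                # first scheduled rule run at or after the event is searchable
                alert_ts = math.ceil(visible / self.rule_interval) * self.rule_interval
                hits.append((alert_ts, ev))
        return hits

    def silent_sources(self, expected, now: float, window: float) -> list:
        """Steady-state check: every expected source reported within `window` s."""
        last_seen = {}
        for ev in self.events:
            if ev.ts <= now:
                last_seen[ev.source] = max(last_seen.get(ev.source, -math.inf), ev.ts)
        return [s for s in expected if now - last_seen.get(s, -math.inf) > window]


def run_malicious_dns_experiment(siem: MockSIEM, max_detect_seconds: float = 120.0,
                                 expected_sources=("dns-resolver", "edr"),
                                 heartbeat_window: float = 300.0,
                                 inject_at: float = 100.0) -> dict:
    """Steady state -> hypothesis -> experiment -> verify, as in the text."""
    # Steady state: the log sources feeding the rule must be alive before we inject.
    silent = siem.silent_sources(expected_sources, now=inject_at, window=heartbeat_window)
    # Hypothesis: a query to a known-malicious domain alerts within max_detect_seconds.
    # Experiment: inject one synthetic query attributed to the resolver log source.
    canary = Event(ts=inject_at, source="dns-resolver", query="evil.example")
    siem.ingest(canary)
    # Verify: did the rule fire on the canary, and how long did it take?
    hits = [t for t, ev in siem.alerts() if ev is canary]
    latency = hits[0] - inject_at if hits else None
    passed = bool(hits) and latency <= max_detect_seconds and not silent
    return {
        "hypothesis": f"malicious-domain query alerts within {max_detect_seconds:.0f}s",
        "silent_sources": silent,
        "alert_fired": bool(hits),
        "detection_latency_s": latency,
        "passed": passed,
    }


def seeded_siem(sources=("dns-resolver", "edr"), **siem_kwargs) -> MockSIEM:
    """Constructed steady-state traffic: each source reports every 30 s."""
    siem = MockSIEM(**siem_kwargs)
    for ts in (0.0, 30.0, 60.0, 90.0):
        for src in sources:
            query = "updates.example" if src == "dns-resolver" else ""
            siem.ingest(Event(ts=ts, source=src, query=query))
    return siem


def demo() -> dict:
    """Three runs: healthy pipeline, backlogged ingestion, and a dead EDR feed."""
    return {
        "healthy": run_malicious_dns_experiment(seeded_siem()),
        "slow_pipeline": run_malicious_dns_experiment(seeded_siem(ingest_delay=200.0)),
        "edr_silent": run_malicious_dns_experiment(seeded_siem(sources=("dns-resolver",))),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

In the healthy run the canary alerts 80 s after injection; with a 200 s ingestion backlog the rule still matches but misses the 120 s hypothesis, and with the EDR feed silent the experiment fails on the steady-state check before the rule is even in question. The "improve" step is whatever fixes the failing component, and the experiment is then re-run to confirm.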

Open Source Supply Chain Compromises Retrospective

  • Filippo Valsorda reviewed the open-source supply chain compromises of 2024 and 2025 and found phishing of maintainers to be the most common root cause.
  • The analysis also identifies "control handoff", in which control of a project passes to an attacker through social engineering or a planted insider, as a significant vector; the xz Utils backdoor is the canonical example.
  • It stresses the fragility of the ecosystem: maintainers are burning out under demands from the large organizations that depend on their work.

Detection-Driven Approach to Incident Response

  • Regan Carey introduces the Incident Response Diamond, a model that ties non-technical playbooks to the specific detection rules that invoke them, so that an alert can be traced to the policy obligation it discharges.
  • The key is recording that lineage, from each detection rule to the playbook it invokes and on to the governance, risk and compliance (GRC) policy the playbook satisfies.
  • This requires close alignment between the security response and GRC teams and disciplined documentation so that rule-to-playbook references stay current.
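One way to keep that lineage honest is to validate it mechanically. The following is an added example, not Regan Carey's code or tooling from the article: the rule, playbook and policy inventories are constructed, and the identifiers (R-1001, PB-DNS-01, POL-IR-3 and so on) are placeholders. It traces a rule to the controls it ultimately serves and reports the breaks that creep in when documentation falls behind: rules that invoke a playbook that no longer exists, playbooks no rule can reach, and policy controls with no detection-backed playbook behind them.

```python
"""Lineage check for detection rules -> playbooks -> GRC policy controls.

Added example; the inventory below is constructed. In practice the rule side
would come from rule metadata and the policy side from the GRC register.
"""

RULES = {  # constructed detection rules and the playbooks they invoke
    "R-1001": {"title": "Query to known-malicious domain", "playbooks": ["PB-DNS-01"]},
    "R-1002": {"title": "Impossible-travel sign-in", "playbooks": ["PB-IDENT-02"]},
    "R-1003": {"title": "New OIDC trust added to IAM role", "playbooks": ["PB-CLOUD-07"]},
}
PLAYBOOKS = {  # constructed playbooks and the policy controls each satisfies
    "PB-DNS-01": {"policy_controls": ["POL-IR-3"]},
    "PB-IDENT-02": {"policy_controls": ["POL-IR-3", "POL-ACC-9"]},
    "PB-MAIL-04": {"policy_controls": ["POL-IR-3"]},
}
POLICY_CONTROLS = {  # constructed GRC controls
    "POL-IR-3": "Security incidents are triaged within one hour of detection",
    "POL-ACC-9": "Compromised accounts are contained within four hours",
    "POL-DATA-2": "Data exfiltration attempts are detected and reported",
}


def lineage(rule_id, rules=RULES, playbooks=PLAYBOOKS, controls=POLICY_CONTROLS):
    """Trace one rule to its playbooks and the controls they satisfy.
    Returns (playbook_id, control_id, control_text) triples."""
    chain = []
    for pb_id in rules[rule_id]["playbooks"]:
        for ctl in playbooks.get(pb_id, {}).get("policy_controls", []):
            chain.append((pb_id, ctl, controls.get(ctl, "<unknown control>")))
    return chain


def validate_lineage(rules=RULES, playbooks=PLAYBOOKS, controls=POLICY_CONTROLS):
    """Find breaks in the lineage: rules pointing at missing playbooks, playbooks
    pointing at missing controls, playbooks nothing invokes, and controls with
    no detection-backed playbook behind them."""
    findings = {"dangling_playbook": [], "dangling_control": [],
                "orphan_playbook": [], "uncovered_control": []}
    invoked = set()
    for rule_id, rule in rules.items():
        for pb_id in rule["playbooks"]:
            invoked.add(pb_id)
            if pb_id not in playbooks:
                findings["dangling_playbook"].append((rule_id, pb_id))
    covered = set()
    for pb_id, pb in playbooks.items():
        if pb_id not in invoked:
            findings["orphan_playbook"].append(pb_id)
        for ctl in pb["policy_controls"]:
            if ctl not in controls:
                findings["dangling_control"].append((pb_id, ctl))
            elif pb_id in invoked:
                covered.add(ctl)  # only a playbook some rule can reach counts as coverage
    findings["uncovered_control"] = sorted(set(controls) - covered)
    return findings


if __name__ == "__main__":
    print(lineage("R-1002"))
    for kind, items in validate_lineage().items():
        print(kind, items)
```

Run as a CI check over the rule repository and the GRC export, this turns "keep the documentation up to date" into a failing build: in the constructed data, R-1003 invokes a playbook that does not exist, PB-MAIL-04 is reachable from no rule, and POL-DATA-2 claims a detection-backed response that nothing provides.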

AWS Policies Management

  • David Kerber discusses how AWS policies reduce attack surface, while cautioning that the cloud identity model, with several policy types evaluated together, is complex and easy to get wrong.
  • The article walks through the kinds of AWS policies used to grant and constrain access for human users, resources, service accounts and GitHub Actions workflows.
  • Kerber open-sourced iam-collect, a tool that pulls IAM policies from AWS accounts into local storage for offline analysis.
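The GitHub Actions case is where trust policies most often go wrong: a role whose trust policy checks only the aud claim of GitHub's OIDC provider can be assumed by a workflow in any repository on github.com, because every repository mints tokens from the same issuer. The following is an added example, not David Kerber's code and not part of iam-collect: it inspects the role trust policy (AssumeRolePolicyDocument) of each role once the policies have been collected locally and flags statements that do not pin the sub claim to one repository. The account ID, role conditions and organisation names are constructed.

```python
"""Check GitHub Actions OIDC trust policies for over-broad conditions.

Added example; the trust policies below are constructed. In practice you
would feed each collected role's AssumeRolePolicyDocument to
github_oidc_findings().
"""
import json
import re

GITHUB_ISSUER = "token.actions.githubusercontent.com"


def _as_list(value) -> list:
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def github_oidc_findings(policy_json: str) -> list:
    """Return (severity, message) findings for each Allow statement that lets the
    GitHub OIDC provider assume the role. IAM condition keys are case-insensitive,
    so they are compared lower-cased."""
    doc = json.loads(policy_json)
    findings = []
    for i, st in enumerate(_as_list(doc.get("Statement"))):
        principal = st.get("Principal", {})
        federated = _as_list(principal.get("Federated")) if isinstance(principal, dict) else []
        if st.get("Effect") != "Allow" or not any(
                p.endswith("oidc-provider/" + GITHUB_ISSUER) for p in federated):
            continue
        if not any(a in ("sts:AssumeRoleWithWebIdentity", "sts:*", "*")
                   for a in _as_list(st.get("Action"))):
            continue
        subs, auds = [], []
        for pairs in st.get("Condition", {}).values():
            for key, value in pairs.items():
                if key.lower() == f"{GITHUB_ISSUER}:sub":
                    subs += _as_list(value)
                elif key.lower() == f"{GITHUB_ISSUER}:aud":
                    auds += _as_list(value)
        if not auds:
            findings.append(("medium", f"statement {i}: no aud condition; pin it to "
                             "sts.amazonaws.com in addition to the provider's client ID list"))
        if not subs:
            findings.append(("high", f"statement {i}: no sub condition; a workflow in any "
                             "GitHub repository can obtain a token and assume this role"))
        for sub in subs:
            m = re.fullmatch(r"repo:([^:]+):(.*)", sub)
            if not m or re.search(r"[*?]", m.group(1)):
                findings.append(("high", f"statement {i}: sub '{sub}' does not pin a single repository"))
            elif m.group(2) in ("", "*"):
                findings.append(("low", f"statement {i}: sub '{sub}' allows any branch, tag, "
                                 f"environment or pull request of {m.group(1)}"))
    return findings


def _trust_policy(condition: dict) -> str:
    """Constructed trust policy naming GitHub's OIDC provider in a sample account."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{GITHUB_ISSUER}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": condition,
        }],
    })


AUD = {f"{GITHUB_ISSUER}:aud": "sts.amazonaws.com"}
# aud only: every GitHub repository's workflows can assume the role.
WEAK_TRUST = _trust_policy({"StringEquals": AUD})
# Still broad: any repository in the organisation, any ref.
ORG_WIDE_TRUST = _trust_policy({"StringEquals": AUD,
                                "StringLike": {f"{GITHUB_ISSUER}:sub": "repo:example-org/*:*"}})
# Pinned to one repository and one branch.
STRONG_TRUST = _trust_policy({"StringEquals": AUD,
                              "StringLike": {f"{GITHUB_ISSUER}:sub": "repo:example-org/deploy:ref:refs/heads/main"}})

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_TRUST), ("org-wide", ORG_WIDE_TRUST), ("strong", STRONG_TRUST)):
        print(name, github_oidc_findings(policy))
```

The strong form is the one to aim for: aud pinned to sts.amazonaws.com and sub pinned to a specific repository and ref (or environment). Whether an organisation-wide sub is acceptable depends on who can create repositories in that organisation, which is why the checker reports it rather than silently allowing it.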

Auth0 Security Tool: CheckMate

  • Shiven Ramji introduces CheckMate, a free tool that audits an Auth0 tenant's configuration in the manner of a cloud security posture management (CSPM) product.
  • CheckMate identifies misconfigurations and detects configuration drift through a set of checks, including runtime checks for custom Auth0 runners.
  • It also flags hardcoded passwords and vulnerable npm packages.

Threat Landscape Updates

  • The UN Convention against Cybercrime was opened for signature in Hanoi, Vietnam, where 72 countries signed it. The treaty sets standards for electronic evidence collection and cross-border data sharing.
  • Will Thomas dissected the ICO report on the Capita Group breach by the BlackBasta ransomware group, using the leaked BlackBasta chats to show the attackers' side of the intrusion and setting it against the security program failures the ICO identified.

Vulnerability Spotlight

  • CVE-2025-59287 is an unauthenticated remote code execution vulnerability in Windows Server Update Services (WSUS), for which Microsoft released an out-of-band update. Batuhan Er provides a vulnerability walkthrough and proof of concept.
  • The Huntress team observed in-the-wild exploitation of CVE-2025-59287, underscoring the need for rapid patching and hunting once a vulnerability of this kind is public.

AI Model Security

  • VirusTotal scanning is now integrated into Hugging Face to help identify malicious AI model files hosted there.

Open Source Tools

  • auth0/auth0-checkmate: An Auth0 tenant configuration tool.
  • cloud-copilot/iam-collect: A tool for retrieving AWS IAM policies.
  • EmergingThreats/pdf_object_hashing: A technique for comparing PDF documents.
  • chainguard-dev/malcontent: A supply-chain compromise detection system.
  • ForensicArtifacts/artifacts: A machine-readable knowledge base of forensic artifact information.

Conclusion

DEW #135 covers a wide array of topics relevant to detection engineering, from practical methods like chaos engineering to emerging threats and valuable open-source tools. It emphasizes the importance of proactive security measures, robust incident response strategies, and continuous monitoring in a constantly evolving threat landscape.