Alignment in cyber tradecraft and Resilient Detection

For years, I have been focused on finding the optimal way to detect threats. However, this is a highly complex task, as there is no absolute method to definitively determine whether an activity is malicious, unless you only rely on low-level indicators. It is true that certain behaviors can be considered malicious in most cases, such as a process loaded from AppData using a TrustedInstaller token, but this is not something that occurs frequently. In other scenarios, such as the use of anti-debugging techniques in BOF (Beacon Object File) through NtDelayExecution, identifying the optimal detection point can range from simply searching for the sleep import in an executable to inspecting thread call stacks. While both approaches are effective, thread stack analysis is significantly more precise, though at a higher cost than analyzing an executable’s import table. This reality highlights the need to establish a strategy that enables defensive teams to do more with less, which is why I will discuss the concept of Resilient Detection, not only from a technical standpoint but also from a broader, strategic perspective.

First and foremost, it is necessary to understand the current ecosystem. Today, and particularly in this part of the hemisphere, the digital ecosystem is composed of Windows and Unix systems, major public cloud environments (Azure, GCP, and AWS), the global supply chain, Artificial Intelligence and essential services such as email, identity, and application platforms. The dynamic nature of this ecosystem introduces new needs, opportunities, and challenges for adversaries and, in parallel, new detection strategies.


ATT&CK: The game of squares

The world of cybersecurity is becoming increasingly complex and challenging. With each new threat, from harmful capabilities such as malware or 0-days to changes in infrastructure such as the move from on-premise to hybrid or full-cloud environments, there is an urgent need for schemes and methodologies that help address these adversities. We seek not only to minimize the impact of any threat, but also to achieve a level of detection and neutralization in which we feel confident, although this confidence can often give a false sense of security.

Today we find various schemes that help us understand and contextualize the modus operandi of hostile actors. From the widely recognized MITRE ATT&CK to the Malware Behavior Catalog (MBC), through the Microsoft Attack Kill Chain and the Lockheed Martin Cyber Kill Chain, these tools offer us a guide to understanding and confronting the tactics, techniques and procedures (TTPs) used by adversaries. Within this scenario, MITRE ATT&CK is the most recognized scheme. Its matrix breaks down the tactics, techniques and procedures (TTPs) used by hostile actors.

Image 1: Example of MITRE ATT&CK

Threat Clustering and Threat Hunting

In this article we are going to learn about threat clustering carried out by Threat Hunting teams. But, first of all, let’s define some terms.

First, Threat Hunting refers to the art of proactively searching for and detecting cybersecurity threats hidden in an environment. It is a dynamic and strategic approach that allows defenders to discover and neutralize potential dangers before they escalate, making it an essential skill in today’s cybersecurity landscape.

Second, Threat Hunting analysts, also called Threat Hunters, need techniques to identify and track APTs and their activities. APT refers to an advanced persistent threat: an actor that operates covertly and with malicious intent over an extended period of time. To accomplish their goals, APTs use sophisticated tactics, techniques and procedures (TTPs) to gain access to high-value networks and information systems, such as government, financial, military and other systems.


Horizontal and Vertical Hunting with Persistent Engagement

In today’s cybersecurity landscape, Threat Hunting, the proactive pursuit of cyber threats, typically begins only once an actor has already established a foothold in an organization. This limits both the detection capabilities and the overall understanding a hunter can have of a campaign and of the adversary’s offensive capabilities. In this context, I propose and intend to tackle these challenges with two main tactics that hunters can employ to disrupt the offensive operations of state and non-state actors more effectively: Horizontal Hunting and Vertical Hunting, while integrating elements of persistent engagement to enhance visibility.

Initially, as is usual in hypothesis-driven Threat Hunting, we formulate hypotheses based on intelligence feeds to conduct proactive searches within our environment. However, this approach often lacks precision, both in the operational capabilities it attributes to the adversary and in the strategic insight it gives into the adversary’s intentions. This can be attributed to various factors, including:

  • Limited intelligence collection capabilities
  • Technical expertise of both hunters and Threat Intelligence teams
  • Uncertainty about the proactivity of the hunting team
  • Urgency to deploy detection capabilities (which may not always be effective) or to publish articles by the Threat Intelligence team