At Stamus Networks, we are wrapping up another great year, so it is time to again review the news, releases, and threat hunting materials that we shared on our blog in 2023. This was a big year for our blog, with 55 blog posts published to date! We have shared product updates, open-source resources, threat intelligence, and educational materials, all in an effort to celebrate, inform, and equip our community of cyber defenders all over the world.
As we did last year, we are sharing our top 10 most-read blog articles and series from 2023. We include a link to each blog post in case you missed it, along with some related reading material you might enjoy.
#10 - The Hidden Value of Suricata Detection Events: NSM-Enriched IDS Alerts - By Eric Leblond
Starting at number ten, “The Hidden Value of Suricata Detection Events: NSM-Enriched IDS Alerts” explores the evolution of Suricata detection events, emphasizing the wealth of information now embedded in alerts, including valuable Network Security Monitoring (NSM) data. The Stamus Security Platform (SSP) consolidates this native Suricata data into enriched "alert" events, making it more accessible to analysts. We challenge the perception of Suricata as a "legacy" IDS, promote its potential for building a robust Network Detection and Response (NDR) system, and encourage users to explore its capabilities beyond basic alerts and signatures.
If you like this, you should check out: “The Security Analyst’s Guide to Suricata” - The first practical guide to threat detection and hunting using Suricata, the world’s most popular open-source network security engine.
#9 - MISP Series - By Alexander Nedelchev
Number nine on our list is actually a three part series on the Malware Information Sharing Project (MISP). This is a free, open source threat intelligence platform, and this series highlights the benefits of using MISP. Additionally, we walk SSP and SELKS users through the process of integrating MISP to harness the power of threat intelligence sharing within their organizations.
If you like this, you should check out: “An Introduction to Cyber Threat Intelligence” - This blog provides a brief introduction to threat intelligence, detailing the types of threat intelligence and its importance in making a more secure organization.
#8 - Just Released: Suricata 7 - By Andreas Herz
2023 marked the release of Suricata version 7, which was the first major Suricata update in over 3 years. This blog post provided a list of the major upgrades users can enjoy and included a list of the features already made available to existing Stamus Security Platform users. In addition, we gave readers a broad overview of the history of Suricata and Stamus Networks’ involvement in the Suricata project.
If you like this, you should check out: “Accelerate Suricata Rule Writing with Suricata Language Server v0.9.0” - If you are interested in Suricata, and you want to perfect your Suricata rule writing skills, then this blog can help you get the Suricata Language Server (SLS) set up. SLS provides rule (signature) syntax checking, rule-writing hints, and auto-completion to your preferred editor.
#7 - The Hidden Risks of False Positives: How to Prevent Alert Fatigue in Your Organization
The number seven blog on our list discusses the challenges posed by alert fatigue in Intrusion Detection Systems (IDS) and highlights the prevalence of false positives the typically plague large organizations. This blog post identifies factors leading to alert fatigue and emphasizes the impact on productivity, efficacy, and cost. SSP is presented as a solution, leveraging automated event triage, data enrichment, and Declarations of Compromise™ to reduce the number of security events requiring investigation and improve incident response times, ultimately eradicating alert fatigue and allowing security teams to concentrate on proactive measures.
If you like this, you should check out: “Lost in the Noise: 4 Weak Attack Signals your IDS will Miss” - This white paper details common missed attack signals that are commonly missed by IDS (homoglyphs, unauthorized user activity, malware C2 beacons, and anomalous network activity). Here you will find information on these attack signals as well as information on how they can be detected by a modern network detection and response (NDR) system.
#6 - Introducing Open NRD: Newly Registered Domain Threat Intel Feeds for Suricata - By Peter Manev
At #6, we have our introduction to Open NRD Threat Intel feeds. This year, we announced our Suricata threat intel feeds for newly registered domains, which serve to provide a streamlined source of threat intelligence across many domain registrars worldwide. These feeds are intended to produce additional pieces of data that can be used as a risk indicator in a threat hunting process or incorporated into an automation to uncover malware and APT groups’ tools and tactics.
If you like this, you should check out: “Threat Hunting with Suricata and Newly-Registered Domain Threat Intel (Open NRD)” - The first in a now four-part series, this blog shows Open NRD in action, detailing several use-cases where the new Suricata NRD threat intel feeds can be used to initiate threat hunts.
#5 - Behind the Curtain Series
This series focuses on Fancy Bear and Cozy Bear (APT28 and APT 29, respectively). Both of these advanced persistent threats originate within Russian-sponsored military and government groups and have been responsible for numerous high-profile breaches in the last decade. These blogs dive deeper into the history, tools, tactics, and procedures of these groups, as well as provide insight into how organizations can protect themselves using the Stamus Security Platform.
If you like this, you should check out: “Threats! What Threats?” - If you are interested in learning more about additional threat types, how they impact your organization, and how they can be detected, then this series is for you. This blog post is the first in the series, however you can easily find additional entries on remote access trojans, cryptomining, shadow IT, and more.
#4 - Use SELKS to Solve the Unit 42 Wireshark Quiz - By Rositsa Kyuchukova
Our open source resources have always been popular with our readers, so it is no surprise that the fourth most popular blog of 2023 discusses how SELKS can be used to solve the Unit 42 Wireshark quiz. Unit 42 routinely releases quizzes designed to allow cybersecurity professionals to practice their skills with Wireshark. At Stamus Networks however, we like to showcase how SELKS is just as effective at achieving the same goal, if not more so.
If you like this, you should check out: “Unlocking the Secrets of Forensic Investigations: Solving the SANS Forensic Quiz using SELKS” - Similar to the blog on solving the Unit 42 quiz with SELKS, this blog post details how SELKS can be used to solve the SANS forensic quiz. Read on to learn more about the SELKS SN-SANS-MTA-Training dashboard.
#3 - Jupyter Playbooks for Suricata Series - By Markus Kont
Keeping with the theme of open source popularity, number three on our list is a four-part series on Jupyter notebooks. This series, written by Markus Kont, goes into great detail on his very own Stamus Labs project – Jupyter Playbooks for Suricata. Jupyter notebooks are a powerful platform for exploring Suricata EVE data, and the playbooks are a way for Suricata users to explore Suricata EVE JSON logs and extract useful insights from EVE NSM data.
If you like this, you should check out: “A Practical Guide to Small Office / Home Office Network Visibility with SELKS: Part 1 - Equipment Selection” - If you are interested in Suricata and Stamus Labs open source software, then you might be interested in learning how to install and use SELKS, Stamus Networks’ turn-key Suricata-based IDS/NSM and threat hunting system.
#2 - Malware PCAP Analysis Made Easy Series - By Peter Manev
Although a relatively new blog series (at the time of publishing this blog post), “Malware PCAP Analysis Made Easy” has rocketed near the top of our list. This is probably due to its simplicity and practicality. In this series, readers can follow along an example of quick, easy malware PCAP analysis. The examples are straightforward, provide surprising insights into malware behaviors, and are easily replicable with any live malware sample a reader might stumble upon in the real-world.
If you like this, you should check out: “Suricata Cheat Sheet: JQ Commands” - This cheat sheet provides a number of other helpful JQ commands for parsing Suricata NSM data.
#1 - Stop the leak! Detecting ChatGPT used as a channel for data exfiltration - By Peter Manev
It seems that 2023 was the year of Artificial Intelligence, with Generative AI and machine learning dominating conversations across industries. It is no surprise then that our blog post on detecting ChatGPT as a channel for data exfiltration has become our most popular blog post of 2023. In this blog, you will see not only how ChatGPT use can be detected within your organization, but also how ChatGPT can even be used to write Suricata rules detecting ChatGPT.
If you like this, you should check out: “Addressing Cloud-Related Threats with NDR: Key Takeaways from the 2023 PwC Cybersecurity Outlook Report” - As we saw with ChatGPT, new developments in technology mean new cyber security risks for organizations. To learn more about some of these risks and how NDR systems can help, take a look at this reflection on the 2023 PwC Cybersecurity Outlook Report.
Conclusion
Hopefully you have enjoyed taking a look at this year's most popular blog posts. We are excited to continue providing you with relevant information that can help you improve your organization’s network security in the coming year. As always, make sure to subscribe to the Stamus Networks Blog, the monthly Stamus Spotlight Newsletter, Twitter, Facebook, LinkedIn, and Discord to stay informed!
