Threat researchers, malware analysts, and digital forensic specialists often share advice, hints, and ideas with the community through scientific papers, blog posts, or tweets. It is admirable and often includes beneficial information for anyone who reads their advice, but the impact of the information can be significantly improved. In this…

New Features, Tools, and Community Contributions We have decided it would be a great idea to publish quarterly updates on everything that is happening within the Sigma project, and have created this publication on Medium for that purpose. …

In recent months I’ve noticed several attempts to define the term detection engineering and thought I should share my thoughts on this topic in a short blog post. This blog post tries to cover all possible purposes of detection engineering to develop a broad definition of the term, excluding only…

The recent revelations regarding the Solarwinds compromise and the problem of detecting adversary activity that aligns with legitimate user activity reminded me of a solution that we had developed in a small team over a decade ago. …

Maximizing the effect of defensive research We live in challenging times. As a security researcher focusing on threat detection I frequently notice and comment on the increasing use of off-the-shelf tools by nation state actors. My team and I monitor that landscape closely and noticed an increase of tool publications…

When we first talked about Sigma in 2016, I was fascinated by a use case that would solve a major problem when SIEM analysts integrate logs of unknown systems and applications. I am talking about the “bundle with software” use case in which a developer provides Sigma rules with his/her…

Just recently I stumbled over a Twitter poll created by Andrew Thompson asking if defenders (blue team) should show the simulated adversaries (red team) how they caught them after an exercise. I was one of the few that answered “no” and gave some explanation.

A good tweet answers all the important questions, gives credit, links to more information and ideally transports the essence of what you would like the reader to take away. The important questions are: What is it about? (a title or short description) Who did it? (credits / twitter handle /…

On Friday 4th reports of a massive data leak affecting hundreds of German politicians and public figures hit the news. …