SANS Threat Analysis Rundown in Review: Breaking Down March 2025’s Discussion

On this month’s SANS Threat Analysis Rundown, I was joined by Zack Allen, Senior Director of Security Research and Detection at Datadog, and author of the excellent weekly newsletter Detection Engineering Weekly. We covered a range of topics, from detection engineering and threat intelligence to group naming and recent compromises. Here's a recap of the discussion.

Detection Engineering and Threat Intelligence

Zack began by discussing his Detection Engineering Weekly newsletter, a resource he has maintained for over two years, in which he curates cybersecurity news, threat intelligence, and detection research. He explained that his sources include Reddit communities, RSS feeds, and security Slack groups, highlighting the importance of staying informed across multiple platforms. We discussed how we missed the height of “threat intel Twitter” (those were the days!), and I noted that Zack’s newsletter is one of the sources I use every month to prepare for STAR. We discussed how detection engineering and threat intelligence are complementary, with Zack emphasizing that good detection engineers must understand threats deeply to write effective detections.

Annual threat reports are also great resources for threat intelligence, and this is the time of the year when many of them are released. There’s a cool repository that contains many of these reports that I recommend checking out: Awesome Annual Security Reports. These reports are not just for passive reading—organizations should use them to inform their detection strategies by identifying common intrusion chains, prioritizing patching, and refining detections based on emerging threats. It’s worth looking at security reports from our own organizations, too: Datadog’s State of Cloud Security Report and Red Canary’s 2025 Threat Detection Report.

Recent Threat Reports

Zack shared several resources from his most recent Detection Engineering Weekly newsletter, including a TrustedSec blog outlining how red teams help improve blue team defenses by simulating real-world attacks. As Zack pointed out, red teamers make excellent detection engineers because they understand how attacks get caught and can design better detection rules. Zack and I agree that organizations don’t need perfect security—even one well-placed detection could block an entire intrusion chain. Regular adversary simulations combined with threat intelligence can dramatically improve an organization’s resilience.

In our chat, we highlighted several recent threat reports that are notable and worth knowing about. These include:

• Fake browser updates: There’s an ongoing threat of fake browser update campaigns, where attackers use malicious pop-ups to trick users into downloading malware. These campaigns often impersonate Google Chrome, Microsoft Edge, and Firefox update alerts, making them highly convincing. Once clicked, the user unknowingly downloads a JavaScript payload or malicious installer that initiates the infection. As Zack emphasized, these attacks remain an effective initial access technique, often leading to ransomware infections or credential theft. Organizations can mitigate this risk by blocking JavaScript execution from untrusted sources and educating users on verifying browser updates through official settings, not pop-ups.
• GitHub actions: Adversaries are increasingly using GitHub repositories to distribute malware-laced open-source packages. Zack gave an overview of a GitHub Actions attack in which an adversary compromised a popular GitHub workflow, allowing them to steal secrets from thousands of developers.
• ESXi exploitation: We reviewed a blog detailing active exploitation of VMware ESXi environments, emphasizing the growing adversary interest in virtualization infrastructure. The exploitation involved leveraging misconfigurations and unpatched vulnerabilities to gain control over ESXi hypervisors, allowing adversaries to deploy ransomware or pivot deeper into networks. Zack pointed out that because many organizations overlook virtualization security, ESXi hosts often lack proper logging, monitoring, and segmentation, making them attractive targets. Defenders should apply the latest patches, restrict ESXi access, and enable robust logging to detect suspicious activity early.
• Corporate espionage: Zack gave an overview of a recent corporate espionage case, where an insider at Rippling allegedly stole trade secrets from a competitor, Deel. The insider searched Slack more than 6,000 times for sensitive data, raising the question of whether organizations are monitoring for this type of activity. Zack pointed out that Slack does not log search history, meaning many organizations have no way to detect similar insider threats.

Tools and Methods for Analysts

There are tools and methodology available to analysts and defenders, including GuardDog, an open-source tool that detects malware within Python, npm, and Ruby packages. Zack’s team at Datadog found that adversaries are now specifically targeting security researchers and red teamers by planting malware in offensive security tools, and this tool can help identify that.

We also discussed a contentious topic, the naming of threat actors, as outlined in this blog post from Ryan Dewhirst. We acknowledge that there are pros and cons of different naming conventions, and that while names can be marketing-driven, they also help analysts quickly identify adversary clusters.

A blog about Lazarus Group infrastructure analysis was another source Zack highlighted in his newsletter due to how it demonstrated infrastructure hunting techniques using pivoting methods to track threat actor IP addresses and domains. Zack highlighted how open-source intelligence (OSINT) tools allow defenders to uncover relationships between domains, VPS providers, and malicious infrastructure. I added to that, that better attribution tracking and sourcing could help the community avoid duplicating work.

Wrapping up

We closed by highlighting a few events to check out:

• SANS Ransomware Summit 2025 – Free, virtual event focused on the latest ransomware threats and defenses
• SANS AI Cybersecurity Summit 2025 – Explores how AI is shaping cybersecurity from both an offensive and defensive perspective
• RSA Conference 2025 – Zack and his Datadog teammates will present four talks at RSA Conference, covering cloud security, detection engineering, and adversary techniques.

Make sure to tune in for next month’s STAR Livestream and check out Zack’s Detection Engineering Weekly newsletter for more threat insights!