OSCD Sprint #2: Simulation, Detection & Response
It's been a while since the First OSCD Sprint, dedicated to Threat Detection. This time we will focus on multiple areas of practical CyberSecurity. You can find a detailed backlog here. Below is a general description of the sprint and areas of work.
Goals
- Improve MITRE ATT&CK coverage of open source Sigma rules and Atomic Red Team tests- Improve cross-coverage of Sigma rules and Atomic Red Team tests
- Improve ATC RE&CT coverage of open source TheHive Responders
The plan
1. Two weeks-long sprint starts October 5, 20202. Participants pick up tasks from the backlog or contribute other analytics
3. Participants use special guideline which will help to get familiar with the workflow
4. Results will be collected, reviewed, and pushed to projects' repositories on GitHub
Threat Detection
There is the Sigma project — Generic Signature Format for SIEM Systems. It has a converter that generates searches/queries for different SIEM systems and a set of Detection Rules.With time, the Sigma project ruleset has become the biggest (more than 600 rules) and the most mature community-driven Detection Rules set. This is the place where you could find Detection Rules for emerging threats (i.e. Windows DNS Server RCE CVE-2020-1350 exploit), adversary simulations tools (Empire, Cobalt Strike), adversary behaviors (Token stealing), and many more. Most of the rules are mapped to the MITRE ATT&CK framework.
Even if you are not using Sigma converter, you still can benefit from its ruleset. Most of the advanced security teams are subscribed to the Sigma Project updates on GitHub. It's a good time to do so if you haven't yet.
There are some critical gaps in the Sigma ruleset and plenty of decent publicly available Threat Detection analytics that haven't been added to the ruleset yet. That's what we decided to focus on. A detailed backlog on Threat Detection could be found here.
Adversary Simulation
There is the Atomic Red Team project — small and highly portable detection tests based on MITRE's ATT&CK. It allows every security team to test their controls by executing simple "atomic tests" that exercise the same techniques used by adversaries.With time, Atomic Red Team tests set has become the biggest and the most mature community-driven Adversary Simulation tests set.
There are atomic tests that are not covered by Sigma detection rules. This means that the community has a way to automatically simulate adversarial techniques but no rules to detect them in the public repository of the Sigma project.
At the same time, there are Sigma rules that are not covered by Atomic Red Team tests. In other words, the community has a way to detect adversarial techniques but no tests to simulate them in the public repository of the Atomic Red Team project.
Here is the actual Atomic Red Team and Sigma projects' coverage of the ATT&CK framework. Techniques that are covered by Sigma rules highlighted in blue color, Atomic Red Team tests - in red, both - in purple (click to expand):
Microsoft Windows
Apple macOS
GNU/Linux
That's what we decided to focus on. A detailed backlog on Adversary Simulation could be found here.
Incident Response
There is the TheHive — the most powerful open source and free Security Incident Response Platform. It has a module called Cortex — Observable Analysis and Active Response Engine. It operates by two key entities, called Analyzers and Responders — simple Python scripts that utilize API to communicate with 3rd party systems and execute some actions:- Analyzers provide the ability to analyze observables (i.e. IP address, Domain name, File hash etc) via Cyber Threat Intelligence platforms (i.e. MISP), analysis systems (i.e. Cuckoo Sandbox) and lookup services (i.e. VirusTotal)
- Responders provide the ability to execute some Response Actions (i.e. block domain name on a DNS server, block IP address on a firewall etc) by executing these actions with Python scripts
With time, the community developed about 150 Analyzers, which provide the ability to automatically analyze most of the observables types by most of the existing platforms, systems, and services.
For some reason, it didn't happen the same way with the Responders — there are only 20 of them, and they are far away from covering most common cases with common systems.
Here is the actual TheHive Analyzers and Responders coverage of the RE&CT framework. Analyzers are belonged to the Identification stage, while Responders are mostly to the Containment, Eradication, and Recovery stages:
Current coverage is green, possible is yellow (click to expand)
That's why we've decided to focus on the TheHive Responders development this time. A detailed backlog on Incident Response could be found here.
Results
- Added 287 Sigma rules in total. 242 developed and 305 updated by OSCD participants (Pull Request). 45 rules added by OTR Community (Pull Request);- Developed 23 Atomic Red Team tests and updated 7 (Pull Request);
- Developed 24 TheHive Responders to automate response actions in Palo Alto NGFW, Duo Security, Gmail and Azure Active Directory (Pull Request);
- Developed 1 TheHive Analyzer to automate IOC and CVE analysis with Vulners.com (Pull Request).
It is second time we increased Sigma ruleset by more than 30%.
Summary published on Medium.
Participants
| 🇺🇸 Greg Howell | | Open Threat Research |
| 🇺🇸 Jose Rodriguez | | Open Threat Research |
| 🇺🇸 Nate Guagenti | | Open Threat Research |
| 🇺🇸 Patrick St. John | | Open Threat Research |
| 🇺🇸 Roberto Rodriguez | | Open Threat Research |
| 🇺🇸 Craig Young | | Tripwire |
| 🇺🇸 Daniel Weiner | | Independent Researcher |
| 🇺🇸 Hare Sudhan | | Independent Researcher |
| 🇺🇸 Jaime Flores | | Independent Researcher |
| 🇺🇸 John Lambert | | Microsoft |
| 🇺🇸 John Tuckner | | Independent Researcher |
| 🇺🇸 Ryan Plas | | Stage 2 Security |
| 🇷🇺 Denis Beyu | | Independent Researcher |
| 🇷🇺 Dmitry Uchakin | | Kaspersky Lab/Vulners.com |
| 🇷🇺 Igor Fits | | Independent Researcher |
| 🇷🇺 Ilyas Ochkov | | Independent Researcher |
| 🇷🇺 Maxim Konakin | | Independent Researcher |
| 🇷🇺 Natalia Shornikova | | IZ SOC |
| 🇷🇺 Teymur Kheirkhabarov | | BI.ZONE SOC |
| 🇷🇺 Vasiliy Burov | | Independent Researcher |
| 🇵🇱 Bartlomiej Czyz | | Independent Researcher |
| 🇵🇱 Jakob Weinzettl | | Tieto SOC |
| 🇵🇱 Mateusz Wydra | | Relativity |
| 🇵🇱 Tim Ismilyaev | | Mana Security |
| 🇹🇷 Ensar Şamil | | Independent Researcher |
| 🇹🇷 Furkan Çalışkan | | Ziraat Teknoloji |
| 🇹🇷 Semanur Guneysu | | DESTEL/SOC |
| 🇹🇷 Ömer Günal | | Independent Researcher |
| 🇦🇺 Jai Minton | | Independent Researcher |
| 🇦🇺 Jonathan Cheong | | Independent Researcher |
| 🇦🇺 Zach Stanford | | CyberCX |
| 🇨🇦 Avneet Singh | | Independent Researcher |
| 🇨🇦 Mangatas Tondang | | Independent Researcher |
| 🇫🇷 Grégoire Clermont | | Independent Researcher |
| 🇫🇷 Nabil Adouani | | TheHive/StrangeBee |
| 🇮🇳 Kiran Kumar | | Independent Researcher |
| 🇮🇳 Omkar Gudhate | | Independent Researcher |
| 🇦🇪 Victor Sergeev | | Help AG |
| 🇦🇹 David Straßegger | | Independent Researcher |
| 🇧🇷 Jonhnathan Ribeiro | | Independent Researcher |
| 🇩🇪 Thomas Patzke | | Sigma Project |
| 🇪🇸 Alejandro Ortuno | | Independent Researcher |
| 🇭🇺 Gyorgy Acs | | Cisco |
| 🇮🇱 Eli Salem | | Independent Researcher |
| 🇳🇱 Sander Wiebing | | NFIR B.V. |
 Daniil Yugoslavskiy |
| Atomic Threat Coverage |
| 🇸🇬 Gleb Sukhodolskiy | | Independent Researcher |