The Githubification of InfoSec

Summary

Introduction

Organized Insight

MITRE ATT&CK technique page for T1015: description, examples and mitigations, references
  • It is curated. ATT&CK manages complexity by organizing techniques based on attacker objectives, grouping similar techniques together, and relating them to affected platforms.
  • It is contributor friendly. In a recent release, most of the new techniques were contributed by researchers outside of MITRE. Since ATT&CK documents techniques seen in actual attacks instead of just theoretical ones, drawing from the community is essential as researchers around the globe see different attacks.
  • It is extensible. The most popular version of ATT&CK is for enterprise networks, but already there are efforts to adapt ATT&CK to cloud, mobile, IoT, industrial controls, and the router space. This adaptability simplifies the process for defenders to learn new domains.
  • Threat actors are described by the ATT&CK techniques they use. Defenders can then evaluate their defensive controls against the subset of techniques used by the specific threat actors they face. Here is an example of Palo Alto describing the ATT&CK techniques used by the Sofacy threat actor:
Sofacy actor MITRE ATT&CK techniques described by Palo Alto Unit 42
  • The ATT&CK navigator tool by MITRE allows one to select multiple threat groups and see where they overlap and where they differ. This example shows APT 28 (in orange) and the additional techniques used by APT 29:
MITRE ATT&CK Navigator selecting APT28 and APT29
  • Another open source project, Atomic Red Team, by Red Canary creates test cases for ATT&CK techniques. With a mantra of “trust but verify”, this approach lets defenders find blind spots early. Here are the test cases supported by the project at the time of writing (in red):
Atomic Red Team Coverage map

Actionable Analytics

  1. A Sigma rule contains not only the detection logic but also additional context (log sources, platforms, MITRE ATT&CK techniques, etc.) and it is easier to read than most vendor-specific query languages. The rule is therefore self-documenting, making it easier to explain and to share. It even facilitates the documentation process within a team.
  2. Researchers may want to contribute their detection idea to a wider community. With Sigma, they simplify the process of translating their detection logic to multiple back ends because Sigma does it for them. This spreads the idea further with less work needed by others. Software developers can pre-package Sigma rules with their product to make it easier for defenders to alert on high impact issues (security relevant error conditions, anomalies, or sensitive operations). Researchers creating tools for Red Teams can provide detection starting points for their attack techniques in the form of Sigma rules as a way to embrace purple teaming.
  3. They want to be vendor neutral. Security advisories often want to provide actionable information that speeds up defenders while avoiding vendor-specific endorsements. They could complement their use of Yara and Snort with Sigma.

Repeatable Analysis

What is Jupyter?

  • A fundamental component is the notebook. A notebook is a file that combines markup, code, and data. Markup is used to provide description and exposition. The notebook can load data from a data source, search through it using data analysis commands, and then render it using a diverse set of powerful visualization tools. Notebooks are usually written in Python (though not required) and draw upon the rich set of open source libraries for processing data such as Pandas. If one wants to go beyond searching to the realm of data science or machine learning, that’s within reach as well. Notebooks are not a niche technology — there are over 5 million of them on GitHub.
  • Notebooks are shareable. Notebooks are files, so one can publish them anywhere. GitHub has native support for notebooks so others can easily preview them. When someone else downloads a notebook, they can follow along on the analysis, or they can apply the methodology to their data by re-running it. This ability to execute the analysis against similar data is a powerful concept that allows one to encapsulate expertise. Now any publisher of a notebook is not only a teacher, but also a virtual team member.
  • It can run anywhere. The browser-based notebook requires a “kernel” to run. Kernels are computing processes that execute Python, .NET, and other languages and return the results to the notebook UI. Notebooks can run in almost any browser — Windows, Linux, Mac and mobile platforms. The kernels can run locally or remotely, on-premises or in the cloud, and every major cloud vendor supports them.

An Example Notebook

Obfuscated PowerShell command flagged by a rule
After decoding the Base64 command, the following shellcode is found
Searching for strings to find the callback domain
Disassemble the shellcode and annotate the APIs to discover its functionality
Summarizing its functionality, it uses Windows APIs to connect to a domain (InternetConnectA, HttpSendRequestA, etc.) and download commands that it runs directly in memory (VirtualAlloc), which matches the description: “Magic Unicorn is a simple tool for using a PowerShell downgrade attack and inject shellcode straight into memory.” — Dave Kennedy (@HackingDave)
Jupyter Notebooks that can run live on mybinder.org hosted at https://github.com/JohnLaTwC/Shared/tree/master/notebooks
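To make the Sigma rule structure described under Actionable Analytics and the notebook's first step (decoding the flagged Base64 PowerShell command) concrete, here is an added example that is not code from the article, the Sigma project, or the linked notebooks. It assumes flat Sysmon-style process_creation events (Image, ParentImage, CommandLine), embeds the rule as a Python dict mirroring the YAML fields, and implements only the contains/endswith modifiers and the two condition shapes it uses.

```python
import base64
import re

# Constructed rule mirroring a Sigma YAML rule's fields (logsource, detection, condition,
# ATT&CK tags). attack.t1086 is ATT&CK's original PowerShell ID (later split into T1059.001).
RULE = {
    "title": "Suspicious Encoded PowerShell Command",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {"Image|endswith": "\\powershell.exe",
                      "CommandLine|contains": [" -enc ", " -encodedcommand "]},
        "filter": {"ParentImage|endswith": "\\ccmexec.exe"},  # SCCM client's benign -enc use
        "condition": "selection and not filter"},
    "tags": ["attack.execution", "attack.t1086"]}

def field_matches(event, key, expected):
    """One 'Field|modifier' entry; a list of values is an OR; Sigma matching is case-insensitive."""
    name, _, mod = key.partition("|")
    actual = str(event.get(name, "")).lower()
    for v in (expected if isinstance(expected, list) else [expected]):
        v = str(v).lower()
        if {"contains": v in actual, "endswith": actual.endswith(v), "": actual == v}[mod]:
            return True
    return False

def rule_matches(event, rule=RULE):
    """Conditions used here: 'selection' or 'selection and not filter'; a block's fields AND together."""
    det = rule["detection"]
    block = lambda name: all(field_matches(event, k, v) for k, v in det[name].items())
    return block("selection") and not ("not filter" in det["condition"] and block("filter"))

def decode_encoded_command(cmdline):
    """Recover the script behind -enc/-EncodedCommand (Base64 of UTF-16LE): the notebook's first step."""
    m = re.search(r"-(?:enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    return base64.b64decode(m.group(1)).decode("utf-16-le") if m else None

def triage(events, rule=RULE):
    """Return (title, ATT&CK tags, decoded script) for every event the rule flags."""
    return [(rule["title"], rule["tags"], decode_encoded_command(e["CommandLine"]))
            for e in events if rule_matches(e, rule)]

# Constructed process_creation events; the encoded script is inert sample text.
ENC = base64.b64encode("Write-Output 'constructed sample'".encode("utf-16-le")).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"Image": PS, "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": f"powershell.exe -enc {ENC}"},
    {"Image": PS, "ParentImage": r"C:\Windows\CCM\CcmExec.exe", "CommandLine": f"powershell.exe -EncodedCommand {ENC}"},
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe a.txt"},
]
```

Only the first event is reported: the second hits the selection but is excluded by the filter block, which is how a Sigma rule documents a known benign source alongside its detection logic.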

Promoting Community

Office 365 Attack Matrix incorporated into MITRE ATT&CK
Example cloud technique contributed by Swetha Prabakaran
Sigma rule for finding suspicious PowerShell commands

The Githubification of InfoSec

  • It’s a model of using open approaches that stack together to compound learning and improve efficiency.
  • It’s a metaphor about collaboration where contribution is a virtual “pull request” away.
  • It’s a site, GitHub.com, that has collaboration tools. While projects can embrace the concepts of Githubification without being hosted on GitHub, GitHub simplifies collaboration and improves transparency of the projects hosted on it.
Githubification of InfoSec — A stackable set of practices to speed infosec learning

Wrap Up and Call to Action

  • Support Sigma rules in your product such as JoeSecurity has done
  • Publish a notebook that uses data from your product
  • Support Python interfaces to your data
  • Publish a notebook demonstrating a technique
  • Contribute Sigma rules to a repository
  • Add new attack techniques or examples to MITRE ATT&CK
  • Publish data-sets useful for testing Sigma rules such as the MORDOR project.
  • Ask a team member to research these technologies and share them with the team
  • Ask peer companies if they have experience with ATT&CK, Sigma, or Jupyter notebooks
  • Send your team members to training on Python or notebooks
  • Use your voice as a customer to encourage vendors to support ATT&CK, Sigma, and Jupyter
  • Publish advisories with Sigma rules
  • Reference MITRE ATT&CK techniques in advice and guidance

Acknowledgements

References and Links

Further Ideas

  • Link to Sigma and Yara rules
  • Provide logs where the TTP was demonstrated such as done with the MORDOR project.
  • Document attack examples for techniques that are lacking public information.
  • Increase coverage of network-based visibility for techniques
  • Improve the mitigation resources in the ATT&CK repository
  • Support more complex rule types such as correlation rules, joins, aggregates, and more parsing primitives
  • Support a GUI for authoring rules and validating logic
  • Have a simplified data model for common entity types (e.g. “write a rule on processes”, not Sysmon event ID 1 or Windows Event ID 4688).
  • Build Infosec Python libraries for defenders
  • Better visualization support for common infosec scenarios: tree views for visualizing process tree hierarchies and timeline views for visualizing attacker activity.
  • Distance functions for clustering algorithms for common data types (IPs, domains, process command lines, etc)
  • Common data access layer to abstract querying back-ends, handling authentication methods, and so on.

John Lambert, Distinguished Engineer, Microsoft Threat Intelligence Center, @JohnLaTwC
