Apr 18, 2022

7 min read

OSCD Sprint # 2: Detection, Simulation & Response, results (EN)

Original publication date — September 10, 2021

Open Security Collaborative Development (OSCD) is an open international cybersecurity specialist initiative. We collaborate on common problems and share knowledge.

Two-week sprints were chosen as the work format. This time is enough to plunge into the essence of the problems being solved, while the limited time prevents endless rework in pursuing perfection.

The first OSCD sprint took place in October 2019 and was called “Threat Detection”. That time we focused on threat detection rules development in Sigma format to improve MITRE ATT&CK® coverage.

We’ve increased the ruleset of the Sigma Project by more than 40%, contributing 144 new rules. The sprint summary was published on Medium and the initiative’s website.

The second sprint took place in October 2020, which we are going to talk about in this article.

Preparation

Before the start of the sprint, it was necessary to carry out preparatory work. In this section, we will consider in more detail what had to be done to make it convenient and easy for the participants to complete the tasks.

Shortly before the sprint, MITRE ATT&CK released a new version of the framework with sub-techniques. We updated the entire Sigma repository ruleset (reviewed 644 and updated 513 rules) with new MITRE ATT&CK technique IDs (tags) in order to develop a detailed backlog.

We developed and published the backlog, where for each task we specified the Estimated Time to Complete (ETC) and required knowledge. We also developed the How-To section, listing learning materials to get the required knowledge for every task. This way, participants could define the individual scope of tasks that they could realistically solve during the sprint, taking into account task description, amount of time they could spend on them, and their skillset.

We created Issues to the targeted projects’ repositories on GitHub based on the backlog. Maintainers created separate branches in the repositories for the OSCD, special thanks to them for this. Participants described the tasks in detail and gave all the background needed to solve them in those Issues, and also provided links to relevant research and resources, and to previous community work on each task. This helped to bring the work during the sprint as close as possible to real interactions within the open source community. Having gained such experience, it will be easier for the participants to further contribute to various projects after the end of the sprint.

We developed MITRE ATT&CK® Navigator layers to visualize coverage of adversary techniques by threat detection rules (Sigma) and threat simulation tests (Atomic Red Team): one general Sigma + ART layer and separate layers for each operating system Sigma + ART Windows | Sigma + ART GNU\Linux | ART macOS.

The same way we visualized current and possible TheHive Analyzers and Responders coverage of the ATC RE&CT framework’s Response Actions.

The coverage visualizations of ATT&CK and RE&CT frameworks will help us estimate the real effect of our joint efforts.

Beginning

On 5th October 2020, the second OSCD sprint began under the title “Simulation, Detection & Response”. Unlike the first sprint, in which we focused only on threat detection, in the second sprint it was decided to give the participants the opportunity to demonstrate their knowledge in the field of attack emulation and incident response. Therefore, tasks for two other projects were added to the general backlog:

Atomic Red Team — small and highly portable detection tests based on MITRE’s ATT&CK. It allows every security team to test their controls by executing simple “atomic tests” that exercise the same techniques used by adversaries. With time, Atomic Red Team tests set has become the biggest and the most mature community-driven Adversary Simulation tests set;
TheHive — the most powerful open source and free Security Incident Response Platform. It has a module called Cortex — Observable Analysis and Active Response Engine. It operates by two key entities, called Analyzers and Responders — simple Python scripts that utilize API to communicate with 3rd party systems and execute specific actions.

How it was

We believe that the right choice of communication method during the sprint helps in the long run to build the right skills for working with open source repositories and communication within the community.

Therefore, during the sprint, participants communicated in Issues and Pull Requests to the targeted projects’ repositories on GitHub. We gave up chat rooms because they weren’t that useful last time. In spite of this, there were many good examples of open and productive communication. For example, while developing analytics to detect Lateral Movement techniques, participants tagged Teymur Kheirkhabarov, the author of several studies on the topic, in a discussion on GitHub. He got in touch quickly and helped to find the solution.

Comments or corrections to other participants’ decisions were made in the form of suggestions, inviting them to consider or try a different approach. All suggestions were backed up by justification with specific examples and references.

Geography: 🇺🇸 🇷🇺 🇵🇱 🇹🇷 🇦🇺 🇨🇦 🇫🇷 🇮🇳 🇦🇪 🇦🇹 🇧🇷 🇩🇪 🇪🇸 🇳🇱 🇮🇱 🇭🇺 🇸🇬

OSCD was designed as an international initiative and we are very inspired by the growing internationality of the initiative from sprint to sprint. This time there were triple as many specialists — 47 participants from 17 countries.

Results

The results exceeded all our expectations! The participants showed a high level of expertise and productivity. This is despite the increase in the number of projects! It is also worth noting the growth of the backlog size from sprint to sprint, while the indicators of the initiative’s total benefit for the community are steadily growing.

The sprint results were formalized as final Pull Requests in the corresponding projects. All in all, the participants achieved the following results:

Developed 287 Sigma rules in total. 242 added and 305 updated by OSCD participants (Pull Request). 45 rules added by OTR Community (Pull Request);

It is second time we increased Sigma ruleset by more than 30%!

Developed 23 and updated 7 Atomic Red Team tests (Pull Request);
Developed 24 TheHive responders to automate response actions in Palo Alto NGFW, Duo Security, Gmail and Azure Active Directory (Pull Request);
Developed 1 TheHive analyzer for IOC and CVE analysis with Vulners.com (Pull Request).

This is a good example of the results that can be achieved by the community working together to solve common problems. Practical cooperation, which we think we are lacking.

Participants

We express our deep gratitude to the specialists who took part in the last sprint. What is especially pleasant, that many of them participated for the second time. Here is the list of Sprint 2 participants, which is also available on our website:

Thank you all!

BTW, we’ve created a LinkedIn organization, so you can mention your Sprints participation as a volunteer experience:

Want to be involved

Do you also want to make the world a little safer and apply your knowledge for the greater good? OSCD has no entry requirements. The work is done openly and solely for the benefit of the community, not for profit and without any relations to commercial organizations. Follow the news on Twitter or in Telegram, wait for the next sprint announcement, choose a task from the backlog or propose your own, and develop a solution together with the community!

Useful links