Open Security Collaborative Development (OSCD) is an open international initiative of cybersecurity specialists aiming to solve common problems, share knowledge, and improve the general security posture.
It was created in fall 2019 by friendly open source security projects. The collaborative development is organized as two-week-long sprints.
The First Sprint focused on the Threat Detection area, and specifically on the Sigma Project ruleset.
Sigma Project is a Generic Signature Format for SIEM Systems. It consists of a converter that generates searches/queries for different SIEM systems and a set of Detection Rules from which the converter generates those queries.
With time, the Sigma Project ruleset has become the biggest and most mature community-driven set of Detection Rules. It is the place to find Detection Rules for emerging threats (like BlueKeep exploits), adversary simulation tools (Empire, Cobalt Strike), adversary behaviors (token stealing), and many more. Most of the rules are mapped to MITRE ATT&CK.
Even if you are not using the Sigma converter, you can still benefit from its ruleset. Most advanced security teams are subscribed to Sigma Project updates on GitHub. It’s a good time to do so if you haven’t yet.
At the same time, there are some gaps and issues in it: plenty of decent analytics have been published (e.g. research on hunting for Windows Privilege Escalation, Lateral Movement, and Credential Dumping tools and techniques) that haven’t been added to the Sigma Project repository. This is what we decided to focus on during The First Sprint.
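As an added example (not code from the Sigma project or from this post), the snippet below shows the two halves described above in miniature: a rule written in Sigma's field|modifier form, constructed here for a common defensive check, is evaluated directly against sample process-creation events, and the same rule is rendered as a Splunk-like query the way a converter backend would. The events, the rule and the exact output syntax are assumptions for illustration.

```python
RULE = {  # parsed form of a Sigma YAML rule; constructed for this example
    "title": "Encoded PowerShell Command Line",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": ["-enc", "-EncodedCommand"],
        },
        "filter": {"ParentImage|endswith": "\\explorer.exe"},
        "condition": "selection and not filter",
    },
}

def _cmp(value, wanted, modifier):
    value, wanted = value.lower(), str(wanted).lower()  # Sigma string matching is case-insensitive
    if modifier == "endswith":
        return value.endswith(wanted)
    if modifier == "contains":
        return wanted in value
    return value == wanted  # no modifier: exact match

def match_map(selection, event):
    """Keys of a selection map are AND-ed; a list of values for one key is OR-ed."""
    for key, spec in selection.items():
        field, _, modifier = key.partition("|")
        values = spec if isinstance(spec, list) else [spec]
        if not any(_cmp(str(event.get(field, "")), v, modifier) for v in values):
            return False
    return True

def evaluate(rule, event):
    """Evaluate the rule against one event; handles conditions 'X' and 'X and not Y'."""
    det, parts = rule["detection"], rule["detection"]["condition"].split()
    hit = match_map(det[parts[0]], event)
    if parts[1:3] == ["and", "not"]:
        hit = hit and not match_map(det[parts[3]], event)
    return hit

def to_query(rule):
    """Converter step: render the same rule as a Splunk-like search string (assumed syntax)."""
    wild = {"endswith": "*{}", "contains": "*{}*", "": "{}"}
    def render(selection):
        terms = []
        for key, spec in selection.items():
            field, _, modifier = key.partition("|")
            values = spec if isinstance(spec, list) else [spec]
            alts = [f'{field}="{wild[modifier].format(v)}"' for v in values]
            terms.append(f"({' OR '.join(alts)})" if len(alts) > 1 else alts[0])
        return " ".join(terms)
    det, parts = rule["detection"], rule["detection"]["condition"].split()
    query = render(det[parts[0]])
    if parts[1:3] == ["and", "not"]:
        query += f" NOT ({render(det[parts[3]])})"
    return query
```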
How it was
About 50 individuals committed themselves to work together on the sprint.
The plan was simple:
- Two-week-long sprint starts October 21, 2019
- Participants pick up tasks from the backlog or contribute other analytics
- Participants use the guideline to get familiar with the workflow
- Results reviewed and pushed to Sigma repository on GitHub
A few days after the start, on October 24, we conducted a workshop at the hack.lu conference, presented the OSCD, and explained what we were doing and why. Although most of the participants joined remotely, it was quite a fruitful time, as we were able to sit next to each other and discuss the rules.
The next day we reported the first results at the EU MITRE ATT&CK workshop in Luxembourg.
We achieved the expected results, even though the number of participants had dropped to 30 by the end of the sprint.
During the two-week-long sprint we:
- added 144 new Sigma Rules
- improved 19 existing Rules
- deprecated two existing Rules
This way, we’ve increased the Sigma Project ruleset by more than 40%.
The listing of contributed rules is available in the description of the Pull Request in the Sigma project repository.
Even though we achieved a lot during the first sprint, there are many things we were not able to manage in two weeks. We decided to detail the backlog and put it into the Sigma repo issues for the community to pick up:
- Develop Sigma rules for Privilege Escalation in Windows Environment
- Develop Sigma rules for PowerShell Abuse
- Develop Sigma rules for Lateral Movement in Windows Infrastructure
- Develop Sigma rules for Invoke-DOSfuscation
- Develop Sigma rules for Invoke-Obfuscation
- Develop Sigma rules for Living Off The Land Binaries and Scripts
- Develop Sigma rules for Atomic Red Team tests
We believe that community collaboration on the listed tasks (and others of the same kind) is the most realistic and fastest solution to the problem of “Offensive Security Tools release” that has been under heavy discussion for the last few weeks.
We are aiming to have Detection Rules covering the TTP level of The Pyramid of Pain; this way we would be able to detect adversary behaviors regardless of the tool. ‘Offensive Security Tools’ are our best friends in this area.
The First OSCD sprint wouldn’t have happened without Alexandre Dulaunoy and the team of hack.lu conference organizers. They provided a timeslot at the conference for the OSCD workshop, as well as visa, accommodation, and informational support. We are very grateful for that.
Last but not least, it wouldn’t have happened without the participants who did all the hard work:
- Thomas Patzke, @blubbfiction (Sigma Project) 🇩🇪
- Teymur Kheirkhabarov, @HeirhabarovT (BI.ZONE SOC) 🇷🇺
- Daniel Bohannon, @danielhbohannon (FireEye) 🇺🇸
- Alexey Potapov (PT ESC) 🇷🇺
- Kirill Kiryanov (PT ESC) 🇷🇺
- Egor Podmokov (PT ESC) 🇷🇺
- Anton Kutepov (PT ESC) 🇷🇺
- Alexey Lednyov (PT ESC) 🇷🇺
- Anton Tyurin (PT ESC) 🇷🇺
- Jan Hasenbusch (BSI) 🇩🇪
- Eva Maria Anhaus (BSI) 🇩🇪
- Diego Perez, @darkquassar (Independent Researcher) 🇦🇷
- Mikhail Larin (Jet CSIRT) 🇷🇺
- Alexander Akhremchik (Jet CSIRT) 🇷🇺
- Dmitriy Lifanov (Jet CSIRT) 🇷🇺
- Alexey Balandin, @Kriks87 (Jet CSIRT) 🇷🇺
- Roman Rezvukhin (CERT-GIB) 🇷🇺
- Alina Stepchenkova (CERT-GIB) 🇷🇺
- Timur Zinniatullin (Angara technologies group) 🇷🇺
- Gleb Sukhodolskiy (Angara technologies group) 🇷🇺
- Victor Sergeev, @stvetro (Help AG) 🇦🇪
- Ilyas Ochkov, @CatSchrodinger (Independent Researcher) 🇷🇺
- James Pemberton, @4A616D6573 (Hydro Tasmania) 🇦🇺
- Denis Beyu (GKU TO CITTO) 🇷🇺
- Mateusz Wydra, @sn0w0tter (Relativity) 🇵🇱
- Jakob Weinzettl, @mrblacyk (Tieto SOC) 🇵🇱
- Tom Kern (NIL SOC) 🇸🇮
- Sergey Soldatov, @SVSoldatov (Kaspersky MDR) 🇷🇺
- Ian Davis (Tieto SOC) 🇨🇿
Thank you all. See you next sprint!