Figures for 6 December 2019, when the final PR from OSCD to the Sigma master branch was created

OSCD: Threat Detection Sprint #1

Open Security Collaborative Development (OSCD) is an open international initiative of cybersecurity specialists aiming to solve common problems, share knowledge, and improve the general security posture.

It was created in fall 2019 by friendly open source security projects. The collaborative development is organized as two-week-long sprints.
The First Sprint focused on the Threat Detection area and on the Sigma Project ruleset specifically.

Why Sigma

Sigma Project is a Generic Signature Format for SIEM systems. It consists of a converter that generates searches/queries for different SIEM systems, and a set of Detection Rules from which the converter generates those queries.
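As an added illustration (not code from the Sigma project), here is a toy converter in the spirit of what the paragraph describes: it takes a rule laid out the way Sigma rules are (logsource, named selections, a condition) and emits a Splunk-style search. The rule, its field names and its values are constructed for the example; real Sigma rules are YAML files and the real converter supports far more modifiers, condition keywords and backends.

```python
import re

# Constructed rule in Sigma's layout (not a rule from the Sigma repository). Real
# rules are YAML; the parsed form is written as a dict here so no PyYAML is needed.
RULE = {
    "title": "Suspicious Access to LSASS (constructed example)",
    "logsource": {"product": "windows", "service": "sysmon"},
    "detection": {
        "selection": {"EventID": 10, "TargetImage|endswith": "\\lsass.exe"},
        "filter": {"SourceImage|endswith": ["\\MsMpEng.exe", "\\csrss.exe"]},
        "condition": "selection and not filter",
    },
}

# Supported Sigma value modifiers and the wildcard pattern each becomes.
WILDCARD = {"": "{}", "endswith": "*{}", "startswith": "{}*", "contains": "*{}*"}

def _field_query(spec, wanted):
    """One field line (`Field` or `Field|modifier`); a list of values is an OR."""
    field, _, mod = spec.partition("|")
    values = wanted if isinstance(wanted, list) else [wanted]
    terms = [f'{field}="{WILDCARD[mod].format(v)}"' for v in values]
    return terms[0] if len(terms) == 1 else "(" + " OR ".join(terms) + ")"

def _selection_query(sel):
    """Field lines inside one selection are ANDed."""
    terms = [_field_query(k, v) for k, v in sel.items()]
    return terms[0] if len(terms) == 1 else "(" + " AND ".join(terms) + ")"

def to_splunk(rule):
    """Expand each selection name in the condition into its search terms.
    Mapping `logsource` onto an index/sourcetype is omitted (backends use a config)."""
    det = rule["detection"]
    out = []
    for tok in re.findall(r"\(|\)|\w+", det["condition"]):
        if tok in ("and", "or", "not"):
            out.append(tok.upper())           # Sigma keywords -> SPL boolean operators
        elif tok in ("(", ")"):
            out.append(tok)
        elif tok != "condition" and tok in det:
            out.append(_selection_query(det[tok]))
        else:
            raise ValueError(f"unknown token in condition: {tok}")
    return " ".join(out)

if __name__ == "__main__":
    print(to_splunk(RULE))
```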

Over time, the Sigma Project ruleset has become the biggest and most mature community-driven set of Detection Rules. This is the place where you can find Detection Rules for emerging threats (like BlueKeep exploits), adversary simulation tools (Empire, Cobalt Strike), adversary behaviors (token stealing), and many more. Most of the rules are mapped to MITRE ATT&CK.

Even if you are not using the Sigma converter, you can still benefit from its ruleset. Most advanced security teams subscribe to Sigma Project updates on GitHub. It’s a good time to do so if you haven’t yet.

The ruleset has some gaps and issues. At the same time, plenty of decent analytics has been published (e.g. research on hunting for Windows Privilege Escalation / Lateral Movement / Credential Dumping tools and techniques) that hasn’t been added to the Sigma Project repository. This is what we decided to focus on during the First Sprint.

How it was

About 50 individuals committed themselves to work together on the sprint.

The plan was simple:

  1. Two-week-long sprint starts October 21, 2019

A few days after the start, on 24 October, we conducted a workshop at the hack.lu conference, where we presented the OSCD and explained what we were doing and why. Although most participants joined remotely, it was a fruitful time, as we were able to sit next to each other and discuss the rules.

The next day we reported the first results at the EU MITRE ATT&CK workshop in Luxembourg.

We achieved the expected results, even though by the end of the sprint the number of participants had dropped to 30.

Results

During the two-week-long sprint we:

  • added 144 new Sigma Rules

This increased the Sigma Project ruleset by more than 40%.
The list of contributed rules is available in the description of the Pull Request in the Sigma project repository.

Backlog

Even though we achieved a lot during the first sprint, there are many things we were not able to manage in two weeks. We decided to detail the backlog and put it into the Sigma repository issues for the community to pick up.

We believe that community collaboration to solve the listed tasks (and others of the same kind) is the most realistic and fastest solution to the problem of the “Offensive Security Tools release” that has been under heavy discussion in recent weeks.

We aim to have Detection Rules covering the TTP level of the Pyramid of Pain; this way we would be able to detect adversary behaviors regardless of the tool. ‘Offensive Security Tools’ are our best friends in this area.

Acknowledgments

The First OSCD sprint wouldn’t have happened without Alexandre Dulaunoy and the team of hack.lu conference organizers. They provided a timeslot at the conference for the OSCD workshop, as well as visa, accommodation, and informational support. We are very grateful for that.

Last but not least, it wouldn’t have happened without the participants who did all the hard work.

Thank you all. See you next sprint!

Merry Christmas and Happy New Year!

OSCD

Open Security Collaborative Development
