Figures as of December 6, 2019, when the final PR from OSCD to the Sigma master branch was created

OSCD: Threat Detection Sprint #1

Open Security Collaborative Development (OSCD) is an open international cybersecurity specialist initiative aiming to solve common problems, share knowledge, and improve general security posture.

It was created in fall 2019 by friendly open source security projects. The collaborative development is organized as two-week-long sprints.
The First Sprint focused on the Threat Detection area, and specifically on the Sigma Project ruleset.

Why Sigma

Sigma Project is a Generic Signature Format for SIEM Systems. It consists of a converter that generates searches/queries for different SIEM systems, and a set of Detection Rules that the converter uses to generate those queries.
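To make the "generic rule in, per-SIEM query out" idea concrete, here is an added illustration (not Sigma's own code, and not the project's converter): a Sigma-style rule held as a Python dict (the real format is YAML) and a toy converter that renders its detection block for a Splunk-style and an SQL-style backend. The field names, values and the `monitoring` exclusion are constructed, and the condition parser only understands `and`/`or`/`not` over map names.

```python
# Added illustration, not Sigma's own code. Real sigmac also maps field names
# per logsource, handles parentheses and aggregations, and applies backend-
# specific escaping; this keeps only the core idea of one rule -> many queries.

RULE = {  # constructed example rule, Sigma-style structure
    "title": "Netcat started with an executable redirect (constructed)",
    "logsource": {"category": "process_creation", "product": "linux"},
    "detection": {
        "selection": {
            "Image|endswith": ["/nc", "/ncat"],   # list values are OR-ed
            "CommandLine|contains": "-e /bin/",  # map entries are AND-ed
        },
        "filter": {"User": "monitoring"},        # constructed exclusion
        "condition": "selection and not filter",
    },
    "level": "high",
}

def splunk_term(field, mod, value):
    """One field test as a Splunk search term (wildcard '*', escapes \\ and \")."""
    v = value.replace("\\", "\\\\").replace('"', '\\"')
    wild = {"endswith": "*" + v, "contains": "*" + v + "*", "startswith": v + "*"}
    return f'{field}="{wild.get(mod, v)}"'

def sql_term(field, mod, value):
    """One field test as an SQL predicate (LIKE wildcard '%', escapes ')."""
    v = value.replace("'", "''")
    if mod == "endswith":   return f"{field} LIKE '%{v}'"
    if mod == "contains":   return f"{field} LIKE '%{v}%'"
    if mod == "startswith": return f"{field} LIKE '{v}%'"
    return f"{field} = '{v}'"

def render_map(spec, term):
    """Render one detection map: values OR-ed within a field, fields AND-ed."""
    clauses = []
    for key, values in spec.items():
        field, _, mod = key.partition("|")          # "Image|endswith" -> modifier
        values = values if isinstance(values, list) else [values]
        alts = [term(field, mod, v) for v in values]
        clauses.append(alts[0] if len(alts) == 1 else "(" + " OR ".join(alts) + ")")
    return "(" + " AND ".join(clauses) + ")"

def convert(rule, term):
    """Walk the condition (and/or/not + map names only) and emit one query."""
    det = rule["detection"]
    parts = [tok.upper() if tok in ("and", "or", "not") else render_map(det[tok], term)
             for tok in det["condition"].split()]
    return " ".join(parts)

if __name__ == "__main__":
    print("splunk:", convert(RULE, splunk_term))
    print("sql:   ", convert(RULE, sql_term))
```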

With time, the Sigma Project ruleset has become the biggest and most mature community-driven Detection Rules set. This is the place where you can find Detection Rules for emerging threats (like BlueKeep exploits), adversary simulation tools (Empire, Cobalt Strike), adversary behaviors (token stealing), and many more. Most of the rules are mapped to MITRE ATT&CK.

Even if you are not using the Sigma converter, you can still benefit from its ruleset. Most advanced security teams are subscribed to Sigma Project updates on GitHub. It’s a good time to do so if you haven’t yet.

There are some gaps and issues in it; at the same time, there is plenty of decent analytics published (e.g. research on hunting for Windows Privilege Escalation / Lateral Movement / Credential Dumping tools and techniques) that hasn’t been added to the Sigma Project repository. This is what we decided to focus on during The First Sprint.

How it was

About 50 individuals committed to working together on the sprint.

The plan was simple:

  1. Two-week-long sprint starts October 21, 2019
  2. Participants pick up tasks from the backlog or contribute other analytics
  3. Participants use the guideline to get familiar with the workflow
  4. Results are reviewed and pushed to the Sigma repository on GitHub

A few days after the start, on October 24, we conducted a workshop at the hack.lu conference, presented the OSCD, and explained what we were doing and why. Although most of the participants were joining remotely, it was quite a fruitful time, as we were able to sit next to each other and discuss the rules.

The next day we reported the first results at the EU MITRE ATT&CK workshop in Luxembourg.

And we achieved the expected results, even though by the end of the sprint the number of participants had dropped to 30.

Results

During the two-week-long sprint we have:

  • added 144 new Sigma Rules
  • improved 19 existing Rules
  • deprecated two existing Rules

This way, we’ve increased the Sigma Project ruleset by more than 40%.
The listing of contributed rules is available in the description of the Pull Request in the Sigma project repository.

Backlog

Even though we achieved a lot during the first sprint, there are many things we were not able to manage in two weeks. We decided to detail the backlog and put it into the Sigma repo issues for the community to pick up.

We believe that community collaboration to solve the listed tasks (and others of the same kind) is the most realistic and fastest solution to the problem of the “Offensive Security Tools release” that has been under heavy discussion for the last few weeks.

We are aiming to have Detection Rules covering the TTP level of the Pyramid of Pain; this way we would be able to detect adversary behaviors regardless of the tool. ‘Offensive Security Tools’ are our best friends in this area.

Acknowledgment

The First OSCD sprint wouldn’t have happened without Alexandre Dulaunoy and the team of hack.lu conference organizers. They provided a timeslot at the conference for the OSCD workshop, as well as visa, accommodation, and informational support. We are very grateful for that.

Last but not least, it wouldn’t have happened without the participants who did all the hard work:

Thank you all. See you next sprint!

OSCD

Open Security Collaborative Development

Written by Daniil Yugoslavskiy. Head of Threat Detection at @cindicator. Founder of @atc_project. OSCP, CCNP Security, GCFA, GNFA.
