How to Level Up Your SOC Analyst Skill with Power Tool: Sigma

Captions
Gerald: In this video I'm going to show you Sigma. This is a new open source tool set that is being used everywhere in security operations centers to basically translate indicators of compromise quickly into a query that works with whatever tool set you're using in your SOC. This is going to be awesome if you're already working in a SOC, and if you're going to a job interview for a SOC and you tell them that you are familiar with Sigma, or even better, because we're going to be walking through exactly how to use it, that you know how to use it, I guarantee you it's going to be a key differentiator for you as a candidate. Coming up.

Hey everybody, welcome to Simply Cyber, the YouTube channel designed to help you make and take a cyber security career further, faster. I'm your host Gerald Auger, and on this channel we are talking cyber security labs, techniques, industry, career, certifications. If any of that is interesting to you, consider checking out the other videos on the channel or maybe hit subscribe. We post content every single Monday.

So in this episode we are talking about Sigma. Now I've heard people talking about this: whenever I encounter another colleague who I haven't seen in a while and we're bullshitting and sharing notes about work and what's new and stuff like that, there's a 50/50 shot they're going to mention Sigma or I'm going to mention Sigma to them. So it's really got this kind of groundswell.

Now what is Sigma? Sigma is this open source tool. It's basically an executable, but what it ends up allowing you to do is very easily share indicators of compromise or signatures that you can look for in your environment for malicious behavior and activity, very quickly, with the community. So it's basically like a Rosetta Stone for security operations centers.

So what I've done in today's video is I have engaged John Hoyt, who is a good friend of mine and an excellent, excellent blue teamer. He's a manager of a security operations center, he's been doing it for years, very, very knowledgeable, very, very good. He's also got a YouTube channel which I'll link in the show notes below. He just started it a few months ago. I encourage you to go check it out if you like what John's saying.

Now John has been using Sigma, so he actually decided to come on the show and show us how he's using it in his environment and how to basically run it for particular use cases. So we're going to take a look at that today.

But what I want you to really take away for that job interview, and be able to speak about Sigma, is that basically you can have a signature, for like the SolarWinds thing that's going on right now, right? You can have a signature defined, and it uses a kind of common format, if you will. So you define that, you post it up to the GitHub, which Florian Roth, by the way, thank you Florian Roth, who's the author of this tool. You have this bank of signatures, right? So you might not even have to write one. I bet you there's one for SolarWinds there right now. I'm going to go back after the video's done, in video editing, and put a pop-up right here, probably, of that. But that aside, if there's already one there, no matter if you're using Graylog or Splunk or whatever SIEM you're using, you can pull that signature down, push it through Sigma, tell Sigma what SIEM you're using, and it will generate a query that is language specific to your SIEM.

So instead of wasting time, this is a time saver app, that's what this is, right? You can quickly copy-paste whatever the custom query is, drop it in your SIEM, save it as a defined query or set it as an alertable query, and have it running in your environment. So very, very quickly you can go from notification that there is this threat out there, and a signature for it, to looking for it in your environment or being able to detect it in your environment. So this is very powerful, and this is the reason why there's such a groundswell on it, because it's awesome. Being able to see everything and have extra time, or not waste time on signatures and then troubleshooting them and stuff like that, that's where the value is.

So let's jump into the video with John. Again, check out his channel, it's very, very good, and let's learn Sigma.

Gerald: All right John, thanks so much for being with us today. I can't wait to talk to you about Sigma, but before we get into it, can you let the audience know who you are and a little bit about your background?

John: Yeah, so I'm John Hoyt. I'm a deputy director of information security at Clemson University. I've been with Clemson since 2007, involved with information security since then. I started out as an engineer doing intrusion detection and moved up through the ranks, I guess you'd say. I've been involved with cyber security since probably 2005.

Gerald: We're talking Sigma today. This is kind of coming on the scene fast and furious and making it like a legit tool for blue team and SOC analysts everywhere. So can you talk to us a little bit about what Sigma is, and why is it so hot and powerful right now?

John: Yeah, and props to Tom from USC who let me know about it. Really what Sigma is, it's taking all the log files that you have, that you're getting all in this big repository of a SIEM or wherever you're putting those, and using Sigma to create the signatures. Kind of like Snort: you would use Snort for signatures for network detection, you're using Sigma to do detection against the log files. And it's also a way to share those with multiple people. So instead of just creating a specific signature for Splunk, where you say all right, I'm going to look in these logs in Splunk, well, you can create it in a Sigma format that you can then share with anybody. You can share with somebody that's using an ELK stack, you can share it with somebody using whatever, and it's that generic format that takes it and converts it to whatever they're using. You can basically convert it from the generic signature to anything that they're going to use as well.

Gerald: Yeah, so super powerful in that it allows collaboration and real fast adaptation for really any environment. So is it indicators and rules for kind of endpoint logs, is it network logs, is it any kind of log? What's the scope of it?

John: It's pretty much any kind of log, and across different platforms. There's network logs, there's Linux logs: rules for Linux logs, rules for network logs, rules for Windows logs. It's all over, and there's really no restriction on the type of logs it can look at. It can look at Sysmon logs, it can look at auditd logs, it can look at application logs, which is really good. That's probably one of its biggest strengths. As you have all these app logs that are just there, you can have a Sigma rule that matches for things in applications as well.

Gerald: Interesting. So I have to imagine, since it's so interoperable, is there a repository or some type of shared collective that people are contributing to for these rules? Or how is the community making this available in a way that's digestible and shareable?

John: Yeah, what I've seen is Sigma itself is an open source repo, so it's out there on GitHub and people are contributing rules and new rules. It is similar to Snort, where anybody can create a Snort rule, right? You can create a Snort rule and then share with everybody. It's the same idea, where I could create a Sigma rule and share it with either maybe specific people that are kind of in my context. For us it might be higher ed, and I might say hey, folks here in my higher ed circle, here's a rule that's pertinent to you, you might want to use it as well. Or you can just upload it to, you know, add to the repo that's out there for Sigma on GitHub. So it's pretty open. Everything's open about it, which is great.

Gerald: That's cool. So how long does it take to write a rule and share a rule?

John: I mean, like, I created it, probably took me an hour to go through. But this is the first rule I've ever created. I've not actually created a rule before, but it took me an hour probably just to go through, look at a template, compare the template, change that template to match what we're going to look for. And so that's something I'll show you too, how you can do that and just take an example and modify it. And it was pretty easy, really. Just the formatting and the wording, and the template itself is pretty basic. It's not super complicated, it's not programming, it's just formatting, which is great.

Gerald: Yeah, so if you get like a template you can start with that and kind of modify it for your needs. Okay, cool. So let me ask you, if you're someone, a lot of my audience are people who are interested in learning more, or they're junior level analysts and they want to show up to work and be able to talk to the SOC manager about "hey, I learned about Sigma" and stuff like that. Is it approachable, is it accessible for someone who's trying to learn about Sigma who doesn't have a corporate environment to implement in? I guess, can you talk about what the accessibility path would be for someone who wanted to learn more about this and add it to their skill set?

John: Yeah, definitely. So what I would recommend is just to download the repo, and you'll need something that you can, typically either a Linux machine or something you can run terminal commands with, right? Because it runs, I think, on Python 3 in the back end. So you need Python, but you're not doing Python coding, that's the good thing about it. The wiki itself is pretty helpful in walking you through how to run it, to run it against the rules. The rules are all there when you download it, you'll see them. So what I would recommend is just going in there, running the commands you see in the wiki, playing with it, trying to convert a rule to different formats. They give you good examples. For my example we use Splunk, and Splunk you can play with for free online. You can actually sign up for a seven day free trial. I would recommend that, or else pick one of those and just play with them and get used to them. My familiarity is with Splunk, but definitely spin that up. It's pretty easy, you just sign up with your email, and I'm sure they're going to try to sell you something, but you can just sign up with your email. And then convert a rule. Just pick any rule, convert it, and then copy that and paste it into Splunk. I'll show you, I'll walk through that and I'll show you how to do it. But once you've copied that into Splunk, just try tweaking it, seeing what happens when you search the data. The Splunk instance that they gave me, it has data in there, it's not blank. There's Zeek data, there's some Windows event data and stuff like that. So pick some rules that are similar to that and then just test it. Just test, just like everything in security, which is great, there's sandboxes for pretty much everything.

Gerald: Yeah.

John: So this is another way to have a sandbox. You just run it and try creating different rules. And then once you've converted a bunch of rules and tested them and you've got them working, then do like I did: take one of those templates and work on converting that template to a new type of rule. It doesn't have to be anything fancy, it can be really straightforward. Start with something basic that you understand. So if Windows is your strength and you're like okay, I understand Windows, and I understand what remote desktop is, and RDP, and there's rules in there for those kinds of things, and you're like okay, if something tries to do RDP on my box, I would only allow it from these IP addresses, or something like that, right? Something basic.

Gerald: Yeah.

John: Take one of those simple rules where you kind of already understand what it's trying to do, and then tweak it and make it do something else. Maybe look for SMB, or maybe look for whatever, just something that makes sense to you.

Gerald: Are there any downsides to it, or pitfalls that you encountered, that someone doesn't have to live through themselves because you can share that now?

John: Yeah, I mean, I think the biggest thing that I've learned about it is just testing your rules. Testing them and testing them and testing them. And what I mean by that is not just run it and see if you get results back, but really the best thing to do is to try to have some kind of mimicked activity that will validate that the rule actually works, right? So if you use Sigma to generate your signature that you dump into your SIEM and you run it, you're like okay, no errors, we're good to go. Well, but how do you know when something bad happens, or that activity actually happens, how do you know it's actually going to trigger and alert you and let you know? So what I'd recommend is run it, make sure there's no errors, but also, if you can, use something like Red Canary's Atomic Red Team to try to generate the activity that will actually trigger that alert, and then test the alert and make sure that it did fire when you thought it was going to fire. I think that's a great methodology anyway, just trying to test your tools all the time and make sure that they do trigger. Because what you'll find is, as you dump that signature in, it's not going to know everybody's environment. When you dump it in there it's going to be pretty broad and you're going to have to add a little context to that. It might be a specific log location to go look for this data, or things like that. So you've got to tweak it. It's not going to be 100% out of the box, ready to rock, but it's going to get you 80, 90 percent there, and then you have to just tweak it a little bit.

Gerald: Can we jump into Sigma and actually take a look at it?

John: Yeah, let's do it. Okay, so this is the repo for Sigma.

Gerald: Okay, so this is where folks need to go to get it going.

John: Yep, get it going. Clone this locally, so download it locally so you have all the up-to-date rules. I would recommend cloning it because then you can update your repo when they add new rules easily, which is where most of the updates you'll find will come from. And Getting Started, so this section, it is pretty spot on. You download it, you'll see the rules subdirectory. Let me just show you the repo, the rules repo, just so you can see. That's really where the money is, right?

Gerald: Yeah, that's where the secret sauce is.

John: But let me pick one just to show some of these. So Linux ones, they're all over the place. Some of them are specific APT related ones, where they have indicators for APT activity. One thing cool about them is they pretty much all reference some MITRE tag, like a MITRE ATT&CK technique. They'll reference that in the actual file itself. So like auditd, if you're running auditd, this is an example of a specific detection for auditd: altering bash profile. So somebody alters their bash profile. Let me pick one that I was looking at earlier. I think we talked about RDP, and this is a pretty basic example, but it's looking for the Zeek RDP log. So the RDP log is where Zeek looks, and if it sees any RDP activity on your network it writes that to a log file called rdp.log. And this one specifically is looking for connections from routable IPs, potentially something that is publicly accessible. So obviously you don't want RDP open to the internet because it will get pounded and blasted.

Gerald: Yeah.

John: And so if Zeek is monitoring the network passively and it sees activity that's RDP, you would want to know about it if it's not something that's internal. And so that's what this group here does. But you can see how it's not super complicated. I mean, it's really well written as well, just parsed out, you can kind of see.

Gerald: Yeah, the format is very easy to digest.

John: I'll jump into the examples, but before I do that, what we were talking about earlier is the red team countermeasures. So this is what FireEye released this week, last week?

Gerald: Yeah, a couple days ago.

John: Yeah. And these are all the indicators that they released, that have the MD5s for their tools. If you're looking for these, what you might look for is the hashes for these specific tools. And there's a lot of data out here, right?

Gerald: And like you just said, how do you take all that and use it in your tool? All this data, how do you use this in your tool, in your SIEM, right? There's a lot of information.

John: Yeah. So I thought about that and actually was thinking, okay, how could we use it? And it may not be the best use case, but it is a use case. Going back to Zeek, there's a files log, and the files log basically will hash and identify, basically pull the hash, the MD5 and the SHA-1 hash, for any files it can potentially parse in a protocol. So it could be SMB, it could be HTTP, could be something like that. So if it sees a file across the network, it's just monitoring the network, and it can grab the file and hash it, it will write that to its log, its files log, and say hey, we saw this file, we saw this hash, we saw it going from this source to this destination. It's on the wire. If you saw any of these on the wire you'd probably want to know about it. You'd probably want to know why did somebody go download this, or for some reason this was passed across the network to my endpoints, right? Now encryption is always a factor, so you'd have to worry whether or not the traffic was encrypted. You wouldn't be able to inspect it. If you had some decryption, which a lot of people do now, with it decrypted at some point, then you'd still be able to monitor these files being passed back to the endpoint.

Visual Studio Code, VS Code, is what Florian actually recommends using to write the rules themselves. That's what he uses. And so this is the rule we just looked at a little bit ago, right? You can see it's basically in the zeek folder, the zeek rdp public listener YAML, it's a YAML file. So I took this one and said this was similar, close enough to a rule where I would want to go through and look for specific things, right? Not the "not selection", but an actual selection, but the same idea of look through the logs for this or this or this or this, right? Now with these MD5s from FireEye there's like over 600, so that's probably not the best approach, because every time your search runs for these against the files log it's going to be searching a lot of data at one time. So you may want to break it up, and there may be different ways to do it. Now if you have ways to get hashes off the endpoints, not across the network, that's probably the best way to do it, right? If you can get the files hashed when they land on a box and have that logged somewhere, that'd be easier, or better, be more, less false positives potentially, more useful in your resources. But it's a potential way you can do it. It's not going to hurt to do it that way, you've just got to be cognizant of the many hashes that you're going to be looking through.

So I took this and I started creating this alert here, my first rule with Sigma. So it's not pretty, but like I said, it was just something to learn and something to play with, to get used to it. They walk you through giving the title, giving it the status, experimental, giving it a name, and then the references: you go out and look at these and find out more about what these hashes mean, right, which is awesome. Tags are a little tricky, because the tags I know are tied to the MITRE framework, but if you look over here at these examples, I couldn't find a good reference point, and I'm sure it's out there, but in the time I had I didn't find which one I would want to use for these, because there's a lot of different ones for these tools. But anyway, I just kind of made it broad here. Author, date, and then you get into the log source itself. So we're using Zeek, we're going to use the files log, basically where are the logs going to be. If you look at this one, this was Zeek and RDP, right, so the rdp log. And then your selection, so basically what are you going to query for, what in the files log are you going to search for, right? Just like we looked at with the RDP. So the field itself is md5. That's the field that you look in the files log, you'll see md5 equals blob, whatever that is. And then you give it all the data you're going to be searching for. And I didn't give it everything because it was big already, I just gave it a big chunk of it. One thing too, if you do have a lot, just to know, you can see its formatting here: these dashes are necessary. This is the way it's set up, you can see here they're here as well. I didn't try it without dashes, but it looks like they're necessary, so I had to put those in there as well. And then everything in single quotes, and then your condition. So if you look at this example here, this said "not selection", so everything was going to be not, and then a big group of these is an or statement, and I'll show you that. But mine, I wanted to do a selection, I wanted to do where it actually equals, where md5 equals this or this or this or this. So I just modified that. And in their documentation they tell you you can do starts with, ends with, all these different modifiers you can do on the data that are pretty straightforward, nothing crazy. Either it contains, you can do wildcards before and after, those kinds of things.

Gerald: Awesome. Yeah, super powerful.

John: Yeah. So fields is basically, you can see here, what you're going to write out to look through, and this one was source and destination IP. For me, ones that maybe make more sense were the md5 field itself and the tx hosts and the rx hosts, like who sent it, who received it.

Gerald: Yep.

John: False positives for this one, I couldn't think of anything that would be obvious, because it is an MD5. If you see that MD5, it should be a legit MD5 hash. So I didn't think of anything there. If you see it, it's probably the actual file. Why it's being sent is another question, right? But I just left that as none. And then level: high. This could be critical, it could be whatever interpretation you want to put there. You can change it, and the documentation tells you whatever you want to set that to, you're setting that. Now that doesn't get posted out in your signature that you're going to create, but it's just that reference point. If I'm a SOC analyst and I'm looking at this, how important is this if this happens, right? As a reference.

Gerald: Yeah, looks good.

John: I'm in the Sigma tools directory, and you'll see there's the sigmac. I call it sigma-c, I don't know what it's actually called.

Gerald: But Florian gets to decide, right?

John: Yeah, yeah. And then, just noting that I'm in that tools directory, but you'll need to run it against the different rules that you're going to run. So in this case we're going to run it against, let me bring up my cheat sheet so I can remember, because it is kind of long. And this is the config type that you're going to use, and I'll show you the other kind, for like an ELK version. So rules, network, zeek, and then I'll do the RDP one, just to show you what that looks like first: public listener. So this is the YAML file, and you hit enter, and it's doing its magic. Okay, so here's your search string, and the not statement.

Gerald: Yeah.

John: So you see how, and I'll put this in Splunk here in a second, but the not statement: this or this or this, and then everything that it had in its IP list that it's going to go through. And then it ends up, because it's Splunk, with a pipe to this table command, source IP and dest IP. So it just says show me the source IP and the dest IP fields. So if you get any hits with this signature it's going to say well, here was a source, here is a dest, right? And like we talked about with the RDP, it was like if you see anything that's not these, then I want to know about it, right?

Gerald: Yeah, super, super easy. The converter basically, it's perfect. I think the real power is the adoption from the community, so many signatures.

John: So here is mine, and it's going to be big because it's a lot of hashes.

Gerald: Yeah.

John: But I'll put it in Splunk and make it look a little better. But basically, I don't have the not statement like we had up here, because I want to search equals. Theirs also was starts with, I think, or contains, I can't remember, but you see how it's got a wildcard. It added that wildcard on every one of these, which is very, very powerful, without you having to go do that.

Gerald: That's very nice.

John: If you had contains, I have an equals because it should be equal, but it will do the wildcard before and after that. This saves you so much headache. And so it dumps all this off in parentheses, and then it does the same thing, the fields that I entered that I want to see after it's done, dump these here. So pretty basic as far as converting these into a legit Splunk query or ELK query. And let me show you what that would look like in Splunk.

Gerald: Yeah, I mean, it saves you a ton of time, it saves you from typos, and it gives you access to a huge, it's almost like a force multiplier by not having staff have to develop these rules. It's really, really impressive.

John: Definitely. So this is, I hope you can see this okay, let me try to get it a little bigger.

Gerald: A little bigger is good.

John: All right, so this is that one rule that we were looking at. Now I had to change this one for this Splunk, and since this is the free instance you can get from Splunk, you can go out there and sign up for it. Well, this is where it's important here, right? This is what Sigma gave me, if you recognize that: the not, the IPs and the ors, right, and the table. Well, I had to change this part here, not the index so much but the source, what the source was and what the port was, because they didn't have, for whatever reason, they didn't have RDP logs in. Maybe they didn't have any RDP activity, that's probably why. But they didn't have that in the Splunk instance.

Gerald: Okay.

John: So I couldn't run it against that rdp.log instance. But that's okay. Well, they did have RDP, so I don't know why that file didn't run. But I just ran it against, if you know Zeek, there's a conn log, and connections back and forth, it's just like who talked to who, how long, kind of a thing, right? What connections happened. So this is where the tweaking of the signature comes in. You need to be able to say, well, what would I want to search against with this signature? And I'm saying I want to search against the conn log where any responding port, the resp_p, is 3389, right? Standard Microsoft remote desktop.

Gerald: Yep.

John: So if I see anything in the conn log that is from these, then I want to know about it. Now I don't know if there was a wildcard, looks like some of these wildcards, there wasn't anything that was like just wildcard 172 or something.

Gerald: Yeah, when I saw the signature file it looked like it was basically mapping the entire non-routable RFC 1918.

John: Yeah, yeah. And this is the data in here. It's not the best data, but it is something to play with and to test it, right?

Gerald: Well, it shows you the complete picture, right, from signature to running it in the SIEM.

John: Yep. And playing with it, you can dump data in this, so it's free for the first like seven days or something. If you have data that you want to test with, you can actually dump it in here and play with it in here. So if you don't have the data you need, you could upload it. Now it's Splunk, so you have to format it, make sure it gets formatted okay and all that mess. But just to say you can do that, and play with it and do the searching against data that you know is legit. And in your environment you would do this, if you weren't just doing this in a lab, you would be doing this in your Splunk or your ELK stack as well.

Gerald: Awesome. Yeah, this is great, John. Thank you so much for really walking us through the practical application of Sigma as well as understanding its importance and its value.

John: So let me just show you real quick what this looks like for the signature, for mine. It's big.

Gerald: Oh wow.

John: Yeah, so that's why this is probably not the best way to run this signature. I mean, it will, it should run, and legitimately if it sees that hash across the wire, in something that it could interpret, it would be bad and you'd want to know about it. So it is a legit signature. Is it the best and most efficient way to do it? Probably not, just because you can see I'm not even doing half of them, right? This is just a subset of that big list of hashes. Could be other ways to do it, but just as an example. So you run this, now I'm running this, you can run it for whatever time frame you're going to run it for, but you're really just testing the rule: did I get an error, did the Splunk search work like it's supposed to?

Gerald: Yeah, right.

John: Because if it didn't, then you'd get, hey, what is the formatting here? What I've found so far is I've had no issues with the Splunk syntax, it's been great. It's more about, here I would add, and in this Splunk instance it doesn't have the files log, again for some reason, but I would personally add: where am I going to look for this? You don't look against index everything, because that's everything. You would want to be as drilled down as possible and say look in the files log for this data, right?

Gerald: Sure. If people wanted to engage with you, I know you've started a YouTube channel to share your knowledge, how would you suggest people reach out and engage with you?

John: Yeah, so the YouTube channel I started, it's something that's been fun and it's basically a way to share practical security tips and tactics. I call it Security Tactics, so if you go look for Security Tactics and John Hoyt you should find it. It's just a way to go out and give practical information to folks. So you can find me on there. You can also find me on Twitter, it's @pwdrkeg, p-w-d-r-k-e-g. That's an old, old name that I've had forever, but you can find me on there.

Gerald: So we've been talking with John Hoyt. John, thank you so much for basically pulling back the curtain on Sigma today for us.

Gerald: Thank you so much John for showing us Sigma, both the theory behind it and how to actually utilize it in practice. I know if you're working in a SOC you definitely can take advantage of this immediately, and I'm telling you it's a differentiator if you can bring this up in a job interview. So that does it for this week, but it's time for our One Cool Thing. This week's One Cool Thing is LBRY.tv. Now this is a kind of streaming platform. It's akin to YouTube, it's supposed to be a YouTube competitor, but here's a couple of differences with it. One, it's built on blockchain, and I'm not just using that as a buzzword, it's built on blockchain, and it's completely uncensored. So some of you may know that my channel got a community strike for dangerous material for teaching people how to build a phishing attack platform. Now granted, I can see how that would be seen as malicious, so it's fine, but the point is all of my content is also streamed to LBRY.tv and it's not censored, right? So you can see different content on there, and it's a cool platform, and they do something with their own currency, like blockchain currency. I don't fully understand that. You can use it to tip people or, I don't know, it's a currency all on the platform itself. But HackerSploit, who's right here, he's got all his content on there as well, and it's just a cool little platform that's trying to compete against YouTube, which is obviously a juggernaut. So that's my one cool thing this week, worth checking out. Okay, so that does it. Thank you so much for being here, and until next time, stay secure.
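As an added example (not code from the Sigma project or from the video): a toy model of what sigmac does with the two rule shapes John walks through, the Zeek RDP "not these IPs" rule and his files.log MD5 list, plus an evaluator for checking a rule against sample events the way he recommends. The logsource mapping, field names and hash values are assumptions and placeholders, not values from the video.

```python
"""Toy Sigma-to-Splunk converter plus a rule evaluator. Added example: this is NOT
sigmac from the Sigma repository, only a simplified model of it. Rules are the dicts
yaml.safe_load would give for rule files like those in the video; field names, the
logsource mapping and every hash value are assumptions or placeholders."""

# Assumed logsource -> Splunk prefix (sigmac reads this from a config file).
LOGSOURCE_MAP = {("zeek", "rdp"): 'source="rdp.log"', ("zeek", "files"): 'source="files.log"'}

def splunk_value(value, modifier):
    """Render one value, turning Sigma field modifiers into Splunk wildcards."""
    text = str(value).replace('"', r'\"')
    return {"contains": f'"*{text}*"', "startswith": f'"{text}*"',
            "endswith": f'"*{text}"'}.get(modifier, f'"{text}"')

def selection_to_splunk(selection):
    """One detection block: fields are ANDed, the values listed under a field ORed."""
    clauses = []
    for key, values in selection.items():
        field, _, modifier = key.partition("|")  # e.g. 'id.orig_h|startswith'
        values = values if isinstance(values, list) else [values]
        alt = " OR ".join(f"{field}={splunk_value(v, modifier)}" for v in values)
        clauses.append(f"({alt})" if len(values) > 1 and len(selection) > 1 else alt)
    return " AND ".join(clauses)

def rule_to_splunk(rule):
    """Splunk query = logsource prefix + translated condition + optional '| table'."""
    det, parts = rule["detection"], []
    tokens = det["condition"].split()
    for tok in tokens:
        clause = tok.upper() if tok in ("and", "or", "not") else selection_to_splunk(det[tok])
        if len(tokens) > 1 and (" OR " in clause or " AND " in clause):
            clause = f"({clause})"  # keep an OR group intact next to AND / NOT
        parts.append(clause)
    src = rule["logsource"]
    query = f"{LOGSOURCE_MAP[(src['product'], src['service'])]} ({' '.join(parts)})"
    return query + (" | table " + ",".join(rule["fields"]) if rule.get("fields") else "")

def _value_matches(actual, expected, modifier):
    a, e = str(actual), str(expected)
    return {"contains": e in a, "startswith": a.startswith(e),
            "endswith": a.endswith(e)}.get(modifier, a == e)

def selection_matches(selection, record):
    """True when every field in the selection matches at least one listed value."""
    for key, values in selection.items():
        field, _, modifier = key.partition("|")
        values = values if isinstance(values, list) else [values]
        if field not in record or not any(
                _value_matches(record[field], v, modifier) for v in values):
            return False
    return True

def rule_matches(rule, record):
    """Evaluate the condition against one log record (not > and > or, as in Sigma);
    run it over constructed or replayed events to confirm the rule really fires."""
    det, tokens = rule["detection"], rule["detection"]["condition"].split()
    def parse_or(i):
        left, i = parse_and(i)
        while i < len(tokens) and tokens[i] == "or":
            right, i = parse_and(i + 1); left = left or right
        return left, i
    def parse_and(i):
        left, i = parse_not(i)
        while i < len(tokens) and tokens[i] == "and":
            right, i = parse_not(i + 1); left = left and right
        return left, i
    def parse_not(i):
        if tokens[i] == "not":
            val, i = parse_not(i + 1)
            return (not val), i
        return selection_matches(det[tokens[i]], record), i + 1
    return parse_or(0)[0]

# Constructed rule modelled on the Zeek RDP public listener idea from the video:
# RDP (port 3389) whose client is not private (prefix list deliberately short).
RDP_PUBLIC_RULE = {
    "title": "RDP from non-private address (constructed)", "level": "high",
    "logsource": {"product": "zeek", "service": "rdp"},
    "detection": {"selection": {"id.resp_p": 3389},
                  "private_ips": {"id.orig_h|startswith": ["10.", "192.168.", "172.16."]},
                  "condition": "selection and not private_ips"},
    "fields": ["id.orig_h", "id.resp_h"],
}

# Constructed rule in the shape of John's files.log hash rule (placeholder hashes).
FILE_HASH_RULE = {
    "title": "Known-bad file hash seen on the wire (constructed)", "level": "high",
    "logsource": {"product": "zeek", "service": "files"},
    "detection": {"selection": {"md5": ["PLACEHOLDER_MD5_1", "PLACEHOLDER_MD5_2"]},
                  "condition": "selection"},
    "fields": ["md5", "tx_hosts", "rx_hosts"],
}

# Constructed Zeek-style rdp.log records: one internal client, one external.
SAMPLE_RDP_LOGS = [
    {"id.orig_h": "192.168.1.20", "id.resp_h": "10.0.0.5", "id.resp_p": 3389},
    {"id.orig_h": "203.0.113.7", "id.resp_h": "10.0.0.5", "id.resp_p": 3389},
]
```

`rule_to_splunk(FILE_HASH_RULE)` gives `source="files.log" (md5="PLACEHOLDER_MD5_1" OR md5="PLACEHOLDER_MD5_2") | table md5,tx_hosts,rx_hosts`, and `rule_matches(RDP_PUBLIC_RULE, r)` over `SAMPLE_RDP_LOGS` returns False for the internal client and True for the external one.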
Info
Channel: Gerald Auger - Simply Cyber
Views: 3,895
Rating: 4.9775281 out of 5
Id: jIpujayFX1E
Length: 35min 37sec (2137 seconds)
Published: Mon Dec 21 2020