Untapped Potential - SANS Blue Team Summit 2020

Captions
As Seth said, we are going to be talking about the SIEM today specifically, but some of the techniques we'll talk about will apply to many, many things. The focus of this talk is: Justin and I have seen a lot of security operations centers and cyber defense initiatives, and these are some of the tricks that we've come up with that we don't see as often, but they're actually very simple, basic things that will help you detect threats way easier, better and more effectively than what you might be doing if you don't do these things. So this is going to be a rapid-fire set of cool tricks that we have come up with that we want to share with you all to make sure everyone's at the top of their game.

A real quick intro. I'm Justin Henderson. I'm the author of SEC 555, SIEM with Tactical Analytics, co-author of 455, SIEM Design and Implementation, with this guy, and I also co-author SEC 530, Defensible Security Architecture and Engineering, with Ismael, who is somewhere in here. I've got 61 certifications, and what I'm most proud of is I have a hobby farm.

My name is John Hubbard. I'm another instructor and author of the new SEC 450 class, the Blue Team Fundamentals course, which I'm going to be teaching later on this week, as well as going out there with Justin. Our Twitter handles are there; if you have any questions on this stuff we'd love to chat afterwards. A copy of this will be available as well; of course we're posting it on the site, but Justin has a whole collection of all of the talks we've done throughout the past, which are also very closely aligned with this topic. That's really cool, because we're not just going to talk theoretical, we're going to try to give practical examples of what we're talking about, and if you want a more elaborate example we have hours and hours of content going even deeper on everything we're going to talk about today. We've got like three years' worth of webcasts, a whole archive there from us.

So really what we're talking about here is this concept of trying to build a strong foundation: you've got the whole building a house on the sand versus the rock. What we're trying to do is, we walk into organizations, we're doing consulting, we're teaching, we're all over the place in different industries, and these are some of the things we're seeing in the most effective implementations. And we cheesily have done the vowel thing: we have English words, they have vowels and consonants, and if you were to remove the vowels from "how are you doing" it kind of makes sense, but it loses a lot in translation. So we're going to talk through AEIOU, which are all operationalized by Y, you. Super cheesy, I know, I'm sorry. So: automation, enrichment, identification, orchestration, universalization. Let's just go right into this.

So we're going to start with automation, and I'm going to give some practical examples. Here's one: you're trying to do something, this is EDR, this is log collection, this is something you're trying to do en masse. I'm going to do an example with log collection. We have log agents. Let's say I have a Windows server, it's a file server, so you drop maybe Winlogbeat, the Splunk Universal Forwarder, or WinCollect if you're QRadar, or maybe you're doing Windows Event Forwarding. That's great, you now have Windows logs. But what happens when John, this guy right here, comes up behind me and he installs IIS on that box? Better yet, he does it with WSUS. That's awesome, we've got Apache, but you know what I don't have? I don't have IIS logs and I don't have the application logs for WSUS. Why? Because he did that without change management, I'm not aware of it, and I didn't tune that log agent to grab those logs.

So a different approach to this that I've seen work really effectively (this is a proof of concept; I've done this in different ways at different agencies): what if you automated your agents and how they were configured, not just how they were deployed? There's a little difference there. Saying "hey, Microsoft SCCM, group policy, push out an agent" is step one. Step two is dynamically changing that agent. I call this NXLog Auto Config because it worked for NXLog, but this would be very easy to rewrite with any agent that writes to a file, registry keys, a SQLite database, an API; if you can hook any of those things you can do what I'm going to talk about. Run once a day: is the agent installed, yes or no? If the answer is no, install the agent. Once the agent's installed, run through a list of modules. Is IIS installed? Today, no it's not, then don't collect IIS logs. John installs IIS; the next night it runs again. Is IIS installed? Well, yes it is. Configure the agent to log it appropriately and ship it off. Automation via log agent. That's just a simple example.

Let's keep going with that. Another point we like to make: the Windows logs that you collect are not set in stone, as in the ones that are generated. You have audit policy, you have all that good stuff, but if there's something that Windows will not log with built-in features that you'd like to log, that would give you value, such as maybe autorun items, you can make this log and put it into Windows event channels very easily. This slide is an example of what it would take to do that. This is some very basic PowerShell. All I'm doing here is calling the New-EventLog cmdlet and saying make a new event channel called My Autoruns, and then my SIEM agent is told to pick up My Autoruns. What you can do is schedule this as a task and say every day run this script. On the second line it runs the Autoruns CLI version and dumps everything that automatically runs (the Sysinternals Autoruns tool, if you're not familiar with it) into a CSV; the third line brings in the CSV, and the fourth line writes it out, for every object in that list, into a Windows log. This could be easily automated, and now you have all of the automatically running items, every time you boot up the system, put into a Windows log, and it looks like this. So now you just go into Windows, My Autoruns, and you tell your SIEM agent "hey, pick this new thing up", and now without EDR, without paying for anything, without any real magic at all other than four lines of PowerShell and an automated scheduled task, we can pick up autorun items from everything in our environment, or anything you want that you can call from PowerShell, and we know PowerShell does basically everything. So automate really whatever you need, throw it into a Windows log, and you can pick that stuff up too. As you can see on the bottom here, you get a nice CSV with key-value pairs with all of your Autoruns items. So you can do really useful stuff like that.

And I want to tell you about one of the coolest tools you don't have to install on Windows: Task Scheduler. Did you know Task Scheduler, when you go to schedule, at the very bottom has that box, "when a specific event is logged"? We'll walk you through a use case; please don't apply this just to one use case, think about this for a second. Let's take what John just talked about with writing a new log, but find an applicable use case, because some of you have things like application whitelisting software: Carbon Black, McAfee Solidcore, AppLocker. Some of them have better logs than others, so you get "hey, I went to run this application, it was denied", and the log basically says the file was denied, John tried to run it. Well, when that generates a Windows log, you then can kick off a scheduled task: hey, AppLocker and Solidcore just blocked something, that was a log trigger, which now calls a PowerShell script, and the script does whatever you want. So what I've done in some organizations: PowerShell will kick off on a whitelisting block event, and this could be effectively anything, and what it'll do is grab the file, throw it maybe into a FireEye or a Cuckoo sandbox, it'll run VirusTotal, it'll do whatever you want it to do, file sigcheck, anything. Now I do the Domino's pizza delivery system: you place the order and it lets you know the status, your pizza's in the oven, your pizza's getting put in the box, John's out for delivery, because that's his side job, right? Love those pizzas. So now if something gets blocked, I changed the block message, because I can, using PowerShell right here, and it says "hey, please wait while we analyze the file for more information". If there's enough information to say it's truly bad, keep it blocked, let them know "nope, not going to happen". If there's enough information to say it's good, allow it just on that one box and then open a ticket so that someone can globally open it.

So, things we can do: write our own logs, make it better. We should consider automating the mundane, but the mundane is often associated with tickets and things like SOAR; different platforms will help with that. Even like this: how many of you have deployed an IDS sensor before, Security Onion? We had a lot of hands saying yep, Security Onion. Well, if you have thousands of sites, why don't you automate the deployment of that? Since we have Security Onion in here this week I'll give an example. I had a thousand locations, and they constantly add or remove as you acquire or remove locations. You could automatically deploy Security Onion or Sourcefire or insert product here; you just have to find the silent, unattended method of installing it, and usually it's a few simple new-virtual-machine commands, because we often have that capability. So I have one site that has about 1600 sensors; nobody ever deploys them, they auto-deploy, and once they're there they even SSH into the local switch and dynamically adjust the port mirrors. Now that sounds really cool, and if you're thinking that sounds really difficult, the scripts to do all of that are fairly short; PowerShell, Python get the job done. So automation: if it's something that adds value, even virtual machine deployments that give you asset discovery, sensors, IDS, Zeek, do it. Try to get as much visibility, but automate that visibility, so that as your company scales, so do your capabilities.

I'm going to give you two alerts. We were just talking IDS; roll with this for a second. Top alert: ET POLICY PE EXE or DLL Windows file download. Second alert: same thing. The difference is we have different external IPs in the source IP and we have different destination IPs... actually, I'm sorry, this is the same, but think about this for a second. The top is a default Snort or Suricata alert; that's the information you get. The bottom is the same alert with automatic enrichment techniques. It could have been done at log ingestion, could have been after the fact like in Splunk, could have been in a ticketing system like TheHive with Cortex. Which of these is easier to say is good or bad: the top one, that says somebody downloaded an EXE or DLL, or the bottom one, that says an EXE or DLL came from Google, literally the organization Google, from Internet Explorer as a process, J. Henderson was the one that did it, and the file that was downloaded subsequently was ChromeSetup.exe? Is this malicious or benign? What do you think? Leans towards benign, because Internet Explorer is being used for the one thing it's good for, which is downloading Chrome or Firefox. Think about that for a second though: the alerts that we often get look like the top one. Now with just that information: malicious, suspicious, benign? I don't know. That's enrichment. Enrichment is taking the data you have and using it to add context so that you can come to a more informed decision, or even
an automatic decision. That's good, so one of those things, a very simple example: a hostname. Right now, how many people in here break up the hostnames that people are going to within their organization, and can make a dashboard on something like the TLD piece only? Anyone doing that? Not a whole lot of hands. Those of you who are, you're awesome. Why is this useful? Why would we want to break it up into the TLD, the parent domain name, the subdomain name? Because each one of those fields has certain things that you can look for that aren't perfect indicators of evil but highly correlate with evil. If we can look at the TLD, we can come up with a pretty good idea of whether something is likely to be bad, or at least much more likely compared to some of the other TLDs. We have .com; most things are .com, we're not going to get a whole lot out of that. But if someone's going to a .tk, does that up the suspiciousness level? Yes it does. And so if we parse these things out into TLDs, parent domains, subdomains, we can do a bunch of tricks, so we're going to give you a couple of examples of that.

So the first step is how do you break them out, and I find it interesting because a lot of the platforms that we have, especially SIEMs, don't always have up-to-date patterns for domains, and there's not just TLDs; there are gTLDs, ccTLDs, all these variations. So to try to help come up with a pattern for pulling those out, this is on the GitHub page: it's just a PowerShell script that creates a static regex file, I apologize, that you can feed into your SIEM to pull these out. It'll grab and download the latest list of gTLDs, TLDs and all the country codes and things like that, and then combine them together so that you can feed it to your SIEM.

From there you can start to do some simple checks. .tk: this is the world according to DNS; it's basically the more domains registered to the country, the bigger it looks on the map. What's .tk, what country code is .tk? Tokelau, right, I think someone said that. Has anybody been to Tokelau? Does anybody know how they pronounce it? If you're from there I apologize if I said that wrong. I have no clue what this is; it's a small island, the whole country fits on this slide. So Tokelau is a country that doesn't even own their own registrar; the Netherlands deals with it, I'm pretty sure, and hosts the zones. So a company in the Netherlands hosts their zones and they give out free domains to anybody who has a valid email address. So today what you do is you stand up your own email server; now you have an email server, now you programmatically get a free domain, and because if you have a domain you can get a free TLS certificate, you also get a free trusted certificate that the world trusts. This is why our job is so hard in the SOC. So .tk is predominantly, like 99-point-something percent, evil, so by pulling these out we can start to use them as an easy detection.

Subdomains, what about those? Let's think about some of the ways we might take just the contents of a subdomain and detect something evil. One of the big things that you'll run into is phishing, of course, and they will do something like google.com.something.something.tk. So if you can take the subdomain field, a really dumb trick that would be pretty effective is just put a regular expression for "google" anywhere in the subdomain, and then subtract out anything that's not actually Google: look for the parent domain, and if it's not google.com or not one of the Google top-level controlled domains, or maybe even the ASN, which we'll talk about in a moment, is not controlled by Google, now you have a pretty good indicator that someone is calling their website Google but it's not Google, and you can do this programmatically; it's not too hard. There are other things for subdomains. There's DNS tunneling: if you see very long, very random or very rapidly changing subdomains, that is a really good indicator of DNS tunneling. How many people here have actually seen DNS tunneling, either as a tool or in an incident or something like that? This is one of those things that everyone needs to look up and know what it looks like. It is a deadly technique, but if you know what it looks like it's super easy to catch, and subdomains are the key to catching it. Say there's one parent domain like evilthing.com and there are hundreds of thousands of subdomains; that's because those hundreds of thousands of subdomains are actually your data leaving the building in the form of DNS. And you can look for this stuff, it's pretty easy: you just aggregate based on parent domain and then you look for which parent domain has the highest number of subdomains, and if you look at that, I guarantee you will find DNS tunneling. And there's a bunch of other tricks like that too; that's just one of many. So, a great technique just from parsing out hostnames.

Some of the challenges: taking what you know and making it work. For example, look at this slide for a second: "check out this client site before our call". You hover over "client site" and you see that link. Malicious, suspicious, benign, what do you think? At least highly suspicious, but okay, why? What could it be? A DGA, domain generation algorithm; it looks randomly generated, which is where you're probably coming up with a DGA. That's great, I applaud you; I think pretty much everybody will look at this slide and get that. But here's the problem: how do you get your tools to do that? Thinking about that, like, I'm in a SIEM, how does my SIEM find that? Well, you can't just say I spent X millions of dollars so it should just do it; that's just not really how our tools work. I can find that; now how do I get my SIEM to find it?

So here's one way you can do that. There's an open-source tool called freq server. We actually already started talking about this yesterday; Eric Conrad was talking about Mark Baggett, who's a superhero bald man with a cape. He didn't have a cape, but you get the point. He wrote freq, and I subsequently broke it because it doesn't work when you handle like a million events per second; you can't run it a million times with a Python script. I can tell you for a fact I have this in multiple client environments with multiple SIEMs as freq server, which is a Python API, basically a REST-style lookup with memory caching, and it can help you find things like randomly generated strings, which you will see over and over and over. How about this: we have DGA domains. What happens if I do PowerShell Empire or Meterpreter by default to a Windows box? What does it do? Whenever you do a PsExec login it creates a new service; that service has a randomly generated name, then it deletes that randomly generated name. What happens if you do a workstation login? The workstation's machine has a randomly generated name. You'll see randomization over and over and over because it's a form of obfuscation and stealth. We can turn that into a weakness. So the way this works: you've played Scrabble. I say I've got a word and it starts with Q; what's the next letter? U. Statistically, if we're taking the English dictionary and we spread characters out, I have Q, the next letter is most likely going to be a U. Whoever said the other ones, you're all fired. It's natural language processing; freq server is doing this. You just stand it up, you run as many instances as you want, and you have a frequency table, super easy to build: you just give it a text file, here's the English dictionary, generate a table, boom, done, use it. You're in a global organization, you have different character sets; maybe you're doing file names because you have millions of files, which ones are the most sketchy? Well, here's what mine normally look like, now score against that using this built table. It's frequency analysis.

So then we just keep going with this enrichment; you just keep thinking of problems you're trying to solve. When I'm doing analysis, one of the things I struggle with is the needle-in-the-haystack concept: a lot of good data, and I have a lot of bad data, and there are some techniques that don't help you find evil, they help you find good, and the difference is you can decide where you want to look. One of those is just basic tags: is this in the Alexa top 1 million, the Majestic Million, the Cisco Umbrella top 1 million, frequently accessed sites? Now let's be clear, there's some sketchiness, some HR violations and all sorts of things we don't want to go to in these, but they tend not to be malware sites. You can have malware in these sites, but it is less likely. But if I tag my data and I say anything that's in the Alexa top 1 million on the left versus anything that's not on the right, and I say I have an alert I'm investigating, well, Magic 8-Ball says it's probably on the right side of the screen. What that's simply saying is, hey, when you start your investigation, filter out all the sites that tend to be more normal, like the Alexa top 1 million, and start your investigation on the right, because that might be less than 10% of your data. It's still a haystack, but it's a lot less data to look through. If you don't find what you think is there, then you look at the big pot of data. I also will use this to figure out how far down the enrichment tree you want to go: I'm going to do ASNs and we do freq server and do all these things; I might say if it's in the top 1 million I need to do these things, if it's not in the top 1 million I want to do all of these things, I'll be more aggressive.

This is an example of going more aggressive. This is more time-consuming; I won't say it's computationally expensive, it's computationally more expensive. When you bring data into a SIEM or EDR or things like that, it tends to be milliseconds on how quickly that comes in. If I start to do things like this, this is saying I have an IDS alert on the top, just like we started with a couple of slides ago; use that to pull in more information. Well, if I have a source IP, destination IP, source port, destination port, that's a network socket. I can tie that back to all sorts of things: Sysmon Event ID 3, the IPs, I can go into my prior DNS logs and figure out what actually resolved to that IP, and I can start to pull in all this additional information. But it's slowing the pipeline down. But I can throw hardware and software at this, where there's not enough of us. So now all of a sudden I go from the top, "it came from a DLL", down to google.com, Internet Explorer, J. Henderson. This is how you do that: you basically tell your SIEM or whatever tool you're using to auto-lookup, given the information that's in the log you just got.

OK, dynamic DNS, this is another one. This is both a parent and subdomain level thing, but we know that bot masters love to change subdomains, because one thing gets blocked, they need a new thing, so dynamic DNS sites are one of the ways they go about that. Well, if you are pulling these things apart, of course it's very easy to break these things into pieces and say if it's hopto or zapto or dyndns.net or any of those things, that's a really easy indicator; that's almost cheating. Most business services are not going to rely on dynamic DNS; I would say none of them should, but you never know what vendors are going to do. So that's an easy one. This is a chart from a blog that was looking at malicious traffic based on where it was going to, and as you can see some of the top things, zapto, ddns.net, no-ip.org, all that stuff is up there. So we can block those by parent domain, we can block them even by name server in some cases. This is a great way to pick up evil and it's super easy; you just need a list of those services and to implement them in a blacklist in the SIEM.

Another one, what also correlates with evil: ASN. Sometimes; it depends. How many people here are taking the IPs that they are connecting to and resolving
them into ASNs in their SIEM? Again not many, right; I got one, two, three hands. So this is easy. Let's say someone downloads ChromeSetup.exe; most of the time that's probably going to come from Google LLC, and if you see an alert that says someone downloaded an executable like we saw before and it came from Google LLC, well, you're pretty sure it's probably going to be okay. But if you do the pre-work and say, hmm, I know some ASNs are bad, I'm going to go look those up, what you will find is the top 10 botnet ASNs from Spamhaus or multiple other lists. The top one in this is number 31, "gen wrong Street", I don't know what that is, but if you download ChromeSetup from that ASN, there's a much higher chance that something evil has gone on. And if you have that information in your data because of enrichment, then it'll be very easy to make the call that that's something malicious. So very simple enrichment, but very useful.

So now we're going to move on to identifying what you actually need to look for. The problem here is you're told "detect all the bad". What are you looking for? Because I don't know about you, but I've been in this field a long time and I still don't know a lot; in fact, the longer I'm in this industry the dumber I feel. That could be just me getting older, I don't know, but I keep learning too, so it's this weird feeling. What do you do? This is an example of trying to detect all sorts of things. I've got one attack scenario: things like coming in over command and control, establishing persistence, we have the USB drop with step one, credential theft, and we use a backdoor, logs being cleared, and to be honest there are so many variations of even these same steps. This is showing all the different ways we could detect that, plus variations, and the trick here is we technically only actually have to catch the adversary using one really good technique, because if I see it and I investigate it before they steal my data and leave, or destroy, or whatever they're doing, we win as defenders.

But what are the good detects? What do we look for? What about when things change? We've got things like MITRE. MITRE is the closest thing to a framework that I like, because it can actually be actionable: it goes in and says this is the attack, here are ways you could detect it. It's not always super specific, but we have projects like Sigma and stuff that will try to do that. This is the MITRE technique; I'm not going to go through this, you guys have seen this, but you click on them and they tell you what the attacker is doing, known attack methodologies, here's an example of how to detect it. UAC bypass: here are things you might look for, except to do a UAC bypass there are multiple ways to do it, some of which are really not even documented. How do you catch that?

So here are some examples that will give you actual detects. We have the NSA's "Spotting the Adversary"; that's a PDF, primarily Windows-based, and it is chock-full of "these are the data sources you should collect, here's why, and here are the specific detection techniques you should use". If you're collecting Application, System and Security on Windows, do better, just put it that way, because there's PowerShell, and there's PowerShell again because there's more than one PowerShell channel; there are multiple channels in Windows you need to be collecting from, not just Application, System, Security, and that document will go through many of them. The Sigma project was mentioned yesterday: generic signatures. The cool thing though is it's chock-full of, just for Windows, last I checked, three hundred and some-odd rules. They're tagged by MITRE technique; they're actionable detects. I've put them in place at multiple clients; I expect of the 300-some, usually it's less than five that are doing false positives, and it's not the same five every time; some organizations have different requirements. That's just Windows; there's Linux and multiple other rules in there. Try the Sigma project.

And then there's SOC Prime. This is kind of a spinoff from Sigma; it's a marketplace for SIEM rules. There's Sigma, there are commercial rule sets, just like there is for Snort. Just throwing it out there, I'm not saying go buy that, but there's also a bunch of free things in there as well. The other way to learn how to identify what to look for is the fun way. This is where you say "I have no freaking clue what I'm doing, OK, but what I'm going to do is: this new attack came out, I don't even know how it works, but someone wrote a blog on how to do the POC and I can copy and paste commands like no one's business." So you have a lab, and I highly recommend this; you have a lab at home. I have a domain controller, I have all sorts of Windows servers, Linux servers, I have containers, and then I'll find these new attacks, and I may or may not understand exactly how they work, but I know how to do it because someone blogged it, and I run the attack and then I just look at the data before and after, what's different, and that's a lot of fun. Whenever I am studying, like if you ever take a pen test course, put Security Onion or something underneath at the same time; you're now doubling your learning effort, as you're learning how to attack and you're learning how to defend simultaneously. OK, that's the fun way of doing this.

Orchestration, a big word for the SOC, and for good reason. There's a lot of things that we should not be doing as humans because we can make scripts do them, and so of course this has come on huge, the whole SOAR market, for good reason. So because of that I put this magic-sprinkle-throwing guy in here. SOAR is the thing that's going to help us not do the work we don't want to do, and also respond much faster to the things that we are doing on a day-to-day basis. I don't have a giant list of SOAR-specific things here, but what I do want to point out is where it can help. We have the SIEM sending alerts to incident management; we have incident management systems interacting with our threat intelligence platforms; we take those incidents, we run them through playbooks. All of this stuff can be helped by SOAR. Any time you have two tools that are not integrating in the way that you want, SOAR is potentially the fix for that. All you need to do is take the data and understand what format you need it in, what format you want it in, and redirect it, whatever it's coming from, from the source to the SOAR, and then have it manipulate it and then take the actions you need. So some of the things you may do with this: enumeration and enrichment, of course; we can do a lot with SOAR. If you say "hey SOAR tool, I need you to look this up on VirusTotal and Hybrid Analysis and all of our other threat intel sources and everything else", that's an easy way to do enrichment, and orchestration helps us effectively bring that into the SIEM and into the SOC in a very efficient way. Incident response as well: you want to automatically block something? We can have SOAR tools go connect out; we could have playbooks that you can hit go on, and it would go connect to the potentially infected asset, look at the process that it thinks is a virus, insert a single firewall rule that just blocks connectivity for that one process, so that you weren't taking that person completely offline, just that one particular thing that was going on, while you make a slower determination and then become sure or decide it's a false positive. So we can do blocking actions, we can push stuff to network firewalls, of course alerting, case management; all this stuff goes together really well with orchestration.

And another example where I love to test: we have technologies now like MISP, the Malware Information Sharing Platform, which is not just about sharing IOCs; you can share alerts with it. Especially for me, I like to share Sigma rules, because now I can have a client that's Splunk, I have a client that's LogRhythm, a client that's QRadar, and I can just say here are your rules, and with Sigma now the rules work between all of them because you sigmac-convert them. Well, there's a problem: I generate a rule, I give it to John, it worked fine for me, totally messes up his environment, or it false-positives like crazy, causes performance issues; there are a lot of bad things that can happen if we start to share. Sharing is caring, but bad things can happen. So instead what you can do is implement a process like this: we share our rules, MISP, GitHub, copy/paste, I don't care, however you share your rules, and you drop them in a folder, you convert them, this is because Sigma is generic rules that work across multiple products, PowerShell, grep, you name it, and then you automate the testing of the rule. This is as fancy as you want to make it; here's what I simply do usually. If I run the rule and it does not find anything and it's fast, meaning the performance was snappy, it's good to move into pre-production, because ideally you're not compromised, and if it's not going to take a performance hit I'm going to say it's a good rule; we don't have that attack in our system. If I run the alert and it doesn't find anything but it's super slow, I move it into a folder for manual review, because it could be a poorly written rule. If you test the rule, slow or fast, and it finds something, well, I don't care, that needs manual review before moving into production, because either I'm owned or I have false positives. And so these are simple automation/orchestration process enhancements, even for things like rule assessments.

So what do we do then with the SIEM? There are a lot of times that your SIEM may make it somewhat painful to take in data in the way that you want. Now ideally all of our SIEMs understand all the data formats and make it very easy to parse it all, but trust me, that's funny; John and I all the time have people tell us that they have stuff in disarray. Your SIEM isn't parsing things correctly because it doesn't understand the format; guess what, you're not detecting anything in that data, because it doesn't understand what it's looking at. So your SOAR can step in here: it can do the enrichment, it can do format conversions, really it can do anything for you. It's a script that sits in between something that's sending data from one place to another, so don't be shy to put it there, whatever you need to do to make it work. Same thing on the other side: the SIEM is collecting the data and then it's saying hey, is there anything bad in here, and then when it is finding something bad, if you have a separate incident management system or triage system, then it's taking that, formatting it in another way and sending it on its way, and at that point you may also want to do more enrichment. So the SOAR can be put in between both of these interactions and make your data better at each stage: when it's recording events going from wherever the sources are into the SIEM, and then from the SIEM, when it's been qualified as an alert and something you need to actually look at, it can make it even better as it goes into the incident management system and pull in maybe additional information from your threat intel platform, firewalls, Active Directory, context on the user or the asset. All of that stuff can be automatically grabbed and included in those alerts, which is awesome.

Our last vowel is universalize. This one is probably the most exciting to me because I think it's taking the blue team in the most interesting places. So start off with Justin on this one. Universalization is trying to make our stuff work across products. You notice John and I are not up here saying you need to buy this, you need to do this, because realistically you don't want to have such lock-in; you want to be able to be dynamic and shift. The problem is, if you've ever gone from one product to another, like antivirus to another antivirus, that's painful. SIEM to SIEM, SIEM to the same SIEM, those are actually problems; you upgrade
something everything breaks in the sim space one of the most painful things is fieldnames windows logs y'all have windows I'm pretty sure in the EVT X file it's the same fields but magically when that gets to my sim versus your sim it's not the same and so now all of a sudden my rules and all these things start to break down you're doing Don's talk you're doing powershell ir well you better have the field names right so now if you're trying to do all the things i'm doing in my sim but now you're dropping it to an ir powershell level it doesn't work the field names don't match this universe nation is this concept of how can I try to standard even basic things like fieldnames his source IP source underscore IP source IP camel case lower case upper case every case some organizations have like three sets of field names for every field it's a bad idea but politics right so we have to figure out how to solve this as has been mentioned and I won't dive too much into it since we already are somewhat familiar we have the Sigma project right and so this is one of the things I'm super excited about and how the blue team is standardizing it is as the quote says two logs what's more is to network traffic in Yarra is the files we have had ways to write a signature for peak apps right easy snort does it we have files we want to pick stuff up in Yarra covers it we haven't had this for log files and we haven't had it in a way that's generic we can't easily say hey I wrote this at my company here you use it right Sigma solves that problem it is a generic language for analytics now again a quick short hands how many people are using Sigma in any kind of production capacity right now so not many right this is one of those things that I really really think the blue team needs and will benefit greatly from if we can help pick it up that's why I was so excited about the playbook talk yesterday it's going to help pick up adoption of Sigma and all the standardization right the dream in my 
eyes here is anyone in this room writes a analytic they can share it with everyone in the room and we all just can convert it and use it in our own tools regardless of whether we have Splunk or elastic or cue radar or anything you don't need a symbol or no sim at all right if you have Windows Defender 80 P using PowerShell using grep because what Sigma does is one of us writes a Sigma signature and it works for all of us because this is the process it goes through you write a Sigma rule you run it through one of the converters for one of the specific products so whatever product you have and you want to search for in and then you have a separate configuration file by the way that first step is already written for you then the second step you just say here's what my company called these field names in our version of spunk for example it spits out the query automatically for you and so regardless of what you've called your fields regardless of what product you have Sigma lets one of us write a rule that everyone can use and when that's a world we're living in now as soon as a new attack detection is discovered everyone has it and the adversary has to come up with a brand new way of attacking right now we're getting into where they're TTP's right and if we can all imagine the pyramid of pain which I did not put in this presentation it's the top thing right it's the best way to write an analytic here's the actual output for Sigma conversions three different ones here if you can read this I know it's a little bit small it's trying to crime a lot of text on here Sigma see you say target Splunk Q radar or elasticsearch either one you give them the config file and then in the green there it's the actual rule I'm trying to convert in this case it was Windows passed the hash and it spits out the exact analytic you need to implement in your product there is one thing going in three different rules for three different organizations with three different configurations coming 
out that is what we want and the even cooler thing about this is now it's being picked up as a data type in things like Mis as a threat intelligence platform how many people here use Mis not enough all right so another threat intelligence platform it's free it's awesome you can say here is an event that occurred here's all the IFC's associated with it but now you can also say here is a Sigma rule that detects it and with mis it's all meant for sharing and so you have you and your partner organizations all sharing the data that you're willing to share of course and then one of you writes a Sigma rule it can be pushed out and shared with the rest of the community automatically and then they can say oh we just got a new rule from organization B over here and now we can just hit a button convert it throw it right into the sim right that is going to make when an attacker uses a new tool at one organization must be able to block it everywhere in the world very quickly as long as we're willing to share these Sigma signatures and so it's this kind of standardization I think is going to be incredibly powerful and one of the key things I think blue team needs going forward really really excited about that stuff here's how it works right we have miss running in every different organization all of them are kind of subscribed to each other's things and when you as your own organization put something and you say I'm willing to share this or I'm not and so then the reports can come out with Sigma rules you can subscribe to sources of Sigma rules and all of this stuff becomes much much easier and so it becomes way more difficult for attackers to get a foothold in this an environment so with that we have brought you through all of the vowels automation enrichment identification orchestration and universalized these are the key things that we think you should be doing with your sim and of course all of the other tools available to you in the sock as you can see there are some very 
basic tricks you can implement here if you're pulling apart your data and then using that to say alright do any of these parts correlate with something that is likely evil can we take it can we make the data better give us more context and all of this stuff of course enabled by our final vowel Y which is you right as long as you do this work you can do a lot of awesome things bring a lot of awesome context and make a lot of detections that you might be leaving on the table right now even though you have the data so with that any questions nothing at all I haven't had enough coffee yet alright thank you very much yeah [Applause]
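The two pieces of the Sigma workflow the speakers describe, one generic rule converted with a per-organization field-name config and then triaged automatically (fast with no hits goes to pre-production, slow with no hits or any hits goes to manual review), as an added example that is not the speakers' code and not the Sigma/sigmac project's code. The pass-the-hash rule is a simplified, constructed stand-in for the real one, the two field-name configs are hypothetical organizations, and the log events are constructed so the script runs offline.

```python
"""Toy Sigma-style rule converter plus the rule-triage process from the talk.

Added example, not code from the talk or from the Sigma/sigmac project.
Rule, field-name configs and log events are all constructed for illustration.
"""
import fnmatch
import re
import time

# Simplified, constructed rule in the dict shape a Sigma YAML file parses to.
# (The real Sigma pass-the-hash rule uses different fields; this is not it.)
PTH_RULE = {
    "title": "Pass the Hash Activity (simplified, constructed)",
    "logsource": {"product": "windows", "service": "security"},
    "detection": {
        "selection": {"EventID": 4624, "LogonType": 3,
                      "LogonProcessName": "NtLmSsp", "KeyLength": 0},
        "filter": {"TargetUserName": "ANONYMOUS LOGON"},
        "condition": "selection and not filter",
    },
}

# Hypothetical per-organization field-name maps (the role of sigmac's config file).
FIELD_CONFIGS = {
    "org_a_splunk": {"EventID": "EventCode", "LogonType": "Logon_Type",
                     "LogonProcessName": "Logon_Process", "KeyLength": "Key_Length",
                     "TargetUserName": "Account_Name"},
    "org_b_elastic": {"EventID": "winlog.event_id",
                      "LogonType": "winlog.event_data.LogonType",
                      "LogonProcessName": "winlog.event_data.LogonProcessName",
                      "KeyLength": "winlog.event_data.KeyLength",
                      "TargetUserName": "winlog.event_data.TargetUserName"},
}

# Constructed sample events, already stored under each organization's own field names.
ORG_A_EVENTS = [
    {"EventCode": 4624, "Logon_Type": 3, "Logon_Process": "NtLmSsp", "Key_Length": 0,
     "Account_Name": "jdoe", "Source_Network_Address": "10.0.0.7"},
    {"EventCode": 4624, "Logon_Type": 3, "Logon_Process": "NtLmSsp", "Key_Length": 0,
     "Account_Name": "ANONYMOUS LOGON", "Source_Network_Address": "10.0.0.9"},
    {"EventCode": 4624, "Logon_Type": 3, "Logon_Process": "Kerberos", "Key_Length": 128,
     "Account_Name": "svc_backup", "Source_Network_Address": "10.0.0.20"},
]
ORG_B_EVENTS = [
    {"winlog.event_id": 4624, "winlog.event_data.LogonType": 2,
     "winlog.event_data.LogonProcessName": "User32", "winlog.event_data.KeyLength": 0,
     "winlog.event_data.TargetUserName": "asmith"},
    {"winlog.event_id": 4672, "winlog.event_data.TargetUserName": "SYSTEM"},
]

_NAME = re.compile(r"[A-Za-z_]\w*")


def _fmt(v):
    return str(v) if isinstance(v, int) and not isinstance(v, bool) else f'"{v}"'


def _value_matches(actual, expected):
    """Sigma-style comparison: list = any-of, '*' = wildcard, strings case-insensitive."""
    if isinstance(expected, list):
        return any(_value_matches(actual, e) for e in expected)
    if actual is None:
        return False
    a, e = str(actual).lower(), str(expected).lower()
    return fnmatch.fnmatchcase(a, e) if "*" in e else a == e


def _eval_condition(cond, lookup):
    """Evaluate 'a and not (b or c)' style conditions with a small recursive-descent parser."""
    tokens = re.findall(r"\(|\)|\w+", cond)
    pos = 0

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def expr():        # expr := term ('or' term)*
        v = term()
        while peek() == "or":
            take()
            v = term() or v
        return v

    def term():        # term := factor ('and' factor)*
        v = factor()
        while peek() == "and":
            take()
            v = factor() and v
        return v

    def factor():      # factor := 'not' factor | '(' expr ')' | NAME
        t = take()
        if t == "not":
            return not factor()
        if t == "(":
            v = expr()
            assert take() == ")", "unbalanced parentheses in condition"
            return v
        return lookup(t)

    result = expr()
    assert pos == len(tokens), "trailing tokens in condition"
    return result


def render_query(rule, field_map):
    """Step 1: generic rule + one org's field map -> that org's query string."""
    det = rule["detection"]

    def clause(name):
        terms = []
        for field, value in det[name].items():
            values = value if isinstance(value, list) else [value]
            alts = " OR ".join(f"{field_map.get(field, field)}={_fmt(v)}" for v in values)
            terms.append(f"({alts})" if len(values) > 1 else alts)
        return "(" + " AND ".join(terms) + ")"

    def sub(m):
        word = m.group(0)
        return word.upper() if word in ("and", "or", "not") else clause(word)

    return _NAME.sub(sub, det["condition"])


def rule_matches(rule, event, field_map):
    """Run the generic rule against one event stored under the org's field names."""
    det = rule["detection"]

    def selection_hits(name):
        return all(_value_matches(event.get(field_map.get(f, f)), v)
                   for f, v in det[name].items())

    return _eval_condition(det["condition"], selection_hits)


def triage_rule(rule, events, field_map, slow_seconds=1.0, elapsed=None):
    """Step 2: the talk's sort order for a freshly shared rule.

    no hits + fast -> 'pre_production'; no hits + slow -> 'manual_review_slow'
    (maybe a badly written rule); any hits -> 'manual_review_hits' (owned or FP).
    `elapsed` overrides the timer so the slow path can be exercised deterministically.
    """
    start = time.perf_counter()
    hits = [e for e in events if rule_matches(rule, e, field_map)]
    took = time.perf_counter() - start if elapsed is None else elapsed
    if hits:
        return "manual_review_hits", hits
    if took > slow_seconds:
        return "manual_review_slow", hits
    return "pre_production", hits


if __name__ == "__main__":
    for org, fmap in FIELD_CONFIGS.items():
        print(org, "->", render_query(PTH_RULE, fmap))
    print("org_a:", triage_rule(PTH_RULE, ORG_A_EVENTS, FIELD_CONFIGS["org_a_splunk"])[0])
    print("org_b:", triage_rule(PTH_RULE, ORG_B_EVENTS, FIELD_CONFIGS["org_b_elastic"])[0])
```

One rule in, one query per organization out, each using that organization's own field names; org A's sample data contains a logon that matches the rule, so the rule lands in manual review there, while org B's clean data sends the same rule straight to pre-production.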
Info
Channel: SANS Institute
Views: 919
Rating: 5 out of 5
Keywords: sans institute, information security, cyber security, cybersecurity, information security training, cybersecurity training, cyber security training
Id: 6zMHgP9uknk
Length: 43min 11sec (2591 seconds)
Published: Fri Jun 26 2020