
4.1.2023

 

The other side (not the dark side) of CTI – our contribution to MISP 2.4.167

Throughout this year we have talked a lot, and often, about two things: Cyber Threat Intelligence (CTI) and our main topic, Active Cyber Defense (ACD). Our longstanding dedication to these topics culminated in a presentation by our members at the Black Hat Europe 2022 conference.

Everything that was said there (and it was not much) essentially came down to two open-source platforms: MISP and VECTR.

In our testing of CTI's capabilities, we encountered several obstacles that prevented us from continuing our activities in a way that would remain transparent and, above all, ensure the sustainability and preservation of our data. Overall, managing structured CTI data is a big challenge for us.

For this reason we have created three new objects for the MISP platform to address this issue.

These new objects have been released in MISP 2.4.167 – release notes.

 

MISP addons by DCG420:

#1 ADS+ object

Most native CTI platforms do not address the flip side of CTI, i.e. how to detect the shared IoCs or behaviours, even though it is logical that the detection part, and its binding to the intelligence, should live in the same platform.
The ADS, or Alerting and Detection Strategy, was published by Palantir in 2017. We have added two more categories to the original ten, namely:
  1. The detection rule (SIGMA, Generic rule)
  2. Active Cyber Defence (ACD) elements use for Blind spots
Read more about our custom ADS framework here.
What it looks like in MISP:


#2 PersNOna object

When creating fake profiles, we often run into the problem of managing them, along with their connections and activities. Here we took inspiration from the Fake PersNOna template by MITRE, which exists only as a PDF template and is totally inadequate for managing more than one identity.

Therefore, we have created a fake persona definition that can be used both for known fake adversary profiles and as a fake profile manager, for example to monitor social media or profiles required to register on various services.

What it looks like in MISP:


#3 Groups object

This object is inspired by ThaiCERT's Threat Group Cards project. It allows an adversary profile to be created according to a template, so that CTI does not depend only on threat groups defined elsewhere, for example in MITRE ATT&CK.

What it looks like in MISP:


Sources:

https://www.blackhat.com/eu-22/briefings/schedule/index.html#strengthening-cyber-resiliency-in-a-time-of-geopolitical-crises-applying-threat-intelligence–active-defense-to-protecting-critical-information-infrastructures-29400

https://dcg420.org/eng-custom-methodology-for-dem-and-ads-with-acd-elements-use/

https://blog.palantir.com/alerting-and-detection-strategy-framework-52dc33722df2

https://github.com/MISP/misp-objects

https://www.misp-project.org/2022/12/26/MISP.2.4.167.released.html/

https://attack.mitre.org/

https://itk.mitre.org/toolkit-tools/personas/

https://apt.etda.or.th/cgi-bin/aptgroups.cgi

 

 


1.1.2023

 

Custom detection engineering framework

The goal of our custom framework (methodology) is to facilitate the management of documentation and critical requirements for effective detection engineering.

 

The problem of insufficient documentation:

– Good documentation provides good insight into the detection setup and defines the criteria for false positives.

– Poor, vague documentation or a poorly documented framework results in overwhelming the monitoring mechanisms with alerts.

 

Detection engineering methodology (DEM)

The Detection engineering methodology (DEM) provides a simple guide on how to approach the development of an effective detection system. The individual steps can then be easily mapped to the Alerting and Detection Strategy (ADS).

Steps:
  1. Select Target Technique
    1. AND/OR subtechnique per MITRE ATT&CK
  2. Research Underlying Technology
    1. Get initial info from ATT&CK – TTP description, links, other resources
    2. Choke points
    3. Process details, operators
  3. Proof of Concept Malware Sample(s)
    1. Get sample, tools or script etc.
    2. Run PoC simulation
  4. Identify Data Sources
    1. Consult MITRE website for data sources
    2. Create data model
  5. Build the Detection
    1. Final detection data model
    2. Identify event ID
    3. Specify target process
    4. Pivoting to investigation

 

Alerting and Detection Strategy (ADS)

The Alerting and Detection Strategy (ADS) concept was published by PALANTIR in 2017 and the original can be found here.

According to Palantir, the ADS framework “helps us frame hypothesis generation, testing, and management of new ADS”.

 

The original ADS framework by Palantir contains the following sections:
  1. Goal
  2. Categorization
  3. Strategy Abstract
  4. Technical Context
  5. Blind Spots and Assumptions
  6. False Positives
  7. Validation
  8. Priority
  9. Response
  10. Additional Resources

 

Custom ADS Framework with added parts by DCG420:
  1. Goal
  2. Categorization
  3. Strategy Abstract
  4. Technical Context
  5. Blind Spots and Assumptions
  6. False Positives
  7. Validation
  8. Priority
  9. Response
  10. Additional Resources
  11. The detection rule (SIGMA, Generic rule)
  12. ACD elements use for Blind spots

 

For better documentation we added parts for:
  1. The detection rule (SIGMA rules, Generic rules) – to maximize the portability of the rules, we chose the SIGMA universal format, which provides a simple conversion into the SIEM query language found in the defender's environment.
  2. ACD elements use for Blind spots – the ACD elements correspond to Engage IDs according to MITRE Engage.

The practical application of this custom methodology will be discussed in future articles.

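A documentation completeness check for the custom twelve-section ADS framework, covering both this section and the ADS+ MISP object described earlier on the page; it is an added example, not DCG420's own code or the MISP object definition. It flags empty sections, checks that section 11 carries a minimally complete Sigma rule and that section 12 references Engage-style IDs; the record layout, the minimal Sigma field set and the Engage ID pattern are assumptions of this example.

```python
"""Completeness check for a detection documented with the custom 12-section
ADS framework. Added example: section names are from the article; the record
layout, minimal Sigma fields and Engage-ID pattern are assumptions."""
import re

ADS_SECTIONS = ["Goal", "Categorization", "Strategy Abstract",
                "Technical Context", "Blind Spots and Assumptions",
                "False Positives", "Validation", "Priority", "Response",
                "Additional Resources", "The detection rule",
                "ACD elements use for Blind spots"]
SIGMA_REQUIRED = ("title", "logsource", "detection")   # assumed minimum
ENGAGE_ID = re.compile(r"^[SE](GO|AP|AC)\d{4}$")      # assumed ID shape


def check_ads(record: dict) -> list:
    """Return documentation problems; an empty list means the ADS is complete."""
    problems = []
    for section in ADS_SECTIONS:          # every section must be filled in
        if not record.get(section):
            problems.append(f"missing or empty section: {section}")
    rule = record.get("The detection rule")
    if isinstance(rule, dict):            # section 11 carries the Sigma rule
        for field in SIGMA_REQUIRED:
            if field not in rule:
                problems.append(f"Sigma rule lacks '{field}'")
        if "condition" not in rule.get("detection", {}):
            problems.append("Sigma detection has no 'condition'")
    elif rule:
        problems.append("detection rule must be a Sigma rule mapping")
    for eid in record.get("ACD elements use for Blind spots") or []:
        if not ENGAGE_ID.match(str(eid)):   # section 12 maps to Engage IDs
            problems.append(f"not a MITRE Engage ID: {eid}")
    return problems


# Constructed sample: blind spots left empty, one Engage reference malformed.
SAMPLE = {s: f"{s} text" for s in ADS_SECTIONS[:10]}
SAMPLE["Categorization"] = "T1003.001"
SAMPLE["Blind Spots and Assumptions"] = ""
SAMPLE["The detection rule"] = {
    "title": "LSASS process access",
    "logsource": {"product": "windows", "category": "process_access"},
    "detection": {"selection": {"TargetImage|endswith": "\\lsass.exe"},
                  "condition": "selection"},
}
SAMPLE["ACD elements use for Blind spots"] = ["EAC0000", "lures"]

if __name__ == "__main__":
    for p in check_ads(SAMPLE):
        print("ADS problem:", p)
```

Run against an ADS record before it is pushed into the MISP object; anything reported is a documentation gap of the kind the section above warns about.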
Sources:

https://blog.palantir.com/alerting-and-detection-strategy-framework-52dc33722df2

https://engage.mitre.org

https://attack.mitre.org

https://github.com/SigmaHQ/sigma



3.6.2022

It is very important to document all the related activities in order to monitor and evaluate the Red team and Blue team campaigns within Purple teaming, and especially to evaluate the readiness of the processes, people and tools themselves. SRA's VECTR tool serves exactly this purpose. However, as you will see later, it is not only a passive tool recording the progress of your teams, but also a gradually developing automated test framework (although it is still in its infancy).


28.5.2022

In order to track the Red team and Blue team campaigns within Purple teaming, to evaluate them, and above all to evaluate the readiness of the processes, people and tools themselves, it is very important to document all the related activities. This is exactly the purpose of the VECTR tool from SRA. However, as you will find out later, it is not just a passive tool recording the progress of your teams, but also a gradually developing automated test framework (although it is still in its infancy).


29.4.2022

This is the English version of our older article in Czech.

We introduced the definition of Active Cyber Defense (AD) and the AD Gray Zone (ADGZ) here: ENG, CZE.

——————————————

Over time, in our practice and research, we have come to further modify the ADGZ in order to divide it and deploy it practically in the organization.

Update:

  • A new ADGZ structure has been created, separating categories that can be performed by private entities (green) and those that can only be performed by mandated entities (orange).
  • A new category Adversary Takedowns has been created, which includes subcategories Botnet, Domain and Infrastructure Takedowns.
  • A new Adversary Emulation category has been created that contains categories related to adversary behavior emulation and testing.
  • A new Deterrence subcategory structure has been created.
  • A new category Threat Intelligence has been created.
  • A new structure for the subcategory Counter-Intelligence has been created.

29.4.2022

This is the English version of our older article in Czech.

——————————

This article should answer your questions about what Active Cyber Defence (ACD) and Active Cyber Defence Gray Zone (ADGZ) are and how they can be used.


19.3.2022

We introduced the definition of Active Cyber Defense (AD) and the AD Gray Zone (ADGZ) here.

Over time, in the course of our practice and research, we have arrived at a further modification of the ADGZ, in order to divide it and deploy it practically in the organization.

Changes:

  • A new ADGZ structure has been created, separating the categories that can be performed by private entities (green) from those that can only be performed by mandated entities (orange).
  • A new category Adversary Takedowns has been created, containing the subcategories Botnet, Domain and Infrastructure Takedowns.
  • A new category Adversary Emulation has been created (a regrouping), containing the categories related to emulating and testing adversary behaviour.
  • A new structure of Deterrence subcategories has been created.
  • A new category Threat Intelligence has been created (a regrouping).
  • A new structure for the subcategory Counter-Intelligence has been created.

12.3.2022

What actually is adversary emulation, i.e. emulating the adversary's behaviour? It is a process that uses the adversary's tactics, techniques and procedures (TTPs), enriched with Cyber Threat Intelligence (CTI), to create a security test based on real attacks or campaigns.
