(ENG) Custom methodology for DEM and ADS with ACD elements use – DCG420

1.1.2023

Custom detection engineering framework

The goal of our custom framework (methodology) is to facilitate the management of documentation and critical requirements for effective detection engineering.

The problem of insufficient documentation:

– Good documentation gives clear insight into the detection setup and defines the criteria for false positives.

– Poor or vague documentation, or a poorly documented framework, leaves the monitoring mechanisms overwhelmed with alerts.

Detection engineering methodology (DEM)

The Detection engineering methodology (DEM) provides a simple guide on how to approach the development of an effective detection system. The individual steps can then be easily mapped to the Alerting and Detection Strategy (ADS).

Steps:
  1. Select Target Technique
    1. and/or sub-technique per MITRE ATT&CK
  2. Research Underlying Technology
    1. Get initial info from ATT&CK – TTP description, links, other resources
    2. Choke points
    3. Process details, operators
  3. Proof of Concept Malware Sample(s)
    1. Get the sample, tools or scripts
    2. Run the PoC simulation
  4. Identify Data Sources
    1. Consult the MITRE website for data sources
    2. Create the data model
  5. Build the Detection
    1. Final detection data model
    2. Identify the event ID
    3. Specify the target process
    4. Pivoting to investigation

Alerting and Detection Strategy (ADS)

The Alerting and Detection Strategy (ADS) concept was published by Palantir in 2017; the original post is listed in the Sources below.

According to Palantir, the ADS framework “helps us frame hypothesis generation, testing, and management of new ADS”.

The original ADS framework by Palantir contains the following sections:
  1. Goal
  2. Categorization
  3. Strategy Abstract
  4. Technical Context
  5. Blind Spots and Assumptions
  6. False Positives
  7. Validation
  8. Priority
  9. Response
  10. Additional Resources

Custom ADS Framework with added parts by DCG420:
  1. Goal
  2. Categorization
  3. Strategy Abstract
  4. Technical Context
  5. Blind Spots and Assumptions
  6. False Positives
  7. Validation
  8. Priority
  9. Response
  10. Additional Resources
  11. The detection rule (SIGMA, Generic rule)
  12. ACD elements use for Blind spots

For better documentation we added two parts:
  1. The detection rule (SIGMA rules, Generic rules) – to maximize the portability of the rules we chose the universal SIGMA format, which converts readily to the query language of whichever SIEM the defender runs.
  2. ACD elements use for Blind spots – the ACD elements correspond to Engage IDs in MITRE Engage.
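As an added example (not DCG420's own tooling and not part of the original article), a small Python check that an ADS document written in this 12-section structure is complete: every section present and non-empty, section 11 holding a Sigma rule with the keys a converter needs, and section 12 naming at least one MITRE Engage ID. The heading format "N. Section name", the minimum Sigma key set and the Engage ID shape (EAC/EAP/EGO plus four digits) are assumptions, and the sample document is constructed.

```python
import re

# The 12 sections of the DCG420 ADS template, in the order the article lists them.
ADS_SECTIONS = [
    "Goal", "Categorization", "Strategy Abstract", "Technical Context",
    "Blind Spots and Assumptions", "False Positives", "Validation", "Priority",
    "Response", "Additional Resources", "The detection rule", "ACD elements use for Blind spots",
]
SIGMA_REQUIRED = ("title", "logsource", "detection", "level")  # assumed minimum for a convertible rule
# Assumed Engage ID shape (EAC/EAP/EGO + 4 digits); the article does not state the format.
ENGAGE_ID = re.compile(r"\bE(?:AC|AP|GO)\d{4}\b")
HEADING = re.compile(r"^\s*(\d+)\.\s+(.+?)\s*$")

def split_sections(text):
    """Map section number -> body text for headings written as 'N. Section name'."""
    sections, current = {}, None
    for line in text.splitlines():
        m = HEADING.match(line)
        n = int(m.group(1)) if m else 0
        if 1 <= n <= len(ADS_SECTIONS) and m.group(2).lower().startswith(ADS_SECTIONS[n - 1].lower()):
            current = n
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return {n: "\n".join(body).strip() for n, body in sections.items()}

def check_ads(text):
    """Return a list of findings; an empty list means the ADS document is complete."""
    findings, sections = [], split_sections(text)
    for n, name in enumerate(ADS_SECTIONS, start=1):
        if n not in sections:
            findings.append(f"missing section {n}. {name}")
        elif not sections[n]:
            findings.append(f"empty section {n}. {name}")
    for key in SIGMA_REQUIRED:  # section 11 must hold a Sigma rule a converter can consume
        if 11 in sections and not re.search(rf"^\s*{key}\s*:", sections[11], re.M):
            findings.append(f"section 11 Sigma rule lacks '{key}:'")
    if 12 in sections and not ENGAGE_ID.search(sections[12]):
        findings.append("section 12 names no MITRE Engage ID")
    return findings

# Constructed sample ADS: section 6 is left empty and the Sigma rule has no 'level:' on purpose.
SIGMA_RULE = ("title: Constructed example rule\nlogsource:\n  category: process_creation\n"
              "detection:\n  selection:\n    Image|endswith: '\\\\example.exe'\n  condition: selection")
SAMPLE_ADS = "\n".join(
    f"{n}. {name}\n" + {6: "", 11: SIGMA_RULE, 12: "EAC0001 (constructed placeholder ID)"}.get(n, f"constructed text for {name}")
    for n, name in enumerate(ADS_SECTIONS, start=1))
```

Running `check_ads(SAMPLE_ADS)` reports the empty False Positives section and the missing `level:` key, the two gaps that would otherwise surface later as untriageable alerts.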
The practical application of this custom methodology will be discussed in future articles.

Sources:

https://blog.palantir.com/alerting-and-detection-strategy-framework-52dc33722df2

https://engage.mitre.org

https://attack.mitre.org

https://github.com/SigmaHQ/sigma
