Search

Use this static Page to test the Theme's handling of the Blog Posts Index page. If the site is set to display a static Page on the Front Page, and this Page is set to display the Blog Posts Index, then this text should not appear.
MISP_addon_misp-objects-1200x479.png
Active Cyber DefenseADSBlackhatDetectionMISP

(ENG) The other side (not the dark side) of CTI – our contribution to MISP 2.4.167

4.1.2023

 

The other side (not the dark side) of CTI – our contribution to MISP 2.4.167

All this year we have talked a lot and often about two things. The first is Cyber Threat Intelligence (CTI) and then our main topic, Active Cyber Defense (ACD). Overall, our longstanding dedication to this topic culminated in a presentation by our members at the BlackHat Europe 2022 conference.

Everything that was said there (and there was very little of it) was basically about two open-source platforms – MISP and VECTR.

In our testing of CTI’s capabilities, we encountered several obstacles that did not allow us to continue our activities in a way that would remain transparent and, above all, ensure the sustainability of our data and its preservation. Overall, managing structured data related to CTI is a big challenge for us.

It is for this reason that we have created 3 new objects for the MISP platform to address this issue.

These new objects have been released in MISP 2.4.167 – release notes.

 

MISP addons by DCG420:

#1 ADS+ object

Most native CTI platforms do not address the flip side of CTI, i.e. how to detect shared IoCs or behaviors. Although it is logical that just the detection part and the binding to it must be part of one platform.
The ADS or Alerting and Detection Strategy was published by PALANTIR in 2017. We have added two more categories to the original ten, namely:
  1. The detection rule (SIGMA, Generic rule)
  2. Active Cyber Defence (ACD) elements use for Blind spots
Read more about our custom ADS framework here.
What it looks like in MISP:

#2 PersNOna object

When creating fake profiles, we often run into the problem of managing them. There is also the problem of managing their connections and activities. Here we have taken inspiration from the Fake PersNOna template by MITRE, which exists only as a pdf template, which is totally inadequate for managing more than one identity.

Therefore, we have created a fake persona definition that can be used both for known fake adversary profiles and as a fake profile manager, for example to monitor social media or profiles required to register on various services.

What it looks like in MISP:

#3 Groups object

This object is inspired by ThaiCERT’s Threat Group Cards project. The Object itself allows to create an adversary profile according to a template. Thus, CTI does not depend only on defined threat groups, for example according to MITRE ATT&CK.

What it looks like in MISP:

Sources:

https://www.blackhat.com/eu-22/briefings/schedule/index.html#strengthening-cyber-resiliency-in-a-time-of-geopolitical-crises-applying-threat-intelligence–active-defense-to-protecting-critical-information-infrastructures-29400

https://dcg420.org/eng-custom-methodology-for-dem-and-ads-with-acd-elements-use/

https://blog.palantir.com/alerting-and-detection-strategy-framework-52dc33722df2

https://github.com/MISP/misp-objects

https://www.misp-project.org/2022/12/26/MISP.2.4.167.released.html/

https://attack.mitre.org/

https://itk.mitre.org/toolkit-tools/personas/

https://apt.etda.or.th/cgi-bin/aptgroups.cgi

 

 

1FnPDYeZVrGTbuE7Lj7JhgQ-1200x798.png
Active Cyber DefenseADGZADSDetectionRiskRules

(ENG) Custom methodology for DEM and ADS with ACD elements use

1.1.2023

 

Custom detection engineering framework

The goal of our custom framework (methodology) is to facilitate the management of documentation and critical requirements for effective detection engineering.

 

The problem of insufficient documentation:

– Good documentation provides good insight into the detection setup and defines the criteria for false positives.

– Poor, vague documentation or a poorly documented framework results in overwhelming the monitoring mechanisms with alerts.

 

Detection engineering methodology (DEM)

The Detection engineering methodology (DEM) provides a simple guide on how to approach the development of an effective detection system. The individual steps can then be easily mapped with the Alerting and Detection Strategy (ADS).

Steps:
  1. Select Target Technique
    1. AND/OR subtechnique per MITRE ATT&CK
  2. Research Underlying Technology
    1. Get initial info from ATT&CK – TTP description, links, other resources
    2. Choke points
    3. Process deyails, operators
  3. Proof of Concept Malware Sample(s)
    1. Get sample, tools or script etc.
    2. Run PoC simulation
  4. Identify Data Sources
    1. Consult MITRE website for data sources
    2. Create data model
  5. Build the Detection
    1. Final detection data model
    2. Identify event ID
    3. Specify target process
    4. Pivoting to investigation

 

Alerting and Detection Strategy (ADS)

The Alerting and Detection Strategy (ADS) concept was published by PALANTIR in 2017 and the original can be found here.

Based on Palantir, the ADS framework “helps us frame hypothesis generation, testing, and management of new ADS”.

 

The former ADS framework by Palantir contains the following sections:
  1. Goal
  2. Categorization
  3. Strategy Abstract
  4. Technical Context
  5. Blind Spots and Assumptions
  6. False Positives
  7. Validation
  8. Priority
  9. Response
  10. Additional Resources

 

Custom ADS Framework with added parts by DCG420:
  1. Goal
  2. Categorization
  3. Strategy Abstract
  4. Technical Context
  5. Blind Spots and Assumptions
  6. False Positives
  7. Validation
  8. Priority
  9. Response
  10. Additional Resources
  11. The detection rule (SIGMA, Generic rule)
  12. ACD elements use for Blind spots

 

For better documentation we added parts for:
  1. The detection rule (SIGMA rules, Generic rules) – to maximize the portability of the rules, we chose the SIGMA universal format, which provides a simple conversion to the SIEM language found in the defender environment.
  2. ACD elements use for Blind spots – ACD elements correspond to Engage ID according to MITRE Engage.
The practical application of this custom methodology will be discussed in future articles.
Sources:

https://blog.palantir.com/alerting-and-detection-strategy-framework-52dc33722df2

https://engage.mitre.org

https://attack.mitre.org

https://github.com/SigmaHQ/sigma

 

 

1FnPDYeZVrGTbuE7Lj7JhgQ-1200x798.png
Active Cyber DefenseADGZADSDetectionRiskRules

(CZE) Custom methodology for DEM and ADS with ACD elements use

1.1.2023

 

Custom detection engineering framework

Cílem našeho custom framework (metodologie) je usnadit správu dokumentace a kritických požadavků pro efektivní funkci detekce (detection engineering).

 

Problém nedostatečné dokumentace:

  • Dobrá dokumentace poskytuje kvalitní vhled do nastavení detekce a definuje kritéria pro false positives.
  • Špatná, vágní dokumentace nebo nekvalitně dokumentovaný framework má za následek zahlcení monitorovacích mechanizmů alerty.

 

Detection engineering methodology (DEM)

Detection engineering methodology (DEM) poskytuje jednoduchý návod, jak přistoupit k vytvoření efektivního systému detekce. Jednotlivé kroky lze pak jednoduše namapovat s
Alerting and Detection Strategy (ADS).
Kroky (v ENG):
  1. Select Target Technique
    1. AND/OR subtechnique per MITRE ATT&CK
  2. Research Underlying Technology
    1. Get initial info from ATT&CK – TTP description, links, other resources
    2. Choke points
    3. Process deyails, operators
  3. Proof of Concept Malware Sample(s)
    1. Get sample, tools or script etc.
    2. Run PoC simulation
  4. Identify Data Sources
    1. Consult MITRE website for data sources
    2. Create data model
  5. Build the Detection
    1. Final detection data model
    2. Identify event ID
    3. Specify target process
    4. Pivoting to investigation

 

Alerting and Detection Strategy (ADS)

Koncept Alerting and Detection Strategy (ADS) byl zveřejněn společností Palantir v roce 2017 a jeho originál je možné nalézt Read more..

Na základě Palantir rámec ADS „nám pomáhá vytvářet hypotézy, testovat a spravovat nové ADS“.

 

Původní rámec ADS od Palantir obsahuje následující části (v ENG):
  1. Goal
  2. Categorization
  3. Strategy Abstract
  4. Technical Context
  5. Blind Spots and Assumptions
  6. False Positives
  7. Validation
  8. Priority
  9. Response
  10. Additional Resources

 

Custom ADS Framework s přidanými částmi od DCG420:
  1. Goal
  2. Categorization
  3. Strategy Abstract
  4. Technical Context
  5. Blind Spots and Assumptions
  6. False Positives
  7. Validation
  8. Priority
  9. Response
  10. Additional Resources
  11. The detection rule (SIGMA, Generic rule)
  12. ACD elements use for Blind spots

 

Pro lepší dokumentaci ADS jsme přidali části pro:
  1. The detection rule (SIGMA rules, Generic rules) – pro co největší přenositelnost pravidel jsme zvolili SIGMA universal format, který je poskytuje jednoduchou konverzi do jazyka pro SIEM, který se nachází v prostředí obránce.
  2. ACD elements use for Blind spots – ACD elementy odpovídají Engage ID dle MITRE Engage.

 

Praktickému využití této custom metodologie se budeme věnovat v dalších článcích.

 

Zdroje:

https://blog.palantir.com/alerting-and-detection-strategy-framework-52dc33722df2

https://engage.mitre.org

https://attack.mitre.org

https://github.com/SigmaHQ/sigma

 

 

en_GBEnglish
cs_CZCzech en_GBEnglish