{"id":7103,"date":"2023-01-01T19:30:58","date_gmt":"2023-01-01T18:30:58","guid":{"rendered":"https:\/\/dcg420.org\/?p=7103"},"modified":"2023-01-01T19:30:58","modified_gmt":"2023-01-01T18:30:58","slug":"eng-custom-methodology-for-dem-and-ads-with-acd-elements-use","status":"publish","type":"post","link":"https:\/\/dcg420.org\/en\/eng-custom-methodology-for-dem-and-ads-with-acd-elements-use\/","title":{"rendered":"(ENG) Custom methodology for DEM and ADS with ACD elements use"},"content":{"rendered":"

 <\/p>\n

Custom detection engineering framework<\/strong><\/h4>\n

The goal of our custom framework (methodology) is to facilitate the management of documentation and critical requirements for effective detection engineering.<\/p>\n

 <\/p>\n

The problem of insufficient documentation:<\/strong><\/p>\n

– Good documentation provides good insight into the detection setup and defines the criteria for false positives.<\/p>\n

– Poor, vague documentation or a poorly documented framework results in overwhelming the monitoring mechanisms with alerts.<\/p>\n

 <\/p>\n

Detection engineering methodology (DEM)<\/strong><\/h4>\n

The Detection engineering methodology (DEM) provides a simple guide on how to approach the development of an effective detection system. The individual steps can then be easily mapped with the Alerting and Detection Strategy (ADS).<\/p>\n

Steps:<\/strong><\/h5>\n
    \n
  1. Select Target Technique<\/strong>\n
      \n
    1. AND\/OR subtechnique per MITRE ATT&CK<\/strong><\/a><\/li>\n<\/ol>\n<\/li>\n
    2. Research Underlying Technology<\/strong>\n
        \n
      1. Get initial info from ATT&CK \u2013 TTP description, links, other resources<\/li>\n
      2. Choke points<\/li>\n
      3. Process deyails, operators<\/li>\n<\/ol>\n<\/li>\n
      4. Proof of Concept Malware Sample(s)<\/strong>\n
          \n
        1. Get sample, tools or script etc.<\/li>\n
        2. Run PoC simulation<\/li>\n<\/ol>\n<\/li>\n
        3. Identify Data Sources<\/strong>\n
            \n
          1. Consult MITRE website for data sources<\/li>\n
          2. Create data model<\/li>\n<\/ol>\n<\/li>\n
          3. Build the Detection<\/strong>\n
              \n
            1. Final detection data model<\/li>\n
            2. Identify event ID<\/li>\n
            3. Specify target process<\/li>\n
            4. Pivoting to investigation<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n

               <\/p>\n

              Alerting and Detection Strategy (ADS)<\/strong><\/h4>\n

              The Alerting and Detection Strategy (ADS) concept was published by PALANTIR in 2017 and the original can be found here<\/a><\/strong>.<\/p>\n

              Based on Palantir, the ADS framework \u201chelps us frame hypothesis generation, testing, and management of new ADS<\/em>\u201d.<\/p>\n

               <\/p>\n

              The <\/strong>former ADS <\/strong>framework <\/strong>by Palantir <\/strong>c<\/strong>ontains<\/strong> the following sections:<\/strong><\/h5>\n
                \n
              1. Goal<\/li>\n
              2. Categorization<\/li>\n
              3. Strategy Abstract<\/li>\n
              4. Technical Context<\/li>\n
              5. Blind Spots and Assumptions<\/li>\n
              6. False Positives<\/li>\n
              7. Validation<\/li>\n
              8. Priority<\/li>\n
              9. Response<\/li>\n
              10. Additional Resources<\/li>\n<\/ol>\n

                 <\/p>\n

                Custom ADS Framework with added parts by DCG420:<\/strong><\/h5>\n
                  \n
                1. Goal<\/li>\n
                2. Categorization<\/li>\n
                3. Strategy Abstract<\/li>\n
                4. Technical Context<\/li>\n
                5. Blind Spots and Assumptions<\/li>\n
                6. False Positives<\/li>\n
                7. Validation<\/li>\n
                8. Priority<\/li>\n
                9. Response<\/li>\n
                10. Additional Resources<\/li>\n
                11. The detection rule (SIGMA, Generic rule)<\/strong><\/li>\n
                12. ACD elements use for Blind spots<\/strong><\/li>\n<\/ol>\n

                   <\/p>\n

                  For better documentation we added parts for:<\/strong><\/h5>\n
                    \n
                  1. The detection rule (SIGMA<\/a> rules, Generic rules) <\/strong>– to maximize the portability of the rules, we chose the SIGMA universal format, which provides a simple conversion to the SIEM language found in the defender environment.<\/li>\n
                  2. ACD elements use for Blind spots \u2013 <\/strong>ACD elements correspond to Engage ID according to MITRE Engage<\/strong><\/a>.<\/li>\n<\/ol>\n
                    <\/h6>\n
                    The practical application of this custom methodology will be discussed in future articles.<\/h6>\n
                    <\/h6>\n
                    Sources:<\/strong><\/h6>\n

                    https:\/\/blog.palantir.com\/alerting-and-detection-strategy-framework-52dc33722df2<\/a><\/p>\n

                    https:\/\/engage.mitre.org<\/a><\/p>\n

                    https:\/\/attack.mitre.org<\/a><\/p>\n

                    https:\/\/github.com\/SigmaHQ\/sigma<\/a><\/p>\n

                     <\/p>\n

                     <\/p>\n<\/div>","protected":false},"excerpt":{"rendered":"

                      Custom detection engineering framework The goal of our custom framework (methodology) is to facilitate the management of documentation and critical requirements for effective detection engineering.   The problem of insufficient documentation: – Good documentation provides good insight into the detection setup and defines the criteria for false positives. – Poor, vague documentation or a […]<\/p>\n","protected":false},"author":3,"featured_media":7098,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[110,88,109,108,87,114],"tags":[113,111,119,120,112,118,115,116,117],"_links":{"self":[{"href":"https:\/\/dcg420.org\/en\/wp-json\/wp\/v2\/posts\/7103"}],"collection":[{"href":"https:\/\/dcg420.org\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dcg420.org\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dcg420.org\/en\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/dcg420.org\/en\/wp-json\/wp\/v2\/comments?post=7103"}],"version-history":[{"count":2,"href":"https:\/\/dcg420.org\/en\/wp-json\/wp\/v2\/posts\/7103\/revisions"}],"predecessor-version":[{"id":7111,"href":"https:\/\/dcg420.org\/en\/wp-json\/wp\/v2\/posts\/7103\/revisions\/7111"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/dcg420.org\/en\/wp-json\/wp\/v2\/media\/7098"}],"wp:attachment":[{"href":"https:\/\/dcg420.org\/en\/wp-json\/wp\/v2\/media?parent=7103"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dcg420.org\/en\/wp-json\/wp\/v2\/categories?post=7103"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dcg420.org\/en\/wp-json\/wp\/v2\/tags?post=7103"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}