{"id":7105,"date":"2023-01-01T19:29:07","date_gmt":"2023-01-01T18:29:07","guid":{"rendered":"https:\/\/dcg420.org\/?p=7105"},"modified":"2023-01-01T19:29:07","modified_gmt":"2023-01-01T18:29:07","slug":"cze-custom-methodology-for-dem-and-ads-with-acd-elements-use","status":"publish","type":"post","link":"https:\/\/dcg420.org\/en\/cze-custom-methodology-for-dem-and-ads-with-acd-elements-use\/","title":{"rendered":"(CZE) Custom methodology for DEM and ADS with ACD elements use"},"content":{"rendered":"<div class=\"bt_rc_container\"><p>&nbsp;<\/p>\n<h4 style=\"font-weight: 400;\"><strong>Custom detection engineering framework<\/strong><\/h4>\n<p style=\"font-weight: 400;\">The goal of our custom framework (methodology) is to simplify the management of documentation and of the critical requirements for an effective detection function (detection engineering).<\/p>\n<p>&nbsp;<\/p>\n<p style=\"font-weight: 400;\"><strong>The problem of insufficient documentation:<\/strong><\/p>\n<ul>\n<li>Good documentation gives a clear view into how a detection is configured and defines the criteria for false positives.<\/li>\n<li>Poor or vague documentation, or a badly documented framework, results in the monitoring mechanisms being flooded with alerts.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h4 style=\"font-weight: 400;\"><strong>Detection engineering methodology (DEM)<\/strong><\/h4>\n<div><span lang=\"EN-US\">Detection engineering methodology (DEM) provides a simple guide to building an effective detection system. The individual steps can then be mapped straightforwardly onto the Alerting and Detection Strategy (ADS).<\/span><\/div>\n<div><\/div>\n<h5><strong>Steps (in English):<\/strong><\/h5>\n<ol>\n<li><strong>Select Target Technique<\/strong>\n<ol>\n<li>AND\/OR subtechnique per <a href=\"https:\/\/attack.mitre.org\" target=\"_blank\" rel=\"noopener\"><strong>MITRE ATT&amp;CK<\/strong><\/a><\/li>\n<\/ol>\n<\/li>\n<li><strong>Research Underlying Technology<\/strong>\n<ol>\n<li>Get initial info from ATT&amp;CK \u2013 TTP description, links, other resources<\/li>\n<li>Choke points<\/li>\n<li>Process details, operators<\/li>\n<\/ol>\n<\/li>\n<li><strong>Proof of Concept Malware Sample(s)<\/strong>\n<ol>\n<li>Get the sample, tools or scripts, etc.<\/li>\n<li>Run the PoC simulation<\/li>\n<\/ol>\n<\/li>\n<li><strong>Identify Data Sources<\/strong>\n<ol>\n<li>Consult the MITRE website for data sources<\/li>\n<li>Create the data model<\/li>\n<\/ol>\n<\/li>\n<li><strong>Build the Detection<\/strong>\n<ol>\n<li>Final detection data model<\/li>\n<li>Identify the event ID<\/li>\n<li>Specify the target process<\/li>\n<li>Pivoting to investigation<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<p>&nbsp;<\/p>\n<h4 style=\"font-weight: 400;\"><strong>Alerting and Detection Strategy (ADS)<\/strong><\/h4>\n<div><span lang=\"EN-US\">The Alerting and Detection Strategy (ADS) concept was published by Palantir in 2017 and the original can be found <\/span><strong><a href=\"https:\/\/blog.palantir.com\/alerting-and-detection-strategy-framework-52dc33722df2\" target=\"_blank\" rel=\"noopener\">here<\/a><\/strong>.<\/div>\n<div><\/div>\n<p style=\"font-weight: 400;\">According to Palantir, the ADS framework &#8220;helps us create hypotheses, test and manage new ADS&#8221;.<\/p>\n<p>&nbsp;<\/p>\n<h5 style=\"font-weight: 400;\"><strong>The original ADS framework from Palantir contains the following sections (in English):<\/strong><\/h5>\n<ol>\n<li style=\"font-weight: 400;\">Goal<\/li>\n<li style=\"font-weight: 400;\">Categorization<\/li>\n<li style=\"font-weight: 400;\">Strategy Abstract<\/li>\n<li style=\"font-weight: 400;\">Technical Context<\/li>\n<li style=\"font-weight: 400;\">Blind Spots and Assumptions<\/li>\n<li style=\"font-weight: 400;\">False Positives<\/li>\n<li style=\"font-weight: 400;\">Validation<\/li>\n<li style=\"font-weight: 400;\">Priority<\/li>\n<li style=\"font-weight: 400;\">Response<\/li>\n<li style=\"font-weight: 400;\">Additional Resources<\/li>\n<\/ol>\n<p>&nbsp;<\/p>\n<h5 style=\"font-weight: 400;\"><strong>Custom ADS Framework with sections added by DCG420:<\/strong><\/h5>\n<ol>\n<li style=\"font-weight: 400;\">Goal<\/li>\n<li style=\"font-weight: 400;\">Categorization<\/li>\n<li style=\"font-weight: 400;\">Strategy Abstract<\/li>\n<li style=\"font-weight: 400;\">Technical Context<\/li>\n<li style=\"font-weight: 400;\">Blind Spots and Assumptions<\/li>\n<li style=\"font-weight: 400;\">False Positives<\/li>\n<li style=\"font-weight: 400;\">Validation<\/li>\n<li style=\"font-weight: 400;\">Priority<\/li>\n<li style=\"font-weight: 400;\">Response<\/li>\n<li style=\"font-weight: 400;\">Additional Resources<\/li>\n<li style=\"font-weight: 400;\"><strong>The detection rule (SIGMA, Generic rule)<\/strong><\/li>\n<li style=\"font-weight: 400;\"><strong>ACD elements use for Blind spots<\/strong><\/li>\n<\/ol>\n<p>&nbsp;<\/p>\n<h5 style=\"font-weight: 400;\"><strong>For better ADS documentation we added sections for:<\/strong><\/h5>\n<ol start=\"11\">\n<li style=\"font-weight: 400;\"><strong>The detection rule (<a href=\"https:\/\/github.com\/SigmaHQ\/sigma\" target=\"_blank\" rel=\"noopener\">SIGMA<\/a> rules, Generic rules)<\/strong> &#8211; to make the rules as portable as possible we chose the SIGMA universal format, which provides simple conversion into the query language of the SIEM deployed in the defender's environment.<\/li>\n<li style=\"font-weight: 400;\"><strong>ACD elements use for Blind spots<\/strong> &#8211; the ACD elements correspond to Engage IDs per <a href=\"http:\/\/engage.mitre.org\" target=\"_blank\" rel=\"noopener\"><strong>MITRE Engage<\/strong><\/a>.<\/li>\n<\/ol>\n<p>&nbsp;<\/p>\n<h6>We will cover the practical use of this custom methodology in further articles.<\/h6>\n<p>&nbsp;<\/p>\n<h4 style=\"font-weight: 400;\"><strong>Sources:<\/strong><\/h4>\n<p style=\"font-weight: 400;\"><a href=\"https:\/\/blog.palantir.com\/alerting-and-detection-strategy-framework-52dc33722df2\" target=\"_blank\" rel=\"noopener\">https:\/\/blog.palantir.com\/alerting-and-detection-strategy-framework-52dc33722df2<\/a><\/p>\n<p style=\"font-weight: 400;\"><a href=\"https:\/\/engage.mitre.org\/\" target=\"_blank\" rel=\"noopener\">https:\/\/engage.mitre.org<\/a><\/p>\n<p style=\"font-weight: 400;\"><a href=\"https:\/\/attack.mitre.org\/\" target=\"_blank\" rel=\"noopener\">https:\/\/attack.mitre.org<\/a><\/p>\n<p style=\"font-weight: 400;\"><a href=\"https:\/\/github.com\/SigmaHQ\/sigma\" target=\"_blank\" rel=\"noopener\">https:\/\/github.com\/SigmaHQ\/sigma<\/a><\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>&nbsp; Custom detection engineering framework The goal of our custom framework (methodology) is to simplify the management of documentation and of the critical requirements for an effective detection function (detection engineering). &nbsp; The problem of insufficient documentation: Good documentation gives a clear view into how a detection is configured and defines the criteria for false positives. Poor or vague documentation, or a badly documented framework, results in the monitoring mechanisms being flooded with alerts. [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":7098,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[110,88,109,108,87,114],"tags":[113,111,119,120,112,118,115,116,117],"_links":{"self":[{"href":"https:\/\/dcg420.org\/en\/wp-json\/wp\/v2\/posts\/7105"}],"collection":[{"href":"https:\/\/dcg420.org\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dcg420.org\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dcg420.org\/en\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/dcg420.org\/en\/wp-json\/wp\/v2\/comments?post=7105"}],"version-history":[{"count":5,"href":"https:\/\/dcg420.org\/en\/wp-json\/wp\/v2\/posts\/7105\/revisions"}],"predecessor-version":[{"id":7110,"href":"https:\/\/dcg420.org\/en\/wp-json\/wp\/v2\/posts\/7105\/revisions\/7110"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/dcg420.org\/en\/wp-json\/wp\/v2\/media\/7098"}],"wp:attachment":[{"href":"https:\/\/dcg420.org\/en\/wp-json\/wp\/v2\/media?parent=7105"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dcg420.org\/en\/wp-json\/wp\/v2\/categories?post=7105"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dcg420.org\/en\/wp-json\/wp\/v2\/tags?post=7105"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}