Githabification of Information Security

Towards an open, vendor-independent and community-friendly model for accelerating Information Security training

December 8, 2019

John Lambert JohnLaTwC, Distinguished Engineer, Microsoft Threat Intelligence Center

annotation

The combination of Information Security Specialists within the global community accelerates subject-specific training.

, MITRE ATT&CK, , Sigma , Jupyter Notebooks, . .

, , , .

" — , — ." —

. , . , 10 000 , . , — , , , . , , , — .

, ? , .

, , . , , . " ". : , . .

" , " —

. . - . , — . .

, , MITRE ATT&CK. , . " Windows" T1015. , , , .

MITRE ATT&CK :

• . ATT&CK , , , ( , , ).
• . ATT&CK . , MITRE. ATT&CK , ( ), , .
• . ATT&CK , ATT&CK , , , . .

. :

• ATT&CK . , . Palo Alto, ATT&CK Sofacy:
  
• ATT&CK Navigator MITRE , . APT 28 ( ) APT 29:
  
• — Atomic Red Team Red Canary, ATT&CK. ", ", " " . ATT&CK Atomic Red Team, ( ):
  

, MITRE ATT&CK — , , .

" " — .

— , . . . , " ". MITRE ATT&CK.

T1015, , , . cmd.exe, , , winlogon.exe SYSTEM (). .

, , , . (SIEM/LM ) .

: Splunk Search Processing Language (SPL), ElasticSearch — Domain Specific Language (DSL), Microsoft Defender ATP — Keyword Query Language (KQL). , Yara Snort ...

Sigma, , . Sigma — , (@cyb3rops) (@blubbfiction), ("") . , Sigma , Splunk, ElasticSearch, QRadar . SOC Prime - https://uncoder.io/, Sigma, . Sigma Sigma . Sigma .

Sigma ATT&CK T1015, ? :

Sigma, ? :

• Sigma , ( , , MITRE ATT&CK ..). Sigma , , . , , .
• . Sigma SIEM/LM , . . Sigma , (, , ). , Red Teaming, Sigma, Purple Teaming.
• , , . Sigma Yara Snort.

MITRE ATT&CK , , Sigma , , - . , , .

" . ." — , " "

, , . , . . ? , ? - , ? , ?

. , - , . Jupyter Notebook.

Jupyter?

Jupyter — , , . :

• — Notebook. , , . . Notebook , , . Notebook Python ( ) , Pandas. , Notebook . Jupyter — GitHub 5 Notebook.
• Notebook . , . GitHub, . - Notebook, . . Notebook — , .
• Jupyter Notebook . Jupyter Notebook - "", — , Notebook ( Python, .NET ) . Notebook Windows, Linux, Mac . , , .

Jupyter Notebook

Notebook . — , , . : PowerShell, . , Magic Unicorn, . Notebook , Base64 , . CyberChef :

PowerShell, :

Base64, :

, :

API, :

, Windows API (InternetConnectA, HttpSendRequestA, ..) , (VirtualAlloc), : "Magic Unicorn — PowerShell Downgrade Attack ". — (Dave Kennedy, @HackingDave).

, Notebook, . , (Roberto Rodriguez) , Jupyter Notebook . ThreatHunterPlaybook Project Jupyter . Netscylla , Notebook . Notebook, GitHub, binder:

Jupyter , , , , . , Jupyter . Jupyter Notebook .

. , , . MITRE ATT&CK , , ( Office 365), .

Office 365 MITRE ATT&CK:

, (Swetha Prabakaran).

(Florian Roth, @cyb3rops) Sigma GitHub. , "Pull request" — . Pull Request Sigma:

— Open Security Collaborative Development (OSCD) — . 2019 , Sigma MITRE ATT&CK. Sigma 40%:

.

, . , . , MITRE ATT&CK. Sigma. Jupyter Notebook.

, , CERT, , , . , , . , .

? :

• , .
• , — "Pull Request"
• GitHub.com, . , GitHub, — .

, , , , .

, ? :

, :

• Sigma
• Jupyter Notebook MyBinder
• Python -

:

• Sigma , JoeSecurity
• Jupyter Notebook,
• Python

:

• ,
• Sigma
• MITRE ATT&CK
• , Sigma, , MORDOR

:

• -, ATT&CK, Sigma Jupyter Notebook
• Python Jupyter Notebook
• , MITRE ATT&CK, Sigma Jupyter Notebook

CERT , :

• Sigma
• MITRE ATT&CK

(Freddy Dezeure, @FDezeure), (Florian Roth, @cyb3rops), (Thomas Patzke, @blubbfiction), (Leah Lease, @LeahLease), (Tim Burrell, @TimbMsft), (Ian Hellen, @ianhellen) (Roberto Rodriguez, @Cyb3rWard0g) , , , , (@denisbalan), (@noesall), (@zinint), (@MazahakaJay), , - (@SuslikDaRete), (@l1c3t), (@AlienJolka), Oleg Chepurchenko, Michael Tyomkin, Sveta Gaivoronski, Fanta Orr, (@yugoslavskiy) .

• https://attack.mitre.org/
• https://pan-unit42.imtqy.com/playbook_viewer/
• https://mitre-attack.imtqy.com/attack-navigator/enterprise/
• https://atomicredteam.io/testing
• https://cyberwardog.blogspot.com/2017/07/how-hot-is-your-hunt-team.html
• https://yara.readthedocs.io/
• https://github.com/Neo23x0/sigma
• https://uncoder.io/
• https://socprime.com/
• https://jupyter.org/
• https://github.com/parente/nbestimate
• https://mybinder.org/
• https://mybinder.org/v2/gh/parente/nbestimate/master?filepath=estimate.src.ipynb
• https://posts.specterops.io/threat-hunting-with-jupyter-notebooks-part-1-your-first-notebook-9a99a781fde7
• Learn Python: https://www.youtube.com/playlist?list=PLlrxD0HtieHhS8VzuMCfQD4uJ9yne1mE6
• Python development: https://www.pluralsight.com/browse/software-development/python
• https://github.com/nteract/papermill
• https://attack.mitre.org/resources/contribute/
• https://github.com/Neo23x0/signature-base/tree/master/yara
• http://blog.joesecurity.org/2019/10/joe-sandbox-sigma.html
• https://github.com/atc-project/atomic-threat-coverage
• https://medium.com/@cyb3rops/an-overlooked-but-intriguing-sigma-use-case-221987f7b588
• https://www.netscylla.com/blog/2019/10/28/Jupyter-Notebooks-for-Incident-Response.html
• https://github.com/hunters-forge/mordor/
• https://github.com/trustedsec/unicorn
• https://github.com/Microsoft/msticpy
• https://www.joesecurity.org/blog/8225577975210857708
• https://twitter.com/THE_HELK
• MITRE ATT&CKcon 2.0: https://www.youtube.com/playlist?list=PLkTApXQou_8KXWrk0G83QQbNLvspAo-Qk
• https://medium.com/threat-hunters-forge/threat-hunter-playbook-mordor-datasets-binderhub-open-infrastructure-for-open-8c8aee3d8b4
• https://github.com/hunters-forge/ThreatHunter-Playbook

, . , .

ATT&CK

• Sigma Yara
• , TTP, MORDOR
• ,

Sigma

• , , (join), ;
• ( , , "process_creation", Sysmon Event ID 1 Windows Event ID 4688)

Jupyter

• Python
• :
• (IP-, , ..)
• , ,