Towards an open, vendor-independent and community-friendly model for accelerating Information Security training
December 8, 2019
John Lambert (@JohnLaTwC), Distinguished Engineer, Microsoft Threat Intelligence Center
Annotation
Bringing information security specialists together into a global community accelerates subject-specific training. This article looks at three open, vendor-independent building blocks of that community: MITRE ATT&CK, Sigma and Jupyter Notebooks, and at how anyone can contribute to them.
![alt text](https://habrastorage.org/webt/qv/rt/mg/qvrtmgupv5mzb5y_r_ekir54cqk.png)
Let's start with MITRE ATT&CK, a knowledge base of adversary tactics and techniques built from real-world observations. Every technique in it is documented in the same structured way. Take as an example technique T1015, Accessibility Features (Windows), which abuses the Windows accessibility programs that are reachable from the logon screen:
![T1015 Description alt text](https://habrastorage.org/webt/ok/ru/zo/okruzouksd08lfxa4vfhdycpfto.png)
![T1015 Examples and Mitigations alt text](https://habrastorage.org/webt/4x/xn/zv/4xxnzveupcbkq_2pzd2fufdr9hg.png)
![T1015 References alt text](https://habrastorage.org/webt/ds/ta/ju/dstajuodcsx8oazunuuaub34h6s.png)
What MITRE ATT&CK gives us:
- A common language. ATT&CK names and numbers adversary tactics and techniques, so analysts, vendors and researchers can refer to the same behaviour with the same identifier (for example, T1015).
- An open, vendor-independent knowledge base. ATT&CK is maintained by MITRE, is free to use, and accepts contributions from the community.
- Structure. Every technique in ATT&CK follows the same layout: a description, procedure examples observed in real attacks, mitigations, detection guidance and references, as the screenshots above show.
Back to T1015. On the logon screen, Windows lets the user start accessibility programs such as Sticky Keys (sethc.exe) before authenticating. If an attacker replaces that binary, or registers cmd.exe as its debugger, pressing the key combination on the logon screen launches cmd.exe as a child of winlogon.exe under the SYSTEM account (the highest privilege level on the host), with no credentials at all.
To detect this we need to find process-creation events in which cmd.exe is started by winlogon.exe. Those events are collected centrally (in a SIEM/LM system), so the detection is a query against them.
The problem is that every platform has its own query language: Splunk has Search Processing Language (SPL), ElasticSearch has its query Domain Specific Language (DSL), Microsoft Defender ATP has Kusto Query Language (KQL), and so on. A detection written for one of them has to be rewritten by hand for each of the others. For files we have a common rule format, Yara, and for network traffic we have Snort rules, but log-based detection had nothing comparable...
Sigma fills that gap. Sigma is a generic, open signature format for SIEM systems, created by Florian Roth (@cyb3rops) and Thomas Patzke (@blubbfiction). A rule is written once in a simple YAML structure ("write once, use everywhere"), and the project's converter, sigmac, turns it into a query for Splunk, ElasticSearch, QRadar and other backends. SOC Prime also offers an online converter, https://uncoder.io/, which translates Sigma rules into the query language of your choice. The Sigma repository on GitHub already holds a large collection of community-written rules. The Sigma project:
![Sigma project alt text](https://habrastorage.org/webt/zi/vr/je/zivrje-lb2v7tnuc6pjvym2-7r8.png)
What does a Sigma rule for ATT&CK technique T1015 look like? Here is one:
![Sigma rule for the Sticky Keys attack alt text](https://habrastorage.org/webt/lc/df/ay/lcdfaybl91az67vqotova7vg2ss.png)
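As an added example (not from the article or the Sigma project), the following Python script runs a rule in the shape of the one above over constructed process_creation events and sketches the SPL a converter would emit. It also illustrates the logsource abstraction noted at the end of the article (the "process_creation" category standing for Sysmon Event ID 1 or Windows Event ID 4688). The rule dictionary, the logsource mapping, the field aliases and the sample events are all assumptions made for the demonstration.

```python
# Added example (not from the article): a minimal Sigma-style matcher.
# The rule is constructed here to mirror the public Sigma rule for the
# sticky-keys backdoor (T1015): cmd.exe started by winlogon.exe.

STICKY_KEYS_RULE = {
    "title": "Sticky Keys Backdoor Execution",
    "status": "experimental",
    "description": "Detects cmd.exe spawned by winlogon.exe, typical of an accessibility-feature backdoor",
    "tags": ["attack.persistence", "attack.privilege_escalation", "attack.t1015"],
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "ParentImage|endswith": "\\winlogon.exe",
            "Image|endswith": "\\cmd.exe",
        },
        "condition": "selection",
    },
    "falsepositives": ["Unknown"],
    "level": "critical",
}

# What a Sigma backend configuration contributes (assumed values): the abstract
# logsource category maps to concrete event sources in the environment.
LOGSOURCE_MAP = {
    ("process_creation", "windows"): (
        ("Microsoft-Windows-Sysmon/Operational", 1),  # Sysmon Event ID 1
        ("Security", 4688),                            # Windows Event ID 4688
    ),
}

# Security 4688 uses different field names than Sysmon; normalise to Sigma's.
FIELD_ALIASES = {"NewProcessName": "Image", "ParentProcessName": "ParentImage"}


def normalize(event):
    """Rename raw Windows event fields to the Sigma field names the rule uses."""
    return {FIELD_ALIASES.get(k, k): v for k, v in event.items()}


def field_matches(event, spec_key, expected):
    """Evaluate one 'Field|modifier: value' pair, case-insensitively like a SIEM would."""
    field, _, modifier = spec_key.partition("|")
    value = event.get(field)
    if value is None:
        return False
    value, expected = str(value).lower(), str(expected).lower()
    if modifier == "":
        return value == expected
    if modifier == "endswith":
        return value.endswith(expected)
    if modifier == "startswith":
        return value.startswith(expected)
    if modifier == "contains":
        return expected in value
    raise ValueError("unsupported Sigma modifier: %s" % modifier)


def rule_matches(rule, raw_event):
    """True if the event comes from a source the rule's logsource covers and meets the selection."""
    event = normalize(raw_event)
    ls = rule["logsource"]
    sources = LOGSOURCE_MAP[(ls["category"], ls["product"])]
    if (event.get("Channel"), event.get("EventID")) not in sources:
        return False
    detection = rule["detection"]
    if detection["condition"] != "selection":
        raise NotImplementedError("this demo only handles 'condition: selection'")
    return all(field_matches(event, k, v) for k, v in detection["selection"].items())


def to_splunk(rule):
    """Sketch of what a converter such as sigmac or uncoder.io produces for this rule (SPL)."""
    parts = []
    for key, value in rule["detection"]["selection"].items():
        field, _, modifier = key.partition("|")
        pattern = {"endswith": "*%s", "startswith": "%s*", "contains": "*%s*", "": "%s"}[modifier] % value
        parts.append('%s="%s"' % (field, pattern.replace("\\", "\\\\")))
    return " ".join(parts)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1,
     "ParentImage": "C:\\Windows\\System32\\winlogon.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe", "User": "NT AUTHORITY\\SYSTEM"},
    {"Channel": "Security", "EventID": 4688,
     "ParentProcessName": "C:\\Windows\\System32\\winlogon.exe",
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe"},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1,
     "ParentImage": "C:\\Windows\\System32\\winlogon.exe",
     "Image": "C:\\Windows\\System32\\userinit.exe"},       # normal logon, no alert
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1,
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe"},            # user opened a shell, no alert
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 3,
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\System32\\winlogon.exe"}, # network event, wrong logsource
]


def run_rule(rule, events):
    """Return the indices of the events that fire the rule."""
    return [i for i, e in enumerate(events) if rule_matches(rule, e)]


if __name__ == "__main__":
    print(run_rule(STICKY_KEYS_RULE, SAMPLE_EVENTS))   # [0, 1]
    print(to_splunk(STICKY_KEYS_RULE))
```

The two alerts come from different sources (Sysmon and the Security log) with different field names, which is exactly the work the logsource abstraction and the backend configuration take off the rule author; the Sysmon Event ID 3 record is ignored even though its fields would match, because it is not a process_creation event.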
What does Sigma give us? The following:
- Metadata. Besides the detection logic, a Sigma rule carries a title, description, author, references, known false positives and tags (including MITRE ATT&CK tactic and technique IDs, for example attack.t1015). That links each rule back to the knowledge base and preserves the context in which it was written.
- Vendor independence. A Sigma rule is not tied to any SIEM/LM platform; it is converted into the query language of whatever system is in use. Researchers, vendors and SOC analysts can therefore share detections regardless of the tooling each of them runs, and the results of a Red Teaming exercise can be captured as Sigma rules, which is exactly what Purple Teaming is about.
- A common format for log-based detection, playing the same role for logs that Yara plays for files and Snort for network traffic.
So MITRE ATT&CK describes what adversaries do, and Sigma describes how to detect it in logs in a vendor-independent form. What neither captures is the analysis behind a rule: which data the researcher looked at, which steps led to the detection logic, and how someone else can reproduce and check that work. The tool that fills this gap is Jupyter Notebook.
Why Jupyter?
Jupyter is an open-source web application for creating and sharing documents (notebooks) that combine executable code, its output and explanatory text. What it gives us:
- A single document, the notebook. Code, its results (tables, charts, decoded data) and the accompanying explanation live side by side, in the order in which the analysis was done. Notebooks are most often written in Python (other languages are supported too) with libraries such as Pandas for working with data, which makes them a natural fit for log analysis. Jupyter is widely used: more than 5 million notebooks are published on GitHub.
- Reproducibility. A notebook can be published, on GitHub for example, and anyone can open it, run it cell by cell and get the same result. The notebook is therefore both the analysis and its documentation.
- Independence from vendors and platforms. Jupyter Notebook is a community project, not a product: kernels exist for Python, .NET and many other languages, and notebooks run on Windows, Linux and Mac. Nothing about it locks you into a particular tool.
Jupyter Notebook in practice
A simple example: a malicious PowerShell command generated with Magic Unicorn. Such commands are heavily encoded, and an analyst usually unwraps them layer by layer, for example in CyberChef. The same steps can be written down in a notebook, where every step stays visible and repeatable. Here is the original command:
![alt text](https://habrastorage.org/webt/cs/yf/pt/csyfpt5peogfp_ups7bmho1rstq.png)
Extract the encoded PowerShell command from it:
![alt text](https://habrastorage.org/webt/m4/m2/94/m4m294owayjqvzisizjlyatm9om.png)
Decode the Base64:
![alt text](https://habrastorage.org/webt/w8/qa/yc/w8qayckeoqfzkglq-xhfhcntsfy.png)
Decode the next stage:
![alt text](https://habrastorage.org/webt/ur/wa/zm/urwazmktvdbyrfbsj9nwvzg4g2q.png)
Find the Windows API calls it references:
![alt text](https://habrastorage.org/webt/bq/ce/9m/bqce9mpbq6fjkra6hwg9fe0a-qi.png)
The Windows API names for network access (InternetConnectA, HttpSendRequestA and so on) and for memory allocation (VirtualAlloc) tell us what we are looking at: the signature of Magic Unicorn, a tool for a PowerShell downgrade attack that injects shellcode straight into memory. Its author is Dave Kennedy (@HackingDave).
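The same four steps as a script rather than notebook cells, as an added example that is not part of the article: a Unicorn-style command line is constructed inside the code (no real shellcode, only the API names a stager references), then the encoded argument is extracted, Base64/UTF-16LE-decoded, gunzipped and triaged by the API names it contains. The loader layout, the regular expressions and the API list are assumptions made for the demonstration.

```python
import base64
import gzip
import re

# Constructed inner stage for the demo: it carries only the API names a real
# Unicorn payload would reference; the byte list is a placeholder, not shellcode.
INNER_STAGE = (
    "$code = '[DllImport(\"kernel32.dll\")]public static extern IntPtr VirtualAlloc("
    "IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);';"
    "[Byte[]]$sc = 0x90,0x90,0x90,0x90;"
    "# a reverse_http stager resolves: InternetConnectA HttpSendRequestA CreateThread"
)


def build_sample_command(inner):
    """Construct a Unicorn-style command line (demo input only):
    inner stage -> gzip -> Base64 -> loader script -> UTF-16LE -> Base64 -> -e."""
    stage_b64 = base64.b64encode(gzip.compress(inner.encode("utf-8"))).decode("ascii")
    loader = (
        "$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('%s'));"
        "IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream("
        "$s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();" % stage_b64
    )
    encoded = base64.b64encode(loader.encode("utf-16le")).decode("ascii")
    return "powershell -nop -w hidden -e " + encoded


# -e, -ec, -enc and -EncodedCommand are all accepted by powershell.exe.
ENC_ARG_RE = re.compile(r"(?i)\s-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)")
STAGE_RE = re.compile(r"FromBase64String\('([A-Za-z0-9+/=]+)'\)")


def has_encoded_command(cmdline):
    """Quick check used for triage: does the command line carry an encoded argument?"""
    return ENC_ARG_RE.search(cmdline) is not None


def extract_encoded_command(cmdline):
    """Step 1: pull the Base64 argument that follows -e/-enc/-EncodedCommand."""
    m = ENC_ARG_RE.search(cmdline)
    if not m:
        raise ValueError("no -EncodedCommand argument in command line")
    return m.group(1)


def decode_encoded_command(b64):
    """Step 2: -EncodedCommand is Base64 over UTF-16LE text, not UTF-8."""
    return base64.b64decode(b64).decode("utf-16le")


def extract_gzip_stage(loader):
    """Step 3: the loader embeds a second Base64 blob that is a gzip-compressed script."""
    m = STAGE_RE.search(loader)
    if not m:
        raise ValueError("no FromBase64String(...) blob in loader")
    return gzip.decompress(base64.b64decode(m.group(1))).decode("utf-8", "replace")


# API names whose presence hints at what the payload does (assumed list).
API_NAMES = ("VirtualAlloc", "CreateThread", "InternetConnectA",
             "HttpSendRequestA", "WinHttpOpen", "WriteProcessMemory")


def find_api_names(stage):
    """Step 4: triage the decoded stage by the Win32 API names it references."""
    return [name for name in API_NAMES if name in stage]


def analyze(cmdline):
    """Run the four steps and return what each of them produced."""
    loader = decode_encoded_command(extract_encoded_command(cmdline))
    stage = extract_gzip_stage(loader)
    return {"loader": loader, "stage": stage, "apis": find_api_names(stage)}


if __name__ == "__main__":
    result = analyze(build_sample_command(INNER_STAGE))
    print(result["apis"])   # ['VirtualAlloc', 'CreateThread', 'InternetConnectA', 'HttpSendRequestA']
```

Each function corresponds to one notebook cell, so the intermediate results (the loader, the decompressed stage) stay inspectable, and the whole chain can be re-run by anyone who receives the notebook together with a new sample.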
That was a deliberately simple case. Roberto Rodriguez has taken Jupyter Notebook much further in threat hunting: his ThreatHunterPlaybook is built on Project Jupyter. Netscylla has also published notebooks for security analysis. Notebooks hosted on GitHub can be launched directly in the browser with binder, so a reader can run the author's analysis without installing anything:
![alt text](https://habrastorage.org/webt/no/cv/xi/nocvxioygyr3t3oorglfqwglcy4.png)
Jupyter has long been the standard tool in data science and research, and the security community is adopting it for the same reasons: analyses become shareable, reproducible and reviewable. Jupyter Notebook is a good fit for our domain.
That brings us to the community itself. All three projects are built on contributions. MITRE ATT&CK, for instance, accepts new techniques and procedure examples from outside contributors (here, techniques for Office 365):
![alt text](https://habrastorage.org/webt/rb/--/ds/rb--ds1p0kbkhceazxbhyf9weba.png)
Office 365 techniques in MITRE ATT&CK:
![alt text](https://habrastorage.org/webt/6w/am/1f/6wam1fopoi67vgbc2idnobwdpto.png)
The contributor is credited by name: Swetha Prabakaran.
Sigma is maintained on GitHub by Florian Roth (@cyb3rops), and contributions arrive as pull requests: a proposed change to the repository that the maintainers review and merge. An example pull request to Sigma:
![Sigma rule for finding suspicious PowerShell commands alt text](https://habrastorage.org/webt/kv/ay/d6/kvayd6sh_qs_ajmawarmp8s2m1w.png)
Another example is the Open Security Collaborative Development (OSCD) initiative, a community effort in which participants work on shared detection content in sprints. Its first sprint, in 2019, produced Sigma rules mapped to MITRE ATT&CK and grew the Sigma rule set by 40%:
![Result of the first OSCD Sprint alt text](https://habrastorage.org/webt/tt/ih/ez/ttihezkfxpfcomxes7iqwx8dszc.png)
To sum up. The three components complement each other: MITRE ATT&CK gives a common language for describing adversary behaviour, Sigma gives a vendor-independent way to describe how to detect it, and Jupyter Notebook gives a reproducible way to record the analysis behind both. All three are open, free to use, and maintained by the community (vendors, researchers, CERT teams and individual analysts), which is what makes them a practical basis for training information security specialists without depending on any one vendor.
How can you take part? The path is short:
- pick the project that interests you (ATT&CK, Sigma, ThreatHunterPlaybook or another community repository) and read its contribution guide;
- prepare your contribution (a rule, a technique description, a notebook) and submit it as a Pull Request;
- all of this happens on GitHub.com, so if you do not yet have an account, create one; it is the entry point to every project mentioned here.
What do you need to know to begin? Not much:
- a basic understanding of what ATT&CK, Sigma and Jupyter Notebook are and what each of them is for;
- some Python, enough to work in a Jupyter Notebook;
- practice: applying MITRE ATT&CK, Sigma and Jupyter Notebook to real data in your own environment.
Thanks to colleagues from CERT and to everyone who helped with this work:
Freddy Dezeure (@FDezeure), Florian Roth (@cyb3rops), Thomas Patzke (@blubbfiction), Leah Lease (@LeahLease), Tim Burrell (@TimbMsft), Ian Hellen (@ianhellen) and Roberto Rodriguez (@Cyb3rWard0g); @denisbalan, @noesall, @zinint, @MazahakaJay, @SuslikDaRete, @l1c3t, @AlienJolka, Oleg Chepurchenko, Michael Tyomkin, Sveta Gaivoronski, Fanta Orr and @yugoslavskiy.
ATT&CK
Sigma
- a Sigma rule describes a single event type: correlating several events with each other (a join) is not supported by the format;
- the log source is abstracted: a rule refers to a category (for example "process_creation"), and the backend configuration maps it to the concrete source in a given environment, such as Sysmon Event ID 1 or Windows Event ID 4688.
Jupyter