Githabificación de la seguridad de la información

Hacia un modelo abierto, independiente del vendedor y amigable con la comunidad para acelerar la capacitación en Seguridad de la Información

8 de diciembre de 2019

John Lambert JohnLaTwC, Distinguido ingeniero, Microsoft Threat Intelligence Center

anotación

La combinación de especialistas en seguridad de la información dentro de la comunidad global acelera la capacitación específica del tema.

, MITRE ATT&CK, , Sigma , Jupyter Notebooks, . .

, , , .

" — , — ." —

. , . , 10 000 , . , — , , , . , , , — .

, ? , .

, , . , , . " ". : , . .

" , " —

. . - . , — . .

, , MITRE ATT&CK. , . " Windows" T1015. , , , .

MITRE ATT&CK :

• . ATT&CK , , , ( , , ).
• . ATT&CK . , MITRE. ATT&CK , ( ), , .
• . ATT&CK , ATT&CK , , , . .

. :

• ATT&CK . , . Palo Alto, ATT&CK Sofacy:
  
• ATT&CK Navigator MITRE , . APT 28 ( ) APT 29:
  
• — Atomic Red Team Red Canary, ATT&CK. ", ", " " . ATT&CK Atomic Red Team, ( ):
  

, MITRE ATT&CK — , , .

" " — .

— , . . . , " ". MITRE ATT&CK.

T1015, , , . cmd.exe, , , winlogon.exe SYSTEM (). .

, , , . (SIEM/LM ) .

: Splunk Search Processing Language (SPL), ElasticSearch — Domain Specific Language (DSL), Microsoft Defender ATP — Keyword Query Language (KQL). , Yara Snort ...

Sigma, , . Sigma — , (@cyb3rops) (@blubbfiction), ("") . , Sigma , Splunk, ElasticSearch, QRadar . SOC Prime - https://uncoder.io/, Sigma, . Sigma Sigma . Sigma .

Sigma ATT&CK T1015, ? :

Sigma, ? :

• Sigma , ( , , MITRE ATT&CK ..). Sigma , , . , , .
• . Sigma SIEM/LM , . . Sigma , (, , ). , Red Teaming, Sigma, Purple Teaming.
• , , . Sigma Yara Snort.

MITRE ATT&CK , , Sigma , , - . , , .

" . ." — , " "

, , . , . . ? , ? - , ? , ?

. , - , . Jupyter Notebook.

Jupyter?

Jupyter — , , . :

• — Notebook. , , . . Notebook , , . Notebook Python ( ) , Pandas. , Notebook . Jupyter — GitHub 5 Notebook.
• Notebook . , . GitHub, . - Notebook, . . Notebook — , .
• Jupyter Notebook . Jupyter Notebook - "", — , Notebook ( Python, .NET ) . Notebook Windows, Linux, Mac . , , .

Jupyter Notebook

Notebook . — , , . : PowerShell, . , Magic Unicorn, . Notebook , Base64 , . CyberChef :

PowerShell, :

Base64, :

, :

API, :

, Windows API (InternetConnectA, HttpSendRequestA, ..) , (VirtualAlloc), : "Magic Unicorn — PowerShell Downgrade Attack ". — (Dave Kennedy, @HackingDave).

, Notebook, . , (Roberto Rodriguez) , Jupyter Notebook . ThreatHunterPlaybook Project Jupyter . Netscylla , Notebook . Notebook, GitHub, binder:

Jupyter , , , , . , Jupyter . Jupyter Notebook .

. , , . MITRE ATT&CK , , ( Office 365), .

Office 365 MITRE ATT&CK:

, (Swetha Prabakaran).

(Florian Roth, @cyb3rops) Sigma GitHub. , "Pull request" — . Pull Request Sigma:

— Open Security Collaborative Development (OSCD) — . 2019 , Sigma MITRE ATT&CK. Sigma 40%:

.

, . , . , MITRE ATT&CK. Sigma. Jupyter Notebook.

, , CERT, , , . , , . , .

? :

• , .
• , — "Pull Request"
• GitHub.com, . , GitHub, — .

, , , , .

, ? :

, :

• Sigma
• Jupyter Notebook MyBinder
• Python -

:

• Sigma , JoeSecurity
• Jupyter Notebook,
• Python

:

• ,
• Sigma
• MITRE ATT&CK
• , Sigma, , MORDOR

:

• -, ATT&CK, Sigma Jupyter Notebook
• Python Jupyter Notebook
• , MITRE ATT&CK, Sigma Jupyter Notebook

CERT , :

• Sigma
• MITRE ATT&CK

(Freddy Dezeure, @FDezeure), (Florian Roth, @cyb3rops), (Thomas Patzke, @blubbfiction), (Leah Lease, @LeahLease), (Tim Burrell, @TimbMsft), (Ian Hellen, @ianhellen) (Roberto Rodriguez, @Cyb3rWard0g) , , , , (@denisbalan), (@noesall), (@zinint), (@MazahakaJay), , - (@SuslikDaRete), (@l1c3t), (@AlienJolka), Oleg Chepurchenko, Michael Tyomkin, Sveta Gaivoronski, Fanta Orr, (@yugoslavskiy) .

• https://attack.mitre.org/
• https://pan-unit42.imtqy.com/playbook_viewer/
• https://mitre-attack.imtqy.com/attack-navigator/enterprise/
• https://atomicredteam.io/testing
• https://cyberwardog.blogspot.com/2017/07/how-hot-is-your-hunt-team.html
• https://yara.readthedocs.io/
• https://github.com/Neo23x0/sigma
• https://uncoder.io/
• https://socprime.com/
• https://jupyter.org/
• https://github.com/parente/nbestimate
• https://mybinder.org/
• https://mybinder.org/v2/gh/parente/nbestimate/master?filepath=estimate.src.ipynb
• https://posts.specterops.io/threat-hunting-with-jupyter-notebooks-part-1-your-first-notebook-9a99a781fde7
• Learn Python: https://www.youtube.com/playlist?list=PLlrxD0HtieHhS8VzuMCfQD4uJ9yne1mE6
• Python development: https://www.pluralsight.com/browse/software-development/python
• https://github.com/nteract/papermill
• https://attack.mitre.org/resources/contribute/
• https://github.com/Neo23x0/signature-base/tree/master/yara
• http://blog.joesecurity.org/2019/10/joe-sandbox-sigma.html
• https://github.com/atc-project/atomic-threat-coverage
• https://medium.com/@cyb3rops/an-overlooked-but-intriguing-sigma-use-case-221987f7b588
• https://www.netscylla.com/blog/2019/10/28/Jupyter-Notebooks-for-Incident-Response.html
• https://github.com/hunters-forge/mordor/
• https://github.com/trustedsec/unicorn
• https://github.com/Microsoft/msticpy
• https://www.joesecurity.org/blog/8225577975210857708
• https://twitter.com/THE_HELK
• MITRE ATT&CKcon 2.0: https://www.youtube.com/playlist?list=PLkTApXQou_8KXWrk0G83QQbNLvspAo-Qk
• https://medium.com/threat-hunters-forge/threat-hunter-playbook-mordor-datasets-binderhub-open-infrastructure-for-open-8c8aee3d8b4
• https://github.com/hunters-forge/ThreatHunter-Playbook

, . , .

ATT&CK

• Sigma Yara
• , TTP, MORDOR
• ,

Sigma

• , , (join), ;
• ( , , "process_creation", Sysmon Event ID 1 Windows Event ID 4688)

Jupyter

• Python
• :
• (IP-, , ..)
• , ,