Towards an open, vendor-independent, community-friendly model for accelerating information security training
December 8, 2019
John Lambert (JohnLaTwC), Distinguished Engineer, Microsoft Threat Intelligence Center
Abstract
Bringing information security specialists together within the global community accelerates subject-specific training.
, MITRE ATT&CK, , Sigma , Jupyter Notebooks, . .
![alt text](https://habrastorage.org/webt/qv/rt/mg/qvrtmgupv5mzb5y_r_ekir54cqk.png)
. , . , 10 000 , . , — , , , . , , , — .
, , MITRE ATT&CK. , . " Windows" T1015. , , , .
![T1015 Description alt text](https://habrastorage.org/webt/ok/ru/zo/okruzouksd08lfxa4vfhdycpfto.png)
![T1015 Examples and mitigations alt text](https://habrastorage.org/webt/4x/xn/zv/4xxnzveupcbkq_2pzd2fufdr9hg.png)
![T1015 References alt text](https://habrastorage.org/webt/ds/ta/ju/dstajuodcsx8oazunuuaub34h6s.png)
MITRE ATT&CK :
- . ATT&CK , , , ( , , ).
- . ATT&CK . , MITRE. ATT&CK , ( ), , .
- . ATT&CK , ATT&CK , , , . .
, MITRE ATT&CK — , , .
— , . . . , " ". MITRE ATT&CK.
T1015, , , . cmd.exe, , , winlogon.exe SYSTEM (). .
, , , . (SIEM/LM ) .
: Splunk Search Processing Language (SPL), ElasticSearch — Domain Specific Language (DSL), Microsoft Defender ATP — Keyword Query Language (KQL). , Yara Snort ...
Sigma, , . Sigma — , (@cyb3rops) (@blubbfiction), ("") . , Sigma , Splunk, ElasticSearch, QRadar . SOC Prime - https://uncoder.io/, Sigma, . Sigma Sigma . Sigma .
![Sigma project alt text](https://habrastorage.org/webt/zi/vr/je/zivrje-lb2v7tnuc6pjvym2-7r8.png)
Sigma ATT&CK T1015, ? :
![Sigma rule for the Sticky Keys attack alt text](https://habrastorage.org/webt/lc/df/ay/lcdfaybl91az67vqotova7vg2ss.png)
Sigma, ? :
- Sigma , ( , , MITRE ATT&CK ..). Sigma , , . , , .
- . Sigma SIEM/LM , . . Sigma , (, , ). , Red Teaming, Sigma, Purple Teaming.
- , , . Sigma Yara Snort.
MITRE ATT&CK , , Sigma , , - . , , .
. , - , . Jupyter Notebook.
Jupyter?
Jupyter — , , . :
- — Notebook. , , . . Notebook , , . Notebook Python ( ) , Pandas. , Notebook . Jupyter — GitHub 5 Notebook.
- Notebook . , . GitHub, . - Notebook, . . Notebook — , .
- Jupyter Notebook . Jupyter Notebook - "", — , Notebook ( Python, .NET ) . Notebook Windows, Linux, Mac . , , .
Jupyter Notebook
Notebook . — , , . : PowerShell, . , Magic Unicorn, . Notebook , Base64 , . CyberChef :
![alt text](https://habrastorage.org/webt/cs/yf/pt/csyfpt5peogfp_ups7bmho1rstq.png)
PowerShell, :
![alt text](https://habrastorage.org/webt/m4/m2/94/m4m294owayjqvzisizjlyatm9om.png)
Base64, :
![alt text](https://habrastorage.org/webt/w8/qa/yc/w8qayckeoqfzkglq-xhfhcntsfy.png)
![alt text](https://habrastorage.org/webt/ur/wa/zm/urwazmktvdbyrfbsj9nwvzg4g2q.png)
API, :
![alt text](https://habrastorage.org/webt/bq/ce/9m/bqce9mpbq6fjkra6hwg9fe0a-qi.png)
, Windows API (InternetConnectA, HttpSendRequestA, ..) , (VirtualAlloc), : "Magic Unicorn — PowerShell Downgrade Attack ". — (Dave Kennedy, @HackingDave).
, Notebook, . , (Roberto Rodriguez) , Jupyter Notebook . ThreatHunterPlaybook Project Jupyter . Netscylla , Notebook . Notebook, GitHub, binder:
![alt text](https://habrastorage.org/webt/no/cv/xi/nocvxioygyr3t3oorglfqwglcy4.png)
Jupyter , , , , . , Jupyter . Jupyter Notebook .
. , , . MITRE ATT&CK , , ( Office 365), .
![alt text](https://habrastorage.org/webt/rb/--/ds/rb--ds1p0kbkhceazxbhyf9weba.png)
Office 365 MITRE ATT&CK:
![alt text](https://habrastorage.org/webt/6w/am/1f/6wam1fopoi67vgbc2idnobwdpto.png)
, (Swetha Prabakaran).
(Florian Roth, @cyb3rops) Sigma GitHub. , "Pull request" — . Pull Request Sigma:
![Sigma rule for finding suspicious PowerShell commands alt text](https://habrastorage.org/webt/kv/ay/d6/kvayd6sh_qs_ajmawarmp8s2m1w.png)
— Open Security Collaborative Development (OSCD) — . 2019 , Sigma MITRE ATT&CK. Sigma 40%:
![Result of the first OSCD Sprint alt text](https://habrastorage.org/webt/tt/ih/ez/ttihezkfxpfcomxes7iqwx8dszc.png)
, . , . , MITRE ATT&CK. Sigma. Jupyter Notebook.
, , CERT, , , . , , . , .
- , — "Pull Request"
- GitHub.com, . , GitHub, — .
![alt text](https://habrastorage.org/webt/qv/rt/mg/qvrtmgupv5mzb5y_r_ekir54cqk.png)
- -, ATT&CK, Sigma Jupyter Notebook
- Python Jupyter Notebook
- , MITRE ATT&CK, Sigma Jupyter Notebook
CERT , :
(Freddy Dezeure, @FDezeure), (Florian Roth, @cyb3rops), (Thomas Patzke, @blubbfiction), (Leah Lease, @LeahLease), (Tim Burrell, @TimbMsft), (Ian Hellen, @ianhellen) (Roberto Rodriguez, @Cyb3rWard0g) , , , , (@denisbalan), (@noesall), (@zinint), (@MazahakaJay), , - (@SuslikDaRete), (@l1c3t), (@AlienJolka), Oleg Chepurchenko, Michael Tyomkin, Sveta Gaivoronski, Fanta Orr, (@yugoslavskiy) .
ATT&CK
Sigma
- , , (join), ;
- ( , , "process_creation", Sysmon Event ID 1 Windows Event ID 4688)
Jupyter