Githabification de la sécurité de l'information

Vers un modèle ouvert, indépendant du fournisseur et convivial pour accélérer la formation à la sécurité de l'information

8 décembre 2019

John Lambert JohnLaTwC, Ingénieur émérite, Microsoft Threat Intelligence Center

annotation

La combinaison de spécialistes de la sécurité de l'information au sein de la communauté mondiale accélère la formation par sujet.

, MITRE ATT&CK, , Sigma , Jupyter Notebooks, . .

, , , .

" — , — ." —

. , . , 10 000 , . , — , , , . , , , — .

, ? , .

, , . , , . " ". : , . .

" , " —

. . - . , — . .

, , MITRE ATT&CK. , . " Windows" T1015. , , , .

MITRE ATT&CK :

• . ATT&CK , , , ( , , ).
• . ATT&CK . , MITRE. ATT&CK , ( ), , .
• . ATT&CK , ATT&CK , , , . .

. :

• ATT&CK . , . Palo Alto, ATT&CK Sofacy:
  
• ATT&CK Navigator MITRE , . APT 28 ( ) APT 29:
  
• — Atomic Red Team Red Canary, ATT&CK. ", ", " " . ATT&CK Atomic Red Team, ( ):
  

, MITRE ATT&CK — , , .

" " — .

— , . . . , " ". MITRE ATT&CK.

T1015, , , . cmd.exe, , , winlogon.exe SYSTEM (). .

, , , . (SIEM/LM ) .

: Splunk Search Processing Language (SPL), ElasticSearch — Domain Specific Language (DSL), Microsoft Defender ATP — Keyword Query Language (KQL). , Yara Snort ...

Sigma, , . Sigma — , (@cyb3rops) (@blubbfiction), ("") . , Sigma , Splunk, ElasticSearch, QRadar . SOC Prime - https://uncoder.io/, Sigma, . Sigma Sigma . Sigma .

Sigma ATT&CK T1015, ? :

Sigma, ? :

• Sigma , ( , , MITRE ATT&CK ..). Sigma , , . , , .
• . Sigma SIEM/LM , . . Sigma , (, , ). , Red Teaming, Sigma, Purple Teaming.
• , , . Sigma Yara Snort.

MITRE ATT&CK , , Sigma , , - . , , .

" . ." — , " "

, , . , . . ? , ? - , ? , ?

. , - , . Jupyter Notebook.

Jupyter?

Jupyter — , , . :

• — Notebook. , , . . Notebook , , . Notebook Python ( ) , Pandas. , Notebook . Jupyter — GitHub 5 Notebook.
• Notebook . , . GitHub, . - Notebook, . . Notebook — , .
• Jupyter Notebook . Jupyter Notebook - "", — , Notebook ( Python, .NET ) . Notebook Windows, Linux, Mac . , , .

Jupyter Notebook

Notebook . — , , . : PowerShell, . , Magic Unicorn, . Notebook , Base64 , . CyberChef :

PowerShell, :

Base64, :

, :

API, :

, Windows API (InternetConnectA, HttpSendRequestA, ..) , (VirtualAlloc), : "Magic Unicorn — PowerShell Downgrade Attack ". — (Dave Kennedy, @HackingDave).

, Notebook, . , (Roberto Rodriguez) , Jupyter Notebook . ThreatHunterPlaybook Project Jupyter . Netscylla , Notebook . Notebook, GitHub, binder:

Jupyter , , , , . , Jupyter . Jupyter Notebook .

. , , . MITRE ATT&CK , , ( Office 365), .

Office 365 MITRE ATT&CK:

, (Swetha Prabakaran).

(Florian Roth, @cyb3rops) Sigma GitHub. , "Pull request" — . Pull Request Sigma:

— Open Security Collaborative Development (OSCD) — . 2019 , Sigma MITRE ATT&CK. Sigma 40%:

.

, . , . , MITRE ATT&CK. Sigma. Jupyter Notebook.

, , CERT, , , . , , . , .

? :

• , .
• , — "Pull Request"
• GitHub.com, . , GitHub, — .

, , , , .

, ? :

, :

• Sigma
• Jupyter Notebook MyBinder
• Python -

:

• Sigma , JoeSecurity
• Jupyter Notebook,
• Python

:

• ,
• Sigma
• MITRE ATT&CK
• , Sigma, , MORDOR

:

• -, ATT&CK, Sigma Jupyter Notebook
• Python Jupyter Notebook
• , MITRE ATT&CK, Sigma Jupyter Notebook

CERT , :

• Sigma
• MITRE ATT&CK

(Freddy Dezeure, @FDezeure), (Florian Roth, @cyb3rops), (Thomas Patzke, @blubbfiction), (Leah Lease, @LeahLease), (Tim Burrell, @TimbMsft), (Ian Hellen, @ianhellen) (Roberto Rodriguez, @Cyb3rWard0g) , , , , (@denisbalan), (@noesall), (@zinint), (@MazahakaJay), , - (@SuslikDaRete), (@l1c3t), (@AlienJolka), Oleg Chepurchenko, Michael Tyomkin, Sveta Gaivoronski, Fanta Orr, (@yugoslavskiy) .

• https://attack.mitre.org/
• https://pan-unit42.imtqy.com/playbook_viewer/
• https://mitre-attack.imtqy.com/attack-navigator/enterprise/
• https://atomicredteam.io/testing
• https://cyberwardog.blogspot.com/2017/07/how-hot-is-your-hunt-team.html
• https://yara.readthedocs.io/
• https://github.com/Neo23x0/sigma
• https://uncoder.io/
• https://socprime.com/
• https://jupyter.org/
• https://github.com/parente/nbestimate
• https://mybinder.org/
• https://mybinder.org/v2/gh/parente/nbestimate/master?filepath=estimate.src.ipynb
• https://posts.specterops.io/threat-hunting-with-jupyter-notebooks-part-1-your-first-notebook-9a99a781fde7
• Learn Python: https://www.youtube.com/playlist?list=PLlrxD0HtieHhS8VzuMCfQD4uJ9yne1mE6
• Python development: https://www.pluralsight.com/browse/software-development/python
• https://github.com/nteract/papermill
• https://attack.mitre.org/resources/contribute/
• https://github.com/Neo23x0/signature-base/tree/master/yara
• http://blog.joesecurity.org/2019/10/joe-sandbox-sigma.html
• https://github.com/atc-project/atomic-threat-coverage
• https://medium.com/@cyb3rops/an-overlooked-but-intriguing-sigma-use-case-221987f7b588
• https://www.netscylla.com/blog/2019/10/28/Jupyter-Notebooks-for-Incident-Response.html
• https://github.com/hunters-forge/mordor/
• https://github.com/trustedsec/unicorn
• https://github.com/Microsoft/msticpy
• https://www.joesecurity.org/blog/8225577975210857708
• https://twitter.com/THE_HELK
• MITRE ATT&CKcon 2.0: https://www.youtube.com/playlist?list=PLkTApXQou_8KXWrk0G83QQbNLvspAo-Qk
• https://medium.com/threat-hunters-forge/threat-hunter-playbook-mordor-datasets-binderhub-open-infrastructure-for-open-8c8aee3d8b4
• https://github.com/hunters-forge/ThreatHunter-Playbook

, . , .

ATT&CK

• Sigma Yara
• , TTP, MORDOR
• ,

Sigma

• , , (join), ;
• ( , , "process_creation", Sysmon Event ID 1 Windows Event ID 4688)

Jupyter

• Python
• :
• (IP-, , ..)
• , ,