Building an open, vendor-independent and community-friendly model to accelerate information security training
8 December 2019
John Lambert, Distinguished Engineer, Microsoft Threat Intelligence Center
Abstract
Bringing together information security experts from the global community accelerates training on specific topics.
, MITRE ATT&CK, , Sigma , Jupyter Notebooks, . .
![Alt text](https://habrastorage.org/webt/qv/rt/mg/qvrtmgupv5mzb5y_r_ekir54cqk.png)
. , . , 10 000 , . , — , , , . , , , — .
, , MITRE ATT&CK. , . " Windows" T1015. , , , .
![T1015 description. Alt text](https://habrastorage.org/webt/ok/ru/zo/okruzouksd08lfxa4vfhdycpfto.png)
![T1015 examples and mitigations. Alt text](https://habrastorage.org/webt/4x/xn/zv/4xxnzveupcbkq_2pzd2fufdr9hg.png)
![T1015 references. Alt text](https://habrastorage.org/webt/ds/ta/ju/dstajuodcsx8oazunuuaub34h6s.png)
MITRE ATT&CK :
- . ATT&CK , , , ( , , ).
- . ATT&CK . , MITRE. ATT&CK , ( ), , .
- . ATT&CK , ATT&CK , , , . .
, MITRE ATT&CK — , , .
— , . . . , " ". MITRE ATT&CK.
T1015, , , . cmd.exe, , , winlogon.exe SYSTEM (). .
, , , . (SIEM/LM ) .
: Splunk Search Processing Language (SPL), ElasticSearch — Domain Specific Language (DSL), Microsoft Defender ATP — Keyword Query Language (KQL). , Yara Snort ...
Sigma, , . Sigma — , (@cyb3rops) (@blubbfiction), ("") . , Sigma , Splunk, ElasticSearch, QRadar . SOC Prime - https://uncoder.io/, Sigma, . Sigma Sigma . Sigma .
![Sigma project. Alt text](https://habrastorage.org/webt/zi/vr/je/zivrje-lb2v7tnuc6pjvym2-7r8.png)
Sigma ATT&CK T1015, ? :
![Sigma rule for the Sticky Keys attack. Alt text](https://habrastorage.org/webt/lc/df/ay/lcdfaybl91az67vqotova7vg2ss.png)
Sigma, ? :
- Sigma , ( , , MITRE ATT&CK ..). Sigma , , . , , .
- . Sigma SIEM/LM , . . Sigma , (, , ). , Red Teaming, Sigma, Purple Teaming.
- , , . Sigma Yara Snort.
MITRE ATT&CK , , Sigma , , - . , , .
" . ." — , " "
. , - , . Jupyter Notebook.
Jupyter?
Jupyter — , , . :
- — Notebook. , , . . Notebook , , . Notebook Python ( ) , Pandas. , Notebook . Jupyter — GitHub 5 Notebook.
- Notebook . , . GitHub, . - Notebook, . . Notebook — , .
- Jupyter Notebook . Jupyter Notebook - "", — , Notebook ( Python, .NET ) . Notebook Windows, Linux, Mac . , , .
Jupyter Notebook
Notebook . — , , . : PowerShell, . , Magic Unicorn, . Notebook , Base64 , . CyberChef :
![Alt text](https://habrastorage.org/webt/cs/yf/pt/csyfpt5peogfp_ups7bmho1rstq.png)
PowerShell, :
![Alt text](https://habrastorage.org/webt/m4/m2/94/m4m294owayjqvzisizjlyatm9om.png)
Base64, :
![Alt text](https://habrastorage.org/webt/w8/qa/yc/w8qayckeoqfzkglq-xhfhcntsfy.png)
![Alt text](https://habrastorage.org/webt/ur/wa/zm/urwazmktvdbyrfbsj9nwvzg4g2q.png)
API, :
![Alt text](https://habrastorage.org/webt/bq/ce/9m/bqce9mpbq6fjkra6hwg9fe0a-qi.png)
, Windows API (InternetConnectA, HttpSendRequestA, ..) , (VirtualAlloc), : "Magic Unicorn — PowerShell Downgrade Attack ". — (Dave Kennedy, @HackingDave).
, Notebook, . , (Roberto Rodriguez) , Jupyter Notebook . ThreatHunterPlaybook Project Jupyter . Netscylla , Notebook . Notebook, GitHub, binder:
![Alt text](https://habrastorage.org/webt/no/cv/xi/nocvxioygyr3t3oorglfqwglcy4.png)
Jupyter , , , , . , Jupyter . Jupyter Notebook .
. , , . MITRE ATT&CK , , ( Office 365), .
![Alt text](https://habrastorage.org/webt/rb/--/ds/rb--ds1p0kbkhceazxbhyf9weba.png)
Office 365 MITRE ATT&CK:
![Alt text](https://habrastorage.org/webt/6w/am/1f/6wam1fopoi67vgbc2idnobwdpto.png)
, (Swetha Prabakaran).
(Florian Roth, @cyb3rops) Sigma GitHub. , "Pull request" — . Pull Request Sigma:
![Sigma rule for finding suspicious PowerShell commands. Alt text](https://habrastorage.org/webt/kv/ay/d6/kvayd6sh_qs_ajmawarmp8s2m1w.png)
— Open Security Collaborative Development (OSCD) — . 2019 , Sigma MITRE ATT&CK. Sigma 40%:
![Results of the first OSCD sprint. Alt text](https://habrastorage.org/webt/tt/ih/ez/ttihezkfxpfcomxes7iqwx8dszc.png)
, . , . , MITRE ATT&CK. Sigma. Jupyter Notebook.
, , CERT, , , . , , . , .
- , — "Pull Request"
- GitHub.com, . , GitHub, — .
![Alt text](https://habrastorage.org/webt/qv/rt/mg/qvrtmgupv5mzb5y_r_ekir54cqk.png)
- -, ATT&CK, Sigma Jupyter Notebook
- Python Jupyter Notebook
- , MITRE ATT&CK, Sigma Jupyter Notebook
CERT , :
(Freddy Dezeure, @FDezeure), (Florian Roth, @cyb3rops), (Thomas Patzke, @blubbfiction), (Leah Lease, @LeahLease), (Tim Burrell, @TimbMsft), (Ian Hellen, @ianhellen) (Roberto Rodriguez, @Cyb3rWard0g) , , , , (@denisbalan), (@noesall), (@zinint), (@MazahakaJay), , - (@SuslikDaRete), (@l1c3t), (@AlienJolka), Oleg Chepurchenko, Michael Tyomkin, Sveta Gaivoronski, Fanta Orr, (@yugoslavskiy) .
ATT&CK
Sigma
- , , (join), ;
- ( , , "process_creation", Sysmon Event ID 1 Windows Event ID 4688)
Jupyter