One of the biggest challenges in today's SOC is to identify a starting point for building a threat detection usecase library. The process described below is purely based on my understanding and interpretation of the referenced technologies / tools and how we can make use of them to streamline the entire process of usecase creation.
Requesting the audience to have basic understanding of below topics before jumping into the described process for better understanding,
The briefing will primarily focus on how we can build a vendor neutral SOC team having a threat usecase library built over SIGMA. Going forward, we will use a generic name "BlueEngine" which refers back to the any of the SOC technologies such as Security Information and Event Management(SIEM), Network Detection and Response(NDR), Endpoint Detection and Response(EDR) which is in your current scope of work.
I have classified the trigger source of the use-case creation process into three categories as shown below,
"Existing Data Sources" : Gathering information about your existing "BlueEngine" integrated devices and creating usecase based on the data ingested. The data can be of any forms such as "Event Logs", "Network Flows", etc., [more easiest way.. isn't it ?]
"Threat Intelligence" : Gathering information about the TTP of an attacker / group as listed in Government / Non-Government Threat Inteliigence reports, Internal forensics reports, any recent IR reports, etc.,
"Red Teaming / Penetration Testing" : Recent Red Teaming / Penetration Testing reports which helps to narrow down our weakest area and focus on enhancing detections around the "Tactics", "Techniques" or "Sub-Techniques". which was exploited without being detected by Blue team.
This phase is broken into 5 stages as listed below,
Stage2(S2) is the convergence point in all three phases [A1, A2, A3]
Our goal in this phase is to identify the data source to focus. MITRE ATT&CK "Data Sources" provides the list of data sources and by doing some homework, we can understand the importance of data sources and their major role in creating a usecase library. Having both MITRE ATT&CK & DeTT&CT FRAMEWORK in hand, I was able to indetify the number of "Techniques" and "Sub-Techniques" which can be covered by each data source. Screenshot as provided in DeTT&CT FRAMEWORK github [higher the number, more brighter your detection matrix...]
[data trimmed to show only top 6]
In addition to the above, below data points need to be considered while finalizing your data source to work with,
more details about the table can be found in DeTT&CT FRAMEWORK
I would recommend you to prioritize below data sources at initial stages (since the associated information might already be available or easy to ingest into your "BlueEngine").
- Command : Command Execution (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)
- Process : Process Creation (Birth of a new running process (ex: Windows EID 4688)
- Network Traffic : Flow (Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)
Consider I have choosen to start with "Command : Command Execution" for windows platform. It would be great if I could see what "Techniques", "Sub-Techniques" does this cover in a MITRE map, isn't it ? Yes, we can leverage the functionality of DeTT&CT FRAMEWORK to show us the matrix
FS-ISAC TaHiTI excelbook is designed in such way it maps the usecase to "Kill Chain" phases. Wherein in our case, we will align them to MITRE ATT&CK. Below changes to be performed,
L1 Sheet - MITRE TACTICS
L2 Sheet - MITRE TECHNIQUES
L3 Sheet - Specific usecases relating directly to technique or sub-technique associated with the tagged technique
The modified version of TaHiTI is available here.
We have identified the logsource to focus (Command : Command Execution), we have the compiled MITRE matrix, we have our custom TaHiTI workbook, so what's next ? Create usecase ??....nahhhhh !!! Hunt before creating usecase ??....Yesss.
Consider you focus on creating usecase for "Execution" - Tactic and its associated 5 "Techniques" as per the compiled matrix from previous step. Start the threat hunting process and fill in all required fields in L3 sheet of TaHiTI workbook and complete the hunting process for a given Technique or Sub-Technique.
Now we came to the final part of ADHYAYAM I usecase creation. Once hunt is completed, we will create an associated sigma considering the "false positive" factor as well for each sigma rule. Considering the below facts, the rule will either proposed as an usecase to be deployed in your "BlueEngine" or it remains as a hunt book,
- The number possible FP it can generate based the techniques nature -- example: T1059.006
- Based on the observation out from TaHiTI output
LOOKOUTS
- Sigma conf file should be modified accordingly to match your index / field values. Yes, the conf files are super flexible to have this modifications done.
To adopt this process, the team should have core understanding of the technologies involved. A successful execution of this model in a SOC will produce considerable amount of change in their use-case repositiory. Feel free to reach me through email ([email protected]) for queries and feedback.
SOC - THE BLUE NIGHTINGALE © 2022 by Kaviarasan Asokan is licensed under Attribution 4.0 International. To view a copy of this license, visit http://creativecommons.org/licenses/by/4.0/