2. Agenda
§ Conventional Threat Detection
§ Traces of Modern Threats
§ Lack of Standardization and Exchange
§ Sigma – The Open Source Approach
§ Examples
§ Outlook: Roadmap, RFI, Support
3. Conventional Threat Detection
Alert triggers focus mainly on the following events:
§ Network Events
§ Lower ISO-OSI Layers 1-4
§ Port Scans, Ping Sweeps, Xmas Scan, Smurf Attack ;)
§ Failed Logons
§ Multiple Failed Logons
§ Multiple Failed Logons followed by Successful Logon
(The single most worn-out correlation example)
5. Modern Threat Priorities
Malware
§ Distribution
§ Exfiltration of Secrets / Ransom
Advanced Persistent Threats
§ Exfiltration of Secrets
§ Large-Scale and Persistent Compromise
§ Stealth
6. Traces of Modern Threats
Malware
§ Distribution
> Port Scans, Sweeps, Failed Logons
§ Exfiltration of Secrets / Ransom
> C2 Connect, Ransom Note
Advanced Persistent Threats
§ Exfiltration of Secrets
> C2 Connect, P2P Communication
§ Large-Scale and Persistent Compromise
> PTH, PTT, Rootkits, Backdoors, Built-in (WMI, Sticky Key), Dual Use Admin Tools, Remote Access Tools
§ Stealth
> Valid Accounts, Golden Ticket, DNS/ICMP Exfil, Covert Channel
7. Detection of Modern Threats
Malware - Nothing new needed
§ Smart Antivirus alert processing
§ Report on C2 traffic in proxy blocks and IDS/IPS alerts
§ Backup/Restore in case of ransomware
§ Analyze and report on samples with Sandbox solutions
8. Detection of Modern Threats
Advanced Persistent Threats
§ Same as for malware threats (because malware is used in links of the kill chain)
§ Malware-less Threats
§ Web Shells > web server logs, process monitoring (e.g. Sysmon, Carbon Black …)
§ PTH, PTT > Smart Windows audit log inspection, process monitoring
§ Dual Use Tools, Scripts > Process monitoring, Application control (AppLocker), PowerShell / WMI monitoring
§ Backdoors with built-in tools > Process monitoring (integrity analysis – sig/hash), Registry monitoring, PowerShell / WMI monitoring
9. Problem
§ Conventional threat detection covers only the most obvious malicious activity and some extras
§ Is already struggling with false positives
§ Lack of visibility in application layers
§ Lack of signatures for threats in application layers
This is where Sigma steps in
10. § Generic signature format to describe relevant events in log files
§ Open repository for sigma signatures
§ Set of converters that generate searches/queries for different SIEM / log management systems
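As an added illustration of the three pieces just listed (a rule in the Sigma detection structure, matching it against events, and a converter that emits a SIEM search), here is a small example written for this page; it is not sigmac or any rule from the Sigma repository. The rule is written as a Python dict rather than YAML so it runs without PyYAML, the Sysmon-style events are constructed, and the `approved_maintenance` filter is a hypothetical tuning entry.

```python
# Sigma-style rule: a shell spawned by a web server worker, one of the
# process-monitoring traces for web shells mentioned on the earlier slide.
WEBSHELL_RULE = {
    "title": "Shell spawned by web server process",
    "logsource": {"product": "windows", "service": "sysmon"},
    "detection": {
        "selection": {                      # fields within a block are ANDed
            "EventID": 1,                   # Sysmon process creation
            "ParentImage|endswith": ["\\w3wp.exe", "\\httpd.exe"],   # a list is an OR
            "Image|endswith": ["\\cmd.exe", "\\powershell.exe"],
        },
        "filter": {"CommandLine|contains": "\\approved_maintenance\\"},  # hypothetical tuning
        "condition": "selection and not filter",
    },
    "level": "high",
}

SAMPLE_EVENTS = [  # constructed Sysmon-like process creation events
    {"EventID": 1, "ParentImage": "C:\\inetsrv\\w3wp.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 1, "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe"},
    {"EventID": 1, "ParentImage": "C:\\Apache\\bin\\httpd.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c C:\\approved_maintenance\\rotate.bat"},
]

def _field_matches(event, key, wanted):
    field, _, mod = key.partition("|")          # "Image|endswith" -> field name, modifier
    value = str(event.get(field, "")).lower()   # only these three modifiers are supported here
    tests = {"": value.__eq__, "endswith": value.endswith, "contains": value.__contains__}
    return any(tests[mod](str(w).lower()) for w in (wanted if isinstance(wanted, list) else [wanted]))

def _block_matches(event, block):
    return all(_field_matches(event, k, v) for k, v in block.items())

def rule_matches(rule, event):
    det = rule["detection"]                     # only "X and not Y" conditions are supported here
    sel, _, flt = det["condition"].partition(" and not ")
    return _block_matches(event, det[sel]) and not (flt and _block_matches(event, det[flt]))

def to_splunk(rule):
    # Render the rule as a Splunk search: the kind of converter output the slide describes.
    det = rule["detection"]
    pattern = {"": '"{}"', "endswith": '"*{}"', "contains": '"*{}*"'}
    def block(name):
        parts = []
        for key, wanted in det[name].items():
            field, _, mod = key.partition("|")
            vals = wanted if isinstance(wanted, list) else [wanted]
            parts.append("(" + " OR ".join(f"{field}=" + pattern[mod].format(v) for v in vals) + ")")
        return " ".join(parts)
    sel, _, flt = det["condition"].partition(" and not ")
    return block(sel) + (f" NOT ({block(flt)})" if flt else "")

def run_rule(rule, events):
    return [i for i, e in enumerate(events) if rule_matches(rule, e)]   # indices of hits
```

Only the first event matches: the second has a non-web-server parent, and the third is suppressed by the filter block, which is how the `and not` condition keeps a known-good script from raising an alert.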
13. § Describe a detection method you have discovered in Sigma to make it shareable
§ Share the signature in the appendix of your analysis along with file hashes and C2 servers
§ Share the signature in threat intel communities - e.g. via MISP
§ Provide Sigma signatures for malicious behavior in your application
(Error messages, access violations, manipulations)
§ Integrate a new log into your SIEM and check the Sigma repository for available rules
§ Develop an experimental detection method, write a Sigma rule, share it and ask for feedback
§ Write a rule converter for your custom log analysis tool and process new Sigma rules automatically
§ Provide a free or commercial feed for Sigma signatures
14. Outlook
§ Public Release – Q1/2017
§ Complete proposal for specification
§ Reasonable example signature set
§ Roadmap 2017
§ First converters for ElasticSearch queries and Splunk searches
§ Support needed
§ Rule ideas for different log sources
§ QRadar, ArcSight, Carbon Black