Custom detection engineering framework

The goal of our custom framework (methodology) is to facilitate the management of documentation and critical requirements for effective detection engineering.

The problem of insufficient documentation:

– Good documentation provides good insight into the detection setup and defines the criteria for false positives.

– Poor, vague documentation or a poorly documented framework results in overwhelming the monitoring mechanisms with alerts.

Detection engineering methodology (DEM)

The Detection engineering methodology (DEM) provides a simple guide on how to approach the development of an effective detection system. The individual steps can then be easily mapped with the Alerting and Detection Strategy (ADS).

Steps:

1. Select Target Technique
   1. AND/OR subtechnique per MITRE ATT&CK
2. Research Underlying Technology
   1. Get initial info from ATT&CK – TTP description, links, other resources
   2. Choke points
   3. Process deyails, operators
3. Proof of Concept Malware Sample(s)
   1. Get sample, tools or script etc.
   2. Run PoC simulation
4. Identify Data Sources
   1. Consult MITRE website for data sources
   2. Create data model
5. Build the Detection
   1. Final detection data model
   2. Identify event ID
   3. Specify target process
   4. Pivoting to investigation

Alerting and Detection Strategy (ADS)

The Alerting and Detection Strategy (ADS) concept was published by PALANTIR in 2017 and the original can be found here.

Based on Palantir, the ADS framework “helps us frame hypothesis generation, testing, and management of new ADS”.

The former ADS framework by Palantir contains the following sections:

1. Goal
2. Categorization
3. Strategy Abstract
4. Technical Context
5. Blind Spots and Assumptions
6. False Positives
7. Validation
8. Priority
9. Response
10. Additional Resources

Custom ADS Framework with added parts by DCG420:

1. Goal
2. Categorization
3. Strategy Abstract
4. Technical Context
5. Blind Spots and Assumptions
6. False Positives
7. Validation
8. Priority
9. Response
10. Additional Resources
11. The detection rule (SIGMA, Generic rule)
12. ACD elements use for Blind spots

For better documentation we added parts for:

11. The detection rule (SIGMA rules, Generic rules) – to maximize the portability of the rules, we chose the SIGMA universal format, which provides a simple conversion to the SIEM language found in the defender environment.
12. ACD elements use for Blind spots – ACD elements correspond to Engage ID according to MITRE Engage.

The practical application of this custom methodology will be discussed in future articles.

Sources:

https://blog.palantir.com/alerting-and-detection-strategy-framework-52dc33722df2

https://engage.mitre.org

https://attack.mitre.org

https://github.com/SigmaHQ/sigma

Custom detection engineering framework

Cílem našeho custom framework (metodologie) je usnadit správu dokumentace a kritických požadavků pro efektivní funkci detekce (detection engineering).

Problém nedostatečné dokumentace:

• Dobrá dokumentace poskytuje kvalitní vhled do nastavení detekce a definuje kritéria pro false positives.
• Špatná, vágní dokumentace nebo nekvalitně dokumentovaný framework má za následek zahlcení monitorovacích mechanizmů alerty.

Detection engineering methodology (DEM)

Kroky (v ENG):

1. Select Target Technique
   1. AND/OR subtechnique per MITRE ATT&CK
2. Research Underlying Technology
   1. Get initial info from ATT&CK – TTP description, links, other resources
   2. Choke points
   3. Process deyails, operators
3. Proof of Concept Malware Sample(s)
   1. Get sample, tools or script etc.
   2. Run PoC simulation
4. Identify Data Sources
   1. Consult MITRE website for data sources
   2. Create data model
5. Build the Detection
   1. Final detection data model
   2. Identify event ID
   3. Specify target process
   4. Pivoting to investigation

Alerting and Detection Strategy (ADS)

Na základě Palantir rámec ADS „nám pomáhá vytvářet hypotézy, testovat a spravovat nové ADS“.

Původní rámec ADS od Palantir obsahuje následující části (v ENG):

1. Goal
2. Categorization
3. Strategy Abstract
4. Technical Context
5. Blind Spots and Assumptions
6. False Positives
7. Validation
8. Priority
9. Response
10. Additional Resources

Custom ADS Framework s přidanými částmi od DCG420:

1. Goal
2. Categorization
3. Strategy Abstract
4. Technical Context
5. Blind Spots and Assumptions
6. False Positives
7. Validation
8. Priority
9. Response
10. Additional Resources
11. The detection rule (SIGMA, Generic rule)
12. ACD elements use for Blind spots

Pro lepší dokumentaci ADS jsme přidali části pro:

11. The detection rule (SIGMA rules, Generic rules) – pro co největší přenositelnost pravidel jsme zvolili SIGMA universal format, který je poskytuje jednoduchou konverzi do jazyka pro SIEM, který se nachází v prostředí obránce.
12. ACD elements use for Blind spots – ACD elementy odpovídají Engage ID dle MITRE Engage.

Praktickému využití této custom metodologie se budeme věnovat v dalších článcích.

Zdroje:

https://blog.palantir.com/alerting-and-detection-strategy-framework-52dc33722df2

https://engage.mitre.org

https://attack.mitre.org

https://github.com/SigmaHQ/sigma