
Going to get started now: using Sigma as a gateway to detection engineering. Thanks for coming; last talk of the day, we're almost there. My name is Micah Babinsky, and I'm really excited to talk with you all about Sigma, detection engineering and all that good stuff. I loved how Joe in his opening keynote talked a little bit about his personal background. I was not a skateboarder or a punk rocker early on, but just a little bit about me: I didn't start in security. I worked in the geographic information systems, or GIS, industry for a good 12 years or so before coming into security. I used to go to a GIS conference in this very room every year, GIS in Action. And a little bit more of an odd hobby you get into as a kid: I played the bagpipes. Well, I play the bagpipes, from 1998 until present. That's a picture of me up there as a young bagpipe student, probably early 2000s or something. But anyway, what I'm here to talk about with you now is more geared towards my work, where I'm a principal detection engineer at Amre. Other things that I love to talk with people about, networking-wise: I'm always up for trying some new recipe or baking something. My kiddo just became obsessed with gingerbread men, so we made some gingerbread men; I've got those coming out and covering the countertop, basically.

So, kind of my cybersecurity journey, which I think is worth sharing. I think I'm the kind of person who just needs to change careers every 10 or 15 years, so I think next I'm going to go for hiking guide; hopefully in my early 50s I'm still up for that. But in terms of cybersecurity, I was working GIS, kind of not feeling too hot on it after a while, and the pandemic was rearing its head. I had been interested in security since I worked next door to the infosec team at the City of Portland, where I used to work, and I came through a boot camp. I'm not going to go into opinions on boot camps versus other ways of learning, but it worked for me. After a few months of struggle I found my way, my foot in the door, as a SOC analyst, and then from there I went to a more generalized security analyst role doing some auditing, some phishing tests (loved that last presentation), security awareness training, good stuff like that. But I really liked monitoring the logs, and I really liked researching threats that were coming out. Log4j was happening as I was working there, and I really liked learning about these new threats and seeing, oh, can I find these in my logs, can I find something weird in my logs? At that point, which was not very long ago, I did not even know what detection engineering was, but that's been my specialty for the last couple of years. I love it. I was telling someone before, I feel like I've struck gold; I feel like detection engineer is the coolest, most fun job in this industry. Of course, I haven't had too many jobs in this industry. But in terms of my involvement with Sigma, which is what I'm going to be talking about with you today, I got my first Sigma rule contributed in December 2022, so less than a year ago. It's been very exciting to be a Sigma contributor. Real quick, show of hands: who here has been a Sigma user in any way, like read a rule, used a rule? Awesome, okay, not too many people. Awesome, that's great.

So before I roll in: detection engineering, what is it? This is my own mind map for detection engineering, and hopefully you can read that okay, but these are the key components that I think I cannot be a good detection engineer without. So, up here, knowledge of your threats: working with your red team and your pentesters to figure out what they're using, reading those threat intel reports. Then you need some engineering capability within your organization or your team, to know how to use the detection and response platforms, the SIEM products that you might use; maybe you're trying to do some detection as code. I don't know if anybody caught the detection-as-code workshop earlier today from Ken Weston; I did that and it was fantastic. There's also how you validate and optimize your alert rules so you're getting the most value and not creating extra work for your SOC analysts. You don't want your SOC to be angry at you; you want them to be working with you. And I love how this conference is focused on the community and organizational culture that builds across the security industry and also the customers that we serve. So, knowledge sharing: how do you access open sources of detection logic, and get feedback integrated from everyone from the CISO on down to the junior SOC analyst? As a detection engineer you have to be open to that feedback and see all of those people as your customers. And then there's the organizational knowledge; that's key. Whatever company or organization you're at, what is the business technology environment, what apps and software are they using? You're going to need to know how that works on some level, so that you know how your detection capability can extend and cover those things. So that's my quick rundown. This is not an official definition; this is just Mic's quick rundown of what he thinks detection engineering is, and I'm still learning, as you can tell, because I'm still pretty new at this.

But going back to early in my career in security, which again was just a couple of years ago, working as a SOC analyst: you learn some really cool tools if you're doing labs and stuff, Volatility, Wireshark, malware analysis. For me it was just a lot of logs. I'm guessing if any of you all work as a security analyst in a junior role, yeah, there's just a lot of logs. And there's various levels of experience usually on these analyst teams. Some people might really know what Sysmon event ID 3 does and tells you; some people might know what Windows security event 4663 can tell you and what it can't; for some people that's going to be like speaking a language they don't understand. And so as a new professional it's important to try to understand what those attacks look like in terms of logs, which, as John Strand said in one of those pay-what-you-can trainings that he offers, unfortunately, despite what your EDR vendor might tell you, there's no single log that says "you have been hacked." It's on us as professionals, students and learners to figure out what our logs are telling us, and, as I'm going to get to, Sigma can be a powerful tool in your toolbox for doing that.

How about the rules? If you're working alerts, you're working an alert queue, hopefully the rule has a meaningful title, hopefully there's a description that can tell you what it's looking for, hopefully it will give you the log message or the event that triggered that alert rule, and hopefully you have the contextual knowledge to understand what else you might want to look for if you're seeing this particular type of alert. I'm going to be honest, though: I don't think every organization has that capability of alert rules that are meaningful, impactful and give an analyst a starting point for effective follow-on investigation. So these are just some of the challenges that I ran into. Story time: we had a rule at my first job working the SOC called "Executables in ADS." Now maybe some of you know what ADS stands for, maybe some of you don't. My team, we just thought it was talking about ads like advertisements: you download something, you get a drive-by download and all of a sudden you've got a malicious executable. We worked this alert for months thinking that, and then we're doing a review and all of a sudden the guy who did our alerting, our detection rules (he didn't have the title of detection engineer; I don't even really think the company necessarily knew about detection engineering as a discipline; again, this was a couple of years ago, this is pretty new stuff), he started talking about it and we're like, what, alternate data stream? Like what? Oh. Oh, okay. Sheepishly we all had to admit that we thought this rule was talking about something completely different. And so understanding the context behind the alerts that you're working is important as a security analyst, but as a detection engineer it's your responsibility: if your analysts don't understand the alerts that they're working, you're not doing your job right. Gosh, I sound so harsh; I'm not angry, I swear. It's a privilege to be a detection engineer; it's a privilege to work with analysts at all different levels of their career.

So, talking about Sigma now. Sigma is an open-source project that I've really come to love. This is sort of the standard answer, the ChatGPT answer that you get, and it'll say it's a generic and open-source log-based detection format. It's a YAML file, so basically semi-structured, kind of like JSON if you've ever worked with JSON files, and it's a way of saying, in a vendor-agnostic way, what are the conditions and all the properties that would lead into a detection rule. So this is the definition; it's somewhat helpful, but it really focuses on this signature format, a standardized generic format that you can write as a detection rule. My definition goes beyond this, though. I think it's more than just one thing; for me it's really three or even four things. There's the detection rule format that I just talked about, but there's also an actual peer-reviewed, community-supported repository, or like a library, of detection rules that are maintained by some of the best detection engineers in the world, and that is maintained by a community of people everywhere from students all the way up to senior people that can contribute Sigma rules. And so if you're a student, or if you're early in your career and you're interested in a career specializing in detection, that's a place you're going to want to check out, both to learn and maybe, hopefully, to contribute. It's also a series of conversion tools. So if you have an awesome Sigma rule, that's great, but if you can't use it effectively in your SIEM or your detection and response monitoring platform of choice, it's not going to be that helpful. And so there's this series of conversion tools called backends or plugins, depending on the context you're talking about them in, and that's a key part of the project. And then fourth, we're talking about community at BSides this year, so it's a community of researchers, engineers and all types of people who contribute to the project and make it flourish and make it, I believe, one of the most valuable open-source projects, at least on the defensive side, at least when you're talking about logs, which again, a lot of our detection happens via logs. All of this community is driving that and making that project successful.

Okay, so I'm going to go in depth a little bit more on each of those Sigma components that I just listed. So this is the format that I talked about. This is an infographic. I don't know if that's... oh, that's heck of grainy, okay, sorry. Well, I will make these slides available on my LinkedIn; I encourage you all to connect with me after this, and I'll throw it up on X as well. But this is an infographic by this guy Thomas Roccia, who wrote a book called Visual Threat Intelligence; I highly recommend you check it out. His handle is fr0gger. He basically breaks down all the components of a Sigma rule. There's a lot in here; I'm just going to break it into three key components. So there's the metadata: that's your title, description, identifier, the author, the data about the data with regards to this rule. Then there's the log source definition: is this a Linux file event rule, is it a macOS process creation rule, is it a cloud, you know, Azure sign-in logs based rule? Basically, from this generic format, you're defining and telling your SIEM product, or your output query, what kind of logs we're looking at here. There's a standardized taxonomy that you can read about and learn, and then figure out how to correctly record that. It's a little confusing; it's one of the hardest things to learn about using Sigma rules, but it is important because it defines what your input data is. And then there's the detection itself. Well, that's probably the most important part, actually, but basically you're looking at field names and conditions, values and modifiers, and so that's just basically saying, like, process name equals rundll32, or command line contains "arp -a" or something. That's where you're basically saying what's the logic behind this rule. It's a very simple format to learn, and there's a lot of flexibility in it too. When I talk about some of the newer versions of the pySigma project, the newer codebase, we'll get into a little bit more of what you can do with this, but it's really cool and not hard to understand.

The rules repo: this is a place where you're going to want to spend some time. I don't know if you can read that a little bit, but yeah, there's thousands of Sigma rules; they're categorized effectively in this GitHub repository. If you just search for "GitHub Sigma rules" it'll pop right up. They're categorized by operating system, different cloud platforms, whether it's network, you know, there's DNS rules; that covers a lot of what I just mentioned there, but it's nicely categorized. There's rules more geared towards threat hunting too, so not something you'd want to turn on in your environment but something that could be the starting point for a threat hunt. Pretty useful. If you want to submit a rule, if you've done some research... actually, you know the last presentation, talking about configuring webhooks maliciously within Microsoft Teams? I guarantee you there's going to be some Microsoft 365 audit logs that are going to be left with certain properties that might be suspicious when you do that kind of activity. I checked; there's no rule in this Sigma rules repo. Anyone here who saw the last presentation, or watched it on YouTube, could recreate what the speaker did and could attempt, and probably have good success, creating a brand new, novel Sigma rule that could then be used by the entire community. So, enough about that, but you submit it, there's a team who will review your pull request, they'll scrutinize it, and they'll make sure that it's a high-quality rules library that can be used by a lot of different people.

The conversion tool: this is just a simple graphic that shows how it works. You've got that generic Sigma format, you put that through the sausage grinder of your Sigma converter, aka a Sigma backend or plugin, and then your output, you can choose: maybe Elasticsearch, Splunk, Panther (if you went to the detection-as-code workshop, it was using Panther; there's a Sigma backend in the works for Panther right now). So there's all these different output formats that you can specify. The command on the screen there, it's hard to read, but it basically shows you run this sigma convert command, and then you can output whatever target or output format you want, and then you're going to get a query in that Splunk processing language, Kibana query language, what have you, whatever that output format that you choose is. It's a really cool way to get a new rule.

So for the small number of people who have used Sigma, maybe you saw there used to be a website called uncoder.io that you could just get to, where it was a web page where you could paste a Sigma rule in and then hit convert and choose your output format. That's using the old legacy Sigma codebase. There's a new version called pySigma, which I've been involved with. It's got a smaller number of those output conversion formats, a smaller number of backends, but it's growing. The old codebase: you can still get to those legacy tools, but it's not really being maintained. If you're interested in contributing a new backend, you're going to want to check out this pySigma. And there's a lot of additional modifiers. Let's say you want to focus your rule using IP addresses: we can specify a CIDR range in the rule as one of those modifiers on your rule conditions, which is pretty cool if you're trying to maybe focus your detection towards public or private IP addresses. There's a lot of things, like one modifier called windash. So I mentioned "arp -a"; it's a common discovery command used by a lot of commodity malware. Well, if you run "arp /a" or you run "arp -a", like hyphen a, you get the same output, and so the windash modifier, as you're writing your Sigma rule, will basically account for those variations and it will add those conditions to the output rule, so you don't have to focus on, oh, did I forget to put "arp -a"? It'll just handle that for you. So all this is just to say that the new pySigma codebase, if you're interested in getting involved with Sigma, start there, and if you go to their website, their blog, that's going to be your entry point.

So, how I got involved with all this: I was working at a job actually really near to here, just a couple of blocks away from where we're sitting, that used Rapid7 InsightIDR, which is a really cool cloud-based SIEM. I was interested in converting some Sigma rules into Rapid7 InsightIDR's Log Entry Query Language, so I was like, oh well, is there a backend for that? No, there was not. So it turns out from my GIS years I had some pretty decent Python knowledge, and I set the goal of saying I'm going to create my own pySigma backend for Rapid7 InsightIDR. It was about three or four months of some late nights, some weekend work after my kiddo goes to bed; I'm working on that thing for about three months, but then after a while I got it working and all of a sudden it was accepted and part of the SigmaHQ community. That was a really cool experience. And then I checked out, if you're interested in threat detection, the Red Canary annual Threat Detection Report. They publish it every year; they've got monthly threat detection summaries, and they've got all these different attacker techniques, all these different types of malware, and these pseudocode detections that give you these concepts. Well, I decided to go through that entire 2022 detection report and write Sigma rules for every single pseudocode detection that I could. So all of a sudden I'm writing rules, I've got my own GitHub Sigma rules repository, I'm starting to see blog posts, so then I start my own blog posts where I'm learning about new threats. Like this fellow GM was talking about the evolution and the way that commodity malware is delivered, in his "Follow the Metadata" presentation earlier today; well, I was right there with him as you were seeing, like, Qbot change from zip files to PDFs to OneNote files, and now they're using WebDAV servers to deliver malware. And all of a sudden I'm standing up my own home detection lab with Splunk and I'm running malware samples or checking out threat intel blogs and writing Sigma rules and then blogging about it and having just a ton of fun. And so that got me involved, and so now I've got about 10 Sigma rules in that main Sigma rules repo that I mentioned, and it's just a great community, it's just
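To make the three rule components (metadata, log source, detection) and the windash and CIDR modifiers from the talk concrete, here is an added example that is not the speaker's code and not pySigma or SigmaHQ code: a small evaluator that applies a constructed Sigma-style rule, written as the dict a YAML loader would return, to constructed Windows process-creation events. The rule, its field values and the events are constructed, and the evaluator handles only single-selection conditions and the few modifiers shown.

```python
"""Minimal evaluator for a Sigma rule's metadata, logsource and detection parts.
Added example, not pySigma or SigmaHQ code; rule, values and events are constructed."""
import ipaddress

# The rule as a YAML loader would hand it back from a Sigma .yml file (constructed).
RULE = {
    # metadata: the data about the rule
    "title": "ARP Network Discovery",
    "description": "Detects 'arp -a' style network discovery from the command line",
    # logsource: which logs the rule applies to (Sigma taxonomy)
    "logsource": {"category": "process_creation", "product": "windows"},
    # detection: field names, modifiers, values and the condition that ties them together
    "detection": {
        "selection": {"Image|endswith": "\\arp.exe", "CommandLine|contains|windash": " -a"},
        "condition": "selection",
    },
}

def windash_variants(value):
    """windash modifier (simplified): Windows accepts '/a' as well as '-a', so try both forms."""
    return [value, value.replace("-", "/")]

def field_matches(event, spec, value):
    """Evaluate one 'Field|modifier|...': value pair of a selection against an event."""
    field, *mods = spec.split("|")
    actual = event.get(field)
    if actual is None:
        return False
    if "cidr" in mods:  # e.g. 'DestinationIp|cidr': '10.0.0.0/8' to scope a rule to private ranges
        return ipaddress.ip_address(actual) in ipaddress.ip_network(value)
    candidates = windash_variants(value) if "windash" in mods else [value]
    actual = actual.lower()  # Sigma string matching is case-insensitive
    for cand in candidates:
        cand = cand.lower()
        if "contains" in mods:
            hit = cand in actual
        elif "endswith" in mods:
            hit = actual.endswith(cand)
        else:
            hit = actual == cand
        if hit:
            return True
    return False

def rule_matches(rule, event):
    """True when every field of the selection named by 'condition' matches (single-selection rules)."""
    det = rule["detection"]
    selection = det[det["condition"]]
    return all(field_matches(event, spec, val) for spec, val in selection.items())

# Constructed events: dash form, slash form (caught only thanks to windash), and an unrelated process.
EVENTS = [
    {"Image": "C:\\Windows\\System32\\ARP.EXE", "CommandLine": "arp -a"},
    {"Image": "C:\\Windows\\System32\\arp.exe", "CommandLine": "ARP /a"},
    {"Image": "C:\\Windows\\System32\\ipconfig.exe", "CommandLine": "ipconfig /all"},
]

def matching_command_lines(rule=RULE, events=EVENTS):
    """Command lines of the events the rule fires on."""
    return [e["CommandLine"] for e in events if rule_matches(rule, e)]
```

Without the windash modifier the second event ("ARP /a") would slip through; that is the variation the talk describes the modifier accounting for.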