The rules part of Sigma are until now generated manually and need a thorough development to exclude false positives. Sigma, on the other hand, gives us a more robust detection method at the cost of speed. Using these indicators wisely is not straight-forward and often ends up being implemented in a “Spray and Pray” approach.Īs one can easily guess, this approach often leads to many false positives.Įither the provided intelligence is incorrect (you would be surprised by the amount of times Google’s DNS is flagged as an IoC), or the detection logic is missing additional context.Īlthough the former problem can be fixed by ensuring your MISP community “thinks twice”, the latter is more complex to handle.Īs an example, given a malicious shortened URL (protocol, domain, path and parameters) reported by MISP, it would make no sense to generate alerts if the only IoC observed on an endpoint is the URL shortener’s domain.įigure 1: A schema of individual MISP attributes generating false positives This constant feed is extremely valuable to rapidly spread threat intelligence among the community. MISP provides tons of Indicators of Compromise (later referred-to as “IoC”) shared as a constant feed. The projects are not related at all and even their usage targets different use-cases. Where MISP has been focused on sharing threat intelligence, Sigma has been focused on very advanced and fine-tuned detection. This post will introduce the Sigma Importer – a way of generating thousands of qualitative vendor-agnostic Sigma rules from threat intelligence feeds such as MISP.įor the impatient ones like me, you can directly skip to the presentation as well as the project itself. Throughout the years, my current employer NVISO has benefited from many similar open-source projects and today I have the pleasure to share back. Or Sigma, another open-source project which provides a generic and open signature format to share vendor-agnostic detection logic. Readers might recognize projects such as MISP, formerly known as Malware Information Sharing Platform, which enables organizations to share threat intelligence The open-source community has brought us many solutions to problems which arose throughout the constant fight with threat actors.Īlthough some projects are less known, some are widespread and actively used within the infosec community. ![]() Whether it is for general data-sciences or more specifically for threat intelligence, collecting data is hard but using it wisely is even complexer. TL DR - I open-sourced Sigma Importer, a way of generating thousands of qualitative vendor-agnostic Sigma rules from threat intelligence feeds such as MISP. Automated Sigma Rule Generation from MISP Threat Intelligence
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |