Open Sourcing Cyber Defense to Level the Playing Field
Infoblox sponsored this post.
There were more reported vulnerabilities (18,358 reported) in 2020 than in 2019 continuing a multi-year trend, where cyber hazards continued to surface despite the stream of security innovations companies brought to market. Why — if we have ample security products and skilled defenders who can optimize security postures — do the breaches keep coming?
An answer is emerging in open sourcing security to break up the silos inherent in the traditional incident response model. As John Lambert, the distinguished engineer who leads the Microsoft Threat Intelligence Center, noted in his Security Analyst Summit keynote, “Defenders face the same threats but defend alone.” With companies taking an average of 8 months to detect and contain a breach, the “defend apart” model exacerbates the damage attackers can do.
The convergence of cloud-based open source tools makes it possible to pool together security expertise from a diverse community of novices and specialists, raising the bar for all. Lambert coins this concept “the GitHubification of InfoSec.” This “defend together” model open sources threat insight, actionable analysis and repeatable results by enabling researchers, product engineers and government agencies to efficiently share their discoveries and techniques with the entire community on the public internet.
Leveraging open source tools such as MITRE ATT&CK, Sigma and Jupyter allow defenders to close the asymmetry gap with attackers by sharing threat actor profiles, attack techniques and remediation at the speed and scale of the cloud.
Using GitHubification to Prevent the Next Big Attack
I followed up with Lambert on using GitHubification to prevent the next big attack and generating critical mass to move security to a more proactive model.
Lambert explained that malicious activity like the TrickBot infections could potentially be anticipated and their infection rates reduced if the defender community and associated security vendor industry were sharing the investigation shortcuts.
“Those shortcuts can help security operations centers (SOCs) and analysts detect precursor activities earlier in the killchain and figure out what is happening in their environments. They eliminate the time and expertise needed to re-create security tooling, connect to relevant data and reduce false positives in a way that would significantly accelerate an investigation,” he added.
In Lambert’s view, the CISA TrickBot alert from October is an example of open sourcing security. Providing indicators of compromise (IOCs) in an alert is good, but building good detection for items like command lines are more challenging. An analyst without significant experience needs to invest a significant amount of time determining what is the right approach to take to detect the malware associated with a command line string. Then, they need to determine how to analyze each element of the actor’s command line string to try to guess which element is important.
“Security vendors like VirusTotal (owned by Alphabet) and JoeSecurity are using Sigma rules to shorten the learning curve and get high fidelity analytic data more rapidly,” Lambert noted. Sigma is a generic and open signature format that allows a defender to describe relevant log events in a straightforward manner. Additionally, detections can be built to identify malicious activity in those logs. Sigma has translators for those detections generated by various security tools that defenders use in investigations.
“A Sigma rule speeds and simplifies the analytic logs associated with the IOCs and gives security teams an “easy button” to implement that gets useful “hits” in their data to start investigating faster,” said Lambert. In the case of the CISA alert, security teams could have used Jupyter Notebook to bundle IOCs, associated rules, and any data connectors made public by the community to accelerate the collection of high fidelity logs and automate analysis of that information to more quickly draw conclusions.
Using Open Source Tools to Accelerate Investigations
According to Lambert, open source defender or analytic tools can accelerate investigations and speed time to detection or mitigation by automating analysis over large data sets and simplifying otherwise manual processes for hunting. He provided a couple of examples of how this could happen.
“In a matter of minutes, Florian Roth extracted a new ransomware doppelgänger variant, created a new rule to detect the malware, ran it in his SIEM, used that to build a YARA rule that matches on the process command line and blocks the threat, then posted the YARA rule to GitHub. That enabled others to run that YARA rule on their own SIEM and immediately block the threat.”
Similarly, when Microsoft’s MSTICPy Jupyter Notebook supported VirusTotal lookups to improve a hunter’s ability to connect to the most popular datasets, the VirusTotal team took notice and contributed a new Python module into the open source code repo — enabling easier access to the latest version of their API for MSTICPy users.
“This integration would have been less likely to occur if Microsoft had never open-sourced the MSTICPy code,” noted Lambert. As a result, SOC analysts around the world, who increasingly rely on Jupyter notebooks to automate and speed investigations, now have a connector to VirusTotal, one of the most popular data sources.
Lambert emphasized that these open-sourced contributions enable better and faster integrated triage of alerts and enable the full power of the VirusTotal API within MSTICPy Jupyter Notebooks. They also lower the learning curve for newer analysts by giving them a guide that walks through how various analytic tasks occur, allowing them to play with the underlying components, while giving them learning opportunities within their own data and using their own tools.
Why Open Source Size Matters
For a defender community to get enough value from open source technique/tool sharing to prevent the next big threat, it requires enough people contributing and adopting the shared information. It also requires that the key ingredients of the threat techniques be clearly defined and adopted by the right set of tools. Adoption will largely depend on three communities embracing a common taxonomy: individual researchers building and sharing actionable analytics that translate into defensive action, security vendors linking that defensive action to detections that tie to understood threats, and the underlying common taxonomy that grows and expands as new threats evolve.
So how is that achieved? Lambert explained that broad contribution and adoption is achieved by wrapping the tools, techniques and integrated security products around a common and easy-to-integrate framework like MITRE ATT&CK. Centralizing the taxonomy of threats is a critical centerpiece that allows researchers involved in investigations to drive toward crafting and sharing their hunting techniques (e.g. YARA or Sigma rules) to support or expand on that framework.
From that foundational data, other tools (e.g. Jupyter Notebooks and vendor-specific data connectors) can tie back to a common taxonomy to demonstrate coverage and speed investigation outcomes through integrations. Those notebooks and connectors can then be shared with the broader community to drive better prevention against advanced threats.
Open sourcing cyber defense is an imperative that can enable a collective defense for us all. The more easily defenders can recognize the common taxonomy, investigative tools, and techniques, the faster they can anticipate and possibly prevent the next big threat.
Infoblox sponsored this post.
Feature image via Pixabay.