OSCD Sprint #2: Simulation, Detection & Response

It's been a while since the First OSCD Sprint, dedicated to Threat Detection. This time we will focus on multiple areas of practical CyberSecurity. You can find a detailed backlog here. Below is a general description of the sprint and areas of work.


- Improve MITRE ATT&CK coverage of open source Sigma rules and Atomic Red Team tests
- Improve cross-coverage of Sigma rules and Atomic Red Team tests
- Improve ATC RE&CT coverage of open source TheHive Responders

The plan

1. Two-week-long sprint starts October 5, 2020
2. Participants pick up tasks from the backlog or contribute other analytics
3. Participants use a special guideline that helps them get familiar with the workflow
4. Results will be collected, reviewed, and pushed to projects' repositories on GitHub

Threat Detection

There is the Sigma project — Generic Signature Format for SIEM Systems. It has a converter that generates searches/queries for different SIEM systems and a set of Detection Rules.

With time, the Sigma project ruleset has become the biggest (more than 600 rules) and the most mature community-driven Detection Rules set. This is the place where you can find Detection Rules for emerging threats (e.g. the Windows DNS Server RCE CVE-2020-1350 exploit), adversary simulation tools (Empire, Cobalt Strike), adversary behaviors (token stealing), and many more. Most of the rules are mapped to the MITRE ATT&CK framework.

Even if you are not using the Sigma converter, you can still benefit from its ruleset. Most advanced security teams are subscribed to the Sigma project updates on GitHub. It's a good time to do so if you haven't yet.

There are some critical gaps in the Sigma ruleset and plenty of decent publicly available Threat Detection analytics that haven't been added to the ruleset yet. That's what we decided to focus on. A detailed backlog on Threat Detection could be found here.

Adversary Simulation

There is the Atomic Red Team project — small and highly portable detection tests based on MITRE's ATT&CK. It allows every security team to test their controls by executing simple "atomic tests" that exercise the same techniques used by adversaries.

With time, the Atomic Red Team test set has become the biggest and most mature community-driven Adversary Simulation test set.

There are atomic tests that are not covered by Sigma detection rules. This means that the community has a way to automatically simulate adversarial techniques but no rules to detect them in the public repository of the Sigma project.

At the same time, there are Sigma rules that are not covered by Atomic Red Team tests. In other words, the community has a way to detect adversarial techniques but no tests to simulate them in the public repository of the Atomic Red Team project.

Here is the actual Atomic Red Team and Sigma projects' coverage of the ATT&CK framework. Techniques covered by Sigma rules are highlighted in blue, those covered by Atomic Red Team tests in red, and those covered by both in purple:

Figure: ATT&CK coverage matrix, Microsoft Windows
Figure: ATT&CK coverage matrix, Apple macOS
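The cross-coverage check described above, as an added example that is not part of the original post or of either project: it pulls ATT&CK technique ids out of Sigma `tags` and Atomic Red Team `attack_technique` fields, collapses sub-techniques to their parent technique (the matrix is coloured per technique), and classifies each technique as covered by Sigma only, Atomic Red Team only, or both. The rule and test fragments are constructed for the example, not real repository files.

```python
import re

# Constructed sample inputs (not real repository files): two Sigma rule
# bodies and two Atomic Red Team technique files, reduced to the fields
# that carry the ATT&CK mapping ('tags' in Sigma, 'attack_technique' in
# Atomic Red Team).
SIGMA_RULES = [
    "title: Suspicious Download Cradle (constructed)\ntags:\n"
    "    - attack.execution\n    - attack.t1059.001\n"
    "    - attack.command_and_control\n    - attack.t1105\n",
    "title: Credential Dumping Tool (constructed)\ntags:\n"
    "    - attack.credential_access\n    - attack.t1003.001\n"
    "    - attack.s0002\n",
]
ATOMIC_FILES = [
    "attack_technique: T1059.001\ndisplay_name: PowerShell\n",
    "attack_technique: T1053.005\ndisplay_name: Scheduled Task\n",
]

# Only technique tags (attack.tNNNN or attack.tNNNN.NNN) count as coverage;
# tactic (attack.execution), software (attack.sNNNN) and group tags do not.
SIGMA_TECH = re.compile(r"^\s*-\s*attack\.(t\d{4}(?:\.\d{3})?)\s*$", re.M | re.I)
ATOMIC_TECH = re.compile(r"^attack_technique:\s*(T\d{4}(?:\.\d{3})?)\s*$", re.M)

def parent(technique):
    """Collapse a sub-technique (T1059.001) to its parent (T1059)."""
    return technique.upper().split(".")[0]

def techniques(texts, pattern):
    """Set of parent techniques referenced by a list of YAML texts."""
    return {parent(t) for text in texts for t in pattern.findall(text)}

def coverage(sigma, atomic):
    """Map each technique to 'both', 'sigma_only' or 'atomic_only'
    (the purple, blue and red cells of the matrix)."""
    return {t: "both" if t in sigma and t in atomic
            else "sigma_only" if t in sigma else "atomic_only"
            for t in sorted(sigma | atomic)}

def gaps(cov):
    """Backlog candidates: techniques that need a rule, and that need a test."""
    need_rule = sorted(t for t, c in cov.items() if c == "atomic_only")
    need_test = sorted(t for t, c in cov.items() if c == "sigma_only")
    return need_rule, need_test

if __name__ == "__main__":
    cov = coverage(techniques(SIGMA_RULES, SIGMA_TECH),
                   techniques(ATOMIC_FILES, ATOMIC_TECH))
    for t, c in cov.items():
        print(t, c)
    print("needs rule:", gaps(cov)[0], "needs test:", gaps(cov)[1])
```

Pointing the two helpers at the real `sigma/rules` and `atomics` directories instead of the constructed strings produces the blue/red/purple split for the whole repositories.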

That's what we decided to focus on. A detailed backlog on Adversary Simulation could be found here.

Incident Response

There is TheHive — the most powerful free and open source Security Incident Response Platform. It has a module called Cortex — an Observable Analysis and Active Response Engine. It operates with two key entities, called Analyzers and Responders — simple Python scripts that use APIs to communicate with 3rd party systems and execute some actions:

- Analyzers provide the ability to analyze observables (e.g. IP address, domain name, file hash) via Cyber Threat Intelligence platforms (e.g. MISP), analysis systems (e.g. Cuckoo Sandbox) and lookup services (e.g. VirusTotal)

- Responders provide the ability to execute Response Actions (e.g. blocking a domain name on a DNS server or an IP address on a firewall) by carrying out these actions with Python scripts

With time, the community developed about 150 Analyzers, which provide the ability to automatically analyze most observable types using most of the existing platforms, systems, and services.

For some reason, the same didn't happen with the Responders — there are only 20 of them, and they are far from covering the most common cases with common systems.

Here is the actual coverage of the RE&CT framework by TheHive Analyzers and Responders. Analyzers belong to the Identification stage, while Responders mostly belong to the Containment, Eradication, and Recovery stages:

Figure: RE&CT coverage matrix; current coverage is green, possible coverage is yellow

That's why we've decided to focus on the TheHive Responders development this time. A detailed backlog on Incident Response could be found here.


- 287 new Sigma rules were added in total. 242 added and 305 updated by OSCD participants (Pull Request). 45 rules added by OTR Community (Pull Request);
- 23 new Atomic Red Team tests, 3 new artifacts, and 7 updated tests (Pull Request);
- 24 new TheHive responders, including Palo Alto NGFW, Duo Security, Gmail and Azure Active Directory (Pull Request).


(stars highlight individuals that also participated in a previous sprint)

🇩🇪 Thomas Patzke, @blubbfiction (Sigma Project)
🇷🇺 Teymur Kheirkhabarov, @HeirhabarovT (BI.ZONE SOC)
🇷🇺 Mikhail Larin (Jet CSIRT)
🇷🇺 Alexander Akhremchik (Jet CSIRT)
🇦🇪 Victor Sergeev, @stvetro (Help AG)
🇷🇺 Ilyas Ochkov, @CatSchrodinger (Independent Researcher)
🇵🇱 Jakob Weinzettl, @mrblacyk (Tieto SOC)
🇷🇺 Denis Beyu (Independent Researcher)
🇷🇺 Kirill Kiryanov (PT ESC)
🇷🇺 Anton Kutepov (PT ESC)
🇷🇺 Timur Zinniatullin, @zinint (Angara)
🇵🇱 Mateusz Wydra, @sn0w0tter (Relativity)
🇷🇺 Daniil Yugoslavskiy, @yugoslavskiy (Cindicator SOC)
🇷🇺 Gleb Sukhodolskiy (Independent Researcher)
🇺🇸 John Lambert, @JohnLaTwC (Microsoft)
🇷🇺 Demyan Sokolin, @_drd0c (BI.ZONE SOC)
🇫🇷 Nabil Adouani, @nadouani (TheHive/StrangeBee)
🇺🇸 Roberto Rodriguez, @Cyb3rWard0g (Open Threat Research)
🇺🇸 Jose Rodriguez, @Cyb3rPandaH (Open Threat Research)
🇺🇸 Nate Guagenti, @neu5ron (Open Threat Research)
🇺🇸 Greg Howell (Open Threat Research)
🇺🇸 Patrick St. John (Open Threat Research)
🇷🇺 Alexander Sungurov (Yandex)
🇺🇸 Sven Kutzer, @SvenKutzer (Cisco)
🇺🇸 Gyorgy Acs, @AcsGacs (Cisco)
🇦🇺 Jai Minton, @CyberRaiju (Independent Researcher)
🇷🇺 Igor Fits (Jet CSIRT)
🇹🇷 Semanur Guneysu, @semanurtg (DESTEL / SOC)
🇺🇸 Craig Young, @craigtweets (Tripwire)
🇷🇺 Tim Ismilyaev, @aestimi (Mana Security)
🇮🇳 Kiran kumar, @iamkirankmr (Independent Researcher)
🏳️ Eli Salem (Independent Researcher)
🇵🇱 Bartlomiej Czyz, @bczyz1 (Independent Researcher)
🇮🇳 Omkar Gudhate @OG0Sec (Independent Researcher)
🇺🇸 Ryan Plas, @WordPlas (Stage 2 Security)
🇺🇸 Oleg Kolesnikov (Securonix)
🇹🇷 Furkan Çalışkan, @caliskanfurkan_ (Ziraat Teknoloji)
🇷🇺 Dmitry Uchakin, @Dmitry_U4 (Kaspersky Lab)
🇨🇦 Avneet Singh, @v3t0_ (Independent Researcher)
🇷🇺 Agro, @agro_sev (Independent Researcher)
🇷🇺 Vasiliy Burov, @vasebur (Quest)
🇨🇦 Mangatas Tondang, @tas_kmanager (Independent Researcher)
🇺🇸 Jaime Flores, @remotephone (Independent Researcher)
🇹🇷 Ensar Şamil, @sblmsrsn (Independent Researcher)
🇦🇺 Zach Stanford, @svch0st (CyberCX)
🇳🇱 Sander Wiebing (NFIR B.V.)
🇦🇺 Jonathan Cheong (Independent Researcher)
🇹🇷 Ömer Günal, @ogunal00 (Independent Researcher)
🇪🇸 Alejandro Ortuno, @aomanzanera (Independent Researcher)
🇷🇺 Yuliya Fomina (PT ESC)
🇷🇺 Alexey Lednyov (PT ESC)
🇷🇺 Ivan Dyachkov (PT ESC)
🇷🇺 Konstantin Grishchenko, @Z3Jpa29z (Independent Researcher)
🇷🇺 Maxim Konakin (Independent Researcher)
🇷🇺 Nikita Nazarov, @NikitaStormwind (IZ SOC)
🇷🇺 Natalia Shornikova (IZ SOC)
🇺🇸 John Tuckner, @tuckner (Independent Researcher)
🇫🇷 Grégoire Clermont, @gregclermont (Independent Researcher)
🇺🇸 Hare Sudhan Muthusamy, @0x6cdev (Independent Researcher)
🇦🇹 David Straßegger, @Strassi7 (Independent Researcher)
🇺🇸 Daniel Weiner, @DanielWeiner93 (Independent Researcher)
🇧🇷 Jonhnathan Ribeiro, @_w0rk3r (Independent Researcher)