Creating Content using Threat Intelligence

The ContraForce Security Engineering Team creates detection rules using open-source references as well as known documented threats. Tools such as the MITRE ATT&CK framework help us better protect and map out our end users' security coverage.

MITRE ATT&CK Framework

What is the MITRE ATT&CK framework?

The MITRE ATT&CK framework is an extensive database of documented attacks and techniques performed by malicious actors. MITRE classifies each attack type and the processes used so that cybersecurity professionals can have a shared language to reference when discussing attacks.

Why use MITRE?

The MITRE ATT&CK framework is preferred over other frameworks due to its extensive detail and specificity when it comes to the various methods of attack. Not only does it cover attack vectors such as brute forcing, but it also includes the different types of brute forcing, something no other framework mentions. MITRE also extensively covers the recovery and aftermath portions of an attack. It’s neighboring framework (also developed by MITRE) D3FEND aims to map out various ways to protect an organization’s underlying infrastructure from various techniques used by threat actors. By leveraging these, ContraForce is able to quickly get an understanding of an environment’s security posture and determine where additional protection is needed.

Open-Source Intelligence

The following sources are used when creating content:

By using these sources, we ensure that the ContraForce SecEng team is up to date on the ever-changing and ever-evolving cyberthreat landscape our users face on a daily basis.

Sigma Rules

What are Sigma rules?

Sigma rules are open source developed security content that is documented and described in such a way that makes it compatible with every single piece of data source telemetry. The main goal of sigma rules is so analysts and engineers have a common way to share intelligence in an obfuscated format so that others can take the data and apply it to their given context. This eliminates any vendor-specific blocker for sharing security content with other cybersecurity professionals.

How do Sigma rules keep us up to date?

Similar to the other open-source feeds listed above, Sigma rules are frequently updated for quality and effectiveness. These rules are widely used and frequently receive updates to ensure a high quality standard. The latest threats are almost always going to be documented within these rules as well, which allows us to stay ahead of trends seen in recent attacks.

Vendor Best Practices

Oftentimes, vendors publish their own best practices and security intelligence inside of their documentation. Vendors often list queries or event types that can be used to create security analytic rules. The ContraForce SecEng team can then write analytic rules in Azure Sentinel that cover common security use cases as well as custom requests from the end-user.

For example, Okta provides a list of queries to detect potentially suspicious activity. This is useful, because it allows our content to be centralized around the vendors themselves rather than just strictly ContraForce.

MITRE Mapping with Caldera and Atomic Red Team

Caldera and Atomic Red Team are two of the best adversary emulators that allow security professionals to simulate an adversarial attack on a provided machine. This allows for attack specific logging and events to surface so that they can be captured into a rule for future protection.

When new techniques are developed, these emulators are often the only method of proper evaluation.

Customer Driven

Our customers are often the best source of data when it comes to creating content. We get requests for custom rules that can be created for specific customers, but often have use-cases that apply to all customers. Custom rules are valuable because it can improve the security posture of the customer that requested the rule as well as other customers that may be using the same data source.

We also review in detail our customer’s logging data to see if any additional content or coverage can be created or leveraged within our analytic rule capabilities. Viewing specific events and cross correlating with vendor documentation allows us to “view the bigger picture“ and in essence tell a story regarding the series of events that took place. This also bolsters our knowledge for future explanations and incident investigations.