Skip to main content

4 posts tagged with "blue team"

View All Tags

· 6 min read
Jose Luis Sánchez Martínez

TL;DR​

I have created a new script to automate the ingestion of IOCs in MISP in object format. This script also automatically consumes information from VirusTotal to enrich the IOCs in case of exist in VT. However, the most interesting thing about this script is that it is able to automatically obtain the Sigma rules and MITRE techniques of the IOCs that we want to store in MISP, and add this information as Galaxies.

The stored galaxies are at the event level and at the object level, i.e. the event will have the total number of galaxies related to Sigma rules and MITRE techniques. Each object will have only the galaxies related to its behavior.

All you need to use the script is a VT API Key and to have the Sigma and MITRE galaxies in your instance. Since 2022-11-28 the Sigma galaxy is embedded in the default version of MISP. In case you don't have it, I recommend you to read this blog and use the script I made to create the sigma rules galaxy.

· 4 min read
Jose Luis Sánchez Martínez

Version 2.0

During the last weeks, I have been working on the script to improve it and to allow in this new version that I have recently published, the possibility to add relations in the galaxy with another already existing MITRE ATT&CK. This, among other things allows to know in a quick and visual way which sigma rule is related to which technique within MISP.

Suppose you have an event in MISP that is mapped to 5 MITRE ATT&CK techniques. Now, by clicking on those techniques and expanding the relationships, you will be able to see if there is any sigma rule that can cover any behavior of the expanded technique.

· 7 min read
Jose Luis Sánchez Martínez

A threat intelligence analyst's brief

In the threat intelligence world, we are continuously analyzing threat actors and threats in general that impact different sectors. From a threat intelligence analyst's point of view, it is important to know the motivations, objectives, TTPs and the overall context of the intrusion.

The results produced by these analysts are usually well defined. Frequently, a report is generated with a series of sections, where some of them are usually conclusions, recommendations, countermeasures.... Perhaps the least fun part for a threat intelligence analyst.

Also, in many cases additional products are generated and sent along with the report, such as STIX files with the analysis information, CSV files with IOCs, YARA rules and others. Another thing that most threat intelligence teams do is to dump all the information from the report into MISP including TTPs, IOCs and context information to help categorize, filter and relate the events.

From a threat intelligence point of view, our work should stop there. However, when it comes to generating a good security strategy, it is important to be able to map the techniques and behaviors identified in each intrusion with different types of rules, whether they are network or behavior-based endpoint rules.

· 11 min read
Jose Luis Sánchez Martínez

TL;DR

Previous blogs:

This is the last entry related to TIBER-EU and TIBER-ES. So far we have seen the processes related to Threat Intelligence and Red Team. Now it is the turn to learn about the Blue Team process, which, unlike the last two, is the Entity Blue Team itself. This team can be outsourced or belong to Entity itself, and its objective is to detect and defend the Entity business in case of an attack.

During the implementation of TIBER-EU, the Blue Team is not aware that any penetration test will be performed, so they must be able to detect the attacks performed by the Red Team provider. Subsequently, they must generate reports relating the Red Team's attacks to the Blue Team's findings.

As I did in the previous case, I have developed some cases in the The Hive tool so that blue team teams can import them quickly and know the different actions that they have to carry out, thus allowing the use of the Task logs to document and attach everything that they carry out on the test.

The developed cases contemplate all the phases that TIBER-EU mentions in its documentation, in addition I have also included good practices and ways of facing some phases.

The fact of using The Hive is due to the following reasons:

  • Allows to merge cases
  • Can be integrated with MISP
  • Can be integrated with Cortex and its analyzers
  • Case templates can be created

GitHub project: https://github.com/jstnk9/TIBER-Cases