Incident Response is the action that you take to restore the ability to deliver organization business service. It is also known as IT incident, computer incident, or security incident. The main objective of the Incident Response is to handle the situation in a way that restricts damage and reduces recovery time and costs. An organization uses the incident response to respond and manage the cyber-attacks.

Incident Response

Source: researchgate.net

INCIDENT RESPONSE CHALLENGES:

  1. Incident Detection is more difficult:
    Incident Response occurs in many different ways, which makes their identification more difficult. Like an un-authorized access to the resources of sensitive data, discrepancies in outgoing network traffic, configuration alterations and many other incidents go unnoticed.
  2. Threats are more complex and difficult to understand and analyze
    Incident response requires a vast range of skills, which include static and dynamic malware analysis, reverse engineering skills and forensic knowledge. In current situation, organizations are facing problem in finding the right experienced analyst, who can perform these complex operations.
  3. Alerts & incident volumes continue to increase steadily every year.
    On an average, every organization receives nearly 17000 alerts in a week, but most of the companies do not spend much time investigating these alerts. Many organizations also face challenges to optimize and prioritize the alerts.

The security teams detect these threats in real-time, manages incident response and performs forensic investigation at various points on the network.

SIEM solutions like ArcSight and Splunk enable analysts to gain a wide understanding of threats in their environment. This enables them to optimize the triage and remediation. Also speeds up the detection thus reducing the incident response time.

SIGMA is an open standard platform which defines the detections. It enables the re-use and sharing of analytics across various organizations.

SIGMA:

Sigma is a generic and open signature format that allows you to describe relevant log events in a straightforward manner for SIEM system. This format is very flexible, easy to write and applicable to any type of log file.

Source: owasp.org

Why SIGMA:

  • Sigma supports several SIEM tools like Elasticsearch, IBM QRadar and Splunk. It is intended to handle log files similar to Snort which is for network traffic and YARA for files.
  • It enables analytics to re-use and share across the organizations.
  • High level generic language for analytics
  • The most reliable method such as solving logging signature problem
  • Plain text YAML files
  • Easy Schema

Supported Formats:

  • Splunk
  • QRadar
  • ArcSight
  • Elasticsearch (Elastalert, Query strings, DSL, Watcher, & Kibana)
  • Logpoint

Rule Format:

These rules specify detection signatures, which describes the searches on log data in generic form. Each rule specifies a set of conditions that are required to satisfy the detection condition.

Rule Format

Components:

The following section explains the component attributes.

  • Title (Attribute: title): A title describes the detection rules.
  • Rule Identification (Attributes: id, related): Globally defined sigma rules that are based on a unique identifier in the id attribute.
  • Description (optional) (Attribute: description): This section, describes about the rule and malicious activity.
  • References (optional) (Attribute: reference): Provides a source of information in order to derive the rule.
  • Author (optional) (Attribute: author): The author of the rule.
  • Log Source (Attribute: logsource): This section describes the log source definition from the sigma rule.

It further contains 3 types of attributes that are discussed in the below section.

  • Product: Describes the product to match all the rules.
  • Service: It should be restricted to events where the field names are set to the product logs.
  • Category: This attribute allows you to select all log files that belongs to group of products.
  • Detection (Attribute: detection): In this section, the search values in specific fields of log data are listed in selections.
  • Condition (Attribute: condition): These selections are linked in a condition.
  • Level (Attribute: level): It describes the severity of matches, may be used for filtering the rules.

Generating SIGMA rule for CVE-2009-3898

Vulnerability Analysis:

Nginx is vulnerable to “Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal”). Nginx is a web server that can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache. Nginx before 0.7.63 and 0.8.x before 0.8.17, allows directory traversal and does not properly validate the directory traversal characters (../), an attacker can use these characters to move or copy files to different destination. Nginx enables WebDAV component that has permission to use the COPY and MOVE methods. This attack requires WebDAV “upload” permission.

We have downloaded the required version from here.

Now let’s get back to the detection through log analysis and below is the access log from the vulnerable version of 0.7.16.


127.0.0.1 - - [20/May/2020:10:03:54 +0530] "COPY /index.html HTTP/1.1" 204 0 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0" 

127.0.0.1 - - [20/May/2020:11:59:16 +0530] "MOVE /index.html HTTP/1.1" 204 0 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0"

And the error log from the fixed version of 0.7.17


2020/05/20 13:51:31 [error] 18762#0: *5 client sent invalid "Destination" header:
"http://localhost/../var/www/abc.html", client: 127.0.0.1, server: localhost, request: "COPY /index.html HTTP/1.1", host: "localhost"

2020/05/20 13:52:59 [error] 18762#0: *6 client sent invalid "Destination" header: "http://localhost/../var/www/abc.html", client: 127.0.0.1, server: localhost, request: "MOVE /index.html HTTP/1.1", host: "localhost"

From the above fixed and vulnerable logs, we can conclude the detection patterns as follows.

  • In this vulnerable section, the request does contain “COPY” or “MOVE” methods with 204 response code.
  • In this fixed section, the error log contains following message. ‘client sent invalid “Destination” header’

This is the key phase where the analysts can find difficulty to define the customized rules for any SIEM tools. Each SIEM products contain different signatures, so a generic signature needs to be written as a common rule for any SIEM tool. In such cases, we can use Sigma to define the rules for both fixed and vulnerable detection as a single pattern.

We have written the Sigma rules based on our above detection. Here, in our research, we will use the Sigma format to describe the detection in the YAML file.

Sigma Rule for CVE-2009-3898

 
title: CVE-2009-3898 Exploitation Attempt
id: cf98b0cf-0b0c-4af6-bd28-6cefabd58cf8
status: experimental
description: Detects the exploit attempt for Path Traversal Vulnerability
references:
  - https://www.exploit-db.com/exploits/9829
author: Loginsoft Research unit
date: 2020/05/27
logsource:
  product: nginx
  category: webserver
detection:
  selection:
    sc-status: 204
    cs-method: 
      - 'COPY'
      - 'MOVE'
    c-uri: '*index.html'
  keywords:
    - 'client sent invalid "Destination" header'
  condition: selection or keywords
falsepositives:
  - Unknown
level: medium

After writing the Sigma rule, we can use either uncoder or Sigmac to convert from the sigma rule to any other SIEM tool format.

  • uncoder is an open-source tool for SIEM search query language conversion.
  • Sigmac is a python command-line tool that performs the conversion from sigma rule to the target SIEM format.

In this section, we have used the uncoder tool and converted the rule from Sigma to Splunk query as below.

Splunk Query for CVE-2009-3898

 
((sourcetype="nginx:plus:access" uri_path="*index.html" status="204" (http_method="COPY" OR http_method="MOVE")) OR (sourcetype="nginx:plus:error" "client sent invalid \"Destination\" header")) 

Upon executing the above query, we will get the following the results.

Splunk Query

Challenges in Rule Conversion

  • Usage of different field names
    Field name mapping from sigma rule to SIEM specific names.
  • Rules refer to subsets of values which are environment-specific
    Use place holders

How is SIGMA useful in Incident Response?

Currently, there is a lack of a standardized description format to define the log format because there are several heterogeneous environments. SIGMA renders the rules into the queries that can be transformed into the equivalent rule for Splunk, ArcSight and many others.

The rule format is very flexible, easy to write and applicable to any type of log file. The main objective of SIGMA is to provide a free structured form in which developers or analysts can describe their detection methods and make it sharable.