Incident response is the set of actions taken to restore an organization's ability to deliver its business services after an IT incident, computer incident or security incident. Its main objective is to handle the situation in a way that limits damage and reduces recovery time and cost. Organizations use incident response to respond to and manage cyber-attacks.
INCIDENT RESPONSE CHALLENGES:
Security teams must detect threats in real time, manage incident response and perform forensic investigation at various points on the network.
SIEM solutions such as ArcSight and Splunk give analysts a broad view of the threats in their environment, which lets them optimize triage and remediation and speeds up detection, thereby reducing incident response time.
Sigma is an open standard for defining detections; it enables analytics to be re-used and shared across organizations.
SIGMA:
Sigma is a generic and open signature format that lets you describe relevant log events in a straightforward manner for SIEM systems. The format is very flexible, easy to write and applicable to any type of log file.
Why SIGMA:
Supported Formats:
Rule Format:
These rules specify detection signatures, which describe searches over log data in a generic form. Each rule specifies a set of conditions that must all be satisfied for the detection to match.
Components:
The following section explains the component attributes. It further contains three types of attributes, which are discussed in the section below.
Vulnerability Analysis:
Nginx is vulnerable to "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')". Nginx is a web server that can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache. Nginx before 0.7.63 and 0.8.x before 0.8.17 does not properly validate directory traversal characters (../), so an attacker can use them to move or copy files to a different destination. The flaw lies in the WebDAV component, which permits the COPY and MOVE methods; exploiting it requires WebDAV "upload" permission.
We have downloaded the required version from here.
Now let's get back to detection through log analysis. Below is the access log from the vulnerable version, 0.7.16.
And here is the error log from the fixed version, 0.7.17.
From the fixed and vulnerable logs above, we can derive the following detection patterns.
This is the key phase, where analysts can find it difficult to define customized rules for a given SIEM tool. Each SIEM product uses its own signature syntax, so a generic signature must be written as a common rule that works for any SIEM tool. In such cases, we can use Sigma to define the rules for both the fixed and the vulnerable detection as a single pattern.
We have written Sigma rules based on the detection above. Here, in our research, we use the Sigma format to describe the detection in a YAML file.
Sigma Rule for CVE-2009-3898
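As an added illustration (not the post's own rule, which was shown as an image), here is a Sigma rule for WebDAV COPY/MOVE traversal attempts of the kind described above, together with a small Python reference implementation of its detection condition run over constructed nginx access log lines. The Sigma field names (`cs-method`, `c-uri`) are assumed from Sigma's generic webserver log source, the rule `id` is a placeholder, and the sample log lines are constructed, not the post's.

```python
import re
from urllib.parse import unquote

# Sigma rule; field names assumed from the generic webserver log source, id is a placeholder.
SIGMA_RULE_YAML = """\
title: Nginx WebDAV COPY/MOVE Path Traversal Attempt (CVE-2009-3898)
id: 00000000-0000-0000-0000-000000000000
status: experimental
description: WebDAV COPY or MOVE request carrying a directory traversal sequence
logsource:
  category: webserver
  product: nginx
detection:
  dav_method:
    cs-method: ['COPY', 'MOVE']
  traversal:
    c-uri|contains: ['../', '..%2f', '%2e%2e/', '%2e%2e%2f']
  condition: dav_method and traversal
falsepositives:
  - WebDAV clients that legitimately use relative paths
level: high
"""
# nginx "combined" access log format; it does not record the Destination
# header, so the traversal must be visible in the logged request line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) ')
DAV_METHODS = {"COPY", "MOVE"}

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def has_traversal(uri):
    # decode twice so double-encoded sequences (%252e%252e) are caught too
    decoded = unquote(unquote(uri))
    return "../" in decoded or "..\\" in decoded

def detect(lines):
    # Same logic as the rule's condition: DAV method AND traversal in the URI.
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev and ev["method"] in DAV_METHODS and has_traversal(ev["uri"]):
            hits.append(ev)
    return hits

# Constructed sample lines, not the post's own logs.
SAMPLE_LOG = [
    '10.0.0.5 - dav [12/Nov/2009:10:00:01 +0000] "PUT /dav/note.txt HTTP/1.1" 201 0 "-" "cadaver/0.23"',
    '10.0.0.5 - dav [12/Nov/2009:10:00:02 +0000] "MOVE /dav/note.txt HTTP/1.1" 201 0 "-" "cadaver/0.23"',
    '10.0.0.9 - dav [12/Nov/2009:10:00:03 +0000] "COPY /dav/../../etc/passwd HTTP/1.1" 201 0 "-" "curl/7.19"',
    '10.0.0.9 - dav [12/Nov/2009:10:00:04 +0000] "MOVE /dav/%2e%2e/%2e%2e/tmp/x HTTP/1.1" 403 0 "-" "curl/7.19"',
]
```

Running `detect(SAMPLE_LOG)` flags only the two 10.0.0.9 requests; the plain PUT and MOVE from 10.0.0.5 pass, which is the behaviour the rule's `condition` encodes.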
After writing the Sigma rule, we can use either Uncoder or sigmac to convert it from Sigma into any other SIEM tool's query format.
In this section, we have used the Uncoder tool to convert the rule from Sigma to a Splunk query, shown below.
Splunk Query for CVE-2009-3898
Upon executing the above query, we get the following results.
Challenges in Rule Conversion
How is SIGMA useful in Incident Response?
Currently there is no standardized description format for defining detections on logs, because environments are highly heterogeneous. Sigma renders rules into queries that can be transformed into the equivalent rule for Splunk, ArcSight and many other tools.
The rule format is very flexible, easy to write and applicable to any type of log file. The main objective of Sigma is to provide a free, structured form in which developers or analysts can describe their detection methods and make them shareable.
For over 15 years, leading companies in Telecom, Cybersecurity, Healthcare, Finance, New Media and more have come to rely on Loginsoft as a trusted resource for technology talent. Whether Onsite, Offsite, or Offshore, we deliver.
Loginsoft is a leading expert in Integrations with Threat Intelligence Platforms, integrated more than 200+ integrations with Security TIP, SIEM, SOAR and Ticketing Platforms such as Cortex XSOAR, Anomali, ThreatQ, Splunk, IBM QRadar, IBM Resilient, Microsoft Azure Sentinel, ServiceNow, Swimlane, Siemplify, MISP, Maltego, Cryptocurrency APIs with Digital Exchange Platforms and so on.
Interested to build an integration? Let’s start a conversation.