Incident Response is the action that you take to restore the ability to deliver organization business service. It is also known as IT incident, computer incident, or security incident. The main objective of the Incident Response is to handle the situation in a way that restricts damage and reduces recovery time and costs. An organization uses the incident response to respond and manage the cyber-attacks.
The security teams detect these threats in real-time, manages incident response and performs forensic investigation at various points on the network.
SIEM solutions like ArcSight and Splunk enable analysts to gain a wide understanding of threats in their environment. This enables them to optimize the triage and remediation. Also speeds up the detection thus reducing the incident response time.
SIGMA is an open standard platform which defines the detections. It enables the re-use and sharing of analytics across various organizations.
Sigma is a generic and open signature format that allows you to describe relevant log events in a straightforward manner for SIEM system. This format is very flexible, easy to write and applicable to any type of log file.
- Sigma supports several SIEM tools like Elasticsearch, IBM QRadar and Splunk. It is intended to handle log files similar to Snort which is for network traffic and YARA for files.
- It enables analytics to re-use and share across the organizations.
- High level generic language for analytics
- The most reliable method such as solving logging signature problem
- Plain text YAML files
- Easy Schema
- Elasticsearch (Elastalert, Query strings, DSL, Watcher, & Kibana)
These rules specify detection signatures, which describes the searches on log data in generic form. Each rule specifies a set of conditions that are required to satisfy the detection condition.
The following section explains the component attributes.
- Title (Attribute: title): A title describes the detection rules.
- Rule Identification (Attributes: id, related): Globally defined sigma rules that are based on a unique identifier in the id attribute.
- Description (optional) (Attribute: description): This section, describes about the rule and malicious activity.
- References (optional) (Attribute: reference): Provides a source of information in order to derive the rule.
- Author (optional) (Attribute: author): The author of the rule.
- Log Source (Attribute: logsource): This section describes the log source definition from the sigma rule.
It further contains 3 types of attributes that are discussed in the below section.
- Product: Describes the product to match all the rules.
- Service: It should be restricted to events where the field names are set to the product logs.
- Category: This attribute allows you to select all log files that belongs to group of products.
- Detection (Attribute: detection): In this section, the search values in specific fields of log data are listed in selections.
- Condition (Attribute: condition): These selections are linked in a condition.
- Level (Attribute: level): It describes the severity of matches, may be used for filtering the rules.
Generating SIGMA rule for CVE-2009-3898
Nginx is vulnerable to “Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal”). Nginx is a web server that can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache. Nginx before 0.7.63 and 0.8.x before 0.8.17, allows directory traversal and does not properly validate the directory traversal characters (../), an attacker can use these characters to move or copy files to different destination. Nginx enables WebDAV component that has permission to use the COPY and MOVE methods. This attack requires WebDAV “upload” permission.
We have downloaded the required version from here.
Now let’s get back to the detection through log analysis and below is the access log from the vulnerable version of 0.7.16.
127.0.0.1 - - [20/May/2020:10:03:54 +0530] "COPY /index.html HTTP/1.1" 204 0 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0"
127.0.0.1 - - [20/May/2020:11:59:16 +0530] "MOVE /index.html HTTP/1.1" 204 0 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0"
And the error log from the fixed version of 0.7.17
2020/05/20 13:51:31 [error] 18762#0: *5 client sent invalid "Destination" header:
"http://localhost/../var/www/abc.html", client: 127.0.0.1, server: localhost, request: "COPY /index.html HTTP/1.1", host: "localhost"
2020/05/20 13:52:59 [error] 18762#0: *6 client sent invalid "Destination" header: "http://localhost/../var/www/abc.html", client: 127.0.0.1, server: localhost, request: "MOVE /index.html HTTP/1.1", host: "localhost"
From the above fixed and vulnerable logs, we can conclude the detection patterns as follows.
- In this vulnerable section, the request does contain “COPY” or “MOVE” methods with 204 response code.
- In this fixed section, the error log contains following message. ‘client sent invalid “Destination” header’
This is the key phase where the analysts can find difficulty to define the customized rules for any SIEM tools. Each SIEM products contain different signatures, so a generic signature needs to be written as a common rule for any SIEM tool. In such cases, we can use Sigma to define the rules for both fixed and vulnerable detection as a single pattern.
We have written the Sigma rules based on our above detection. Here, in our research, we will use the Sigma format to describe the detection in the YAML file.
Sigma Rule for CVE-2009-3898
title: Nginx 0.7.61 - WebDAV Directory Traversal status: experimental description: Detects a Path Traversal vulnerability in Nginx server because improper limitation of webdav component has to be enabled and the user has to have permission to use the COPY or MOVE methods. references: - https://www.exploit-db.com/exploits/9829 author: Loginsoft Research Unit date: 2020/05/27 tags: - attack.WebDAV Directory Traversal logsource: product: webserver vendor: Nginx Plus detection: selection: sourcetype : nginx:plus:access uri_path: "*index.html" status: 204 http_method: - 'COPY' - 'MOVE' fixdetection: sourcetype : nginx:plus:error fixdetection1: - client sent invalid "Destination" header condition: selection or fixdetection and fixdetection1 falsepositives: - Unknown level: medium
- uncoder is an open-source tool for SIEM search query language conversion.
- Sigmac is a python command-line tool that performs the conversion from sigma rule to the target SIEM format.
In this section, we have used the uncoder tool and converted the rule from Sigma to Splunk query as below.
Splunk Query for CVE-2009-3898
((sourcetype="nginx:plus:access" uri_path="*index.html" status="204" (http_method="COPY" OR http_method="MOVE")) OR (sourcetype="nginx:plus:error" "client sent invalid \"Destination\" header"))
Upon executing the above query, we will get the following the results.
Challenges in Rule Conversion
- Usage of different field names
Field name mapping from sigma rule to SIEM specific names.
- Rules refer to subsets of values which are environment-specific
Use place holders
How is SIGMA useful in Incident Response?
Currently, there is a lack of a standardized description format to define the log format because there are several heterogeneous environments. SIGMA renders the rules into the queries that can be transformed into the equivalent rule for Splunk, ArcSight and many others.
The rule format is very flexible, easy to write and applicable to any type of log file. The main objective of SIGMA is to provide a free structured form in which developers or analysts can describe their detection methods and make it sharable.