How Fusing Sigma & MITRE ATT&CK® Empowers Collective Cyber Defense to Gain a Competitive Advantage in the Global Cyber War
This article is based on the original interview conducted by AIN.UA and covered in the corresponding article.
In this second part of the interview with SOC Prime’s Founder, CEO, and Chairman, Andrii Bezverkhyi, we provide insights into how Sigma, in combination with MITRE ATT&CK, shapes the future of cyber defense. To learn more about SOC Prime’s business continuity strategy, read the first interview of this dedicated article series, with SOC Prime’s CISO.
What Is Sigma and MITRE ATT&CK — “Periodic Table” of Cyber Threats
Sigma, one common language for all cybersecurity experts worldwide, was created in 2016. Back then, Florian Roth and Thomas Patzke made the very first commit to the SigmaHQ GitHub repository. So how does this language work?
Traditionally, antivirus products work with signature databases (lists of indicators) covering known threats. The signature databases of proprietary antivirus products and their successors, EDR solutions, are typically closed, so a regular user sees only the result of their application. With Sigma, by contrast, anyone with the knowledge can write such signatures for any existing or emerging threat and add them to an open database accessible to everyone.
Sigma can express a behavioural signature for any security technology, from the local Windows Event Log or Sysmon events to AWS telemetry or Docker containers, which enables Detection Engineers to identify the exact issue and where it occurred. Leveraging Sigma, a company administrator can identify phishing via an email URL, attempts to exploit a zero-day vulnerability discovered in the organisation’s web application, or potential multi-factor authentication (MFA) attacks affecting the corporate Slack workspace.
SOC Prime experts are among the trailblazers in using Sigma rules for effective threat detection and proactive cyber defence. The company also pioneered tagging Sigma rules with the MITRE ATT&CK framework, a globally accessible knowledge base of adversary TTPs used by cyber defenders regardless of their role in cybersecurity and the technology stack in use. The framework was created by MITRE and, just like Sigma, it is an open-source project maintained and developed by the global community of experts.
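To make the two preceding paragraphs concrete, here is an added example (not code from SOC Prime, SigmaHQ, or the interview) of what a Sigma-style behavioural signature looks like and how a detection engine evaluates it. The rule is hypothetical and is laid out as a Python dict mirroring the Sigma YAML structure so the example runs without a YAML library; the field names (`Image`, `CommandLine`, `ParentImage`) follow Sysmon Event ID 1, and the sample events are constructed. It covers the field modifiers `contains`, `startswith` and `endswith` plus `and`/`or`/`not` conditions, not the `1 of` / `all of` aggregators of the full specification, and it shows how the `attack.*` tags let a match be reported directly as ATT&CK techniques.

```python
# Added example, not SigmaHQ code: a minimal evaluator for a Sigma-style rule.
from typing import Any, Dict, List, Optional

# Constructed rule laid out like Sigma YAML but as a dict (no YAML library needed).
# Fields follow Sysmon Event ID 1 (process creation); the rule itself is hypothetical.
RULE: Dict[str, Any] = {
    "title": "Encoded PowerShell Command Line",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": ["-enc ", "-encodedcommand "],  # a list means OR
        },
        "filter_admin_tool": {"ParentImage|endswith": "\\approved_admin_tool.exe"},
        "condition": "selection and not filter_admin_tool",
    },
    "tags": ["attack.execution", "attack.t1059.001", "attack.defense_evasion", "attack.t1027"],
}

PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
EVENTS: List[Dict[str, Any]] = [  # constructed sample events, not real telemetry
    {"Image": PS, "CommandLine": "powershell.exe -NoP -W Hidden -Enc SQBFAFgAIAAoAE4A",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},  # should alert
    {"Image": PS, "CommandLine": "powershell.exe -EncodedCommand SQBFAFgAIAAoAE4A",
     "ParentImage": "C:\\Tools\\approved_admin_tool.exe"},  # suppressed by the filter
    {"Image": PS, "CommandLine": "powershell.exe Get-Process",
     "ParentImage": "C:\\Windows\\explorer.exe"},  # benign command line
    {"Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe -enc x",
     "ParentImage": "C:\\Windows\\explorer.exe"},  # wrong image, selection fails
]

def _match_value(actual: str, pattern: str, modifier: str) -> bool:
    """Sigma string matching is case-insensitive; the modifier picks the comparison."""
    a, p = actual.lower(), pattern.lower()
    if modifier == "contains":
        return p in a
    if modifier == "startswith":
        return a.startswith(p)
    if modifier == "endswith":
        return a.endswith(p)
    return a == p  # no modifier: exact match

def match_selection(event: Dict[str, Any], selection: Dict[str, Any]) -> bool:
    """Every field in a selection must match (AND); a list of values is an OR."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        values = patterns if isinstance(patterns, list) else [patterns]
        if not any(_match_value(str(event[field]), str(p), modifier) for p in values):
            return False
    return True

def evaluate_condition(condition: str, results: Dict[str, bool]) -> bool:
    """Evaluate 'and' / 'or' / 'not' / parentheses over named selection results.
    Every token is whitelisted first, so eval only ever sees boolean names and
    operators from the rule itself, never arbitrary input."""
    tokens = condition.replace("(", " ( ").replace(")", " ) ").split()
    for tok in tokens:
        if tok not in ("and", "or", "not", "(", ")") and tok not in results:
            raise ValueError(f"unknown token in condition: {tok!r}")
    return bool(eval(" ".join(tokens), {"__builtins__": {}}, dict(results)))

def attack_techniques(tags: List[str]) -> List[str]:
    """Pull ATT&CK technique IDs (T1059.001, T1027, ...) out of the Sigma tags."""
    return [t.split(".", 1)[1].upper() for t in tags
            if t.startswith("attack.t") and t[8:9].isdigit()]

def apply_rule(rule: Dict[str, Any], event: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Return an alert with the rule's ATT&CK context, or None if the event does not match."""
    detection = rule["detection"]
    results = {name: match_selection(event, sel)
               for name, sel in detection.items() if name != "condition"}
    if not evaluate_condition(detection["condition"], results):
        return None
    return {"title": rule["title"], "tags": rule["tags"],
            "techniques": attack_techniques(rule["tags"])}

def find_matches(rule: Dict[str, Any], events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Run one rule over a batch of events, keeping the index of each hit."""
    hits = []
    for i, event in enumerate(events):
        alert = apply_rule(rule, event)
        if alert:
            hits.append({"event_index": i, **alert})
    return hits

if __name__ == "__main__":
    for hit in find_matches(RULE, EVENTS):
        print(f"event {hit['event_index']}: {hit['title']} -> {hit['techniques']}")
```

Only the first constructed event produces an alert: the second is excluded by the `filter_admin_tool` selection, the third has a benign command line, and the fourth is not PowerShell at all. Because the rule is written against log fields rather than a vendor query language, the same logic can be translated to whichever SIEM or EDR backend is in use, and the `attack.*` tags travel with it, which is the point of fusing Sigma with ATT&CK.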
Sigma rules are widely recommended as an effective way to identify threats and proactively detect cyber attacks by such organisations as the Federal Bureau of Investigation (FBI), National Security Agency (NSA), Australian Cyber Security Centre (ACSC), and Canadian Centre for Cyber Security (CCCS). The Cybersecurity and Infrastructure Security Agency (CISA) refers to ATT&CK as a “globally accessible knowledge base of adversary tactics and techniques based on real-world observations.”
Before MITRE ATT&CK, the maturity level in cybersecurity was the same as in physics and chemistry before the invention of the periodic table. It is a categorised knowledge base of all cyber attacks emerging globally. Thus, Sigma acts as a language, and the ATT&CK framework as a methodology to combat cyber threats of any scale.
Andrii Bezverkhyi, Founder, CEO, and Chairman at SOC Prime
So how does it work in practice? In the case of the infamous NotPetya attack, Sigma rules for threat detection were crafted by one of the Sigma inventors, Florian Roth, and the cybersecurity expert, Tom Ueltschi. At the same time, the SOC Prime Team was leveraging these Sigma rules to help the victims of the NotPetya attack on the spot by fusing Sigma with ATT&CK and Lockheed Martin Cyber Kill Chain (LMCKC) technologies. It was the world’s first-ever use of Sigma algorithms in combination with ATT&CK to identify and attribute the real threat.
During the Sandworm attack on the Ukrainian power facilities in April 2022, SOC Prime Team identified 9 out of 13 methods leveraged by threat actors using the same technologies. Notably, Sigma rules for this attack were developed two years earlier, in 2020.
SOC Prime is one of the recognised experts in leveraging Sigma & MITRE ATT&CK to detect threats more easily, faster, and more efficiently than ever before. In May 2022, SOC Prime’s CEO presented at the Ninth EU MITRE ATT&CK Community Workshop in Brussels. In his presentation, Andrii Bezverkhyi talked about the use of Sigma and ATT&CK to withstand the russian aggression on the cyber frontline, applying the framework as one of the key pillars of collective cyber defence and describing its essential role in combating global cyber threats. Today, these technologies are also serving the Ukrainian nation.
How the Combination of Sigma and MITRE ATT&CK Helps Ukraine Fight the Enemy
After the outbreak of the full-scale war, Andrii Bezverkhyi turned to the SSSCIP with an offer to apply Sigma in conjunction with ATT&CK as a technology already tested on the real battlefield.
We have the world’s largest repository of signatures to detect adversary attacks, and we are ready to provide these signatures to organisations in Ukraine. Additionally, we help with installation and settings, educate employees, and 99% of this we do for free. That’s how we started to work with SSSCIP and CERT-UA teams.
Andrii Bezverkhyi, Founder, CEO, and Chairman at SOC Prime
SOC Prime provides the State Cyber Protection Centre and CERT-UA teams with free access to its cyber defence technologies and on-demand professional training. If representatives of Ukraine’s critical infrastructure (power companies, transportation companies, postal or communication service providers, etc.) turn to SOC Prime at the recommendation of SSSCIP, the Team supplies them with the basic technologies to defend themselves against the enemy.
SSSCIP doesn’t match the typical image of a bureaucratic governmental institution. Workflow and communications are purely democratic: the Service advises, doesn’t push, and its team leads, not forces. And that is probably our major difference from russians. Except for leveraging innovative technology, we act as consultants. That is important since, unfortunately, there is a major lack of cybersecurity professionals at local administrations or clinics.
Andrii Bezverkhyi, Founder, CEO, and Chairman at SOC Prime
Moreover, SSSCIP acts as the regulator in the area of data protection and communications, as defined by law. The Service also assists Ukrainian businesses, since all assets throughout the country should be under protection. That is a major prerequisite for the cyber resilience of the state.
The idea that the enemy applies cutting-edge technologies in cyberspace is fiction. The aggressor is using what the world has been leveraging for years. If all public and private organizations used Sigma and ATT&CK, automatically blocked the most common lateral movement methods, and shared the details of the adversary’s infrastructure, any cyber attack would be detected in seconds. However, this is only a vision of an ideal future, possible in three to five years.
To fulfill this vision of the future, the cybersecurity community should train and support the next generation of cyber practitioners skilled in new technologies. Among the ways to reach this ambitious goal is SOC Prime’s Threat Bounty Program.
The initial step in combating a cyber threat is identifying it; without identification, no cyber defense operation can be efficient. For more than 30 years, the industry has been offering monetary rewards (bounties) to specialists who report security vulnerabilities discovered in networks, websites, and services. Now it is high time for programs that reward those who can identify and describe an attack’s logic; it is merely the other side of the same coin. To defend effectively against cyber threats, the number of people describing the defense should be no smaller than the number describing the offence.
The Threat Bounty community now connects over 620 members, and this number is constantly growing. Since the launch of the Program, the total amount of rewards paid has already reached $377,000. In certain cases, the monthly bounties to a single member have amounted to $2,700, which is comparable to a full-time salary. Before SOC Prime raised its Series A funding, the bounty was paid from the company’s income, but soon the investor supported the initiative. SOC Prime is also discussing with Google and Microsoft the opportunity for them to join as sponsors.
To empower collective cyber defence, the industry requires more experts skilled in innovative cybersecurity technologies and capable of identifying and classifying any threat in seconds. The demand for such experts in Ukraine is high, as the country is on the frontline of the war, defending itself in all domains, from land to cyberspace.
Even if Mordor self-destructed tomorrow, the cyber war would still go on. Therefore, Ukraine should be capable of defending itself. And that’s the reason why we need to train people who will be involved in cyber defence to ensure a safer future.
Andrii Bezverkhyi, Founder, CEO, and Chairman at SOC Prime
The post Driving Business Growth in Turbulent Times from the Perspective of SOC Prime’s CEO: Part II appeared first on SOC Prime.