The Sigma Project Through The Lens of MITRE Shield

ivan ninichuck
Aug 27, 2020


Official Logo of the Sigma Project

The Sigma Project provides a generic way to describe detections for adversary behaviour and, more importantly, makes it easy to deploy those rules across multiple platforms. The project was created and is maintained by Florian Roth and Thomas Patzke. The real power of Sigma is its set of backends, which translate simple, straightforward detection logic into the schemas and query languages of the platforms an organization actually uses. This means that two colleagues can work at very different organizations, with very different software, and still contribute data and intelligence that improve each other's detections.
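To make the rule-plus-backend idea concrete, here is an added example (not code from the Sigma project, and not its real converters such as sigmac or pySigma): one constructed Sigma-style rule, held as a Python dict rather than YAML so it runs without extra packages, rendered by two toy backends into a Splunk search and an Elasticsearch/Lucene query string, and also evaluated directly against constructed events to show the same logic works independently of any platform. The field names (Image, CommandLine, ParentImage), the rule itself, the filter value `known_admin_tool.exe` and the sample events are all assumptions made for this example; only the `contains`/`startswith`/`endswith` modifiers and simple `a and not b` conditions are supported.

```python
import re

# Constructed Sigma-style rule (in-memory form of what would normally be YAML).
SIGMA_RULE = {
    "title": "Encoded PowerShell Command Line (constructed example)",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": ["-enc", "-EncodedCommand"],
        },
        # Placeholder exclusion for a known, approved parent process (assumption).
        "filter": {"ParentImage|endswith": "\\known_admin_tool.exe"},
        "condition": "selection and not filter",
    },
    "level": "medium",
}

# Characters Lucene's query-string syntax treats as special; escaped before we add wildcards.
_LUCENE_SPECIAL = re.compile(r'([+\-=&|><!(){}\[\]^"~*?:\\/])')


def _split_field(key):
    """'CommandLine|contains' -> ('CommandLine', 'contains'); no modifier -> ''."""
    name, _, modifier = key.partition("|")
    return name, modifier


def _wildcard(value, modifier):
    """Map a Sigma modifier onto the '*' wildcard both toy backends understand."""
    if modifier == "contains":
        return f"*{value}*"
    if modifier == "startswith":
        return f"{value}*"
    if modifier == "endswith":
        return f"*{value}"
    if modifier == "":
        return value
    raise ValueError(f"unsupported modifier: {modifier}")


def splunk_term(field, value, modifier):
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'{field}="{_wildcard(escaped, modifier)}"'


def lucene_term(field, value, modifier):
    escaped = _LUCENE_SPECIAL.sub(r"\\\1", value)
    return f"{field}:{_wildcard(escaped, modifier)}"


def _render_selection(selection, term_fn):
    """Fields within one selection are ANDed; a list of values for a field is ORed."""
    clauses = []
    for key, values in selection.items():
        field, modifier = _split_field(key)
        vals = values if isinstance(values, list) else [values]
        terms = [term_fn(field, str(v), modifier) for v in vals]
        clauses.append(terms[0] if len(terms) == 1 else "(" + " OR ".join(terms) + ")")
    return " AND ".join(clauses)


def convert(rule, term_fn):
    """Render the rule for one backend: selections become query fragments, the condition wires them up."""
    detection = rule["detection"]
    rendered = {n: _render_selection(s, term_fn) for n, s in detection.items() if n != "condition"}
    out = []
    for token in detection["condition"].split():
        if token.lower() in ("and", "or", "not"):
            out.append(token.upper())
        elif token in rendered:
            out.append(f"({rendered[token]})")
        else:
            raise ValueError(f"unsupported condition token: {token}")
    return " ".join(out)


def to_splunk(rule):
    return convert(rule, splunk_term)


def to_lucene(rule):
    return convert(rule, lucene_term)


def _value_matches(actual, value, modifier):
    if modifier == "contains":
        return value in actual
    if modifier == "startswith":
        return actual.startswith(value)
    if modifier == "endswith":
        return actual.endswith(value)
    return actual == value


def _selection_matches(selection, event):
    for key, values in selection.items():
        field, modifier = _split_field(key)
        vals = values if isinstance(values, list) else [values]
        if not any(_value_matches(str(event.get(field, "")), str(v), modifier) for v in vals):
            return False
    return True


def matches(rule, event):
    """Evaluate the rule locally (left-to-right and/or/not, no parentheses) against one event dict."""
    detection = rule["detection"]
    results = {n: _selection_matches(s, event) for n, s in detection.items() if n != "condition"}
    value, op, negate = None, None, False
    for token in detection["condition"].split():
        low = token.lower()
        if low in ("and", "or"):
            op = low
        elif low == "not":
            negate = True
        else:
            current = results[token] != negate  # apply a pending NOT
            negate = False
            value = current if value is None else (value and current if op == "and" else value or current)
    return bool(value)


# Constructed process-creation events, not real telemetry.
EVENTS = [
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -enc <base64 placeholder>", "ParentImage": "C:\\Windows\\explorer.exe"},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -enc <base64 placeholder>", "ParentImage": "C:\\Tools\\known_admin_tool.exe"},
    {"Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c dir", "ParentImage": "C:\\Windows\\explorer.exe"},
]

if __name__ == "__main__":
    print("Splunk:", to_splunk(SIGMA_RULE))
    print("Lucene:", to_lucene(SIGMA_RULE))
    print("Local matches:", [matches(SIGMA_RULE, e) for e in EVENTS])
```

The point of the two `*_term` functions is that each backend owns only the escaping and syntax quirks of its target; the rule and the condition logic are shared, which is why a Splunk user and an Elastic user can review and improve the same rule without reading each other's query language.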

MITRE Shield has recently been released as a knowledge base of active defense tactics and techniques. Active defense demands that we look past responding to events and see the need for strategic chains of action that lead to a reduction in risk. The matrix is still in an early form, but it already shows great promise with its emphasis on deception, hunting, and detection methods that are specific actions defenders can take. However, one tactic in particular stood out to me in the release document “Getting Started with MITRE Shield”:

“In this case our defender likes the opportunity space (DOS018) “Users trained and encouraged to report phishing can detect attacks that other defenses do not,” and the use case (DUC0018) “A program to train and exercise the anti-phishing skills of users can create ‘Human Sensors’ that help detect phishing attacks.””

What stood out to me was the use of a human action to combat adversaries. Not a fancy analytics system, not AI-driven platforms, but the simple act of training users. There is nothing new about recognizing the need to train users, but what impressed me was seeing it explicitly called out as a use case of active defense. Katie Nickels recently gave a keynote talk at the SANS Security Awareness Forum entitled “The Human Side of Threats: Why it Matters that Adversaries are Human Too”. My takeaway from that talk was that it is easy to think of infosec as tracking malware families and improving our ability to stop them, while forgetting that our experiences create biases that erase the random, human side of adversary behaviour from our decision making. I was impressed that user training was included in Shield because it showed the team was able to include a key human factor in defense.

The Sigma Project is a very human factor in defense as well. Yes, technically it is another set of detection rules, but in reality it is so much more. An organization using Sigma rules has accepted a number of human truths about security. The first is that open-source sharing of threat intel and detection improvements is the only way we are going to win. The second is that even though we all have our preferred platforms, we cannot let them be barriers to communication. Admittedly I am addicted to the Elastic Kool-Aid, but because of Sigma I can have a very useful conversation with a colleague who loves Splunk. At the end of the day, we both walk away with a better defense. The third realization is that the final maturity level of a security posture is one where the human factor is completely integrated into the decisions made by defenders. This is done by participating in projects like Sigma, being part of threat intel sharing communities, and encouraging security clusters like Cyber Ireland. Cyber Ireland has to be one of the best examples showing that human actions are what build a strong defense. All those companies and organizations realized that alone their machines could only do so much, so they cut through red tape and biases to start a collaboration.

The Sigma Project stands for a level of active defense that fully embodies that final understanding of the human level. It will be exciting to watch how MITRE Shield develops, and hopefully many more of its techniques will incorporate human actions. Hopefully this new momentum will also bring more contributors to Sigma, in the form of new rules and refined backends. In reality, there is nothing more active than realizing that looking beyond your own front porch is the first step to a successful defense.


ivan ninichuck

Passionate about all things cyber security, especially working with the Elastic Stack for threat hunting, MITRE ATT&CK and Sigma rules.