Think about it: every time we open a blog post with the latest malware analysis, combing through it looking for the IoCs our threat teams so desperately need, doesn’t it feel a bit lethargic?
Fingers crossed, our favorite security vendor has already done the same, and the threat intelligence feeds have been updated with the hashes, file names, and known malicious IP addresses.
But doesn’t it seem at least a little bit awkward that we can’t survive without the highly technical and highly opportunistic work some of the response teams get a chance (a privilege?) to perform on the latest malware samples? Only so many security researchers get to break down a bug that just 12 hours ago shut down half of the electric power grid in Eastern Europe, yet all of us need the results of that analysis.
Are you “lucky” enough to remember how well threat detection worked before CTI? Back then, seeing network traffic to a well-known botnet C&C IP address was the first time we knew for a fact that a compromise had taken place. Needless to say, it was less than accurate.
The stock SIEM content was aspirational at best. I still remember shamefully renaming ArcSight Rules in the late 2000s from something like “Compromised Host” to be more in line with “Potentially Suspicious Activity”. The industry has come a long way since the concepts of “alert” and “incident” meant the same thing. Today, we are happy to settle for “signal” followed by automated triage or even clustering.
The bottom line is that the behavioral rules of yesterday have generally failed to deliver. Why? The main reason might be the fact that security software vendors are NOT, in fact, in the business of threat research. They are in the business of making and selling software (shocking, I know). To be fair, most of the SIEM vendors have grown proper domain expertise in-house, but in practice, most stock detection content has failed to meet real-world needs. Vendor rules were quickly scrapped by SecOps teams and replaced with home-grown ones.
In an attempt to address this issue, most vendors have launched their own “community portals”, where the customers could share their “use cases”. From ArcSight Protect247 to SplunkBase, the idea of users coming together as a community and contributing their latest and greatest has seemed attractive, if not glaringly obvious.
Unfortunately, it can be confidently said that to date, none of these attempts have been successful. I know from my own experience that growing a community from scratch is excruciatingly difficult (does anyone remember @SIEMguru?). But perhaps most importantly, to paraphrase Jon Stewart, the “shelf life” of threat detection content is close to that of an egg sandwich. And without genuinely motivated care and feeding, it’s nearly impossible to keep the new rules flowing.
It also doesn’t help that those efforts are vendor-specific. So while QRadar users were building rules for Mimikatz, their colleagues using Elastic had to do the same, but with a different syntax. It took Florian Roth’s and Thomas Patzke’s Sigma standard to finally formalize detection rules across all SIEM and EDR/XDR platforms.
Admittedly, the Sigma standard is not perfect. Supporting rule translation to every detection query language is simply unrealistic. But then again, maybe reverse-matching every existing detection to a common standard is not that important. If cybersecurity researchers can embrace Sigma for behavioral threat detection rules, publish them once, and then have those rules and queries translated accurately into each platform’s proper syntax, then why not? The benefits of this approach are obvious: regardless of the tech, your in-house threat detection team has just gained a new superpower.
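To make the “write once, translate everywhere” idea concrete, here is an added example that is not part of the original post: a minimal translator that takes one Sigma-style rule, written as a Python dict rather than YAML so it runs without PyYAML, and emits the same detection logic in Splunk SPL and Elasticsearch Lucene syntax. The rule, its values and the two backend formatters are constructed for illustration and cover only a subset of Sigma’s value modifiers and condition grammar.

```python
# Added example (not from the original post): one Sigma-style rule, as a dict
# instead of YAML so it runs without PyYAML, translated into Splunk SPL and
# Elasticsearch Lucene syntax. Rule, values and backends are constructed.
SIGMA_RULE = {
    "title": "Mimikatz process creation (constructed example)",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection_img": {"Image|endswith": "\\mimikatz.exe"},
        "selection_cmd": {"CommandLine|contains": ["sekurlsa::", "privilege::debug"]},
        "condition": "selection_img or selection_cmd",
    },
    "level": "high",
}

# How each Sigma value modifier becomes a wildcard pattern around the value.
_WILDCARD = {"endswith": "*{}", "startswith": "{}*", "contains": "*{}*"}

def _splunk_clause(field, value, modifier):
    # Splunk: quoted value, backslash and quote escaped, '*' as wildcard.
    v = value.replace("\\", "\\\\").replace('"', '\\"')
    pattern = _WILDCARD.get(modifier, "{}").format(v)
    return f'{field}="{pattern}"'

def _lucene_clause(field, value, modifier):
    # Lucene: escape reserved characters in the value before adding wildcards.
    v = "".join("\\" + c if c in '\\":() ' else c for c in value)
    pattern = _WILDCARD.get(modifier, "{}").format(v)
    return f"{field}:{pattern}"

BACKENDS = {"splunk": _splunk_clause, "lucene": _lucene_clause}

def _selection_to_query(selection, clause_fn):
    # Sigma semantics: fields inside a selection are AND-ed, list values OR-ed.
    parts = []
    for key, values in selection.items():
        field, _, modifier = key.partition("|")
        values = values if isinstance(values, list) else [values]
        alts = [clause_fn(field, v, modifier) for v in values]
        parts.append(alts[0] if len(alts) == 1 else "(" + " OR ".join(alts) + ")")
    return parts[0] if len(parts) == 1 else "(" + " AND ".join(parts) + ")"

def translate(rule, backend):
    # Handles flat conditions: selection names joined by 'and' / 'or'.
    detection, clause_fn = rule["detection"], BACKENDS[backend]
    return " ".join(tok.upper() if tok in ("and", "or") else _selection_to_query(detection[tok], clause_fn)
                    for tok in detection["condition"].split())
```

Calling `translate(SIGMA_RULE, "splunk")` and `translate(SIGMA_RULE, "lucene")` yields two queries with identical logic but backend-specific quoting and escaping, which is exactly the chore Sigma removes from each SIEM team.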
And as cool as Sigma is, it took SOC Prime’s publicly sourced, vendor-neutral Threat Detection Marketplace to get the stars to finally align on behavioral analytics. And today, any cybersecurity practitioner in the world can benefit from the results of work by the top researchers, as soon as it’s published. That’s the power of the global community, and that’s why behavioral threat detection is finally at the point of being an indispensable capability in any cyber defender’s arsenal.