Saturday 1 May 2021

Detection through defined (MY) process

A common question among SIEM content/detection creators is "What is the process that needs to be followed to create a detection?" There are different methods, methodologies and frameworks published by some of the great content creators. Here I will not be reiterating those, but rather documenting the process I follow to create rules. Here are the steps I take. Keep in mind that these steps need not be sequential.


- What kind of malware (mentioned here only as a broad category: it can be an executable, a script, a WMI event, or anything else) OR Kill Chain stage OR MITRE tactic are we dealing with?

  - Or the converse question, if we are threat hunting or building a detection: what type of malware are we trying to detect?

- Is this a novel technique? A variation of an existing technique? Just a simple rename?

- What behavior(s) does the malware execute? What are the TTPs we observed? Are there any TTPs that are not present in MITRE (or any other framework)? Are we seeing any overlapping behaviors with the detections we already have? If so, how does this malware differ from the others?

- What kind of logs do we need to detect this malware? Are we already collecting those logs? If so, what percentage of the logs we collect is directly relevant to detecting this malware? This is important to know for many reasons: I'm in fear of losing a detection, and we may be putting a load on our SIEM by collecting more than what we need. Sysmon is a good example, such as collecting every Event ID 3 (network connection). Though it has its benefits, like gaining access to the process making the network connection, it still generates too much data. Filtering is necessary.

  - If the logs are not present, what can we do? How can we collect those logs efficiently and effectively without hoarding data?

- What techniques can be used to detect this malware? Is it a plain detection (like a signature or an event ID)? Is it behavioral? Is it an amalgam of the two?

- What is the F+ (false positive) rate if we were to write this detection? More importantly, what is the acceptable rate of F+?

- Did we detect the malware using our proposed detections? If not, what is the rate of true negative?
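The last three questions in the list (which logs the rule actually needs, the F+ rate, and whether the malware is caught at all) can be answered before a rule ships by running the candidate logic over a small labelled test set. The Python below is an added example, not code from the original post: it defines a hypothetical behavioral rule (an Office process making an outbound connection on a port other than 80/443) and evaluates it against a constructed set of Sysmon-style events. The `Event` class, the `OFFICE_IMAGES` list, the sample events and their malicious/benign labels are all constructed for the exercise and are not real telemetry.

```python
"""
Added example (not from the original post): score a candidate detection
against a constructed, labelled set of Sysmon-style events.

It reports
  * needed_share: fraction of collected events the rule consumes at all
    (everything else could be filtered out of the Sysmon config or SIEM
    ingest without affecting this detection), and
  * the confusion matrix (TP/FP/FN/TN) with the derived rates, so the F+
    rate can be compared with what the SOC finds acceptable.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Hypothetical process set for the rule; adjust to the environment.
OFFICE_IMAGES = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
WEB_PORTS = {80, 443}


@dataclass(frozen=True)
class Event:
    event_id: int              # Sysmon Event ID: 1 = process create, 3 = network connection
    image: str                 # full path of the process image
    dest_port: Optional[int]   # destination port; only set for Event ID 3
    malicious: bool            # ground-truth label assigned for this exercise


def is_office_image(image: str) -> bool:
    """True if the image file name is one of the Office binaries above."""
    return image.lower().rsplit("\\", 1)[-1] in OFFICE_IMAGES


def rule_needs(ev: Event) -> bool:
    """Events the rule looks at: Event ID 3 generated by an Office process."""
    return ev.event_id == 3 and is_office_image(ev.image)


def rule_fires(ev: Event) -> bool:
    """Candidate rule: Office process connecting outbound on a non-web port."""
    return rule_needs(ev) and ev.dest_port is not None and ev.dest_port not in WEB_PORTS


def evaluate(events: Iterable[Event]) -> Dict[str, float]:
    """Return log-share and confusion-matrix figures for the rule."""
    tp = fp = fn = tn = needed = total = 0
    for ev in events:
        total += 1
        if rule_needs(ev):
            needed += 1
        fired = rule_fires(ev)
        if fired and ev.malicious:
            tp += 1
        elif fired:
            fp += 1
        elif ev.malicious:
            fn += 1
        else:
            tn += 1

    def ratio(n: int, d: int) -> float:
        return n / d if d else 0.0

    return {
        "total": total, "needed": needed, "needed_share": ratio(needed, total),
        "tp": tp, "fp": fp, "fn": fn, "tn": tn,
        "precision": ratio(tp, tp + fp),
        "fp_rate": ratio(fp, fp + tn),   # share of benign events that alert (F+)
        "fn_rate": ratio(fn, fn + tp),   # share of malicious events missed
        "tn_rate": ratio(tn, tn + fp),   # share of benign events left quiet
    }


# Constructed sample set with hand-assigned labels (not real logs).
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"
SAMPLE_EVENTS = [
    Event(3, OFFICE + r"\WINWORD.EXE", 4444, True),                        # caught: TP
    Event(3, OFFICE + r"\EXCEL.EXE", 8443, True),                          # caught: TP
    Event(3, OFFICE + r"\WINWORD.EXE", 443, True),                         # C2 over 443: missed, FN
    Event(3, OFFICE + r"\OUTLOOK.EXE", 587, False),                        # legitimate SMTP: FP
    Event(3, OFFICE + r"\WINWORD.EXE", 443, False),                        # TN
    Event(3, r"C:\Program Files\Google\Chrome\Application\chrome.exe", 443, False),
    Event(3, r"C:\Windows\System32\svchost.exe", 443, False),
    Event(1, r"C:\Windows\System32\cmd.exe", None, False),                 # not an EID 3: ignored
    Event(1, OFFICE + r"\WINWORD.EXE", None, False),
    Event(3, r"C:\Program Files\Google\Chrome\Application\chrome.exe", 80, False),
]

if __name__ == "__main__":
    for key, value in evaluate(SAMPLE_EVENTS).items():
        print(f"{key:>13}: {value}")
```

On this sample the rule needs only half of the collected events, which is the share that would justify keeping those Event ID 3 records and filtering the rest at the Sysmon or ingest layer. The one false positive (Outlook talking SMTP) and the one miss (command-and-control tunnelled over 443) are exactly the trade-offs the F+ and true-negative questions above are meant to surface before the rule goes live; whether a 1-in-7 benign alert rate is acceptable is a decision for the team, not the script.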

The above steps are for creating detections only. But detection creation is not the end; rather, it is the start or a waypoint in the Alert, Triage, Detection, IR lifecycle. In the next blog, we will see how we can apply this to create a detection.


See you next time, and happy detecting/hunting.


Entities to Include in your Hypothesis Creation

Entities to be considered while creating a hypothesis for threat hunting, or whilst investigating an attacker's actions.