Today’s attacks are growing more sophisticated and successful. What was once accomplished using lots of custom malware is increasingly handled by living off the land, leveraging the very same tools you use to manage your IT environment. Because of this, many organizations have shifted to using solutions that focus on endpoint behavior rather than signature-based detection to identify threats.
In recent years, more and more organizations have begun sharing technical indicators and detailed reports on high impact attacks. These reports contain the standard set of Snort, Suricate, and Yara rules to detect emerging threats, but also share lots of tools, tactics, and procedures (TTPs) that these attackers use. The challenge today is that there is no easy way of sharing these behavioral indicators.
Then came Sigma rules. The use of Sigma rules makes it efficient to write, share, and distribute technical indicators of threats. Most importantly, Sigma rules can be automatically converted to the correct rule and syntax for your SIEM, increasing the speed and accuracy of your SIEM-based detections.
In this webinar, we get hands-on with the topic by simulating an emulated APT attack that uses non-malware techniques to laterally move across a network. With access to all the logs from these devices in a central SIEM solution, our own Director Cyber Threat Research, Kev Breen, demonstrates:
Using public Sigma rules to query the SIEM to identify malicious behavior that may have been missed
Writing custom Sigma rules specific to an attack scenario that can be run periodically to threat hunt any future attacks of the same nature
In addition, Kev joins Microsoft MVP and cybersecurity expert Nick Cavalancia to discuss:
The state of threat intelligence sharing
A primer on Sigma rules – from creation to use
How Sigma rules fit into your cybersecurity strategy