Go on the ATT&CK™ with Corelight.

When today's security teams plan their defense against adversaries, they turn to the MITRE ATT&CK™ Framework, a curated knowledge base of the tactics, techniques, and procedures (TTPs) that adversaries employ. No single control covers every TTP, but Corelight can surface weak spots that other tools miss. Corelight delivers expansive network visibility by bringing Zeek logs to your SIEM, and because Corelight Sensors run Zeek, you can build your own Zeek packages or use community contributions such as BZAR for even more insight. See what Corelight can do below:


Techniques revealed

Credential Access

Brute Force

Adversaries may use brute force techniques to attempt access to accounts when passwords are unknown or when password hashes are obtained.

How Corelight helps

Protocols such as SMB can authenticate with NTLM, and the NTLM exchange reveals whether each authentication attempt succeeded or failed. A substantial number of failed authentication attempts from a single host should be a cause for concern. Zeek monitors NTLM authentication attempts so that you can identify excessive login attempts, a high percentage of failures, or abnormal login patterns: for each attempt it extracts the username, the client and server names, and the result (success or failure), and stores them in the ntlm.log file. Similarly, Zeek records SSH connection attempts in the ssh.log file, including whether authentication succeeded and how many authentication attempts the connection made, so a suspiciously high number of failures from one host can be reported. Note that SSH is encrypted, so Zeek infers the authentication outcome from the traffic pattern; when it cannot tell, the field is left unset rather than guessed, and detection logic should not count those connections as failures.
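The following Python script is an added example, not Corelight's or Zeek's own code, of the detection logic described above run over Zeek logs. It parses Zeek's tab-separated ntlm.log and ssh.log using their #fields header, counts confirmed failures per source host inside a sliding time window (the same count-over-interval idea as Zeek's SSH brute-forcing policy script, whose defaults are 30 guesses in 30 minutes; the threshold of 5 here is chosen only to keep the sample small), and also reports each host's failure ratio. The two log excerpts are constructed for the example and trimmed to the columns used; the parser works unchanged on full logs because every column is named in the header. Rows whose result is "-" (outcome unobserved) are deliberately not counted as failures.

```python
"""Spot password guessing in Zeek ntlm.log and ssh.log (added example, not Corelight/Zeek code)."""
from collections import defaultdict, deque
from typing import Dict, List, Tuple

# Constructed sample logs, trimmed to the columns this example uses. Real Zeek logs
# carry more columns (uid, hostname, domainname, version, ...), but the #fields header
# names every column, so the parser below works on unmodified logs as well.
NTLM_LOG = """#separator \\x09
#path\tntlm
#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tusername\tsuccess
#types\ttime\taddr\tport\taddr\tport\tstring\tbool
1600000000.0\t10.0.0.5\t49152\t10.0.0.10\t445\tadministrator\tF
1600000010.0\t10.0.0.7\t49200\t10.0.0.10\t445\tjsmith\tT
1600000020.0\t10.0.0.7\t49201\t10.0.0.10\t445\tjsmith\tF
1600000030.0\t10.0.0.7\t49202\t10.0.0.10\t445\tjsmith\tT
1600000040.0\t10.0.0.7\t49203\t10.0.0.10\t445\tjsmith\tT
1600000060.0\t10.0.0.5\t49153\t10.0.0.10\t445\tadministrator\tF
1600000120.0\t10.0.0.5\t49154\t10.0.0.10\t445\tadministrator\tF
1600000180.0\t10.0.0.5\t49155\t10.0.0.10\t445\tadministrator\tF
1600000240.0\t10.0.0.5\t49156\t10.0.0.10\t445\tadministrator\tF
1600000300.0\t10.0.0.5\t49157\t10.0.0.10\t445\tadministrator\tF
1600000360.0\t10.0.0.5\t49158\t10.0.0.10\t445\tadministrator\tT
1600000400.0\t10.0.0.9\t49300\t10.0.0.10\t445\t-\t-
"""

SSH_LOG = """#separator \\x09
#path\tssh
#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tauth_success\tauth_attempts
#types\ttime\taddr\tport\taddr\tport\tbool\tcount
1600000500.0\t198.51.100.9\t51000\t10.0.0.22\t22\tF\t3
1600000510.0\t198.51.100.9\t51001\t10.0.0.22\t22\tF\t2
1600000520.0\t198.51.100.9\t51002\t10.0.0.22\t22\tF\t4
1600000530.0\t198.51.100.9\t51003\t10.0.0.22\t22\tF\t3
1600000540.0\t198.51.100.9\t51004\t10.0.0.22\t22\tF\t1
1600000550.0\t198.51.100.9\t51005\t10.0.0.22\t22\t-\t-
1600000600.0\t10.0.0.7\t51100\t10.0.0.22\t22\tT\t1
"""


def parse_zeek_tsv(text: str) -> List[Dict[str, str]]:
    """Parse Zeek's default TSV log format into one dict per record, keyed by #fields names."""
    fields = None
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):  # #separator, #path, #types, #close ... are metadata
            continue
        if fields is None:
            raise ValueError("data row seen before the #fields header")
        rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def auth_failures(rows: List[Dict[str, str]], result_field: str) -> List[Tuple[float, str]]:
    """(timestamp, source host) for every record whose result is a confirmed failure.

    Zeek writes T/F for an observed outcome and "-" when it could not determine one
    (common for SSH, where the outcome is inferred from encrypted traffic), so only
    an explicit "F" counts.
    """
    return [(float(r["ts"]), r["id.orig_h"]) for r in rows if r.get(result_field) == "F"]


def find_bruteforcers(failures: List[Tuple[float, str]], threshold: int = 5,
                      window: float = 1800.0) -> Dict[str, float]:
    """Map each host with >= threshold failures inside any `window` seconds to the time it crossed."""
    recent: Dict[str, deque] = defaultdict(deque)
    flagged: Dict[str, float] = {}
    for ts, host in sorted(failures):
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and host not in flagged:
            flagged[host] = ts
    return flagged


def failure_ratios(rows: List[Dict[str, str]], result_field: str) -> Dict[str, Tuple[int, int]]:
    """Per source host: (failed attempts, attempts with an observed outcome)."""
    counts: Dict[str, List[int]] = defaultdict(lambda: [0, 0])
    for r in rows:
        outcome = r.get(result_field)
        if outcome not in ("T", "F"):
            continue
        counts[r["id.orig_h"]][1] += 1
        if outcome == "F":
            counts[r["id.orig_h"]][0] += 1
    return {host: (f, t) for host, (f, t) in counts.items()}


if __name__ == "__main__":
    for name, text, field in (("ntlm", NTLM_LOG, "success"), ("ssh", SSH_LOG, "auth_success")):
        rows = parse_zeek_tsv(text)
        for host, when in find_bruteforcers(auth_failures(rows, field)).items():
            print(f"{name}.log: {host} crossed the failure threshold at ts={when}")
        for host, (fail, total) in failure_ratios(rows, field).items():
            print(f"{name}.log: {host} failed {fail}/{total} observed attempts")
```

In the sample data, 10.0.0.5 is flagged from its fifth NTLM failure and 198.51.100.9 from its fifth failed SSH connection, while 10.0.0.7 (one failure among several successes) and the "-" rows are left alone. In production the same logic belongs in a Zeek script or in the SIEM, keyed on the id.orig_h field exactly as here.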

Scripts and resources:

Brute Force detection script

Detect hosts that are doing password guessing attacks and/or password bruteforcing over SSH.

Zeek scripting language

Corelight Sensors run the Zeek NSM, which includes an event-driven scripting language that is the primary means for an organization to extend and customize Corelight Sensors. A script registers handlers for pre-defined events (a new connection, a protocol message, a file observed on the wire); when an event fires, the handler captures information about that connection and can write it to a log or raise a notice. For example, the ssl.log file is produced by the SSL/TLS scripts, and a policy script walks each certificate chain presented in a handshake and issues a notice if validation of the chain fails.

Zeek Logs to use:

notice.log

ntlm.log

ssh.log


BZAR: Bro/Zeek ATT&CK-based analytics and reporting scripts.

Techniques covered

Developed by MITRE for organizations that have deployed the Zeek / Bro Network Security Monitor, these scripts utilize selected protocol analyzers (SMB and DCE-RPC) and the File Analysis Framework to uncover a range of Execution, Persistence, Lateral Movement, Defensive Evasion, Credential Access—and in particular Discovery—techniques. Learn more at GitHub.


Watch “Using Zeek / Bro to Discover Network TTPs of MITRE ATT&CK.”


Tune into this prerecorded webcast (runtime 1 hour) to hear from world-class security operators Richard Bejtlich and James Schweitzer as they dig into the MITRE framework and review concrete, step-by-step examples of how you can use Zeek to significantly improve your visibility into and defenses against Lateral Movement (TA0008), Exfiltration (TA0010), and Command and Control (C2) (TA0011) tactics. Watch.