Go on the ATT&CK™ with Corelight.

When today's security teams plan their defense against adversaries, they turn to the MITRE ATT&CK™ Framework. It's a key repository of tactics, techniques, and procedures (TTPs) that adversaries employ. While there's no silver bullet for all TTPs, Corelight sees weak spots others can't. Corelight delivers expansive network visibility by bringing Zeek logs to your SIEM. It allows you to build your own packages, or use community contributions like BZAR, for even more insight. See what Corelight can do below:


Techniques revealed

Exfiltration

Automated Exfiltration

Data, such as sensitive documents, may be exfiltrated through the use of automated processing or scripting after being gathered during collection.

How Corelight helps

Attackers may use automated tools to exfiltrate sensitive data from a compromised host to an external server, for example a custom tool that uploads compressed or encrypted data to a website, FTP server, or email account. Zeek monitors HTTP, FTP, and email traffic, allowing defenders to identify high volumes of traffic to unknown hosts or connections that recur on a regular schedule. At any point in the network where Corelight sees this traffic, it is monitored and recorded in the protocol-specific log. Depending on the transfer method, Zeek also tracks the names of the files and the method of exfiltration.

Scripts and resources:

Producer-consumer ratio script

This package helps defenders identify the typical direction and volume of data transfer between two hosts and to identify when it changes.
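As an added illustration (not the Corelight package or its code), this Python computes the producer-consumer ratio per host pair from conn.log orig_bytes/resp_bytes, using constructed sample records in Zeek's TSV format, and flags hour-to-hour swings in transfer direction; the hourly bucket and the 0.5 swing threshold are assumptions.

```python
# PCR = (orig_bytes - resp_bytes) / (orig_bytes + resp_bytes) per host pair:
# +1 means the originator only sends (pure producer), -1 means it only
# receives (pure consumer), 0 is balanced. A sudden move toward +1 for a
# host that normally consumes is the shift this check is meant to surface.
from collections import defaultdict

# Constructed sample conn.log (Zeek TSV format); not real traffic.
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring\n"
    "1700000000.1\tC1\t10.0.0.5\t51000\t203.0.113.10\t443\ttcp\tssl\t2.1\t1200\t54000\tSF\n"
    "1700000060.2\tC2\t10.0.0.5\t51001\t203.0.113.10\t443\ttcp\tssl\t1.7\t900\t61000\tSF\n"
    "1700003600.3\tC3\t10.0.0.5\t51002\t203.0.113.10\t443\ttcp\tssl\t45.0\t48000000\t3000\tSF\n"
    "1700003660.4\tC4\t10.0.0.5\t51003\t203.0.113.10\t443\ttcp\tssl\t-\t-\t-\tS0\n"
)

def parse_conn_log(text):
    """Yield one dict per record from Zeek TSV text; '-' marks an unset field."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other header lines (#separator, #types) and blanks
        elif fields:
            yield dict(zip(fields, line.split("\t")))

def pcr(orig_bytes, resp_bytes):
    total = orig_bytes + resp_bytes
    return 0.0 if total == 0 else (orig_bytes - resp_bytes) / total

def pcr_by_pair(records, window=3600):
    """Sum payload bytes per (orig_h, resp_h, time bucket) and return the PCR of each."""
    totals = defaultdict(lambda: [0, 0])
    for r in records:
        if r["orig_bytes"] == "-" or r["resp_bytes"] == "-":
            continue  # no payload accounting for this connection (e.g. S0 state)
        key = (r["id.orig_h"], r["id.resp_h"], int(float(r["ts"]) // window))
        totals[key][0] += int(r["orig_bytes"])
        totals[key][1] += int(r["resp_bytes"])
    return {k: pcr(o, p) for k, (o, p) in totals.items()}

def direction_shifts(pcr_map, threshold=0.5):
    """Flag host pairs whose PCR swings by more than threshold between consecutive buckets."""
    series = defaultdict(list)
    for (orig, resp, bucket), value in sorted(pcr_map.items(), key=lambda kv: kv[0][2]):
        series[(orig, resp)].append((bucket, value))
    alerts = []
    for pair, points in series.items():
        for (b0, v0), (b1, v1) in zip(points, points[1:]):
            if abs(v1 - v0) > threshold:
                alerts.append((pair, b0, round(v0, 3), b1, round(v1, 3)))
    return alerts
```

In the sample the pair 10.0.0.5 to 203.0.113.10 moves from a near pure consumer (about -0.96) in one hour to a near pure producer (about +1.0) the next, which is the kind of change worth a second look in the corresponding http.log or ftp.log entries.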

Zeek scripting language

Corelight Sensors run the Zeek NSM, which includes an event-driven scripting language that provides the primary means for an organization to extend and customize Corelight Sensors. A script registers handlers for pre-defined events; when such an event fires, the handler captures information about that connection and runs the function the script defines. For example, the ssl.log file is generated by a script that walks the entire certificate chain and issues notifications if any of the steps along the chain are invalid.

Zeek Logs to use:

conn.log

files.log

ftp.log

http.log


BZAR: Bro/Zeek ATT&CK-based analytics and reporting scripts.

Techniques Covered

Developed by MITRE for organizations that have deployed the Zeek / Bro Network Security Monitor, these scripts utilize selected protocol analyzers (SMB and DCE-RPC) and the File Analysis Framework to uncover a range of Execution, Persistence, Lateral Movement, Defensive Evasion, Credential Access—and in particular Discovery—techniques. Learn more at GitHub.


Watch “Using Zeek / Bro to Discover Network TTPs of MITRE ATT&CK.”


Tune into this prerecorded (runtime 1 hour) webcast to hear from world-class security operators Richard Bejtlich and James Schweitzer as they dig into the MITRE framework and review concrete, step-by-step examples of how you can use Zeek to significantly improve your visibility into and defenses against Lateral Movement (TA0008), Data Exfiltration (TA0010), and Command and Control (C2) (TA0011) tactics. Watch.