


This webcast has been archived; registered SANS Portal users can view the recording and download the presentation slides.

Using Zeek/Bro To Discover Network TTPs of MITRE ATT&CK

  • Wednesday, June 12, 2019 at 3:30 PM EDT (2019-06-12 19:30:00 UTC)
  • Richard Bejtlich, James Schweitzer
  • Corelight




Tactics, techniques, and procedures (TTPs) can help characterize patterns of adversary behavior, such as sending a spearphishing attachment for initial access or using the Remote Desktop Protocol to move laterally in a target environment. To track TTPs and develop corresponding defense strategies, security personnel increasingly turn to MITRE ATT&CK, a TTP repository based on real-world observations. While no single technology or process can cover all TTPs, did you know that the Zeek Network Security Monitor (formerly Bro) can give you powerful visibility and detection against critical network-based TTPs in the ATT&CK framework?

In fact, earlier this year MITRE released the Bro/Zeek ATT&CK-based Analytics and Reporting (BZAR) scripts to the open-source community to help uncover network-based ATT&CK TTPs. Tune in to this webcast to hear from world-class security operators as they dig into Corelight and the MITRE framework and demonstrate step-by-step examples of how you can use Corelight to significantly improve your visibility and defenses.

Register for this webcast to learn:

● An overview of the MITRE ATT&CK framework
● How Corelight addresses ATT&CK TTPs related to data exfiltration and C2s
● And more...
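As an added illustration of the idea above (example code written for this page, not material from the webcast, Corelight, or MITRE's BZAR scripts), the Python below reads Zeek conn.log records in JSON-lines form and tags them with candidate ATT&CK behaviours: internal-to-internal RDP as lateral movement via Remote Desktop Protocol (T1021.001), large uploads to external hosts as possible exfiltration (tactic TA0010), and a per-source fan-out check for hosts that RDP to several internal targets. The sample records, the RFC 1918 definition of "internal", and the byte and fan-out thresholds are constructed assumptions.

```python
"""Tag Zeek conn.log records with candidate MITRE ATT&CK behaviours (added example)."""
import ipaddress
import json
from collections import defaultdict

# Constructed sample records in Zeek's JSON conn.log output format; not real traffic.
SAMPLE_CONN_LOG = """\
{"ts":1560364200.1,"uid":"C1","id.orig_h":"10.0.1.20","id.orig_p":49211,"id.resp_h":"10.0.1.30","id.resp_p":3389,"proto":"tcp","service":"rdp","orig_bytes":48213,"resp_bytes":901233}
{"ts":1560364215.4,"uid":"C2","id.orig_h":"10.0.1.20","id.orig_p":49212,"id.resp_h":"10.0.1.31","id.resp_p":3389,"proto":"tcp","service":"rdp","orig_bytes":47100,"resp_bytes":880012}
{"ts":1560364230.5,"uid":"C3","id.orig_h":"10.0.1.20","id.orig_p":49300,"id.resp_h":"203.0.113.7","id.resp_p":443,"proto":"tcp","service":"ssl","orig_bytes":734003200,"resp_bytes":20480}
{"ts":1560364260.9,"uid":"C4","id.orig_h":"10.0.1.44","id.orig_p":51000,"id.resp_h":"198.51.100.9","id.resp_p":80,"proto":"tcp","service":"http","orig_bytes":1200,"resp_bytes":8800}
"""

# Assumed internal address space: the RFC 1918 ranges (tune to your own environment).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EXFIL_BYTES = 100 * 1024 * 1024   # assumed threshold: 100 MiB sent by the originator in one connection
RDP_FANOUT = 2                     # assumed threshold: distinct internal RDP targets per source host

def parse_conn_log(text):
    """Parse JSON-lines conn.log output into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def tag_connection(rec):
    """Return ATT&CK labels suggested by a single connection record."""
    tags = []
    src, dst = rec["id.orig_h"], rec["id.resp_h"]
    rdp = rec["id.resp_p"] == 3389 or rec.get("service") == "rdp"
    # Internal-to-internal RDP: candidate lateral movement via Remote Desktop Protocol (T1021.001).
    if rdp and is_internal(src) and is_internal(dst):
        tags.append("T1021.001")
    # Large upload from an internal host to an external one: candidate exfiltration (tactic TA0010).
    if is_internal(src) and not is_internal(dst) and rec.get("orig_bytes", 0) >= EXFIL_BYTES:
        tags.append("TA0010")
    return tags

def analyze(text):
    """Tag every record and flag sources that RDP to many distinct internal hosts (fan-out)."""
    records = parse_conn_log(text)
    findings = {r["uid"]: tag_connection(r) for r in records}
    rdp_targets = defaultdict(set)
    for r in records:
        if "T1021.001" in findings[r["uid"]]:
            rdp_targets[r["id.orig_h"]].add(r["id.resp_h"])
    fanout = {src: sorted(dsts) for src, dsts in rdp_targets.items() if len(dsts) >= RDP_FANOUT}
    return findings, fanout
```

On the sample data, `analyze(SAMPLE_CONN_LOG)` tags C1 and C2 as T1021.001, C3 as TA0010, leaves C4 untagged, and reports 10.0.1.20 as an RDP fan-out source.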

Speaker Bios

Richard Bejtlich

Richard Bejtlich is an author and Principal Security Strategist at Corelight. He was previously Chief Security Strategist at FireEye, and Mandiant's Chief Security Officer when FireEye acquired Mandiant in 2013. At General Electric, as Director of Incident Response, he built and led the 40-member GE Computer Incident Response Team (GE-CIRT). Richard began his digital security career as a military intelligence officer in 1997 at the Air Force Computer Emergency Response Team (AFCERT), Air Force Information Warfare Center (AFIWC), and Air Intelligence Agency (AIA). Richard is a graduate of Harvard University and the United States Air Force Academy. He has authored, co-authored, and contributed to over a dozen books (listed at www.taosecurity.com). He also writes for his blog (taosecurity.blogspot.com) and Twitter (@taosecurity).

James Schweitzer

James Schweitzer is a Federal Solution Engineer at Corelight. He was previously at A10 Networks, and prior to that spent more than a decade at The MITRE Corporation. During his time there he served in various leadership roles, spanning Security Operations Center engineering to improving secure communications capabilities for partner nations. James is a graduate of Virginia Tech and The George Washington University.

