Talk With an Expert

Methods to Employ Zeek in Detecting MITRE ATT&CK Techniques

Methods to Employ Zeek in Detecting MITRE ATT&CK Techniques (PDF, 4.20MB)Published: 15 Jul, 2020
Created by:
Michael McPhee

MITRE ATT&CK techniques and their respective detections, while a significant step forward in democratizing threat intelligence, are predominantly focused on endpoint visibility through direct management or via agents. Some detection approaches leverage network sensors (e.g., Zeek) like BZAR (Fernandez, Wunder, Azoff, & Tylabs) in network-based detection of ATT&CK techniques. However, many of these earlier solutions focus on Microsoft Windows-specific protocols. They do not provide broad coverage of less-sophisticated endpoints, industrial systems, or infrastructure devices themselves (such as routers, switches, wireless devices). This paper will explore the feasibility of network-based detections using combinations of CLI utilities and Zeek IDS to augment or replace endpoint-focused detections and extend ATT&CK's utility to the rest of the network.