SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals

MITRE ATT&CK techniques and their respective detections, while a significant step forward in democratizing threat intelligence, are predominantly focused on endpoint visibility, obtained either through direct management of the host or via agents. Some approaches, such as BZAR (Fernandez, Wunder, Azoff, & Tylabs), use network sensors (e.g., Zeek) to detect ATT&CK techniques from traffic rather than from the endpoint. However, many of these earlier solutions focus on Microsoft Windows-specific protocols. They do not provide broad coverage of less sophisticated endpoints, industrial systems, or the infrastructure devices themselves (such as routers, switches, and wireless devices). This paper explores the feasibility of network-based detections built from combinations of CLI utilities and the Zeek IDS to augment or replace endpoint-focused detections and extend ATT&CK's utility to the rest of the network.
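As an added illustration of the approach the abstract describes (this is example code written for this page, not code from the paper or from BZAR), the following shell function runs a detection over Zeek conn.log records using only awk. It flags any originator that has contacted many distinct ports on a single responder, a network-side heuristic for ATT&CK T1046 (Network Service Discovery) that needs no agent on the scanned device, so it applies equally to a router, a PLC, or a printer. The sample conn.log lines are constructed for this example, and the threshold of five distinct ports is an assumption, not a value taken from the paper.

```shell
#!/bin/sh
# Added example: detect a host probing many distinct ports on one responder
# from Zeek conn.log, without endpoint visibility. Not from the SANS paper.

# Constructed sample conn.log in Zeek's default TSV layout (first 12 fields).
# 10.0.0.5 touches six different ports on 10.0.0.20 (mostly rejected);
# 10.0.0.9 makes two ordinary SSH connections to the same responder.
SAMPLE_CONN_LOG=$(cat <<'EOF'
#separator \x09
#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state
1700000001.0	C1	10.0.0.5	40001	10.0.0.20	22	tcp	ssh	1.2	100	200	SF
1700000002.0	C2	10.0.0.5	40002	10.0.0.20	23	tcp	-	0.0	0	0	REJ
1700000003.0	C3	10.0.0.5	40003	10.0.0.20	80	tcp	-	0.0	0	0	REJ
1700000004.0	C4	10.0.0.5	40004	10.0.0.20	443	tcp	-	0.0	0	0	REJ
1700000005.0	C5	10.0.0.5	40005	10.0.0.20	161	udp	-	0.0	0	0	S0
1700000006.0	C6	10.0.0.5	40006	10.0.0.20	502	tcp	-	0.0	0	0	REJ
1700000007.0	C7	10.0.0.9	50001	10.0.0.20	22	tcp	ssh	3.0	500	800	SF
1700000008.0	C8	10.0.0.9	50002	10.0.0.20	22	tcp	ssh	2.0	400	600	SF
EOF
)

# scan_candidates THRESHOLD
# Reads conn.log on stdin; prints "orig_h resp_h distinct_port_count" for every
# originator/responder pair that hit at least THRESHOLD distinct responder ports.
# Default whitespace field splitting is used deliberately: conn.log fields
# contain no spaces, so this works whether the log is tab- or space-separated.
scan_candidates() {
    threshold="$1"
    awk -v thr="$threshold" '
        /^#/ { next }                      # skip Zeek header/metadata lines
        {
            key  = $3 SUBSEP $5            # id.orig_h, id.resp_h
            port = $6                      # id.resp_p
            if (!((key, port) in seen)) {  # count each responder port once
                seen[key, port] = 1
                count[key]++
            }
        }
        END {
            for (k in count) {
                if (count[k] >= thr) {
                    split(k, pair, SUBSEP)
                    printf "%s %s %d\n", pair[1], pair[2], count[k]
                }
            }
        }'
}

# Stand-alone run against the constructed sample; threshold of 5 is an assumption.
printf '%s\n' "$SAMPLE_CONN_LOG" | scan_candidates 5
```

In practice the function is fed from the live log (`tail -F /opt/zeek/logs/current/conn.log | scan_candidates 5`) or from a rotated file, and the threshold is tuned per segment: an OT network with a fixed set of services tolerates a far lower value than a general office subnet.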