Evaluating Open-Source HIDS with Persistence Tactic of MITRE Att&ck

Small companies with limited budgets need to understand if open-source tools can provide adequate security coverage. The MITRE ATT&CK framework provides an excellent source to evaluate endpoint security tool effectiveness. A MITRE research paper provides the following insight into the value of ATT&CK, The techniques in the ATT&CK model describe the actions adversaries take to achieve their tactical objectives (Strom, et al., 2019). This paper examines two open-source endpoint tools, OSSEC and WAZUH, against the MITRE ATT&CK framework. This analysis will determine each endpoint tool's ability to detect a select number of the MITRE ATT&CK framework persistence techniques. Out of the techniques reviewed, this paper will analyze the degree to which the ATT&CK technique can be accurately identified by the evaluated tools. MITRE also conducts evaluations but on proprietary tools. The results of the open-source endpoint tools analyzed here can be compared to the MITRE ATT&CK Evaluations conducted on the proprietary endpoint toolsets. The MITRE ATT&CK framework is a valuable methodology that allows a company to compare endpoint tools from a security risk and product evaluation perspective.