
Using Zeek/Bro To Discover Network TTPs of MITRE ATT&CK™

Techniques, tactics, and procedures (TTPs) can help characterize patterns of adversary behavior, such as sending a spearphishing attachment for initial access or using the Remote Desktop Protocol to move laterally in a target environment.


To track TTPs and develop corresponding defense strategies, security personnel increasingly turn to MITRE ATT&CK™, a TTP repository based on real-world observations. While no single technology or process can cover all TTPs, did you know that the Zeek Network Security Monitor (formerly “Bro”) can give you powerful visibility and detection against critical network-based TTPs in the ATT&CK™ framework?

In fact, earlier this year MITRE released the Bro/Zeek ATT&CK-based Analytics and Reporting (BZAR) scripts to the open-source community to help uncover network-based ATT&CK TTPs. Tune into this webcast to hear from world-class security operators as they dig into Corelight and the MITRE framework and demonstrate step-by-step examples of how you can use Corelight to significantly improve your visibility and defenses.

In this webcast you'll learn:
- An overview of the MITRE ATT&CK™ framework
- How Corelight addresses ATT&CK TTPs related to data exfiltration and C2s

