Using Zeek/Bro To Discover Network TTPs of MITRE ATT&CK™ Part 1
Tactics, techniques, and procedures (TTPs) are useful for characterizing patterns of adversary behavior, such as sending a spearphishing attachment for initial access or using the Remote Desktop Protocol to move laterally in a target environment. To comprehensively track TTPs and develop corresponding defense strategies, security pros increasingly turn to MITRE ATT&CK™, a TTP repository based on real-world observations. While no single technology or process can cover all TTPs, did you know that the Zeek Network Security Monitor (formerly “Bro”) can give you powerful visibility and detection against critical TTPs in the MITRE ATT&CK™ framework?

Watch this webcast to hear from world-class security operators Richard Bejtlich and James Schweitzer as they dig into the MITRE framework and review concrete, step-by-step examples of how you can use Zeek to significantly improve your visibility and defenses against the lateral movement (TA0008), exfiltration (TA0010), and command and control (C2) (TA0011) tactics.

Corelight makes powerful network security monitoring (NSM) solutions that transform network traffic into rich logs, extracted files, and security insights, helping security teams achieve more effective incident response, threat hunting, and forensics. Corelight Sensors run on Zeek (formerly called “Bro”), the open-source NSM tool used by thousands of organizations worldwide. Corelight’s family of network sensors dramatically simplifies the deployment and management of Zeek and expands its performance and capabilities. Corelight is based in San Francisco, California, and its global customers include Fortune 500 companies, large government agencies, and major research universities.