Sunday, November 27, 2022
HomeCyber SecurityMenace searching with MITRE ATT&CK and Wazuh

Menace searching with MITRE ATT&CK and Wazuh

Menace searching is the method of searching for malicious exercise and its artifacts in a pc system or community. Menace searching is carried out intermittently in an setting no matter whether or not or not threats have been found by automated safety options. Some risk actors could keep dormant in a company’s infrastructure, extending their entry whereas ready for the fitting alternative to take advantage of found weaknesses.

Due to this fact you will need to carry out risk searching to establish malicious actors in an setting and cease them earlier than they obtain their final aim.

To successfully carry out risk searching, the risk hunter should have a scientific method to emulating attainable adversary conduct. This adversarial conduct determines what artifacts might be looked for that point out ongoing or previous malicious exercise.


Over time, the safety group has noticed that risk actors have generally used many ways, methods, and procedures (TTPs) to infiltrate and pivot throughout networks, elevate privileges, and exfiltrate confidential knowledge. This has led to the event of varied frameworks for mapping the actions and strategies of risk actors. One instance is the MITRE ATT&CK framework.

MITRE ATT&CK is an acronym that stands for MITRE Adversarial Ways, Strategies, and Frequent Data (ATT&CK). It’s a well-documented information base of real-world risk actor actions and behaviors. MITRE ATT&CK framework has 14 ways and lots of methods that establish or point out an assault in progress. MITRE makes use of IDs to reference the tactic or approach employed by an adversary.

The Wazuh unified XDR and SIEM platform

Wazuh is an open supply unified XDR and SIEM platform. The Wazuh answer is made up of a single common agent that’s deployed on monitored endpoints for risk detection and automatic response. It additionally has central parts (Wazuh server, indexer, and dashboard) that analyze and visualize the safety occasions knowledge collected by the Wazuh agent. It protects on-premises and cloud workloads.

Wazuh security event dashboard
Determine 1: Wazuh safety occasion dashboard

Menace searching with Wazuh

Menace hunters use numerous instruments, processes, and strategies to seek for malicious artifacts in an setting. These embody however should not restricted to utilizing instruments for safety monitoring, file integrity monitoring, and endpoint configuration evaluation.

Wazuh gives sturdy capabilities like file integrity monitoring, safety configuration evaluation, risk detection, automated response to threats, and integration with options that present risk intelligence feeds.

Wazuh MITRE ATT&CK module

Wazuh comes with the MITRE ATT&CK module out-of-the-box and risk detection guidelines mapped in opposition to their corresponding MITRE approach IDs. This module has 4 parts that are:

a. The intelligence element of the Wazuh MITRE ATT&CK module: Accommodates detailed details about risk teams, mitigation, software program, ways, and methods utilized in cyber assaults. This element helps risk hunters to establish and classify completely different TTPs that adversaries use.

Wazuh MITRE ATT&CK Intelligence
Determine 2: Wazuh MITRE ATT&CK Intelligence

b. The framework element of the Wazuh MITRE ATT&CK module: Helps risk hunters slim down threats or compromised endpoints. This element makes use of particular methods to see all of the occasions associated to that approach and the endpoints the place these occasions occurred.

Wazuh MITRE ATT&CK framework
Determine 3: Wazuh MITRE ATT&CK framework

c. The dashboard element of the MITRE ATT&CK module: Helps to summarize all occasions into charts to help risk hunters in having a fast overview of MITRE associated actions in an infrastructure.

Wazuh MITRE ATT&CK dashboard
Determine 4: Wazuh MITRE ATT&CK dashboard

d. The Wazuh MITRE ATT&CK occasions element: Shows occasions in real-time, with their respective MITRE IDs, to higher perceive every reported alert.

Wazuh MITRE ATT&CK events
Determine 5: Wazuh MITRE ATT&CK occasions

Wazuh guidelines and decoders

Wazuh has out-of-the-box guidelines and decoders to parse safety and runtime knowledge generated from completely different sources. Wazuh helps guidelines for various applied sciences (e.g., Docker, CISCO, Microsoft Alternate), which have been mapped to their applicable MITRE IDs. Customers can even create customized guidelines and decoders and map every rule with its applicable MITRE tactic or approach. This weblog put up reveals an instance of leveraging MITRE ATT&CK and Wazuh customized guidelines to detect an adversary.

Safety Configuration Evaluation (SCA) module

The Wazuh SCA module performs periodic scans in endpoints to detect system and utility misconfigurations. It can be used to scan for indicators of compromise, like malicious information and folders which have been created by malware. Analyzing software program inventories, companies, misconfigurations, and adjustments within the configuration on an endpoint can assist risk hunters detect assaults underway.

Wazuh SCA dashboard
Determine 6: Wazuh SCA dashboard

Integration with risk intelligence options

Because of its open supply nature, Wazuh offers a possibility to combine with risk intelligence APIs and different safety options. Wazuh integrates with open supply risk intelligence platforms like Virustotal, URLHaus, MISP, and AbuseIPDB to call a couple of. Relying on the mixing, related alerts seem within the Wazuh dashboard. Particular info, reminiscent of IP addresses, file hashes, and URLs, might be queried utilizing filters on the Wazuh dashboard.

File integrity monitoring

File integrity monitoring (FIM) is used to watch and audit delicate information and folders on endpoints. Wazuh offers an FIM module that screens and detects adjustments in specified directories or information on an endpoint’s filesystem. The FIM module can even detect when information launched to endpoints match hashes of identified malware.

Wazuh archives

Wazuh archives might be enabled to gather and retailer all safety occasions ingested from monitored endpoints. This characteristic assists risk hunters by offering them with knowledge that can be utilized to create detection guidelines and keep forward of risk actors. Wazuh archives are additionally useful in assembly regulatory compliance the place audit log historical past is required.


The MITRE ATT&CK framework helps to correctly classify and establish threats in keeping with found TTPs. Wazuh makes use of its devoted MITRE ATT&CK parts to show details about how safety knowledge from endpoints correspond to TTPs. The risk searching capabilities of Wazuh assist cybersecurity analysts to detect obvious cyber assaults in addition to underlying compromises to infrastructure.

Wazuh is a free and open supply platform that can be utilized by organizations with cloud and on-premises infrastructure. Wazuh has one of many fastest-growing open supply group on the planet, the place studying, discussions, and help is obtainable at zero price. Try this documentation to get began with Wazuh.



Please enter your comment!
Please enter your name here

Most Popular

Recent Comments