This presentation describes how a common open-source tool Zeek (Bro) that has been used, until today, primarily for threat detection can be extended to provide threat response including mitigation of attacks including those aspects that can be tied to the MITRE ATT&CK framework.
Today Zeek/Bro has a large open-source and active community that contributes using Zeek/Bro scripts that include detecting attacks such as Heartbleed and many other behavioral (TTP) based detections. This presentation will have the following structure:
- Introduction to Zeek/Bro event-based detection techniques including behavioral detection aspects
- Show those detection techniques can be applied to MITRE ATT&CK framework to provide the audience with a common taxonomy on what Zeek/Bro does
- Introduction how Zeek/Bro event-based programming model can be extended for threat mitigation and response and what the benefits of those extensions would provide orgs
- Show specific Zeek/Bro examples that highlight the power of extending the Zeek/Bro paradigm - including simple actions such as being able to respond to Heartbleed after it is detected to then respond with a mitigation action to stop the behavior progressing through the kill-chain
- Highlight how this framework can be further extended for automation across a network of sensors and mitigation driven by orchestration tools - show how Zeek/Bro fits into orchestration tools including possible playbooks that are written for security operations that tie detection with automated mitigation
- Summarize the approach to extending Zeek/Bro and the value to security organizations
To defend against threat actors and their tactics, techniques, and procedures, organizations need to manually identify, create, and document prevention, mitigation, and remediation steps. These steps when grouped together into a course of action (COA) / playbook are used to protect systems, networks, data, and users. The problem is, once these steps have been created there is no standardized and structured way to document them, verify they were correctly executed, or easily share them across organizational boundaries and technology stacks.
This presentation introduces work underway by a group of interested industry companies to define a standard way to implement a playbook model for cybersecurity operations.
We’ll cover aspects of CACAO including:
- How playbooks are created and document COAs in a structured machine-readable format.
- How organizations perform attestation including verification and authentication on COAs and their playbooks.
- How sharing and distribution of COAs across organizational boundaries and technology stacks may include protocols, apis, interfaces and other related technology to support sharing across different vendors, organizations.
- How organizations can verify COA and playbook correctness prior to deployment.
- How organizations would monitor COA activity after successful deployment.
Learning objectives:
- An introduction to the requirements and issues that CACAO addresses specifically on cybersecurity response collaboration and orchestration
- The relationship of CACAO to other standards work (STIX2, OpenC2...etc) and proprietary mechanisms interplay (Cisco IOS, JunOS...etc)
- Practical examples on how CACAO would work and help organizations define standards-based cybersecurity response playbooks
- How either consuming organizations or vendors could engage to further define/improve the CACAO work