Automating Open-Source Zeek (Bro) for Threat Mitigation and Response

This presentation describes how a common open-source tool Zeek (Bro) that has been used, until today, primarily for threat detection can be extended to provide threat response including mitigation of attacks including those aspects that can be tied to the MITRE ATT&CK framework. 

Today Zeek/Bro has a large open-source and active community that contributes using Zeek/Bro scripts that include detecting attacks such as Heartbleed and many other behavioral (TTP) based detections. This presentation will have the following structure:

1. Introduction to Zeek/Bro event-based detection techniques including behavioral detection aspects
2. Show those detection techniques can be applied to MITRE ATT&CK framework to provide the audience with a common taxonomy on what Zeek/Bro does
3. Introduction how Zeek/Bro event-based programming model can be extended for threat mitigation and response and what the benefits of those extensions would provide orgs
4. Show specific Zeek/Bro examples that highlight the power of extending the Zeek/Bro paradigm - including simple actions such as being able to respond to Heartbleed after it is detected to then respond with a mitigation action to stop the behavior progressing through the kill-chain
5. Highlight how this framework can be further extended for automation across a network of sensors and mitigation driven by orchestration tools - show how Zeek/Bro fits into orchestration tools including possible playbooks that are written for security operations that tie detection with automated mitigation
6. Summarize the approach to extending Zeek/Bro and the value to security organizations