Threat searching is the method of searching for malicious exercise and its artifacts in a pc system or community. Threat searching is carried out intermittently in an surroundings no matter whether or not or not threats have been found by automated safety options. Some menace actors might keep dormant in a corporation’s infrastructure, extending their entry whereas ready for the correct alternative to take advantage of found weaknesses.
Therefore you will need to carry out menace searching to establish malicious actors in an surroundings and cease them earlier than they obtain their final aim.
To successfully carry out menace searching, the menace hunter should have a scientific method to emulating attainable adversary habits. This adversarial habits determines what artifacts will be looked for that point out ongoing or previous malicious exercise.
MITRE ATT&CK
Over the years, the safety group has noticed that menace actors have generally used many ways, methods, and procedures (TTPs) to infiltrate and pivot throughout networks, elevate privileges, and exfiltrate confidential knowledge. This has led to the event of assorted frameworks for mapping the actions and strategies of menace actors. One instance is the MITRE ATT&CK framework.
MITRE ATT&CK is an acronym that stands for MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK). It is a well-documented data base of real-world menace actor actions and behaviors. MITRE ATT&CK framework has 14 ways and plenty of methods that establish or point out an assault in progress. MITRE makes use of IDs to reference the tactic or approach employed by an adversary.
The Wazuh unified XDR and SIEM platform
Wazuh is an open supply unified XDR and SIEM platform. The Wazuh resolution is made up of a single common agent that’s deployed on monitored endpoints for menace detection and automatic response. It additionally has central elements (Wazuh server, indexer, and dashboard) that analyze and visualize the safety occasions knowledge collected by the Wazuh agent. It protects on-premises and cloud workloads.
 |
| Figure 1: Wazuh safety occasion dashboard |
Threat searching with Wazuh
Threat hunters use varied instruments, processes, and strategies to seek for malicious artifacts in an surroundings. These embody however will not be restricted to utilizing instruments for safety monitoring, file integrity monitoring, and endpoint configuration evaluation.
Wazuh provides sturdy capabilities like file integrity monitoring, safety configuration evaluation, menace detection, automated response to threats, and integration with options that present menace intelligence feeds.
Wazuh MITRE ATT&CK module
Wazuh comes with the MITRE ATT&CK module out-of-the-box and menace detection guidelines mapped in opposition to their corresponding MITRE approach IDs. This module has 4 elements that are:
a. The intelligence element of the Wazuh MITRE ATT&CK module: Contains detailed details about menace teams, mitigation, software program, ways, and methods utilized in cyber assaults. This element helps menace hunters to establish and classify completely different TTPs that adversaries use.
 |
| Figure 2: Wazuh MITRE ATT&CK Intelligence |
b. The framework element of the Wazuh MITRE ATT&CK module: Helps menace hunters slender down threats or compromised endpoints. This element makes use of particular methods to see all of the occasions associated to that approach and the endpoints the place these occasions occurred.
 |
| Figure 3: Wazuh MITRE ATT&CK framework |
c. The dashboard element of the MITRE ATT&CK module: Helps to summarize all occasions into charts to help menace hunters in having a fast overview of MITRE associated actions in an infrastructure.
 |
| Figure 4: Wazuh MITRE ATT&CK dashboard |
d. The Wazuh MITRE ATT&CK occasions element: Displays occasions in real-time, with their respective MITRE IDs, to higher perceive every reported alert.
 |
| Figure 5: Wazuh MITRE ATT&CK occasions |
Wazuh guidelines and decoders
Wazuh has out-of-the-box guidelines and decoders to parse safety and runtime knowledge generated from completely different sources. Wazuh helps guidelines for various applied sciences (e.g., Docker, CISCO, Microsoft Exchange), which have been mapped to their acceptable MITRE IDs. Users can even create customized guidelines and decoders and map every rule with its acceptable MITRE tactic or approach. This weblog publish exhibits an instance of leveraging MITRE ATT&CK and Wazuh customized guidelines to detect an adversary.
Security Configuration Assessment (SCA) module
The Wazuh SCA module performs periodic scans in endpoints to detect system and software misconfigurations. It can be used to scan for indicators of compromise, like malicious recordsdata and folders which have been created by malware. Analyzing software program inventories, companies, misconfigurations, and modifications within the configuration on an endpoint may help menace hunters detect assaults underway.
 |
| Figure 6: Wazuh SCA dashboard |
Integration with menace intelligence options
Due to its open supply nature, Wazuh supplies a chance to combine with menace intelligence APIs and different safety options. Wazuh integrates with open supply menace intelligence platforms like Virustotal, URLHaus, MISP, and AbuseIPDB to call just a few. Depending on the combination, related alerts seem within the Wazuh dashboard. Specific info, corresponding to IP addresses, file hashes, and URLs, will be queried utilizing filters on the Wazuh dashboard.
File integrity monitoring
File integrity monitoring (FIM) is used to watch and audit delicate recordsdata and folders on endpoints. Wazuh supplies an FIM module that displays and detects modifications in specified directories or recordsdata on an endpoint’s filesystem. The FIM module can even detect when recordsdata launched to endpoints match hashes of recognized malware.
Wazuh archives
Wazuh archives will be enabled to gather and retailer all safety occasions ingested from monitored endpoints. This function assists menace hunters by offering them with knowledge that can be utilized to create detection guidelines and keep forward of menace actors. Wazuh archives are additionally useful in assembly regulatory compliance the place audit log historical past is required.
Conclusion
The MITRE ATT&CK framework helps to correctly classify and establish threats in accordance with found TTPs. Wazuh makes use of its devoted MITRE ATT&CK elements to show details about how safety knowledge from endpoints correspond to TTPs. The menace searching capabilities of Wazuh assist cybersecurity analysts to detect obvious cyber assaults in addition to underlying compromises to infrastructure.
Wazuh is a free and open supply platform that can be utilized by organizations with cloud and on-premises infrastructure. Wazuh has one of many fastest-growing open supply group on this planet, the place studying, discussions, and assist is obtainable at zero price. Check out this documentation to get began with Wazuh.