Enhancing detection with MITRE ATT&CK framework

Created by the MITRE Corporation, MITRE ATT&CK is an acronym that stands for MITRE Adversarial Tactics, Techniques, and Common Knowledge. It is a globally accessible knowledge base of observed real-world threat actor actions and behavior. The MITRE ATT&CK framework describes 14 tactics and several techniques that security analysts can use to identify attacks in progress. MITRE uses IDs to reference the tactic or technique employed by an adversary.

The Wazuh integration with MITRE ATT&CK framework is provided through an out-of-the-box module on the Wazuh dashboard. It allows users to map alerts generated by Wazuh to specific tactics and techniques. This gives security teams a better understanding of the nature of the threats they are facing and helps them develop effective mitigation strategies.

The Wazuh MITRE ATT&CK module is accessible under the THREAT DETECTION AND RESPONSE section of the main page of the Wazuh dashboard. It is shipped with various functionalities to help enhance your threat detection.

The Wazuh MITRE ATT&CK module

Intelligence

The Intelligence tab includes information about known threat actors or groups that have been observed using particular Tactics, Techniques, and Procedures (TTPs). It also provides any relevant indicators of compromise (IOCs) or mitigations that can be used to detect or prevent attacks leveraging the TTPs.

Additionally, it contains links to relevant external sources such as MITRE ATT&CK pages, blog posts, and white papers that provide detailed information about each TTP.

Intelligence tab

Framework

The Framework tab of the Wazuh MITRE ATT&CK module provides a high-level overview of the tactics and techniques occurring in endpoints monitored by the Wazuh server. This tab enables users to filter and search for specific tactics and techniques, and quickly view which endpoints these events occurred on. You can use this functionality to identify vulnerable areas in your environment.

Framework tab

Dashboard

This tab provides an overview of the current state of your infrastructure with respect to known adversarial Tactics, Techniques, and Procedures (TTPs) in the MITRE ATT&CK framework. The dashboard displays key indicators such as the total number of events, alerts, and a summary of the top 10 TTPs detected within your environment. These indicators can be used to assess the effectiveness of existing security controls and identify areas that may require further attention. Additionally, you can customize the dashboard to display specific metrics that are most relevant to your organization's security posture.

Dashboard tab

Events

This tab provides detailed information about each event that has been detected within your environment. It includes their correlation to specific TTPs as defined by the MITRE ATT&CK framework. The information shown in this tab is particularly useful for security teams who need to investigate suspicious activity. It allows them to drill down into the details of individual events and assess their potential impact on an environment.

You can filter the events based on various criteria such as severity, event type, and detection method, and also sort them by different fields to locate relevant information quickly. Additionally, the tab provides access to additional details, such as the full event log message and any related alerts that may have been generated in response to the event.

Events tab

Customization

The Wazuh MITRE ATT&CK module also supports a range of customization options. For example, users can define custom mappings between Wazuh alerts and specific tactics and techniques, allowing them to tailor the module to their unique needs and requirements.

Customization example

Wazuh has out-of-the-box detection rules that are mapped to the relevant MITRE IDs. However, to use Wazuh with MITRE ATT&CK for threat hunting, you can configure custom rules and assign to each one the MITRE ATT&CK IDs of the techniques involved in the attack it detects.

For this example, we require the following infrastructure:

  Endpoint        Example description
  Wazuh server    You can download the Wazuh OVA or install it using the installation guide.
  Kali Linux      This is the attacker endpoint. We use it to perform brute-force attacks against the monitored Ubuntu endpoint.
  Ubuntu 22.04    We perform SSH brute-force attacks against this victim endpoint. It is required to have an SSH server installed and enabled on this endpoint.

Wazuh server

  1. Append the following rules to the /var/ossec/etc/rules/local_rules.xml file:

    <group name="local,syslog,sshd,">
    
      <rule id="100002" level="5">
        <if_sid>5710</if_sid>
        <description>sshd: authentication failed from $(srcip).</description>
        <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
      </rule>
    
      <rule id="100003" level="10" frequency="8" timeframe="120" ignore="60">
        <if_matched_sid>100002</if_matched_sid>
        <description>sshd: brute force trying to get access to the system.</description>
        <same_srcip />
        <mitre>
          <id>T1110</id>
        </mitre>
      </rule>
    
    </group>
    

    Rule 100003 above creates an alert when eight (8) failed SSH authentication events (rule 100002) occur on a monitored endpoint from the same source IP address within the 120-second timeframe. It is mapped to the MITRE ATT&CK ID T1110, which identifies the brute force technique.

    When the rule triggers, the alert contains information about the MITRE ATT&CK ID T1110.

  2. Restart the Wazuh manager service to apply the changes:

    $ sudo systemctl restart wazuh-manager.service
    

Kali endpoint

Perform the following steps on the Kali Linux endpoint to launch the brute-force attack.

  1. Create a text file, pass_list.txt, with six (6) random passwords in the /tmp/ directory using the following command:

    $ cat > /tmp/pass_list.txt << EOF
    X9#fGvK5mZ
    tR3@LdN6xY
    sP7#hJ8kQz
    cF2!nB6jWx
    dH5#tK9lMq
    zT6$fR9pXs
    bG8!mY7wQz
    nE4&tU2cPq
    gA1%pD3iSx
    vW2!rC5oLm
    EOF
    
  2. Launch the brute-force attack against the Ubuntu endpoint’s SSH service using the following command while replacing <UBUNTU_IP> with the IP address of the Ubuntu endpoint:

    $ sudo hydra -l attacker -P /tmp/pass_list.txt <UBUNTU_IP> ssh
    

Visualize the alerts

We use filters on the Security Module > MITRE ATT&CK > Events tab of the Wazuh dashboard to query for specific MITRE IDs, tactics, or techniques, as shown in the figure below.

Events filters

Expand the rule ID 100003 alert to view the MITRE ID T1110 information.

MITRE ID T1110 information

Click on the JSON tab to view the details of the alert in JSON format:

{
  "agent": {
    "ip": "192.168.121.78",
    "name": "Ubuntu-22",
    "id": "003"
  },
  "data": {
    "srcuser": "attacker",
    "srcip": "192.168.121.127",
    "srcport": "34890"
  },
  "rule": {
    "firedtimes": 1,
    "mail": false,
    "level": 10,
    "description": "sshd: brute force trying to get access to the system.",
    "groups": [
      "local",
      "syslog",
      "sshd"
    ],
    "mitre": {
      "technique": [
        "Brute Force"
      ],
      "id": [
        "T1110"
      ],
      "tactic": [
        "Credential Access"
      ]
    },
    "id": "100003",
    "frequency": 8
  },
  "full_log": "May 22 10:40:41 ubuntu2204 sshd[2908]: Invalid user attacker from 192.168.121.127 port 34890",
  "id": "1684752043.76892",
  "timestamp": "2023-05-22T10:40:43.395+0000",
  "predecoder": {
    "hostname": "ubuntu2204",
    "program_name": "sshd",
    "timestamp": "May 22 10:40:41"
  },
  "previous_output": "May 22 10:40:41 ubuntu2204 sshd[2909]: Invalid user attacker from 192.168.121.127 port 34892\nMay 22 10:40:41 ubuntu2204 sshd[2905]: Invalid user attacker from 192.168.121.127 port 34884\nMay 22 10:40:41 ubuntu2204 sshd[2904]: Invalid user attacker from 192.168.121.127 port 34880\nMay 22 10:40:41 ubuntu2204 sshd[2912]: Invalid user attacker from 192.168.121.127 port 34898\nMay 22 10:40:41 ubuntu2204 sshd[2906]: Invalid user attacker from 192.168.121.127 port 34886\nMay 22 10:40:41 ubuntu2204 sshd[2903]: Invalid user attacker from 192.168.121.127 port 34881\nMay 22 10:40:41 ubuntu2204 sshd[2907]: Invalid user attacker from 192.168.121.127 port 34888",
  "manager": {
    "name": "centos7"
  },
  "decoder": {
    "parent": "sshd",
    "name": "sshd"
  },
  "input": {
    "type": "log"
  },
  "@timestamp": "2023-05-22T10:40:43.395Z",
  "location": "/var/log/auth.log",
  "_id": "_H4MQ4gBagiVP1CbE_oe"
}

The alerts display the MITRE ATT&CK ID and its associated tactics and techniques. This helps users quickly understand the nature of the attack and take appropriate actions.
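To make the correlation behind rule 100003 concrete, the following Python script (an added example, not Wazuh code) reimplements its frequency="8", timeframe="120", ignore="60" and <same_srcip /> semantics over constructed sshd "Invalid user" lines and emits alerts shaped like the JSON above. The timestamps, process IDs and the second source IP are constructed; resetting the counter after an alert is a simplification of the real engine.

```python
import re
from collections import defaultdict, deque

# Constructed sshd lines shaped like the page's full_log; not real traffic.
ATTACKER_IP = "192.168.121.127"
SAMPLE_LOG = [
    f"May 22 10:40:41 ubuntu2204 sshd[{2900 + i}]: Invalid user attacker "
    f"from {ATTACKER_IP} port {34880 + i}" for i in range(9)
] + ["May 22 10:40:42 ubuntu2204 sshd[2950]: Invalid user bob from 10.0.0.5 port 40000"]
SAMPLE_TIMES = list(range(10))  # epoch seconds, one event per second (constructed)

# Mirrors rule 100003: frequency="8" timeframe="120" ignore="60" <same_srcip />
FREQUENCY, TIMEFRAME, IGNORE = 8, 120, 60
# Mirrors the sshd "Invalid user" match (rule 5710) that feeds rule 100002
FAILED_RE = re.compile(r"Invalid user (?P<srcuser>\S+) from (?P<srcip>\S+) port (?P<srcport>\d+)")

def correlate(lines, times):
    """Return the T1110-tagged alerts rule 100003 would raise over (lines, times).
    times[i] is the epoch-second timestamp of lines[i]."""
    window = defaultdict(deque)  # srcip -> (ts, line) of failures inside the timeframe
    silenced = {}                # srcip -> time until which repeat alerts are ignored
    alerts = []
    for ts, line in zip(times, lines):
        m = FAILED_RE.search(line)
        if not m:
            continue                       # rule 100002 did not match; nothing to count
        ip = m.group("srcip")
        q = window[ip]                     # <same_srcip />: one counter per source IP
        q.append((ts, line))
        while ts - q[0][0] > TIMEFRAME:    # timeframe="120": forget older failures
            q.popleft()
        if len(q) < FREQUENCY or silenced.get(ip, -1) >= ts:
            continue                       # not yet frequency="8", or inside ignore="60"
        silenced[ip] = ts + IGNORE
        alerts.append({
            "rule": {"id": "100003", "level": 10, "frequency": FREQUENCY,
                     "mitre": {"id": ["T1110"], "tactic": ["Credential Access"],
                               "technique": ["Brute Force"]}},
            "data": {"srcip": ip, "srcuser": m.group("srcuser"),
                     "srcport": m.group("srcport")},
            "full_log": line,
            "previous_output": "\n".join(l for _, l in list(q)[:-1]),
        })
        q.clear()                          # simplification: restart the count after an alert
    return alerts

if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG, SAMPLE_TIMES):
        print(a["rule"]["mitre"]["id"], a["data"]["srcip"], a["full_log"])
```

The same nine failures spread 100 seconds apart produce no alert, which is the timeframe doing its job rather than the raw count.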