How to Find Lateral Movement and Reduce Dwell Times with Zeek, MITRE ATT&CK™ and the BZAR project

On-Demand Webcast


2019-09-LP-WB-Lateral Movement Mitre BZAR

Presented by Corelight & the MITRE Corporation

Many organizations have strong perimeter defenses, but poor internal traffic visibility. This allows adversaries to move unseen for weeks or months once inside a network as long as they avoid tripping endpoint alarms. Defensively, this is akin to a bank only placing CCTV cameras at the bank’s entrance and hoping that thieves who slip in set off the tripwires in the vault.

To spot lateral movement you first need to instrument the network to illuminate internal east-west traffic. The open-source Zeek network security monitor (formerly called ‘Bro’) excels at this task, transforming raw traffic into rich, protocol-comprehensive logs that let security teams and their tools quickly make sense of what is happening. Next, you need to understand lateral movement techniques and develop corresponding discovery strategies. The MITRE ATT&CK™ framework offers a detailed inventory of such techniques, like Remote File Copy and Windows Admin Shares.

You can then turn those strategies into detections, since Zeek also includes a Turing-complete scripting language for writing custom detection and monitoring logic. In fact, MITRE recently released its own Zeek package to the open-source community, the Bro/Zeek ATT&CK-based Analytics and Reporting (BZAR) project, which can help uncover lateral movement techniques in SMB and DCE-RPC traffic. Tune into this webcast to learn from world-class security operators as they dig into Zeek and the MITRE ATT&CK framework, demonstrate BZAR, and walk through other step-by-step examples of how you can turn the tables on adversaries and reduce attacker dwell times through lateral movement discovery.

Watch this webcast to learn:

  • About the spectrum of lateral movement techniques used by attackers
  • How MITRE’s Zeek BZAR package can detect SMB and DCE-RPC-based lateral movement
  • How to threat hunt for lateral movement using Zeek logs
  • And more...


Mark Fernandez

Cybersecurity Engineer, MITRE Corporation

Mark Fernandez is a lead cybersecurity engineer at The MITRE Corporation. Mark has developed a variety of open-source projects for the Bro/Zeek Network Security Monitor, including a protocol analyzer to parse the Internet Content Adaptation Protocol (ICAP), which he presented at BroCon 2016, and another protocol analyzer to parse the Gh0st malware command and control (C2) protocol, which was presented at BroCon 2017 (by a MITRE colleague). His newest project uses Bro/Zeek to detect adversary behaviors based on MITRE ATT&CK, specifically in the tactical categories of execution, persistence, defense evasion, credential access, discovery, and lateral movement.

Mathias Fuchs

Head of Investigation & Intelligence, InfoGuard AG

"Renaissance man" may be the most fitting description of SANS instructor Mathias Fuchs, who is the Head of Investigation & Intelligence at the Swiss firm InfoGuard AG as well as a volunteer paramedic and a pilot. Mathias began his career teaching Linux administration and general IT security and quickly moved into penetration testing and red teaming.

James Schweitzer

East and Federal SE Director, Corelight

James Schweitzer is the East and Federal SE Director at Corelight. Previously, he worked at The MITRE Corporation in the security center for over a decade supporting multiple US Government agencies. James is a graduate of Virginia Tech and The George Washington University.

Jean Schaffer

Federal Chief Technology Officer, Corelight

Jean Schaffer is an experienced professional in cybersecurity, information assurance, and IT operations. She recently retired from the Intelligence Community after 33+ years of public service, 15 of them at the SES level. Jean brings technical expertise, an understanding of the IC/DoD, and a wealth of experience.