
BrandPost: Enhancing your cyber defense with Wazuh threat intelligence integrations


Cyber defense safeguards information systems, networks, and data from cyber threats through proactive security measures. It involves deploying strategies and technologies to protect against evolving threats that may cause harm to business continuity and reputation. These strategies include risk assessment and management, threat detection and incident response planning, and disaster recovery.

Threat Intelligence (TI) plays a crucial role in cyber defense by providing valuable insights from analyzing indicators of compromise (IoCs) such as domain names, IP addresses, and file hash values related to potential and active security threats. These IoCs enable organizations to identify threat actors’ tactics, techniques, and procedures, enhancing their ability to defend against potential attack vectors.

Threat intelligence helps security teams turn raw data into actionable insights, providing a deeper understanding of cyberattacks and enabling them to stay ahead of new threats. Some benefits of utilizing threat intelligence in an organization include:

  • More effective security: Threat Intelligence helps organizations prioritize security by understanding the most prevalent threats and their impact on their IT environments. This allows for effective resource allocation of personnel, technology, and budget.
  • Improved security posture: By understanding the evolving threat landscape, organizations can identify and address vulnerabilities in their systems before attackers can exploit them. This approach ensures continuous monitoring of current threats while anticipating and preparing for future threats.
  • Enhanced incident response: Threat intelligence provides valuable context about potential threats, allowing security teams to respond faster and more effectively. This helps organizations minimize downtime and possible damage to their digital assets.
  • Cost efficiency: Organizations can save money by preventing cyberattacks and data breaches through threat intelligence. A data breach can result in significant costs, such as repairing system damage, reduced productivity, and fines due to regulatory violations.

Wazuh is a free, open source security solution that offers unified SIEM and XDR protection across several platforms. It provides capabilities like threat detection and response, file integrity monitoring, vulnerability detection, security configuration assessment, and others. These capabilities help security teams swiftly detect and respond to threats in their information systems.

Wazuh provides out-of-the-box integrations with threat intelligence sources and tools such as VirusTotal, Maltiverse, AbuseIPDB, and YARA, and with CDB lists of known malicious IP addresses, domains, URLs, and file hashes. By mapping security events to the MITRE ATT&CK framework, Wazuh helps security teams understand how a detection aligns with known adversary techniques, and prioritize and respond to it accordingly. Additionally, users can build custom integrations with other platforms, allowing for a more tailored threat intelligence program.

The section below shows examples of Wazuh integrations with third-party threat intelligence solutions.

MITRE ATT&CK integration

MITRE ATT&CK is a continuously updated knowledge base of adversary tactics, techniques, and procedures (TTPs) observed across the attack lifecycle, and Wazuh supports it out of the box. Rules in the Wazuh ruleset carry the IDs of the ATT&CK techniques they detect in a <mitre> block, and the server resolves those IDs to technique names and tactics when it raises an alert. Users can write custom rules and tag them with the appropriate technique IDs in the same way. When an event on a monitored endpoint matches such a rule, the resulting alert appears on the Wazuh dashboard with its ATT&CK context, so security teams can see where in the attack lifecycle the event sits and respond accordingly.

Figure 1: MITRE ATT&CK tactics and techniques on the Wazuh dashboard

The out-of-the-box rule below (rule 5710 from the default sshd ruleset) fires when someone attempts to log in over SSH with a user that does not exist on the server. It matches the "Invalid user" message that sshd writes to the system log and inherits its context from the parent rule 5700, which groups all sshd messages.

  <rule id="5710" level="5">
    <if_sid>5700</if_sid>
    <match>illegal user|invalid user</match>
    <description>sshd: Attempt to login using a non-existent user</description>
    <mitre>
      <id>T1110.001</id>
      <id>T1021.004</id>
    </mitre>
    <group>authentication_failed,gdpr_IV_35.7.d,gdpr_IV_32.2,gpg13_7.1,hipaa_164.312.b,invalid_login,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_AU.6,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_10.6.1,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>

Where:

  • T1110.001 is the Password Guessing sub-technique of Brute Force (T1110), under the Credential Access tactic: repeated login attempts against accounts that do not exist are a typical sign of a password-guessing or credential-stuffing run.
  • T1021.004 is the SSH sub-technique of Remote Services (T1021), under the Lateral Movement tactic: the attempts arrive over SSH, the same service adversaries use to move between hosts once they hold valid credentials.

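
To make the rule's mechanics concrete, here is a small evaluator, added for this article and not Wazuh code, that loads rule 5710 exactly as printed above, runs it over constructed sshd log lines, and produces alerts carrying the MITRE technique IDs and their tactics. The syslog regex, the simplified parent rule 5700 (assumed here to group events whose program name is sshd), the sample log lines, and the embedded tactic names are all assumptions of the example; the real engine decodes events with its full decoder set and resolves tactics from its bundled MITRE database.

```python
"""Illustrative re-implementation of how rule 5710 fires and carries its MITRE
ATT&CK IDs into an alert. Added example, not Wazuh code. A regex stands in for
the syslog decoder, parent rule 5700 is a simplified stand-in (assumed: it
groups events whose program name is sshd), the log lines are constructed, and
tactic names are embedded because the Wazuh server resolves them from its
bundled MITRE database, which is not available offline.
"""
import re
import xml.etree.ElementTree as ET

RULES_XML = """
<group name="syslog,sshd,">
  <rule id="5700" level="0" noalert="1">
    <decoded_as>sshd</decoded_as>
    <description>SSHD messages grouped.</description>
  </rule>
  <rule id="5710" level="5">
    <if_sid>5700</if_sid>
    <match>illegal user|invalid user</match>
    <description>sshd: Attempt to login using a non-existent user</description>
    <mitre>
      <id>T1110.001</id>
      <id>T1021.004</id>
    </mitre>
    <group>authentication_failed,invalid_login,</group>
  </rule>
</group>
"""

# Constructed sample lines: one bad-user attempt, one good login, one unrelated event.
LOG_LINES = [
    "Mar  4 10:01:02 bastion sshd[2110]: Invalid user admin from 203.0.113.5 port 51234",
    "Mar  4 10:01:09 bastion sshd[2114]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2",
    "Mar  4 10:01:15 bastion cron[811]: (root) CMD (run-parts /etc/cron.hourly)",
]

TACTIC_BY_TECHNIQUE = {
    "T1110.001": "Credential Access",   # Brute Force: Password Guessing
    "T1021.004": "Lateral Movement",    # Remote Services: SSH
}

SYSLOG_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (?P<host>\S+) (?P<program>[^\[: ]+)(?:\[\d+\])?: (?P<msg>.*)$"
)


def parse_rules(xml_text):
    """Read the fields of each <rule> this evaluator understands, in file order."""
    rules = []
    for r in ET.fromstring(xml_text).iter("rule"):
        rules.append({
            "id": r.get("id"),
            "level": int(r.get("level", "0")),
            "noalert": r.get("noalert") == "1",
            "if_sid": (r.findtext("if_sid") or "").strip() or None,
            "decoded_as": (r.findtext("decoded_as") or "").strip() or None,
            "match": [m for m in (r.findtext("match") or "").split("|") if m],
            "description": (r.findtext("description") or "").strip(),
            "mitre": [i.text.strip() for i in r.findall("./mitre/id")],
            "groups": [g for g in (r.findtext("group") or "").split(",") if g],
        })
    return rules


def decode(line):
    """Stand-in for the syslog/sshd decoders: extract program name and message."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return {"program_name": m["program"], "message": m["msg"], "full_log": line}


def rule_matches(rule, event, fired):
    if rule["if_sid"] and rule["if_sid"] not in fired:
        return False          # parent rule has not fired for this event
    if rule["decoded_as"] and event["program_name"] != rule["decoded_as"]:
        return False
    # <match> is a substring test, '|' separates alternatives, and the comparison
    # is case-insensitive, which is why "invalid user" hits sshd's "Invalid user".
    if rule["match"]:
        hay = event["full_log"].lower()
        if not any(alt.lower() in hay for alt in rule["match"]):
            return False
    return True


def evaluate(line, rules):
    """Return the alerts one log line produces, each carrying its MITRE mapping."""
    event = decode(line)
    if event is None:
        return []
    fired, alerts = set(), []
    for rule in rules:        # parents precede children in the file, as in the ruleset
        if not rule_matches(rule, event, fired):
            continue
        fired.add(rule["id"])
        if rule["level"] > 0 and not rule["noalert"]:
            alerts.append({
                "rule_id": rule["id"],
                "level": rule["level"],
                "description": rule["description"],
                "mitre": [{"id": t, "tactic": TACTIC_BY_TECHNIQUE.get(t)} for t in rule["mitre"]],
                "groups": rule["groups"],
                "full_log": line,
            })
    return alerts


def run(lines=LOG_LINES):
    rules = parse_rules(RULES_XML)
    return [alert for line in lines for alert in evaluate(line, rules)]


if __name__ == "__main__":
    for alert in run():
        print(alert["rule_id"], alert["level"], alert["description"],
              [f"{m['id']} ({m['tactic']})" for m in alert["mitre"]])
```

Only the first sample line produces an alert: the successful login never matches the <match> string, and the cron line never reaches rule 5710 because its parent 5700 requires an sshd event. That parent/child dependency is the reason a custom rule that should only fire on SSH traffic should sit under 5700 (or another sshd rule) with <if_sid> rather than matching the raw text alone.
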
Figure 2: Alerts on the Wazuh dashboard showing MITRE ATT&CK techniques and tactics

YARA integration

YARA is an open source tool for identifying and classifying malware by matching files against textual and binary patterns. Wazuh integrates with YARA to scan files for known malicious signatures: the Wazuh File Integrity Monitoring (FIM) module reports file creation and modification on monitored endpoints, and an active response script then runs YARA against the changed file and reports any matching rule back to the Wazuh server as an alert.

Figure 3 shows the integration in action: Wazuh detects Kuiper ransomware on an infected Windows endpoint when the YARA scan matches the dropped file.

Figure 3: Kuiper ransomware detection using Wazuh and YARA integration.

VirusTotal integration

VirusTotal is a security platform that aggregates scan results from many antivirus engines and other threat intelligence artifacts about files, domains, IP addresses, and URLs. Wazuh integrates with the VirusTotal API to check the hashes of files flagged by FIM against those results, enhancing the speed and accuracy of malware detection.

For example, the Wazuh proof of concept guide shows how to detect and remove malware using VirusTotal integration.

The block below, in the Wazuh server configuration file /var/ossec/etc/ossec.conf, forwards FIM alerts to the VirusTotal integration: each time rule 550 (integrity checksum changed) or 554 (file added to the system) fires, the integration queries the VirusTotal API with the hash of the affected file, and the response is raised as a new alert (rule 87105 when at least one engine flags the file as malicious).

<ossec_config>
  <integration>
    <name>virustotal</name>
    <api_key><API_KEY></api_key> <!-- Replace with your VirusTotal API key -->
    <rule_id>554,550</rule_id>
    <alert_format>json</alert_format>
  </integration>
</ossec_config>
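
The same mechanism the VirusTotal integration relies on, the Wazuh integrator daemon handing each matching alert to a script, is what custom integrations build on. Below is an added example (not the page's code and not Wazuh's bundled VirusTotal script) of a custom integration in Python that takes a FIM alert, looks up its SHA-256 in a threat intelligence source and returns the verdict to the Wazuh server as a new event for custom rules to act on. Its assumptions are marked in the code: the argument order custom-<name> <alert_file> <api_key> <hook_url> and the 1:<name>:<json> queue framing follow the bundled integration scripts (verify both against the virustotal script shipped with your version), the feed is an inline table standing in for a real API call so the script runs offline, and the alert is constructed.

```python
"""Skeleton of a custom Wazuh integration that checks the hash in a FIM alert
against a threat-intelligence source and feeds the verdict back as a new event.
Added example: not the page's code and not Wazuh's bundled VirusTotal script.
Assumptions: integratord runs /var/ossec/integrations/custom-ti as
    custom-ti <alert_file> <api_key> <hook_url>
(the argument order the bundled scripts use), results go back to analysisd over
the queue socket in the '1:<name>:<json>' framing those scripts use, and the
lookup is an inline table standing in for the vendor API so it runs offline.
"""
import hashlib
import json
import socket
import sys

INTEGRATION = "custom-ti"
QUEUE_SOCKET = "/var/ossec/queue/sockets/queue"
FIM_RULES = {"550", "554"}   # 550: integrity checksum changed, 554: file added (same IDs as the VirusTotal block)

EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
EICAR_SHA256 = hashlib.sha256(EICAR).hexdigest()

# Constructed stand-in for a threat-intelligence feed: sha256 -> (engines flagging it, engines queried).
CONSTRUCTED_FEED = {EICAR_SHA256: (62, 70)}


def feed_lookup(sha256, api_key=None):
    """Offline lookup; a real integration would query the vendor API here with api_key."""
    return CONSTRUCTED_FEED.get(sha256.lower())


def should_handle(alert):
    """Only FIM add/modify alerts that carry a hash; deletions (rule 553) have none."""
    return (alert.get("rule", {}).get("id") in FIM_RULES
            and bool(alert.get("syscheck", {}).get("sha256_after")))


def enrich(alert, lookup=feed_lookup, api_key=None):
    """Build the event that custom rules will match on, or None if the alert is not ours."""
    if not should_handle(alert):
        return None
    sha256 = alert["syscheck"]["sha256_after"]
    hit = lookup(sha256, api_key)
    positives, total = hit if hit else (0, 0)
    return {
        "integration": INTEGRATION,
        "custom_ti": {
            "found": 1 if hit else 0,
            "malicious": 1 if positives > 0 else 0,
            "positives": positives,
            "total": total,
            "source": {"alert_id": alert.get("id"),
                       "file": alert["syscheck"]["path"],
                       "sha256": sha256},
        },
    }


def queue_message(payload, agent):
    """Frame the event for analysisd: manager-local (agent 000) events use
    '1:<name>:<json>'; agent events carry the agent id, name and IP in front."""
    body = json.dumps(payload)
    if agent.get("id", "000") == "000":
        return f"1:{INTEGRATION}:{body}"
    return f"1:[{agent['id']}] ({agent['name']}) {agent.get('ip', 'any')}->{INTEGRATION}:{body}"


def send_to_queue(message, path=QUEUE_SOCKET):
    """Hand the framed event to analysisd over its Unix datagram socket."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as s:
        s.connect(path)
        s.send(message.encode())


# Constructed FIM alert of the shape rule 554 produces (EICAR test file dropped in a web root).
SAMPLE_ALERT = {
    "id": "1710000000.12345",
    "rule": {"id": "554", "level": 5, "description": "File added to the system."},
    "agent": {"id": "001", "name": "web01", "ip": "10.0.0.21"},
    "syscheck": {"path": "/var/www/html/uploads/upload.php", "event": "added",
                 "sha256_after": EICAR_SHA256},
}


def main(argv):
    alert_file, api_key = argv[1], argv[2]       # argv[3] is hook_url, unused here
    with open(alert_file) as fh:
        alert = json.load(fh)
    payload = enrich(alert, api_key=api_key)
    if payload is not None:
        send_to_queue(queue_message(payload, alert.get("agent", {})))


if __name__ == "__main__":
    if len(sys.argv) >= 3:
        main(sys.argv)
    else:                                        # no arguments: show the framed event for the sample alert
        print(queue_message(enrich(SAMPLE_ALERT), SAMPLE_ALERT["agent"]))
```

Wazuh only runs integration scripts in /var/ossec/integrations whose file name starts with custom-, owned by root:wazuh and executable; the matching <integration> block names the script by that file name and lists the rule IDs that should trigger it, exactly as the VirusTotal block above does. Custom rules then match on the fields the script emits (integration equal to custom-ti, custom_ti.malicious equal to 1), in the same way the bundled rules in the 87100 range match the fields of the VirusTotal integration.
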

The command and active response blocks below, also in /var/ossec/etc/ossec.conf on the Wazuh server, register remove-threat.sh as an active response command and run it on the endpoint that raised the alert (location local) whenever rule 87105, the VirusTotal positive-match alert, fires. The script has to be present in the active response directory of the endpoint (/var/ossec/active-response/bin/ on Linux); it receives the triggering alert as JSON on its standard input, which is how it learns which file to remove.

<ossec_config>
  <command>
    <name>remove-threat</name>
    <executable>remove-threat.sh</executable>
    <timeout_allowed>no</timeout_allowed>
  </command>

  <active-response>
    <disabled>no</disabled>
    <command>remove-threat</command>
    <location>local</location>
    <rules_id>87105</rules_id>
  </active-response>
</ossec_config>
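
Because remove-threat.sh deletes whatever file the alert names, it is worth seeing how such a script should read its input and what it should refuse. The handler below is an added example in Python, not the remove-threat.sh from the Wazuh proof of concept and not Wazuh code. It follows the documented execd calling convention (the triggering alert arrives as one JSON object on standard input, with the file path under parameters.alert.data.virustotal.source.file) and adds the check the configuration above does not show: it only deletes regular files below a configured set of directories and refuses symlinks and path escapes, because the path is attacker-influenced data. The allowed directory and the constructed alert are assumptions of the example.

```python
"""Active-response handler for the VirusTotal positive-match rule (87105).

Added example: not the remove-threat.sh script the page refers to and not
Wazuh code. It follows the documented execd calling convention: the triggering
alert arrives as one JSON object on stdin, with the file path at
parameters.alert.data.virustotal.source.file. The allowed roots and the
constructed alert below are assumptions for the example.
"""
import json
import os
import sys

LOG_PATH = "/var/ossec/logs/active-responses.log"  # where Wazuh AR scripts log by convention


def extract_target(payload):
    """Return the file path named in a positive-verdict 'add' message, else None.

    With <timeout_allowed>no</timeout_allowed> execd sends only 'add', but a
    script should check the command rather than assume it."""
    try:
        msg = json.loads(payload)
    except (json.JSONDecodeError, TypeError):
        return None
    if not isinstance(msg, dict) or msg.get("command") != "add":
        return None
    alert = msg.get("parameters", {}).get("alert", {})
    vt = alert.get("data", {}).get("virustotal", {})
    # Compare as text so it works whether the field arrives as a number or a string.
    if str(vt.get("malicious", "0")) != "1":
        return None
    return vt.get("source", {}).get("file")


def is_safe_target(path, allowed_roots):
    """Only regular files below an allowed root; no symlinks, no '..' escapes.

    The path comes from the alert, so a blind os.remove() would let a planted
    or malformed alert turn the responder into an arbitrary file deleter."""
    if not path or not os.path.isabs(path) or os.path.islink(path):
        return False
    real = os.path.realpath(path)
    if not os.path.isfile(real):
        return False
    roots = [os.path.realpath(r) for r in allowed_roots]
    return any(os.path.commonpath([real, r]) == r for r in roots)


def handle(payload, allowed_roots, remover=os.remove):
    """Decide and act; returns a dict describing what happened, for logging and testing."""
    target = extract_target(payload)
    if target is None:
        return {"action": "skipped", "path": None,
                "reason": "not an 'add' command with a positive VirusTotal verdict"}
    if not is_safe_target(target, allowed_roots):
        return {"action": "refused", "path": target,
                "reason": "outside allowed roots, a symlink, or not a regular file"}
    try:
        remover(target)
    except OSError as exc:
        return {"action": "error", "path": target, "reason": str(exc)}
    return {"action": "removed", "path": target, "reason": "VirusTotal positive match"}


def build_payload(path, command="add"):
    """Construct an execd-style message (shape per the Wazuh active response docs)."""
    return json.dumps({
        "version": 1,
        "origin": {"name": "worker01", "module": "wazuh-analysisd"},
        "command": command,
        "parameters": {
            "extra_args": [],
            "alert": {"rule": {"id": "87105"},
                      "data": {"virustotal": {"malicious": "1",
                                              "source": {"file": path}}}},
            "program": "/var/ossec/active-response/bin/remove-threat",
        },
    })


def main():
    # The allowed roots are an assumption: set them to the directories FIM watches.
    result = handle(sys.stdin.read(), allowed_roots=("/root",))
    with open(LOG_PATH, "a") as log:
        log.write(f"remove-threat: {json.dumps(result)}\n")
    # Stateless command (timeout_allowed = no): no reply to execd is required.


if __name__ == "__main__":
    main()
```

Installed on the endpoint as an executable under /var/ossec/active-response/bin/, the script is referenced from the <command> block by its file name, as remove-threat.sh is above. Note what the refusal rule buys: a monitored directory that an attacker can write to is exactly where a symlink named like a dropped file might point at something the responder should never touch, and the realpath check keeps the deletion inside the directories the operator chose.
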

The figure below shows the detection and response alerts on the Wazuh dashboard.

Figure 4: VirusTotal alert on the Wazuh dashboard

Wazuh is a free and open source SIEM and XDR platform with many out-of-the-box capabilities that provide security across workloads in cloud and on-premises environments. Integrating Wazuh with threat intelligence feeds and platforms such as YARA, VirusTotal, and Maltiverse enhances its threat detection and response capabilities.

Learn more about Wazuh by exploring our documentation and joining our professional community.

Copyright © 2024 IDG Communications, Inc.


