2. Agenda
• A day in the life of a Security Analyst
• Writing attack behavior security plugins
- Why MITRE?
- Integrating MITRE intelligence into a plugin
- Other classification techniques
• Pipeline to Pipeline and debug tools
• Demo
• About empow & our contributions
3. A Day in the Life of a Security Analyst
• Onboarding of new data sources is too slow
• The average security team sees hundreds of alerts per day
• Over 95% are false alerts
• Analysts need to write a correlation rule for each attack - takes 7-10 minutes each
• Security analysts often triage less than 10% of incoming alerts*
* Source: DarkReading
4. The Motivation Behind MITRE
• Provides analysts with a common, widely used security language
• Tactics represent the “why” of an ATT&CK technique: the reason for performing an action
Examples: Credential Access, Discovery
• Techniques represent “how” an adversary achieves a tactical objective by performing an action
Example: Dump credentials to gain access to useful credentials
• Techniques may also represent the “what”: what type of information an adversary is after
Examples: Security Software Discovery, System Network Configuration Discovery
7. Security Alert: What’s the value for the Analyst?
• Name: TROJ_BAYROB.SM1
• Hash: 9c18ce5aa22a4c95…
• Technique: Input capture
• Tactic: Credential access
• Detection: Found locally
Search for Cause & Identify Effect
PAST: Root cause? (cause techniques)
• Spear phishing
• Drive by
• …
FUTURE: What next? Who next? (effect techniques, Performer / Victim)
• Brute force
• Valid accounts
• …
Know What to Look For
8. Integrating MITRE intel into The Plugin
<33>1 2019-12-11T17:13:07Z - ProofpointTAP - CLKPER [tapclk@21139 clickTime="2019-12-11T17:13:07Z"
threatTime="2019-12-16T11:35:18Z" class="phish" recipient="ljlamkin@ou.edu"
sender="magnus@thorstenn.com" senderIP="40.107.220.74" GUID="zSlyF5mZAoH9cAdocUE701V8cxXWzIyR"
url="https://thorstenn.box.com/s/2yjenq1szqjt5tkowa8bxegesiyqc263"
threatURL="https://threatinsight.proofpoint.com/ad9c1e33-d473-d6e4-190a-63e898072eea/threat/email/...
• Different values within the log provide clues that help determine the technique and tactic.
• The event category and the url field specify that this is a Spearphishing Link, rather than a Spearphishing Attachment or Spearphishing via Service.
9. Integrating MITRE intel into The Plugin
Apr 8 17:40:56 shany-ubuntu ossec: Alert Level: 5; Rule: 594 - Registry Integrity Checksum Changed; Location:
(Win7) 192.168.22.137->syscheck-registry; classification: ossec,syscheck,; Previous MD5:
'ebf429b416ecc9bf7f891eeff875f9a5'; Current MD5: '64733e46f6a89f934d048af17cac9cf5'; …..; Integrity checksum
changed for: 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
• A rule name is generally a good indicator to decipher the technique and tactic
• This specific event is NOT a simple “Modify Registry” technique (Defense Evasion tactic), because the registry key itself guides us towards a more specific technique: Registry Run Keys / Startup Folder (Persistence tactic).
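The two classifications described on slides 8 and 9, written out as an added Ruby example (Logstash's own language). This is illustrative code, not empow's plugin repository: the two log lines are constructed to mirror the ones on the slides with the recipient, sender, host and URL replaced by placeholder values, and the choice to treat the `CLK*` event categories as "a URL was clicked" and to match `CurrentVersion\Run` / `RunOnce` as autostart keys are assumptions about how such a rule would be written.

```ruby
# Added example, not code from empow's plugin repository: map a Proofpoint TAP
# click log and an OSSEC registry alert to a MITRE ATT&CK technique and tactic.

# Constructed Proofpoint TAP line, modelled on the slide (addresses/URL are placeholders).
PROOFPOINT_LINE = '<33>1 2019-12-11T17:13:07Z - ProofpointTAP - CLKPER [tapclk@21139 ' \
                  'clickTime="2019-12-11T17:13:07Z" class="phish" recipient="user@example.com" ' \
                  'sender="sender@example.net" url="https://example.org/s/abc123"]'

# Constructed OSSEC syscheck-registry line, modelled on the slide.
OSSEC_LINE = "Apr 8 17:40:56 host ossec: Alert Level: 5; Rule: 594 - Registry Integrity Checksum Changed; " \
             "Location: (Win7) 192.0.2.10->syscheck-registry; Integrity checksum changed for: " \
             "'HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run'"

# Collect key="value" pairs from the structured-data part of a syslog line.
def parse_sd_params(line)
  line.scan(/(\w+)="([^"]*)"/).to_h
end

# Proofpoint TAP: the event category (CLKPER/CLKBLK = a clicked URL; an assumption
# of this example) together with class="phish" identifies Spearphishing Link rather
# than Spearphishing Attachment or Spearphishing via Service.
def classify_proofpoint(line)
  category = line[/ProofpointTAP - (\w+) \[/, 1]
  params   = parse_sd_params(line)
  return nil unless params['class'] == 'phish'
  return nil unless category&.start_with?('CLK') && params.key?('url')
  { technique: 'Spearphishing Link', tactic: 'Initial Access',
    performer: params['sender'], victim: params['recipient'], url: params['url'] }
end

# Registry paths that mean autostart persistence; tolerant of the backslash
# separator being dropped, as happens when logs are copied around.
RUN_KEY = /CurrentVersion\\?Run(Once)?\b/i

# OSSEC: the rule name gives the coarse technique, the registry key refines it.
def classify_ossec(line)
  rule = line[/Rule: \d+ - ([^;]+);/, 1]
  return nil unless rule&.match?(/Registry/i)
  key = line[/Integrity checksum changed for: '\s*([^']+)'/, 1]
  if key&.match?(RUN_KEY)
    { technique: 'Registry Run Keys / Startup Folder', tactic: 'Persistence', key: key }
  else
    { technique: 'Modify Registry', tactic: 'Defense Evasion', key: key }
  end
end

if __FILE__ == $PROGRAM_NAME
  puts classify_proofpoint(PROOFPOINT_LINE).inspect
  puts classify_ossec(OSSEC_LINE).inspect
end
```

The Proofpoint classifier also carries the sender and recipient through as performer and victim, which is the "who next?" information slide 7 asks for; in a real Logstash filter the same logic would sit in a ruby filter or a set of conditionals after the kv/grok stage.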
10. What if there is NO Data For MITRE Classification?
Malware Alert Log (Trend Micro):
• Name: TROJ_BAYROB.SM1
• Hash: 9c18ce5aa22a4c95…
• Description: Malware/Trojan!
After ECS normalization the technique and tactic are still unknown:
• Name: TROJ_BAYROB.SM1
• Hash: 9c18ce5aa22a4c95…
• Technique: ???
• Tactic: ???
• Detection: Found locally
Threat Intelligence Feeds lookup: [Name: TROJ_BAYROB.SM1 ; Hash: 9c18ce5aa22a4c95…]
Microsoft threat description:
This threat can steal your user-names and passwords.
It can arrive on your PC as a malicious spam email attachment.
Checkpoint threat description:
Trojan which gathers passwords and system information or settings…
Some versions of this malware collect keystrokes…and spreads via
spam mail attachments or malicious websites.
NLP Classification of these descriptions yields the technique: Input capture
Advanced Enrichment result:
• Name: TROJ_BAYROB.SM1
• Hash: 9c18ce5aa22a4c95…
• Technique: Input capture
• Tactic: Credential access
• Detection: Found locally
From here the analyst can search for the past cause and the future effects.
11. Security Logs Logstash Plugins Open Source Repository
• Parsing and analyzing logs may become quite a Sisyphean task
• Each vendor has its own log format
• Each log contains different values and fields
• Extracting and normalizing these values may require a lot of effort and expertise
• empow’s plugin repository is an open-source project containing a set of Logstash plugins for different products and vendors
• Aligned with the ECS format
• Contains internal and optionally external threat-intel-based enrichment
- Internal – using logic that is part of the parser
- External – using empow’s classification center (can be used for free with registration)
• Uses the benefits of Logstash pipeline-to-pipeline technology
12. Pipeline to pipeline
• Introduced in Logstash 6.7
• Makes it easy to write, maintain, and manage a set of LS parsers
• Each parser has specific functionality that can be reused
• Changing, updating, adding, or deleting some functionality can be done easily
• empow’s pipeline-to-pipeline structure consists of:
- Input – receives the logs from the various inputs and dispatches them to the actual per-product parser
- Per-product parser – analyzes and normalizes the logs
- Enrichment – optional parser that enriches logs (e.g. with external NLP-based threat intel classification)
- Output – emits the normalized and analyzed logs
Diagram: Fortinet, Snort, Symantec and Carbon Black logs arrive on a single port (virtual input), are dispatched to the per-product parsers, pass through the empow NLP classifier, and reach the elastic output.
13. Pipeline Viewer - Preventing Pipeline-to-Pipeline Misconfigurations
• While using pipeline-to-pipeline technology simplifies parser development, it requires manual configuration
• This may lead to misconfiguration problems which may be difficult to find:
- Broken pipeline connectivity
- Cycles
- Etc.
• empow’s open-source pipeline viewer is a simple tool that:
- Shows the current multi-pipeline structure
- Detects and displays common configuration problems
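The structure from slide 12 and the checks from slide 13, as an added Ruby example. This is not empow's pipeline viewer; it is illustrative code that builds the pipeline-to-pipeline graph from the real Logstash `pipeline { address => ... }` input and `pipeline { send_to => [...] }` output options and then reports broken connectivity, cycles and orphaned addresses. The five pipeline configs are constructed for the example (one of them deliberately sends to a misspelled address); the pipeline ids, ports and hosts are placeholders.

```ruby
# Added example, not empow's pipeline viewer: build the pipeline-to-pipeline
# graph from a set of Logstash pipeline configs and report the misconfigurations
# the slide lists (broken connectivity, cycles) plus orphaned addresses.

# Constructed configs keyed by pipeline id (the ids you would list in pipelines.yml).
# 'snort-parser' deliberately sends to a misspelled address.
PIPELINE_CONFIGS = {
  'input' => <<~CONF,
    input  { tcp { port => 5514 } }
    filter { if "fortinet" in [message] { mutate { add_tag => ["fortinet"] } } }
    output {
      if "fortinet" in [tags] { pipeline { send_to => ["fortinet-parser"] } }
      else                    { pipeline { send_to => ["snort-parser"] } }
    }
  CONF
  'fortinet-parser' => <<~CONF,
    input  { pipeline { address => "fortinet-parser" } }
    filter { kv { source => "message" } }
    output { pipeline { send_to => ["enrichment"] } }
  CONF
  'snort-parser' => <<~CONF,
    input  { pipeline { address => "snort-parser" } }
    output { pipeline { send_to => ["enrichmnet"] } }
  CONF
  'enrichment' => <<~CONF,
    input  { pipeline { address => "enrichment" } }
    output { pipeline { send_to => ["elastic-output"] } }
  CONF
  'elastic-output' => <<~CONF
    input  { pipeline { address => "elastic-output" } }
    output { elasticsearch { hosts => ["localhost:9200"] } }
  CONF
}

# Extract the addresses each pipeline listens on and the addresses it sends to.
def build_graph(configs)
  configs.map do |id, conf|
    listens = conf.scan(/address\s*=>\s*"([^"]+)"/).flatten
    sends   = conf.scan(/send_to\s*=>\s*(\[[^\]]*\]|"[^"]+")/).flatten
                  .flat_map { |v| v.scan(/"([^"]+)"/).flatten }
    [id, { addresses: listens, sends_to: sends }]
  end.to_h
end

# Depth-first search over pipeline ids; a back edge to a node still on the
# current path is a cycle, which would make events loop forever.
def find_cycles(edges)
  state  = Hash.new(:white)
  cycles = []
  visit = lambda do |node, path|
    state[node] = :grey
    edges.fetch(node, []).each do |nxt|
      if state[nxt] == :grey
        cycles << "cycle: #{(path + [nxt]).join(' -> ')}"
      elsif state[nxt] == :white
        visit.call(nxt, path + [nxt])
      end
    end
    state[node] = :black
  end
  edges.each_key { |id| visit.call(id, [id]) if state[id] == :white }
  cycles
end

# Report every misconfiguration found in the graph as a human-readable line.
def find_problems(graph)
  owner = {}
  graph.each { |id, p| p[:addresses].each { |a| owner[a] = id } }
  targeted = graph.values.flat_map { |p| p[:sends_to] }
  problems = []
  graph.each do |id, p|
    p[:sends_to].each do |a|
      problems << "broken: #{id} sends to '#{a}' but no pipeline listens there" unless owner[a]
    end
    p[:addresses].each do |a|
      problems << "orphan: no pipeline sends to '#{a}' (#{id})" unless targeted.include?(a)
    end
  end
  edges = graph.map { |id, p| [id, p[:sends_to].map { |a| owner[a] }.compact.uniq] }.to_h
  problems + find_cycles(edges)
end

if __FILE__ == $PROGRAM_NAME
  graph = build_graph(PIPELINE_CONFIGS)
  graph.each { |id, p| puts "#{id}: listens #{p[:addresses]} -> sends #{p[:sends_to]}" }
  find_problems(graph).each { |msg| puts msg }
end
```

Run against the constructed configs it prints the edge list and a single "broken:" line for the typo in `snort-parser`; a cycle such as an enrichment pipeline sending back to the input's address would show up as a "cycle: ... -> ..." line. The regex extraction is enough for the standard `pipeline` input/output syntax; conditionals around `send_to` are treated as always-possible edges, which is the conservative choice for a connectivity check.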
15. About empow
Headquarters: Boston
Founded: 2014
R&D center: Tel Aviv
Patents issued: 9 (6 pending)
• i-SIEM – AI based SIEM which requires LESS THAN ONE security analyst to manage
• Only SIEM in a commercial partnership with leading data search company
What our customers say:
“Over the course of my 23 years in cyber security I have recommended very, very few products, but trust me, you will be impressed with this team.”
Dannie Combs, CISO, Donnelley Financial Solutions
“empow's Security Platform allowed us to optimize our security coverage, while ensuring privacy and extending visibility of what is happening in our network.”
Michail Bletsas, Director of Network & Computing Systems, MIT Media Lab
16. Our Open Source Contributions
• LS logs plugins repo
• Kibana dashboard per device logs
• Pipeline viewer
• Plugin extension into empow’s threat classification center (w/ free subscription)
Editor's Notes
3
• Cause techniques
• Effect techniques
• Based on detection type…