WatchEagle Detection & Response and Mitre Attack Framework

Date: 01-06-2022

In various discussions with existing customers and business contacts, it emerged that collecting data from a variety of sources for in-depth analysis to detect threats involves many challenges. How do you find the needle in the haystack? What is an effective way to look for patterns that indicate something unusual?

In our in-depth cybersecurity assessments we already apply the Mitre Attack Framework to interpret an attacker's attack path and, based on that path, to analyze the customer's resilience against such an attack pattern. For each attack pattern, the Mitre Attack Framework describes the possible ways to protect against it and how the pattern can be detected. The latter has proven to be very useful when performing in-depth threat analysis on large amounts of data (Threat Hunting).

The agent framework on which the Mitre Attack Framework is based is ideally suited to analyzing this diversity of patterns. The agents in this framework are task oriented: by splitting a pattern into several tasks, the cooperation between the agents can be configured so that together they recognize the pattern. WatchEagle is able to do this in near real time on the data it is processing, and it can also analyze historical data when it is necessary to see whether the pattern has occurred before.

In short: by adopting the Mitre Attack Framework we are increasingly able to find the familiar needle in the haystack with WatchEagle. We have now implemented and automated the following patterns in WatchEagle:

  • DNS Tunneling
  • Lateral movement
  • Persistence

More patterns will be added in the coming months. We will also look at how to offer immediate, actionable response options where possible once such a pattern has been identified.
