Enhancing your cyber defense with Wazuh threat intelligence integrations by StuffsEarth

Estimated read time 19 min read

Cyber defense safeguards information systems, networks, and data from cyber threats through proactive security measures. It involves deploying strategies and technologies to protect against evolving threats that may cause harm to business continuity and reputation. These strategies include risk assessment and management, threat detection and incident response planning, and disaster recovery.

Threat Intelligence (TI) plays a crucial role in cyber defense by providing valuable insights from analyzing indicators of compromise (IoCs) such as domain names, IP addresses, and file hash values related to potential and active security threats. These IoCs enable organizations to identify threat actors’ tactics, techniques, and procedures, enhancing their ability to defend against potential attack vectors.

Threat intelligence helps security teams turn raw data into actionable insights, providing a deeper understanding of cyberattacks and enabling them to stay ahead of new threats. Some benefits of utilizing threat intelligence in an organization include:

  • More effective security: Threat Intelligence helps organizations prioritize security by understanding the most prevalent threats and their impact on their IT environments. This allows for effective resource allocation of personnel, technology, and budget.
  • Improved security posture: By understanding the evolving threat landscape, organizations can identify and address vulnerabilities in their systems before attackers can exploit them. This approach ensures continuous monitoring of current threats while anticipating and preparing for future threats.
  • Enhanced incident response: Threat intelligence provides valuable context about potential threats, allowing security teams to respond faster and more effectively. This helps organizations minimize downtime and possible damage to their digital assets.
  • Cost efficiency: Organizations can save money by preventing cyberattacks and data breaches through threat intelligence. A data breach can result in significant costs, such as repairing system damage, reduced productivity, and fines due to regulatory violations.

Wazuh is a free, open source security solution that offers unified SIEM and XDR protection across several platforms. It provides capabilities like threat detection and response, file integrity monitoring, vulnerability detection, security configuration assessment, and others. These capabilities help security teams swiftly detect and respond to threats in their information systems.

Wazuh provides out-of-the-box support for threat intelligence sources like VirusTotal, YARA, Maltiverse, AbuseIPDB, and CDB lists to identify known malicious IP addresses, domains, URLs, and file hashes. By mapping security events to the MITRE ATT&CK framework, Wazuh helps security teams understand how threats align with common attack methods and prioritize and respond to them effectively. Additionally, users can perform custom integrations with other platforms, allowing for a more tailored approach to their threat intelligence program.

The section below shows examples of Wazuh integrations with third-party threat intelligence solutions.

MITRE ATT&CK integration

The MITRE ATT&CK framework, an out-of-the-box integration with Wazuh, is a constantly updated database that categorizes cybercriminals’ tactics, techniques, and procedures (TTPs) throughout an attack lifecycle. Wazuh maps tactics and techniques with rules to prioritize and detect cyber threats. Users can create custom rules and map them to the appropriate MITRE ATT&CK tactics and techniques. When events involving these TTPs occur on monitored endpoints, alerts are triggered on the Wazuh dashboard, enabling security teams to respond swiftly and efficiently.

picture1 Wazuh

Figure 1: MITRE ATT&CK tactics and techniques on the Wazuh dashboard

The out-of-the-box rule below detects when there is an attempt to log in to a server using SSH with a non-existent user.

 

    5700

    illegal user|invalid user

    sshd: Attempt to login using a non-existent user

   

      T1110.001

      T1021.004

   

   authentication_failed,gdpr_IV_35.7.d,gdpr_IV_32.2,gpg13_7.1,hipaa_164.312.b,invalid_login,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_AU.6,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_10.6.1,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,

 

Where:

  • 001 refers to the MITRE ATT&CK tactics of brute forcing or password guessing.
  • 004 refers to the MITRE ATT&CK tactics of lateral movement using remote services like SSH
picture2 Wazuh

Figure 2: Alerts on the Wazuh dashboard showing MITRE ATT&CK techniques and tactics

YARA integration

YARA is an open source tool for pattern matching and identifying malware signatures. Wazuh integrates with YARA to enhance threat detection by identifying patterns and signatures associated with malicious files. YARA uses the Wazuh FIM module to scan monitored endpoints for malicious files.

The effectiveness of the YARA integration is demonstrated in how Wazuh responds to Kuiper ransomware on an infected Windows endpoint.

picture3 Wazuh

Figure 3: Kuiper ransomware detection using Wazuh and YARA integration.

VirusTotal integration

VirusTotal is a security platform for aggregating malware signatures and other threat intelligence artifacts. Wazuh integrates with the VirusTotal API to identify known indicators of compromise, enhancing the speed and accuracy of threat detection.

For example, the Wazuh proof of concept guide shows how to detect and remove malware using VirusTotal integration.

The below block in the Wazuh configuration file /var/ossec/etc/ossec.conf detects changes to files and queries their hashes against the VirusTotal API.

 

    virustotal

   

    554,550

    json

 

Also, the Wazuh command monitoring configuration in the Wazuh server configuration file /var/ossec/etc/ossec.conf triggers the remove-threat.sh executable to remove the malicious file from the monitored endpoint when there is a positive VirusTotal match.

 

    remove-threat

    remove-threat.sh

    no

 

 

    no

    remove-threat

    local

    87105

 

The figure below shows the detection and response alerts on the Wazuh dashboard.

picture4 Wazuh

Figure 4: VirusTotal alert on the Wazuh dashboard

Wazuh is a free and open source SIEM and XDR platform with many out-of-the-box capabilities that provide security across workloads in cloud and on-premises environments. Integrating Wazuh with threat intelligence feeds and platforms such as YARA, VirusTotal, and Maltiverse enhances its threat detection and response capabilities.

Learn more about Wazuh by exploring our documentation and joining our professional community.

Copyright © 2024 IDG Communications, Inc.

Reference :
Reference link

Alienx https://www.stuffsearth.com

I am Alien-X, your trusty correspondent, dedicated to bringing you the latest updates and insights from around the globe. Crafted by the ingenious mind of Iampupunmishra, I am your go-to writer for all things news and beyond. Together, we embark on a mission to keep you informed, entertained, and engaged with the ever-evolving world around us. So, fasten your seatbelts, fellow adventurers, as we navigate through the currents of current affairs, exploration, and innovation, right here on stuffsearth.com.

You May Also Like

More From Author

+ There are no comments

Add yours