Bricata Network Security Offers Support for MITRE ATT&CK®

Bricata's latest release includes BZAR scripts, support for high-density data nodes and new features to simplify analyst workflows. (Courtesy of Bricata)

Bricata has released the latest version of its network security platform, featuring the addition of BZAR scripts (Bro/Zeek ATT&CK-based Analytics and Reporting) that enable security analysts to gain additional context around alerting and network metadata as they align to the MITRE ATT&CK framework.

“We’re committed to using the MITRE ATT&CK framework in our solution and will continue to build out this portion of our product experience,” explained Andre Ludwig, CPO for Bricata, Inc..

Andre Ludwig, CPO for Bricata
Andre Ludwig, CPO for Bricata

“We’re also constantly refining our platform to make our UI more intuitive and our workflows more goal-oriented.”

“The most recent updates dramatically simplify security operations center (SOC) analysts’ workflows that enables analysts to focus on what should matter most – investigating alerts, proactively hunting for threats and keeping the business network secure.”

The latest version also includes support for high-density data nodes that give users more flexibility to easily scale the amount of network metadata they can store, new alert grouping for streamlined management and response, support for virtualization on Amazon Web Services (AWS), and more.

Key product enhancements and new features include:

BZAR Scripts for the MITRE ATT&CK Framework

  • These open-source Zeek scripts use the Zeek Network Security Monitor to detect ATT&CK-based adversarial activity and “tag” alerts and segments of network metadata associated with that activity.

  • This helps analysts understand what malicious activity on their network is trying to accomplish (i.e., which alerts indicate an attempted privilege escalation, what alerts indicate lateral movement, etc.).

  • This also allows Bricata users to run queries based on the ATT&CK framework. (i.e. “show me all MITRE recon activities from the past two days”) for traffic analyzed by these scripts.

Support for High-Density Data Nodes –

  • Increases scalability and allows customers to store and query more network metadata.

  • In turn, this gives security analysts a larger window into the past (up to 90 or 120 days depending on hardware specifications) for threat hunting and/or forensic investigation.

Alert Grouping 

  • Bricata now supports grouping of alerts based on type.

  • This significantly reduces the volume of alerts an analyst needs to parse and speeds up alert investigations.

Courtesy of Bricata
Courtesy of Bricata

Customizable Dashboards 

  • Users can now create custom dashboards in the central management console (CMC) using a variety of widgets.

Added “x-forwarded-for” to Alert Filters 

  • This capability, which is unique to Bricata, allows customers that have complex environments with multiple proxies to quickly identify the source of traffic through those proxies.

  • Most tools normally only identify the last hop, but this new analytic helps customers with complex networks get added visibility into the origin point of important traffic.

Task-based PCAP Retrieval 

  • Users can now download packet captures based on specific alerts and filters and get notified when the system has retrieved this valuable network traffic for them.

  • This allows an analyst to continue with their prior workflow when retrieving a PCAP or SmartPCAP and download the PCAP when it is ready.

Integration with the Cuckoo Sandbox 

  • Bricata users now have the option to double-check suspicious files by easily sending them to the Cuckoo Sandbox, a leading open source malware analysis system, to be detonated and analyzed in a secure, isolated environment.

SNMP Support 

  • Import and configure SNMP support on all appliance models via the CMC GUI.

Support for Data Nodes on AWS 

  • Bricata’s data collection sensors now run on AWS, so customers can deploy the entire network security platform in a virtualized environment.

(Bricata combines advanced IDPS protection with the ability to launch threat hunting into a single fully-integrated solution. Courtesy of Bricata.)

Bricata’s network protection solution for enterprises provides full-spectrum threat detection, network visibility, threat hunting and facilitates post-detection response in a single platform that is easy to deploy in the cloud, on premises or in hybrid environments.

The solution gives organizations contextual insight into everything transpiring on their networks that enables faster threat response to defend and secure their business.

Bricata has been recognized by security technology research analysts for its innovation in intrusion detection and prevention systems (IDPS) and network traffic analysis (NTA).

The Bricata solution provides network visibility, full-spectrum threat detection, threat hunting and post-detection response capabilities in an intuitive, tightly integrated and self-managing system.

Its automated detection, productive GUIs, and expert system workflows make it easy-to-use for novices, while granular control of its engines, access to rich network metadata and PCAPs, and threat hunting capabilities give experts the power and control they demand.

Bricata has been proven to speed incident resolution by up to eight times by reliably detecting threats and providing the context necessary to get to the truth quickly and act.

AST strives to meet a 3 STAR trustworthiness rating, based on the following criteria:

  • Provides named sources
  • Reported by more than one notable outlet
  • Includes supporting video, direct statements, or photos

Subscribe to the AST Daily News Alert Here.