Source |
ProofPoint |
Identifier |
8647970 |
Publication date |
2025-02-10 13:21:52 (viewed: 2025-02-11 05:07:42) |
Title |
Emerging Threats Updates Improve Metadata, Including MITRE ATT&CK Tags |
Text |
Key findings:
The Emerging Threats team made significant updates to the Emerging Threats ruleset to provide more comprehensive information for customers and the community.
Updates include populating metadata tags that were introduced after many legacy rules were written, as well as adding MITRE ATT&CK tags to rule metadata.
Emerging Threats metadata adds context to an alert that would otherwise carry only a rule message. Without metadata, information security personnel are left with nothing but that message from which to act.
Updating metadata is an investment that strengthens our research and defenses, providing more actionable information and intelligence.
Overview
To fully defend against the rapidly changing threat landscape – from malware to credential phishing to espionage – effective detection is not just about creating rules. It is about optimizing the rules for smarter performance. For organizations leveraging the Emerging Threats ruleset, metadata plays a vital role, delivering invaluable context to security operations analysts, threat researchers, and data scientists that enhances detection beyond mere alerts.
This post takes a closer look at Emerging Threats metadata, addresses the rationale behind specific metadata tags and values, offers practical guidance on how to make the most of this information, and sheds light on the comprehensive approach to implementing recent large-scale metadata updates.
How does Proofpoint utilize Emerging Threats rules?
The Emerging Threats team and the world-class Threat Research organization at Proofpoint analyze malicious network traffic and craft impactful detection rules so that our customers and the information security community are protected against threat actors and their techniques. The Threat Research team, including threat hunters, intelligence analysts, reverse engineers, and detection engineers, uses the Emerging Threats ruleset in several ways. For example, the rules are baked into the internal Proofpoint sandbox and pipeline to help identify malware families observed in email traffic; analysts collaborate with the ET team to develop new rules based on newly identified activity; and the team uses the ET intelligence portal to surface detections and help identify indicators of compromise while conducting investigations.
Emerging Threats has both ET Open rules that are free for the community, and the paid ET Pro ruleset that contains additional rules based on internal Proofpoint intelligence, threat hunting, and detection. ET Pro is a timely and accurate rule set for detecting and blocking advanced threats using an organization's existing network security appliances, such as next generation firewalls (NGFW) and network intrusion detection/prevention systems (IDS/IPS). Updated daily and available in Suricata and Snort formats, ET Pro covers more than 40 different categories of malware command and control, credential phishing, DDoS, botnets, network anomalies, exploits, vulnerabilities, SCADA exploit kit activity, and much more.
Updates to the Emerging Threats ruleset
Emerging Threats has produced rules since 2010, with nearly half a million revisions made to the over 100,000 rules in the ruleset, which is updated daily. Since its initial use in 2010, the team has continuously updated and enhanced the ruleset structure and made several metadata advancements, including improving severity and confidence scores, and adding MITRE ATT&CK tags.
Once a new metadata tag is introduced, older rules need to be updated with values for that tag. Enriching metadata across the ruleset is a large-scale undertaking, and is designed to provide more actionable insight for organizations using the Emerging Threats ruleset. In the latest iteration of updates, the Emerging Threats team focused on enhancing three metadata tags: “signature_severity”, “confidence”, and MITRE ATT&CK coverage to improve the utility and reliability of t |
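As an added illustration of how the metadata described above turns a bare rule message into triage context (example code, not part of the Proofpoint post or the ET tooling), the parser below reads a constructed Suricata-style rule, extracts the `signature_severity` and `confidence` tags the post names, and derives a queue priority; the `mitre_tactic_id`/`mitre_technique_id` key names and the placeholder sid are assumptions of this example.

```python
import re

# Constructed sample rule (placeholder sid/msg, not a real Emerging Threats signature).
# signature_severity and confidence are the tag names the post cites; the mitre_*
# key names are an assumption of this example.
SAMPLE_RULE = (
    'alert http $HOME_NET any -> $EXTERNAL_NET any ('
    'msg:"EXAMPLE MALWARE Placeholder C2 Checkin"; flow:established,to_server; '
    'http.method; content:"POST"; classtype:trojan-activity; sid:9000001; rev:1; '
    'metadata:created_at 2025_02_10, signature_severity Major, confidence High, '
    'mitre_tactic_id TA0011, mitre_technique_id T1071;)'
)
SEVERITY_RANK = {"critical": 3, "major": 2, "minor": 1, "informational": 0}
CONFIDENCE_RANK = {"high": 2, "medium": 1, "low": 0}

def parse_rule_options(rule: str) -> dict[str, str]:
    """Return the keyword options between the rule's parentheses as a dict."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts: dict[str, str] = {}
    # Split on ';' only where an even number of quotes follows (i.e. outside strings).
    for part in re.split(r';(?=(?:[^"]*"[^"]*")*[^"]*$)', body):
        if part.strip():
            key, _, value = part.strip().partition(":")
            opts[key.strip()] = value.strip().strip('"')
    return opts

def parse_metadata(rule: str) -> dict[str, str]:
    """Parse 'metadata:key value, key value' into a dict ({} if the keyword is absent)."""
    meta: dict[str, str] = {}
    for entry in parse_rule_options(rule).get("metadata", "").split(","):
        key, _, value = entry.strip().partition(" ")
        if key:
            meta[key] = value.strip()
    return meta

def triage_priority(meta: dict[str, str]) -> str:
    """Map severity and confidence to a queue tier; unknown or missing values rank
    lowest, so an un-tagged legacy rule never inflates its own priority."""
    sev = SEVERITY_RANK.get(meta.get("signature_severity", "").lower(), 0)
    conf = CONFIDENCE_RANK.get(meta.get("confidence", "").lower(), 0)
    score = 2 * sev + conf  # severity dominates, confidence breaks ties
    return ("P1-immediate" if score >= 6 else "P2-same-shift" if score >= 4
            else "P3-review" if score >= 2 else "P4-log-only")

def enrich_alert(rule: str) -> dict[str, str]:
    """The context an analyst gets beside the bare rule message."""
    opts, meta = parse_rule_options(rule), parse_metadata(rule)
    return {"sid": opts.get("sid", ""), "msg": opts.get("msg", ""),
            "severity": meta.get("signature_severity", "unset"),
            "confidence": meta.get("confidence", "unset"),
            "technique": meta.get("mitre_technique_id", "unset"),
            "priority": triage_priority(meta)}
```

A rule with no metadata keyword still parses, but lands in the lowest tier, which is the practical cost of legacy rules that the post's backfill effort addresses.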
Notes |
★★
|
Sent |
Yes |
Digest |
Tags |
Malware
Tool
Vulnerability
Threat
|