MSSP Elastic Security Detections
Introduction

Elastic Cloud is a managed service for deploying Elasticsearch, Kibana, and the rest of the Elastic Stack in a scalable and secure way. Every Elastic Cloud deployment includes Elastic Security, and with it the prebuilt detection rules (the Elastic Security Detections) that are designed to surface threats and suspicious activity in your environment. This post explains how to enable those rules on an Elastic Cloud deployment and how they map to the MITRE ATT&CK framework. If you are an MSSP, enable a baseline of rules first, confirm that the data sources those rules depend on are actually being ingested for the client, and introduce more rules as you become familiar with the client's environment: a rule without its data produces nothing, and a rule tuned for the wrong environment produces noise.

Enabling Elastic Security detection rules

To enable detection rules, log in to the Elastic Cloud console, open Kibana for the deployment you want, and go to Security > Rules. The prebuilt rules ship with Elastic Security but are not loaded until you install them (the Add Elastic rules button; older versions call this loading the Elastic prebuilt rules). Once installed they appear in the rules table, where you can enable or disable them individually or in bulk, and where you can also create custom rules. Elastic Security ships with hundreds of prebuilt rules covering a wide range of scenarios, and each one expects a particular data source (for example Elastic Defend, Windows event logs, or a cloud provider's audit logs). Check the integrations a rule requires before enabling it; an enabled rule whose index pattern has no data fires nothing and gives a false sense of coverage.

Mapping security detection rules to the ATT&CK framework

The MITRE ATT&CK framework is a curated knowledge base of adversary Tactics, Techniques, and Procedures (TTPs) built from real-world observations. It is widely used in the security industry to describe, in a common vocabulary, the different ways attackers operate against systems. Every Elastic prebuilt rule carries a threat mapping that ties it to one or more ATT&CK tactics and techniques; the mapping is shown in the rule's details and is returned as the rule's threat field through the Kibana API, so your enabled rule set can be rolled up into a tactic-by-tactic coverage view (recent Kibana versions render this view themselves under Rules). Let's look at some examples of Elastic detection rules and how they map to the framework.
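The two steps above, enabling a baseline and reading the ATT&CK mapping, can be driven from the Kibana Detection Engine API rather than the UI, which is how an MSSP keeps a repeatable baseline across many client deployments. The script below is an added example written for this post, not Elastic's own code. It relies on two real endpoints, GET /api/detection_engine/rules/_find (paged, returning page/perPage/total plus a data array of rule objects) and POST /api/detection_engine/rules/_bulk_action (action "enable" with a list of rule object ids), and reads each rule's threat field to find its tactic ids. The environment variable names KIBANA_URL and KIBANA_API_KEY, the chosen tactic set and risk floor, and the three rules in SAMPLE_FIND_RESPONSE are assumptions and constructed sample data; the network calls only happen when the file is run as a script.

```python
"""Pick a baseline of Elastic prebuilt rules by ATT&CK tactic and enable them in bulk.

Added example for this post; not Elastic's own code. Uses the Kibana Detection
Engine endpoints /api/detection_engine/rules/_find and
/api/detection_engine/rules/_bulk_action, and expects KIBANA_URL and a Kibana
API key in KIBANA_API_KEY when run as a script. SAMPLE_FIND_RESPONSE is a
constructed, trimmed stand-in for what _find returns (assumed shape, not real rules).
"""
import json
import os
import urllib.request
from collections import defaultdict

# Constructed sample (not real rule data): three rules shaped like a _find response.
SAMPLE_FIND_RESPONSE = {
    "page": 1, "perPage": 100, "total": 3,
    "data": [
        {"id": "11111111-1111-4111-8111-111111111111", "name": "Example: Multiple Logon Failures",
         "enabled": False, "risk_score": 47, "tags": ["Tactic: Credential Access"],
         "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access"},
                     "technique": [{"id": "T1110", "name": "Brute Force"}]}]},
        {"id": "22222222-2222-4222-8222-222222222222", "name": "Example: Mass File Extension Change",
         "enabled": False, "risk_score": 73, "tags": ["Tactic: Impact"],
         "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact"},
                     "technique": [{"id": "T1486", "name": "Data Encrypted for Impact"}]}]},
        {"id": "33333333-3333-4333-8333-333333333333", "name": "Example: Connection to Threat Intel Indicator",
         "enabled": True, "risk_score": 99, "tags": ["Tactic: Command and Control"],
         "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control"},
                     "technique": []}]},
    ],
}


def attack_tactics(rule):
    """Tactic ids from the rule's `threat` mapping (each entry names one tactic and its techniques)."""
    return {t["tactic"]["id"] for t in rule.get("threat", []) if t.get("framework") == "MITRE ATT&CK"}


def tactic_coverage(rules, enabled_only=False):
    """Map tactic id -> sorted rule names: the raw material for an ATT&CK coverage view."""
    cov = defaultdict(list)
    for rule in rules:
        if enabled_only and not rule.get("enabled"):
            continue
        for tid in attack_tactics(rule):
            cov[tid].append(rule["name"])
    return {tid: sorted(names) for tid, names in cov.items()}


def select_baseline(rules, tactic_ids, min_risk_score=0):
    """Object ids of currently disabled rules that map to a wanted tactic and meet the risk floor."""
    wanted = set(tactic_ids)
    return [r["id"] for r in rules
            if not r.get("enabled") and r.get("risk_score", 0) >= min_risk_score
            and attack_tactics(r) & wanted]


def bulk_enable_body(ids):
    """Request body for POST /api/detection_engine/rules/_bulk_action."""
    return {"action": "enable", "ids": list(ids)}


def kibana_request(method, path, body=None):
    """Minimal authenticated call; the kbn-xsrf header is required on Kibana API requests."""
    base = os.environ["KIBANA_URL"].rstrip("/")
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base + path, method=method, data=data, headers={
        "kbn-xsrf": "true", "Content-Type": "application/json",
        "Authorization": "ApiKey " + os.environ["KIBANA_API_KEY"]})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def fetch_all_rules(per_page=100):
    """Page through _find; the response carries page/perPage/total alongside data."""
    rules, page = [], 1
    while True:
        resp = kibana_request("GET", f"/api/detection_engine/rules/_find?page={page}&per_page={per_page}")
        rules.extend(resp["data"])
        if page * resp["perPage"] >= resp["total"] or not resp["data"]:
            return rules
        page += 1


if __name__ == "__main__":
    rules = fetch_all_rules()
    for tid, names in sorted(tactic_coverage(rules, enabled_only=True).items()):
        print(tid, len(names))
    ids = select_baseline(rules, ["TA0006", "TA0011", "TA0040"], min_risk_score=47)
    # ?dry_run=true validates the request without changing anything; drop it to enable the rules.
    print(kibana_request("POST", "/api/detection_engine/rules/_bulk_action?dry_run=true", bulk_enable_body(ids)))
```

Run it once per client with dry_run left in place and compare the enabled-only coverage against the client's ingested data sources before committing; the risk floor and tactic list are the knobs to widen as you learn the environment.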

Suspicious network activity (Tactic: Command and Control)

Rules in this group detect network activity that could indicate C2 (command and control) traffic: outbound connections to known C2 servers, typically an indicator match against a threat intelligence feed, and unusual traffic patterns such as regular beaconing to the same destination. They map to the Command and Control tactic (TA0011) of the ATT&CK framework. Note that traffic patterns suggesting data leaving the environment belong to the separate Exfiltration tactic (TA0010); keep the two apart when you build a coverage map, or the C2 column will look fuller than it is.

Brute Force Attack (Tactic: Credential Access)

Rules in this group detect brute-force attempts against login pages and other services that require authentication. They look for repeated failed login attempts from the same source IP address or against the same user account within a short time window, usually as a threshold rule that fires once the failure count passes a limit. They map to the Credential Access tactic (TA0006) of the ATT&CK framework, technique Brute Force (T1110). The variant to prioritise in triage is a burst of failures followed by a success from the same source, since that indicates a guess that worked rather than a scan that bounced off.

Ransomware activity (Tactic: Impact)

Rules in this group detect activity associated with ransomware. They look for bursts of file writes in which many files are rewritten with a new extension, mass file-extension changes by a single process, and ransom notes dropped on compromised systems. They map to the Impact tactic (TA0040) of the ATT&CK framework, technique Data Encrypted for Impact (T1486). By the time these fire the encryption is already under way, so they should be paired with rules from earlier tactics (initial access, execution, credential access) rather than relied on alone.
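The brute-force and ransomware descriptions above both boil down to the same detection shape: group events by a field, count them inside a time window, fire once a threshold is crossed, then enrich with a second signal (a following success, a ransom note). The script below is an added example written for this post, not Elastic's rule code; Elastic implements these as threshold and EQL rules evaluated inside Kibana, and this reproduces the logic in plain Python so the windows and thresholds are visible. Field names follow ECS (event.category, event.outcome, source.ip, event.action, process.entity_id, file.name, file.extension); the thresholds, window sizes, the ransom-note filename pattern, and the sample events are illustrative assumptions and constructed data, not Elastic's values or real telemetry.

```python
"""Threshold-style detection for brute force (T1110) and ransomware file activity (T1486).

Added example, not Elastic's rule code. Thresholds, windows and the ransom-note
pattern are assumptions chosen for illustration; sample_events() is constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed ransom-note naming pattern; real notes vary, so treat this as a starting point.
RANSOM_NOTE = re.compile(r"(readme|recover|restore|decrypt|how.?to).*\.(txt|html|hta)$", re.I)


def _ts(event):
    return datetime.fromisoformat(event["@timestamp"])


def first_key_over_threshold(events, key, window, threshold):
    """Sliding window per key: report (key, first_ts, last_ts, count) the first time a key hits threshold.

    This is the shape of an Elastic threshold rule: group by a field, count inside a window, fire once.
    """
    buckets, fired, hits = defaultdict(deque), set(), []
    for ev in sorted(events, key=_ts):
        k = key(ev)
        if k is None or k in fired:
            continue
        q = buckets[k]
        q.append(_ts(ev))
        while q[-1] - q[0] > window:          # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            fired.add(k)
            hits.append((k, q[0], q[-1], len(q)))
    return hits


def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """T1110: repeated authentication failures from one source, flagged harder if a success follows."""
    auth = [e for e in events if e.get("event.category") == "authentication"]
    failures = [e for e in auth if e.get("event.outcome") == "failure"]
    alerts = []
    for ip, first, last, n in first_key_over_threshold(failures, lambda e: e.get("source.ip"), window, threshold):
        success_after = any(e.get("event.outcome") == "success" and e.get("source.ip") == ip
                            and first <= _ts(e) <= last + window for e in auth)
        alerts.append({"tactic": "TA0006", "technique": "T1110", "source.ip": ip,
                       "failures": n, "followed_by_success": success_after})
    return alerts


def detect_ransomware(events, threshold=20, window=timedelta(minutes=2)):
    """T1486: one process rewriting many files to the same new extension, plus a ransom-note-like file."""
    file_events = [e for e in events if e.get("event.category") == "file"
                   and e.get("event.action") in ("rename", "creation")]
    key = lambda e: (e.get("process.entity_id"), e.get("file.extension"))
    alerts = []
    for (proc, ext), first, last, n in first_key_over_threshold(file_events, key, window, threshold):
        note = any(e.get("process.entity_id") == proc and RANSOM_NOTE.search(e.get("file.name", ""))
                   for e in file_events)
        alerts.append({"tactic": "TA0040", "technique": "T1486", "process.entity_id": proc,
                       "new_extension": ext, "files": n, "ransom_note_seen": bool(note)})
    return alerts


def sample_events():
    """Constructed sample telemetry (not captured from a real host)."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    at = lambda secs: (t0 + timedelta(seconds=secs)).isoformat()
    ev = []
    for i in range(6):   # six failures in 150 s against one account, then a success from the same source
        ev.append({"@timestamp": at(30 * i), "event.category": "authentication", "event.outcome": "failure",
                   "source.ip": "203.0.113.5", "user.name": "admin"})
    ev.append({"@timestamp": at(180), "event.category": "authentication", "event.outcome": "success",
               "source.ip": "203.0.113.5", "user.name": "admin"})
    for i in range(2):   # noise: two failures from another address, below threshold
        ev.append({"@timestamp": at(60 * i), "event.category": "authentication", "event.outcome": "failure",
                   "source.ip": "198.51.100.7", "user.name": "bob"})
    for i in range(25):  # one process renaming 25 documents to .locked within 50 s
        ev.append({"@timestamp": at(300 + 2 * i), "event.category": "file", "event.action": "rename",
                   "process.entity_id": "host-a-1234", "file.name": f"report{i}.docx.locked",
                   "file.extension": "locked"})
    ev.append({"@timestamp": at(360), "event.category": "file", "event.action": "creation",
               "process.entity_id": "host-a-1234", "file.name": "HOW_TO_RECOVER_FILES.txt", "file.extension": "txt"})
    for i in range(3):   # benign: a user saving three documents
        ev.append({"@timestamp": at(400 + 10 * i), "event.category": "file", "event.action": "creation",
                   "process.entity_id": "host-a-5678", "file.name": f"notes{i}.docx", "file.extension": "docx"})
    return ev


if __name__ == "__main__":
    events = sample_events()
    for alert in detect_brute_force(events) + detect_ransomware(events):
        print(alert)
```

The point of keying the ransomware window on (process, new extension) rather than on the process alone is that a backup agent or an installer also touches many files quickly; the narrow key is what keeps that case out, and the ransom-note check is what moves a hit from "suspicious" to "act now". Both detectors fire once per key, which is the behaviour you want from an alerting rule but not from a hunting query.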

Conclusion

Elastic Security detections give you a ready-made way to surface threats and suspicious activity in an Elastic Cloud deployment. Enabling the rules does not by itself protect systems and data; it gives you alerts that still have to be triaged and responded to, and the value of those alerts depends on each rule having its data source ingested and being tuned for the environment it runs in. Because every rule carries an ATT&CK mapping, the rule set doubles as a common language for describing what you cover and for communicating about incidents. I hope this post gives you a useful overview of how detection rules are enabled in Elastic Cloud and how they map to the ATT&CK framework.