WATCHEVALUATEENRICHPUNCH (WEEP): A POOR MAN’S SELF-DEFENCE HOST MONITOR
Konrads Smelkovs is a senior manager in KPMG UK and specialises in technical end of cyber-security - attack and defence.
Adrian Sanabria is a Director of Research at Savage Security.
What is it? WatchEvaluateEnrichPunch is a program which monitors a stream of data such as OSQuery’s event stream, does matching and then responds to those alerts by either enriching the data further using other events, commands, Internet for some decision making such as alerting, degrading or destroying of the offensive process.
In spirit it is similar to Snort or any other major IDS for network or OSSEC, fail2ban for hosts. The difference is the ability to enrich and re-inject the data back into event stream as well as the desire for simplicity.
Why have it? Well, at network level, security people have firewalls and IDSes that can be configured with custom IOCs, but at host level there are few tools that allow deployment of simple behavioural rules that address a local problem. For example, you can fight ransomware string with WEEP by detecting a process that has renamed more than 5 docx files to a different extension within 5 minutes Each hitherto unseen process can be perhaps checked through a series of Yara signatures or it’s md5 ran through virustotal.
Of course a sophisticated attacker will evade all of these simple checks, but meanwhile a sysadmin has a tool to fight back.