Corelight expands threat hunting capabilities with new encrypted traffic insights
Corelight, a leading provider of network traffic analysis (NTA) solutions for cybersecurity, has launched the Corelight Encrypted Traffic Collection (ETC), empowering threat hunters and security analysts with rich and actionable insights for encrypted traffic.

“As the use of encryption continues to rise, defenders need some light in the darkness to separate legitimate behaviour from malicious activity when decryption is not an option,” said Brian Dye, Chief Product Officer for Corelight. “This is not simply about detections, this is about a layering of data and insights that our customers need to access in order to make critical security decisions.”

Corelight’s ETC expands defenders’ incident response, threat hunting and forensics capabilities in encrypted environments by generating insights around SSH and TLS traffic that indicate potential security risk. The collection contains numerous packages developed by Corelight’s research team as well as curated packages from the open-source Zeek community. This collection builds on Zeek’s already extensive capabilities for analysing encrypted traffic, such as certificate metadata, JA3/HASSH fingerprints and dedicated SSL/x.509 logs.

Features, and the relevant MITRE ATT&CK category each covers, include:
• SSH client brute force detection: Supports threat hunting for access techniques by revealing when a client makes excessive authentication attempts
• SSH authentication bypass detection: Reveals when a client and server switch to a non-SSH protocol, a tactic used in access attempts
• SSH client keystroke detection: Reveals an interactive session where a client sends user-driven keystrokes to the server, which may be an indication of command and control activity
• SSH client file activity detection: Reveals a file transfer occurring during the session where the client sent a sequence of bytes to the server or vice versa, which could indicate either staging or exfiltration activity
• SSH scan detection: Accelerates threat hunting for access techniques by inferring scanning activity based on how often a single service is scanned
• SSL certificate monitoring: Extends Zeek’s existing certificate monitoring capabilities to help defenders limit attack surface, find vulnerabilities and enforce internal policy
• Encryption detection: Accelerates threat hunting by finding unencrypted traffic over commonly encrypted ports/protocols as well as custom/pre-negotiated sessions
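The first and fifth items above (brute force and scan inference) are threshold heuristics over connection metadata, which is exactly what a Zeek ssh.log already records without decrypting anything. The following is an added example, not Corelight's ETC code or any Zeek package: it parses Zeek-style JSON ssh.log records (field names id.orig_h, id.resp_h, id.resp_p, auth_attempts and auth_success are the real Zeek ssh.log fields), flags clients whose summed authentication attempts exceed a threshold, and flags clients that touched many distinct servers on port 22. The sample records and both thresholds are constructed/assumed for illustration.

```python
"""Threshold-based SSH brute-force and scan detection over Zeek-style ssh.log
records. Added example, not Corelight's ETC code. Field names follow Zeek's
ssh.log (id.orig_h, id.resp_h, id.resp_p, auth_attempts, auth_success); the
records below and the thresholds are constructed/assumed for illustration."""
import json
from collections import defaultdict

SSH_PORT = 22


def _ssh_record(ts, uid, orig, resp, attempts=None, success=None):
    """Build one constructed JSON-lines ssh.log record (Zeek's json log style)."""
    rec = {"ts": ts, "uid": uid, "id.orig_h": orig, "id.orig_p": 50000 + int(ts),
           "id.resp_h": resp, "id.resp_p": SSH_PORT}
    if attempts is not None:
        rec["auth_attempts"] = attempts
    if success is not None:
        rec["auth_success"] = success
    return json.dumps(rec)


# Constructed sample log: one client hammering a single server (brute force),
# one normal login, and one client touching a dozen hosts on port 22 (scan).
SAMPLE_SSH_LOG = "\n".join(
    [_ssh_record(1, "C1", "10.0.0.5", "10.0.1.10", attempts=6, success=False),
     _ssh_record(2, "C2", "10.0.0.5", "10.0.1.10", attempts=6, success=False),
     _ssh_record(3, "C3", "10.0.0.5", "10.0.1.10", attempts=5, success=False),
     _ssh_record(4, "C4", "10.0.0.7", "10.0.1.10", attempts=1, success=True)]
    + [_ssh_record(10 + i, f"S{i}", "192.0.2.9", f"10.0.1.{i}") for i in range(1, 13)]
)


def parse_ssh_log(text):
    """Parse JSON-lines ssh.log text, skipping blank lines and '#' metadata lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            records.append(json.loads(line))
    return records


def detect_brute_force(records, max_attempts=10):
    """Sum auth_attempts per client across all its SSH connections and flag
    clients above max_attempts (assumed threshold). 'succeeded' records whether
    any connection from that client eventually authenticated, which raises the
    priority of the hit: many failures followed by a success is the worst case."""
    attempts = defaultdict(int)
    succeeded = defaultdict(bool)
    for rec in records:
        client = rec["id.orig_h"]
        attempts[client] += rec.get("auth_attempts", 0)
        if rec.get("auth_success"):
            succeeded[client] = True
    return {c: {"attempts": n, "succeeded": succeeded[c]}
            for c, n in attempts.items() if n > max_attempts}


def detect_ssh_scan(records, min_targets=8):
    """Flag clients that contacted at least min_targets (assumed threshold)
    distinct servers on the SSH port. Scanners typically never reach the
    authentication phase, so the absence of any auth_attempts field across a
    client's connections is reported alongside the target count."""
    targets = defaultdict(set)
    saw_auth = defaultdict(bool)
    for rec in records:
        if rec["id.resp_p"] != SSH_PORT:
            continue
        client = rec["id.orig_h"]
        targets[client].add(rec["id.resp_h"])
        if "auth_attempts" in rec:
            saw_auth[client] = True
    return {c: {"targets": len(t), "no_auth_seen": not saw_auth[c]}
            for c, t in targets.items() if len(t) >= min_targets}


def run(text=SAMPLE_SSH_LOG):
    """Parse once and return both detections keyed by client address."""
    records = parse_ssh_log(text)
    return {"brute_force": detect_brute_force(records),
            "scan": detect_ssh_scan(records)}


if __name__ == "__main__":
    for kind, hits in run().items():
        for client, info in hits.items():
            print(f"{kind}: {client} {info}")
```

On the constructed sample, 10.0.0.5 is reported as brute force (17 attempts, none successful) and 192.0.2.9 as a scanner (12 distinct targets, no authentication observed); the single successful login from 10.0.0.7 is not flagged. In production the thresholds would be tuned per environment and the summation bounded by a time window rather than the whole log.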
“The Corelight Encrypted Traffic Collection originated through deep customer partnerships that have allowed us access to real world network environments,” said Dr Vern Paxson, Creator of Zeek and Co-Founder of Corelight. “With this data, we can now offer a collection of insights that will help to better inform our customers on the right steps to take in their threat hunting and in their security incident response.”
www.intelligentciso.com | Issue 21 | 59
The Encrypted Traffic Collection is available in the Corelight version 18 update. This new version also includes a new sensor management interface (UI) that incorporates new features that make internal compliance reviews easier and accelerate troubleshooting. The new UI mirrors the interface used in the Corelight Fleet Manager product for multi-sensor environments, making retraining unnecessary as a customer’s sensor footprint grows.