Corelight Bright Ideas Blog: NDR & Threat Hunting Blog

How Can Kill Webs Change Security Thinking?

By Richard Bejtlich – September 21, 2023

In my previous article, I proposed ways that modern network-derived evidence applies to the cyber kill chain—a concept created by Eric Hutchins, Michael Cloppert, and Rohan Amin that changed how security teams approach defending their digital... Read more »

How Does the Kill Chain Apply to Network-Derived Evidence?

By Richard Bejtlich – September 12, 2023

When Eric M. Hutchins, Michael J. Cloppert, and Rohan M. Amin published their paper “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains” in late 2010, they changed the way security... Read more »

Network evidence for defensible disclosure

By Richard Bejtlich – May 5, 2022

Editor's note: This is the second in a series of Corelight blog posts focusing on evidence-based security strategy. Catch up on all of the posts here. Read more »

Mixed VLAN tags and BPF syntax

By Richard Bejtlich – August 26, 2020

This post contains a warning and a solution for anyone using BPF syntax when filtering traffic for network security monitoring. Read more »

Network Security Monitoring data: Types I, II, and III

By Richard Bejtlich – July 7, 2020

Some critics claim that ever growing encryption renders network security monitoring useless. This opinion is based on a dated understanding of the types and values of data collected and analyzed by computer incident response teams (CIRTs) that... Read more »

The election is six months away. Now is the time to instrument election infrastructure.

By Richard Bejtlich – May 6, 2020

Editor’s Note: Richard recently shared his thoughts on our blog which are now included in an article contributed to StateTech on why the overarching role of the network and election infrastructure is worthy of a deep assessment right now. If state... Read more »

Enabling SOHO Network Security Monitoring

By Richard Bejtlich – April 7, 2020

One of the most popular and regularly occurring questions I see in network security monitoring forums involves how to instrument a small office – home office (SOHO) environment. There are ways to accomplish this goal. For example, I instrument my... Read more »

Using Corelight and Zeek to support remote workers

By Richard Bejtlich – March 24, 2020

Due to the tragic Covid-19 pandemic, as we are all experiencing first hand, most governments and health officials are either mandating or encouraging those who can work from home to do so, as part of widespread “social distancing” measures. Remote... Read more »

Countering network resident threats

By Richard Bejtlich – February 19, 2020

Vendors often claim that their products or services counter, mitigate, or otherwise affect “nation state threats.” When I worked as a director of incident response at one company, and as a chief security officer at another, claims like these made no... Read more »

12 talks to see at RSA 2020

By Richard Bejtlich – February 9, 2020

RSA 2020 is fast approaching, and a colleague asked what talks I planned to attend. As I am not attending RSA, I thought I would answer her question anyway, with the hopes that those participating in the conference might benefit from my review of... Read more »