C2 detections, RDP insights and NDR at 100G

Today I am excited to announce Corelight’s v21 release, which delivers dozens of powerful C2 detections, extends analyst visibility around RDP connections, and helps organizations scale network detection and response workloads in high-throughput environments.

Detecting C2 threats 

Finding command and control (C2) activity is no easy task. The MITRE ATT&CK framework lists dozens of stealthy C2 techniques, ranging from multilayer encryption to the use of legitimate web services like Twitter to hide amidst the noise of normal traffic.

Fortunately, Corelight’s new C2 Collection can give analysts the high ground to see C2 activity with over 50 unique detections and insights built around: 

  • DNS tunneling
  • ICMP tunneling
  • Domain generation algorithms (DGAs)
  • HTTP traffic related to known malware families
  • Meterpreter

These innovations come from the work of the Corelight Labs team, led by Zeek® creator and Corelight co-founder, Dr. Vern Paxson. Notably, the team researches, develops, and validates Corelight’s insights in live customer production networks that represent some of the largest, most frequently attacked organizations in the world. 

Want to learn more? Register and tune in next Tuesday, May 25th for a SANS and Corelight webcast on the C2 discovery challenge where we’ll cover some of our capabilities here in greater technical depth. 

Register here: https://www.sans.org/webcasts/118810?source=corelight1

Extending encrypted traffic insights 

With our v21 release, the Encrypted Traffic Collection grows even larger with the addition of more than a dozen new insights around RDP traffic, such as the detection of malicious RDP clients like Crowbar and suspicious login behaviors that may indicate RDP brute-force attacks.

With these latest RDP additions, this collection now provides rich insight around certificates, SSL, SSH, and RDP traffic, giving analysts actionable light in a world of darkness.

Scaling NDR to 100G and beyond 

Corelight has a solid track record of delivering open NDR sensors based on Zeek that reliably scale in high-throughput traffic. With this release we are proud to introduce a new workhorse of our sensor family, the AP 5000, which can deliver a whopping 100G+ of Zeek traffic analysis in a 1U form factor. Compared to typical open-source deployments this represents more than a 10x increase in single-sensor performance, which means organizations can not only scale Zeek, but also process additional NDR workloads such as Corelight’s C2 Collection and Suricata rules.
