C2 detections, RDP insights and NDR at 100G

Today I am excited to announce Corelight’s v21 release, which delivers dozens of powerful C2 detections, extends analyst visibility around RDP connections, and helps organizations scale network detection and response workloads in high throughput environments. 

Detecting C2 threats 

Finding command and control (C2) activity is no easy task. The MITRE ATT&CK framework lists dozens of stealthy C2 techniques, ranging from multilayer encryption to the use of legitimate Web services like Twitter to hide amidst the noise of normal traffic. 

Fortunately, Corelight’s new C2 Collection can give analysts the high ground to see C2 activity with over 50 unique detections and insights built around: 

  • DNS tunneling
  • ICMP tunneling
  • Domain Generation Algorithms (DGAs)
  • HTTP traffic related to known malware families
  • Meterpreter
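To show the kind of signal a DNS tunneling detection keys on, here is an added example (not Corelight's or Zeek's own code) that scores constructed Zeek dns.log records per client and parent domain by how many distinct, long, high-entropy leftmost labels appear; the field names follow Zeek's dns.log, while the sample records, the thresholds and the function names are illustrative assumptions.

```python
import math
from collections import defaultdict

# Constructed Zeek dns.log records (field names as in Zeek's dns.log), not
# captured traffic: ordinary lookups from one host, plus a burst of long,
# high-entropy labels under one parent domain, the shape a DNS tunnel leaves.
SAMPLE_DNS_LOG = [
    {"id.orig_h": "10.0.0.5", "query": "www.example.com", "qtype_name": "A"},
    {"id.orig_h": "10.0.0.5", "query": "mail.example.com", "qtype_name": "A"},
    {"id.orig_h": "10.0.0.5", "query": "cdn.example.com", "qtype_name": "AAAA"},
] + [
    {"id.orig_h": "10.0.0.7", "query": f"{lbl}.t.example.net", "qtype_name": "TXT"}
    for lbl in (
        "zq7x2kdp9mw4hb3vn8rt1yc6lf0sjg5a", "p3k9ab1qz8ye6tw2mc7uv0hx5dn4rs1j",
        "m8e2rb6qa4vt1yk9wx3cs7dn0zf5hu1l", "g1h4j7k0l3m6n9p2q5r8s1t4u7v0w3x6",
        "b5c8d1e4f7g0h3i6j9k2l5m8n1o4p7q0", "r2s5t8u1v4w7x0y3z6a9b2c5d8e1f4g7",
    )
]

def shannon_entropy(s):
    """Bits of entropy per character of s (0 for the empty string)."""
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))

def find_dns_tunnel_candidates(records, min_unique=5, min_label_len=20,
                               min_entropy=3.5):
    """Group queries by (client, parent domain) and flag groups whose leftmost
    labels are numerous, long and high-entropy. Each signal alone is noisy
    (CDNs use many labels, hashes occur in legitimate names); together they
    separate encoded tunnel payloads from ordinary hostnames."""
    labels_seen = defaultdict(set)
    for rec in records:
        labels = rec["query"].lower().rstrip(".").split(".")
        if len(labels) < 3:
            continue  # no subdomain below the parent, nothing to encode in
        parent = ".".join(labels[-2:])
        labels_seen[(rec["id.orig_h"], parent)].add(labels[0])
    findings = []
    for (host, parent), subs in labels_seen.items():
        long_subs = [s for s in subs if len(s) >= min_label_len]
        if len(long_subs) < min_unique:
            continue
        mean_entropy = sum(map(shannon_entropy, long_subs)) / len(long_subs)
        if mean_entropy >= min_entropy:
            findings.append({"host": host, "parent": parent,
                             "unique_labels": len(long_subs),
                             "mean_entropy": round(mean_entropy, 2)})
    return findings
```

On the constructed records only the 10.0.0.7 group under example.net is flagged; the three short hostnames from 10.0.0.5 never reach the entropy check.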

These innovations come from the work of the Corelight Labs team, led by Zeek® creator and Corelight co-founder, Dr. Vern Paxson. Notably, the team researches, develops, and validates Corelight’s insights in live customer production networks that represent some of the largest, most frequently attacked organizations in the world. 

Want to learn more? Register and tune in next Tuesday, May 25th for a SANS and Corelight webcast on the C2 discovery challenge where we’ll cover some of our capabilities here in greater technical depth. 

Register here: https://www.sans.org/webcasts/118810?source=corelight1

Extending encrypted traffic insights 

With our v21 release the Encrypted Traffic Collection grows even larger with the addition of more than a dozen new insights around RDP traffic, such as the detection of malicious RDP clients like Crowbar and of suspicious login behaviors that may indicate RDP brute force attacks.

With these latest RDP additions this collection now provides rich insight around certificates, SSL, SSH, and RDP traffic that gives analysts actionable light in a world of darkness. 

Scaling NDR to 100G and beyond 

Corelight has a solid track record of delivering open NDR sensors based on Zeek that reliably scale in high throughput traffic. With this release we are proud to introduce a new workhorse of our sensor family, the AP 5000, which can deliver a whopping 100G+ of Zeek traffic analysis in a 1U form factor. Compared to typical open source deployments this represents more than a 10x increase in single sensor performance, which means organizations can not only scale Zeek, but also process additional NDR workloads such as Corelight’s C2 Collection and Suricata rules.
