February 19, 2020 by Richard Bejtlich
Vendors often claim that their products or services counter, mitigate, or otherwise affect “nation state threats.” When I worked as a director of incident response at one company, and as a chief security officer at another, claims like these made no impact on me. The technical differences among high-end groups have been converging for the last decade. In other words, it’s not like nation state threats use one distinct set of tactics, techniques, and procedures (TTPs), while criminal groups supposedly use another set of TTPs. Furthermore, a phrase like “nation state threats” says nothing about the target of their attacks. All sorts of threat actors attack enterprise environments, industrial settings, consumer devices, cloud infrastructure, and more.
For these reasons, I hesitate to talk about Corelight in terms of what the product can do versus nation state threats. If the threat actor that’s of worry to a prospect or customer is attacking business processes via telephone, or is rummaging through the office trash, or is infiltrating the human resources process to plant employee assets in a company, Corelight is not going to assist with these events.
Rather, Corelight is an indispensable asset for “network resident threats.”
Doing some research on this phrase, I see it has received very little usage, although two Israeli network security start-ups use it in their marketing material. I like the phrase because it captures the location and action of the attacker, namely the network and the fact that they are sticking around for a while. While Corelight helps identify many types of network-utilizing activity, I believe most of our customers derive the greatest value from the records associated with medium-to-long-term threat activity in an organization’s network.
As a network security monitoring platform, Corelight builds on open source Zeek to generate compact, high-fidelity transaction logs for a wide variety of protocols, and can extract file contents and protocol analysis and other details from many types of traffic. Corelight is not an “active” security tool, meaning it does not take direct action to interrupt adversary activity, as might be the case with a firewall or endpoint agent. (It is possible for Corelight to drive systems which can take direct action, via network access control list, for example. However, I’m focusing here on the most common use cases.)
As a passive visibility system, Corelight provides network investigators with the data they need to identify normal, suspicious, and malicious activity. This only works when the adversary is abusing network access, and it is most helpful when the attacker is active for a discernible period of time. Unfortunately, this is almost always the case, as adversary dwell time (the time spent on a network prior to discovery) still lags on the order of weeks and months, and not minutes or hours. In order to find intruders acting on such time scales, and to determine exactly what they are doing, network defenders need the very sort of data that Corelight provides, and can archive in partner SIEM and storage solutions for months, and sometimes years.
This capability applies to any intruder who interacts with an organization’s network, whether that network is on premise, in an industrial setting, in the cloud, or even on the home network of a high-value company asset. Deploying Corelight to those environments, whether as physical hardware, a cloud sensor, or a virtual appliance means defenders can have visibility in all those locations. This visibility applies whether the attacker is a nation state, criminal group, insider threat, or other undesirable actor. For these reasons, anyone worrying about detecting and responding to network resident threats would benefit from the data that Corelight provides.