
Corelight's enhanced threat detection: staying ahead of evasive threats

In today's rapidly evolving cybersecurity landscape, organizations face unprecedented challenges. Cyber threats are not only increasing in volume but are also becoming more sophisticated and evasive, using AI themselves to enhance their attacks. The attack surface has expanded dramatically, while Security Operations Centers (SOCs) are often left with fewer resources to combat these growing threats. Recent advisories, such as the CISA alert on state-sponsored actors like Salt Typhoon, highlight the urgent need for enhanced detection capabilities against highly persistent and evasive threats targeting critical infrastructure. The Verizon DBIR 2025 report reveals a significant shift in breach entry points for 2024. Exploitation of edge devices and VPNs, often hidden from typical security measures like EDR, surged as the fastest-growing method. This category jumped from 3% to 22% of breaches year-over-year. To address these vital issues, Corelight is announcing significant enhancements to our evasive threat detection capabilities, consisting of improvements to AI-powered threat detection capabilities (new anomaly detection and supervised ML models) and east-west (lateral movement) traffic analysis. This new release also includes improvements to Command and Control (C2) detection and brute force attack detection. These advancements are core to improving the detection of evasive threats, allowing organizations to protect their critical assets more effectively, and will be available in our upcoming 28.4 software release.

Anomaly detection enhancements

Part of our core multi-layered threat detection offering, Corelight's industry-leading anomaly detection capabilities have been improved to identify additional deviations from normal network behavior. This new release focuses on improvements to discovering anomalous and unusual server-based traffic. These types of behaviors are often missed by traditional signature-based detection, which often fails to detect novel or polymorphic threats in server-based traffic. Our evidence-first approach starts with feeding the best data to the newly enhanced anomaly detection, leveraging advanced machine learning algorithms to:

  • Baseline normal behavior: Continuously learn and adapt to an organization's unique network patterns, establishing a robust baseline of "normal" activity.
  • Identify subtle deviations: Detect even the most subtle anomalies that could indicate malicious activity, such as unusual administrative shares, anomalous RDP use, or atypical executable file transfers.
  • Reduce false positives: Our system is designed to minimize false positives through continuous refinement and learning, and through the use of peer group modeling. Peer group modeling brings together devices and subnets with similar activities. Anomalous activity is then measured not just against an entity's history, but also against its peer group’s history. If the activity is anomalous to both, an alert is generated. If it's only anomalous to the entity, but not the group, it's likely a benign deviation and no alert is raised. By reducing false positives, SOC teams can concentrate on real threats.
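The peer-group rule described above (alert only when an observation is anomalous against both the entity's own history and its peer group's history) can be made concrete with a small scoring routine. The following is an added illustration, not Corelight's code: it assumes a per-entity history of daily activity counts (here, constructed RDP session counts), a static peer-group assignment, and a z-score threshold, all of which are the example's own simplifications.

```python
"""Peer-group anomaly scoring, added as an illustration of the rule in the text.

Each entity (host or subnet) has a history of daily counts of some activity,
e.g. RDP sessions initiated. Entities with similar activity are grouped into a
peer group. A new observation is scored against the entity's own history AND
against the pooled history of its peer group; only a deviation from both is
treated as an alert, a deviation from the entity alone is a benign drift.
"""
from statistics import mean, pstdev
from typing import Dict, List

# Constructed sample data: daily RDP session counts over ten days per host.
# These are not real telemetry.
HISTORY: Dict[str, List[int]] = {
    "ws-01": [2, 3, 2, 4, 3, 2, 3, 2, 3, 2],
    "ws-02": [3, 2, 5, 3, 2, 6, 3, 2, 5, 3],
    "ws-03": [2, 4, 3, 5, 2, 4, 2, 3, 2, 3],
    "admin-jump": [20, 22, 19, 21, 23, 20, 22, 21, 20, 22],
}

# Constructed peer groups: workstations behave alike, the jump host is on its own.
PEER_GROUPS: Dict[str, List[str]] = {
    "workstations": ["ws-01", "ws-02", "ws-03"],
    "jump-hosts": ["admin-jump"],
}


def zscore(value: float, samples: List[int]) -> float:
    """Standard score of `value` relative to `samples` (population std dev)."""
    m, s = mean(samples), pstdev(samples)
    if s == 0:
        # Flat history: any change is infinitely surprising, no change is not.
        return 0.0 if value == m else float("inf")
    return (value - m) / s


def classify(
    entity: str,
    value: float,
    history: Dict[str, List[int]] = HISTORY,
    peer_groups: Dict[str, List[str]] = PEER_GROUPS,
    threshold: float = 3.0,
) -> str:
    """Return 'alert', 'entity-only' or 'normal' for a new observation.

    'alert'       : anomalous against the entity AND its peer group.
    'entity-only' : anomalous against the entity but typical for its peers,
                    so treated as benign drift and suppressed.
    'normal'      : within the entity's own baseline.
    """
    group = next(
        (g for g, members in peer_groups.items() if entity in members), None
    )
    if group is None:
        raise KeyError(f"{entity} is not assigned to a peer group")

    own = zscore(value, history[entity])
    pooled = [v for peer in peer_groups[group] for v in history[peer]]
    peer = zscore(value, pooled)

    if own > threshold and peer > threshold:
        return "alert"
    if own > threshold:
        return "entity-only"
    return "normal"


if __name__ == "__main__":
    for host, count in [("ws-01", 30), ("ws-01", 5), ("ws-01", 3), ("admin-jump", 21)]:
        print(f"{host} {count:>3} RDP sessions -> {classify(host, count)}")
```

In this data ws-01 normally opens two or three RDP sessions a day, so five sessions is well outside its own baseline, but the other workstations regularly reach five or six, so the peer check suppresses it; thirty sessions is anomalous to both and is reported. A production system would replace the static groups and z-scores with learned clustering and a richer model, but the suppression logic is the same.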

By quickly identifying these and other anomalies, Corelight empowers SOCs to detect evasive threats, including insider threats and zero-day exploits, that might otherwise slip past conventional defenses.

East-west detection enhancements

The rise of hybrid and multi-cloud environments has amplified the importance of east-west traffic (also known as lateral traffic) monitoring. Malicious actors, once inside the network, often move laterally to gain access to high-value assets. Corelight offers unparalleled visibility into east-west traffic, and with this release, enhances evasive threat detection in internal laterally moving network traffic related to Kerberos attacks and configuration:

  • Comprehensive internal visibility: This new release provides additional deep insight into communications between servers, applications, and devices within the network. It also looks for misconfigurations, including the use of weak cryptography.
  • Lateral movement detection: Identify suspicious lateral movement patterns, such as unusual access to internal systems, sophisticated Kerberos attacks, and executable file transfers within the network.

These enhancements ensure that even if an attacker bypasses traditional defenses, their lateral movements are quickly detected, allowing for swift containment and remediation.

Additional enhancements

These enhancements, along with the addition of new supervised ML models in Corelight Sensor, new C2 detections, and brute force attack enhancements, bolster Corelight's industry-leading ability to detect evasive threats. The new supervised ML and C2 detections include these capabilities:

  • Expanded supervised machine learning: Addition of models detecting anonymous network use and malicious SSL certificates in Corelight sensors, with new tuning capabilities to reduce noise and improve signal quality.
  • Additional C2 detection: Added C2 detections to identify the unique fingerprints of advanced adversary tools, including Caldera and QuasarRAT, which typically blend into normal HTTPS traffic and evade generic security controls.

Improving evasive threat detection

In a world where attackers are constantly refining their techniques to avoid detection, our advanced capabilities provide:

  • Proactive threat hunting: These capabilities equip SOC teams with the data and insights needed to proactively hunt for threats that have bypassed initial defenses.
  • Reduced dwell time: By detecting anomalies and suspicious activities earlier, Corelight helps reduce attacker dwell time, minimizing the potential impact of a breach.
  • Optimized SOC resources: With more accurate detections and fewer false positives, SOC teams can optimize their limited resources, focusing on the most critical threats and improving overall operational efficiency.

Conclusion

Corelight's latest enhancements to evasive threat detection, including improvements to anomaly detection, east-west (lateral movement) detection, new C2 detections, and improved brute force attack detection, represent a significant leap forward in combating modern cyber threats. As cyber threats continue to increase in sophistication and evasiveness, and SOCs operate with fewer resources, our commitment to providing cutting-edge detection capabilities ensures that organizations can stay one step ahead. These improvements empower security teams with the visibility and intelligence needed to detect, investigate, and respond to even the most elusive threats, protecting their digital assets and maintaining business continuity.

For more about staying one step ahead of advanced attackers, watch our webinar on detecting evasive threats and download our whitepaper on multi-layered threat detection strategies. To learn more about Corelight's detection capabilities, visit our threat detection webpage.
