June 10, 2019 by Vince Stoffer
Corelight just released our v17 software release and it’s packed with a number of cool new features including the Input Framework, Community ID, and MITRE’s BZAR collection of detections for lateral movement. Let me share a few details about how these new features can enhance your data, speed up your IR workflow, and provide detections around malicious Windows traffic.
Consider for a moment the power of name tags. Imagine you’re at a big security conference and wandering around the room full of startups showing off their blockchain-enabled AI/ML whirligigs. Imagine if nobody was wearing a name tag. You would see a lot of people and have some clues about who they are, but without name tags you’ve lost some content that allows you to connect each person with a name, a company, a technology, and a place. You can think of the power to enrich and augment your Corelight data like the power of the name tags at the security conference. Without the label or enrichment you still get extremely rich data to help your investigations, but it’s always helpful to identify things faster. For example, to find out whether an internal IP address is coming from the engineering department or the CEO’s office you might have to do a lookup in your inventory database. Or you might want to know if a particular email account seen in your Corelight SMTP logs is active or never existed, and you’d have to go to a couple different data sources to determine that.
Now with Corelight support for the Zeek Input Framework you can take any sort of structured data and use it to dynamically update content within your packages, data structures, or system variables. There’s an easy way to push files to the Corelight sensor, and a pane in the web UI to manage those files. The files can be referenced by multiple packages so you could, for example, have a daily updated list of the Alexa top 1000 websites and use that as a whitelist against certain detections. Or, as I mentioned above, you could pull in inventory information to augment the conn log with security classification, machine owner, or anything else that’s important to accelerate your investigation. Having the ability to quickly and dynamically update this kind of information (with no restarts) is a powerful way that Corelight gives you better data localization tuned to your specific environment, and it’s now available as part of the v17 release.
Once the data is created and you’re doing investigations within your SIEM or analytics tools there’s another problem that often slows down investigations: correlating information between different security tools. The “5-tuple” (which in this context consists of src address, src port, dst address, dst port, and protocol) is the primary way to identify a bidirectional network connection. Corelight’s own Christian Kreibich wrote a specification called “Community ID” (https://github.com/corelight/community-id-spec) which creates a hash of the 5-tuple, essentially turning those five fields into a single hash value. Zeek, Corelight, Suricata, Moloch, Elastic, and others already support generating the Community ID, and once your tools are all generating a common hash for all network connections, it’s easy to correlate specific connections across all of those tools. Say, for example, your Suricata sensor fires an alert. You can take the Community ID hash generated by Suricata and do a quick search in your SIEM for the corresponding Corelight Zeek data, or pivot to PCAP. Your IR workflow is simpler and faster by working through a common value, rather than five different fields, and your team gets more value out of all your tools. Now Community ID is part of Corelight’s default packages, and can be easily enabled whenever you’re ready to use it. Please use it, and encourage all of your technology partners to adopt it as well!
Last but not least, you’ve probably heard the buzz around MITRE’s ATT&CK framework. It’s a fantastic way to structure attacker TTPs into categories to help guide your risk analysis and map tool coverage. It’s been primarily focused on endpoint indicators, however, as we all know most attacks begin over the network. That’s why some smart folks at MITRE developed and published a set of network detections called BZAR (Bro/Zeek ATT&CK-based Analytics and Reporting – https://github.com/mitre-attack/car/tree/master/implementations/bzar).
The reporting component is a number of detections (primarily based around the common Windows protocols SMB and DCE/RPC) for indicators like lateral movement, file access, credential access, evasion and more. The analytics component takes aggregations of these simple indicators and uses statistical analysis (using sumstats) to generate notices for specific types of malicious behavior like discovery, execution, and copying files.
The BZAR package is now included on Corelight sensors and can be enabled with a simple radio button and modified by options in the UI. This will provide our customers with an amazing suite of detections for East-West traffic and it’s an important part of our continuing focus on providing relevant Zeek detection content. It’s also a great example of how the vibrant Zeek community is able to deliver new ideas and innovation that benefits everyone.
I hope you enjoyed this quick peek into v17 and there’s one more thing…keep your eyes open for a big product announcement later this month, we can’t wait to break the news as soon as the time is right. Until then, as always, please send us your thoughts or questions about the release or anything else!