This week’s launch of version 18 of our software features the Encrypted Traffic Collection, our first collection of a series of detections and data enrichments created by the Corelight research team. This collection focuses on SSH, SSL/TLS certificates, and insights into encrypted network sessions.
SSH Inferences
The first package focuses on SSH inferences. With a few clicks the following features can be enabled on the Corelight sensor to provide network traffic analysis (NTA) inferences on live SSH traffic. SSH can be used in many different ways including transferring files, executing a single command, or providing an interactive terminal. Certain features trigger a notice or alert to enable a rapid response. Additionally, for data enrichment, each category will notate the specific types of usage seen for each SSH connection. These will be included in a newly created field in the SSH log called inferences.
- Alert on a client authentication bypass attempt – This approach may be useful for identifying some types of zero-day exploits: This can occur when a client exploits a server or when a client and server switch to a protocol other than SSH once encryption begins.
- Detect SSH scanning – Detect scanning or discovery of SSH servers from internal or external hosts: A client exchanged began negotiations or requested version strings or capabilities with a server but then disconnected.
- Identify port-forwarding (tunneling) and client file transfers (uploads and downloads) – This can highlight illicit data transfers or tunneling around corporate security policies: A port-forwarding session where the client tunneled traffic over the SSH connection or a file transfer occurred during the session where the client sent a sequence of bytes to the server or vice versa.
- Identify keystrokes – While not necessarily malicious, after whitelisting known administrators this could be used to flag interactive adversary behavior: Flag an interactive session where the client sent keystrokes to the server. Also includes a client typed command counting field which provides an approximate command_count field in the SSH log and could highlight anomalous behavior (running many commands or few commands but persisting over a long duration).
- Client Bruteforcing – Detect attempts at unauthorized access or internal service discovery: A client was seen attempting to authenticate more than some configured threshold or a client was seen attempting to authenticate more than some configured threshold and then successfully authenticated.
Corelight security researcher Anthony Kasza describes the SSH Inferences Package in greater technical detail on the blog this week as well.
TLS Certificate Hygiene
Another package included in the Encrypted Traffic Collection helps to monitor and alert on SSL/TLS certificate policies including:
- Identifying the use of self-signed TLS certificates – Monitor the network for self-signed certificates which (after whitelisting benign internal services) could indicate the presence of services with default configurations or even malicious applications and services.
- Identifying the use of newly issued and soon to expire TLS certificates – Find certificates which have just been created (might indicate a new service or an unexpected change to a service) and monitor certificates which are approaching expiration or are expired, which can help streamline operations and keep critical applications secure.
- Identifying the use of vulnerable TLS settings – Alert on outdated cipher suites, identify weak keys, and maintain visibility into the distribution of TLS versions being used across your network to quickly track and remediate potentially vulnerable services.
Tunable configuration options
What may be worth an analyst’s attention at one site may be normal behavior at another. This is one of the core tenets of Zeek’s policy neutral event system. By exposing tunable knobs to customers you get to decide what is worth turning on or being notified about. Both the SSH and TLS packages provide options for controlling notices, disabling specific features, and tuning away noise from false positives.
Futures
While our plans are subject to change, in the following software release (v19) we plan to fill out this Encrypted Traffic Collection with additional packages and features including generalized interactive session detection and more. We look forward to sharing even more of the great work from Corelight Labs in the future.
Vince Stoffer - Senior Director, Product Management, Corelight