September 14, 2020 by John Gamble
This summer, Corelight hosted a virtual CTF tournament where hundreds of players raced to solve security challenges using Zeek data in Splunk and Elastic. After the preliminary rounds, we invited the top performers back for a champions round and crowned the tournament winners.
Missed the tournament? You can still sign up to compete in one of Corelight’s bi-monthly CTF games here: https://www3.corelight.com/ctf/hunt-from-home.
Here are the winners of Corelight’s summer CTF tournament:
How did you hear about Corelight CTF?
Vlad Sokol from Corelight reached out to me about it to share it with the OSU Security Club.
Can you tell us about your security background?
I am about to go into my senior year of undergrad at Oregon State University, studying CS with a focus on cybersecurity. I’ve worked in the cybersecurity field since 2014/2015 with a couple of internships in high school and I’m currently working in the SOC at OSU as a student team lead on the network security and monitoring team.
Did you have prior experience with Zeek?
Yes! We have a large Zeek cluster monitoring a 100 Gigabit pipe on campus that’s been running for 4-5 years. And I went to BroCon when they announced the project name change to Zeek. I have lots of opportunities to do cool things with Zeek at work, which is a lot of fun. It’s an awesome tool, and I love using it. I have also been running it on my home network, and I’ve written some Zeek scripts and plugins as well.
How would you describe the security value of Zeek?
Zeek allows you to get tons of really good data about your network without having to do full PCAP, so you don’t have to have petabytes of disk space set aside. It’s also a good way to protect user privacy, especially in the university environment. Zeek allows us to reach a good middle ground where we can do our job effectively to identify security threats in the environment, but students are able to maintain privacy. It’s one thing I really, really like about Zeek.
How would you compare Zeek vs. PCAP or Netflow as a security datasource?
We use Zeek in conjunction with other types of log data, but when I look at Zeek data I already have the netflow data, DNS data, etc. Zeek also has the SSL log, which is awesome, especially if you’re using JA3. The only time I have to drill into application logs (beyond Zeek) is for HTTPS traffic since I don’t get that URI or host information. It’s rare that I find myself looking at Zeek logs and thinking “oh I wish I had more information”. All of the Zeek protocol analyzers are really well fleshed out. There are only rare instances where I find myself wishing I had the full PCAP. For 99 percent of the time, Zeek logs are awesome (and PCAP is not needed).
The Zeek SSL log provides a lot of good information about certificates and encrypted traffic seen over the wire and provides information so you can pivot to find good versus bad traffic. JA3, the Zeek package written by John Althouse and his team at Salesforce, performs additional fingerprinting on SSL traffic, and they also provide a list of known fingerprints. For example, Firefox 78 on Windows has this specific JA3 hash, and so if you see that hash in your traffic you can assume it’s a benign client and not something that requires further investigation. If you see a weird JA3 hash or something the community has identified as bad, like a Cobalt Strike C2 certificate, then that hash is something you can easily drill down on even though the traffic is encrypted. There are tons of metadata still being exposed in encrypted traffic that Zeek collects and analyzes.
How did you hear about Corelight CTF?
I was invited by a friend. I’ve been participating in CTFs almost weekly now, especially in the last couple of months because there are so many online events. I really enjoy CTFs. Most of them I try to do in team format. Corelight’s was quite fun.
Can you tell us about your security background?
I don’t have a formal cybersecurity background. I am a physicist and nanotechnology engineer, but I’ve been taking some security classes in recent years as cybersecurity and security have been a hobby of mine. This year I started my first job in cybersecurity.
Did you have prior experience with Zeek?
I did not have any prior Zeek experience before the Corelight CTF Tournament. Before the tournament I had to study for the final round and I took some time to learn Zeek and the syntax. I also started looking up things like JA3, which is new to me and I find really interesting. I know enough about cryptography, but I did not know about JA3 and it’s very useful.
JA3 together with HASSH convert a lot of different data points into a single string that should be unique and makes connection fingerprints “human readable”. The concept of fingerprinting has existed for a long time, but I think it’s a really useful feature here. It’s not 100 percent reliable as there are some edge cases, but for general analysis it’s going to be really fast to make some impressions based on JA3/HASSH fingerprint analysis.
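Both answers above describe the same mechanism: JA3 folds the fields of a TLS ClientHello into one string, hashes it, and the hash is compared with a list of known fingerprints. The following is an added example written for this post (not code from the JA3 package or from Corelight) showing that construction, including the GREASE filtering that keeps the fingerprint stable; the ClientHello values and the label list are constructed sample data.

```python
import hashlib

# GREASE values (RFC 8701) change on every handshake, so JA3 drops them;
# otherwise one client would produce a different fingerprint each time.
GREASE = {0x0a0a + 0x1010 * i for i in range(16)}   # 0x0a0a, 0x1a1a, ... 0xfafa


def _join(values):
    """Join one field's values with '-' after removing GREASE entries."""
    return "-".join(str(v) for v in values if v not in GREASE)


def ja3_string(version, ciphers, extensions, curves, point_formats):
    """Build the JA3 string in the order the JA3 spec fixes:
    SSLVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats."""
    return ",".join([str(version), _join(ciphers), _join(extensions),
                     _join(curves), _join(point_formats)])


def ja3_hash(version, ciphers, extensions, curves, point_formats):
    """The value the JA3 package writes to Zeek's ssl.log: MD5 of the string."""
    text = ja3_string(version, ciphers, extensions, curves, point_formats)
    return hashlib.md5(text.encode("ascii")).hexdigest()


def classify(fingerprint, known):
    """Label a fingerprint from a dict of known hash -> label; anything not on
    the list comes back as 'unknown', which is what an analyst pivots on first."""
    return known.get(fingerprint, "unknown")


# Constructed ClientHello field values (decimal code points, GREASE included).
SAMPLE = dict(version=771,                               # TLS 1.2
              ciphers=[0x0a0a, 4865, 4866, 49195],
              extensions=[0x2a2a, 0, 23, 65281, 10, 11],
              curves=[0x3a3a, 29, 23, 24],
              point_formats=[0])

if __name__ == "__main__":
    fp = ja3_hash(**SAMPLE)
    # Constructed label list; a real list maps published hashes to client names.
    known = {fp: "constructed-benign-client"}
    print(ja3_string(**SAMPLE), fp, classify(fp, known))
```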
How would you describe the value of Zeek data?
I really liked how intuitive it was, and I was impressed how it was possible to make assumptions based on analyses of the data. The inferences that were added by Corelight (Encrypted Traffic Collection), where you could analyze the traffic behaviors and add that on to the dataset, make it more intuitive for an analyst to see what’s happening. That’s quite impressive and something I really like about it. Zeek has a fairly natural syntax, and it’s quite fast to learn. I think it’s really useful in practice.
How did you hear about the Corelight CTF?
A coworker of mine sent it through Slack. Another former coworker had heard of you guys and was trying to push management to purchase equipment from you guys.
Can you tell us about your security background?
Most recently, I was a SIEM engineer at Norfolk Southern Company. This included everything from the designing of the infrastructure to the actual implementation and onboarding of several data sources. My security passion lies in penetration testing, as I spend a lot of time playing CTFs and breaking vulnerable machines and VMs and such. I just like the competitive nature (of CTFs) and the learning aspect. I strive to learn something new every day.
Editor note: You can find him on LinkedIn here: https://www.linkedin.com/in/aunermoncada/
Did you have prior experience with Zeek?
Yes, I’ve worked with Zeek log data as a security analyst, using Sguil to comb through Zeek datasets.
How would you describe the security value of Zeek?
The output of Zeek is a lot of valuable information. It’s easily digestible for analysts to search through, correlate via connection IDs and get to the point of being able to identify a threat or malicious activity.
How would you compare Zeek vs. PCAP or Netflow as a security datasource?
Zeek has a way of summarizing information, but also presenting enough information so you can quickly comb through and correlate. Unlike PCAPs, with Zeek you don’t have to spend time filtering out too much information and you can paint the picture of what happened. Netflow? It tends to summarize information a bit too much.
Tagged With: Zeek, DNS, PCAP, ja3, open source community, Announcements, Splunk, ssl.log, Elastic, Cobalt Strike C2, CTF, Capture the Flag