Corelight Investigator accelerates threat hunting
This morning we announced Corelight Investigator, an open NDR platform that enables security teams with next-level evidence. Here is how it works.
It was time to write another book.
That’s what I thought when I heard that Corelight wanted to update its 2021 book on network detection and response (NDR). Tamara Crawford, who owned the project, scheduled a meeting with me and asked if I might be interested in helping, depending on who might write the text.
I volunteered immediately to write the whole book, but I had a few conditions. The text had to be at least 100 pages long, because 100 pages is my personal dividing line between “book” and “white paper.” I needed the freedom to cover the topics I wanted to address, and to not be told what to write. I wanted to show the four network security monitoring (NSM) data types working in a vendor-neutral manner, with technical details. Finally, I knew this project would take several months to research, write, lay out, proofread, and complete. Once Corelight agreed, I was ready to begin.
My goal for the book was to show how high-fidelity network evidence can power successful incident detection and response operations. For decades, digital security relied on the flawed premise that the “right” security controls could stop malicious activity. History, however, has repeatedly shown that prevention eventually fails. Victory belongs to the defender who accepts that intrusions are inevitable and who implements aggressive post-compromise interdiction and containment.
Security teams have the best chance to stop an adversary before they accomplish their mission when they leverage network security monitoring data and the latest AI and automation assistants. Therefore, this book equips practitioners with the tools and mindsets necessary to hunt through network evidence and diminish attacker dwell time.
The book begins with a chapter that defines risk, threat, vulnerability, and asset value in the context of cybersecurity. It explains seven risk management strategies, NDR’s role in the security cycle, four sources of situational awareness, the importance of time and how to measure it, and a variety of NDR-specific topics like where and how to monitor, costs vs. benefits, and the difference between NSM and NDR.
Chapter 2 is all about the four types of NSM data. I show examples of full content data via terminal and graphical interfaces, and what it can do for analysts. I briefly demonstrate how to obtain and analyze extracted content, then show how transaction data can answer many of the key questions asked by security analysts. The chapter concludes with alert data, which has become more significant in an age of smarter and more precise AI capabilities.
Chapter 3 is the first of two chapters demonstrating workflows for security investigators. This chapter examines how alert data from a sufficiently capable NDR can identify suspicious and malicious activity. It includes four cases, showing how lateral movement, expired SSL certificates, outbound reconnaissance, and malicious remote desktop protocol behavior manifest in alerts.
Chapter 4 presents the other side of investigative workflows, relying on threat hunting to reveal adversary activity. Properly collected, rendered, and displayed NSM data is crucial, because you can’t really hunt without high-quality evidence. The chapter includes six cases, showing how file name mismatches, unusual downloads, large data transfers, coordinated exfiltration, lateral movement, and certificates appear when exposed via threat hunting.
Chapter 5 explores how artificial intelligence and automation technologies are bringing powerful new capabilities to security teams. I start by discussing the generation of alerts at the edge and at the center, then I share how AI can help with investigating suspicious and malicious activity. I conclude with advice on the best use of agentic triage and how AI will integrate with tools while enabling new capabilities.
If you’re a security leader, such as a CISO or director, you’ll probably be most interested in Chapters 1 and 5. You should ensure your teams have the data described in Chapters 2-4. If you’re a security analyst, you’ll probably be most interested in Chapters 2-4, although you should be familiar with the concepts and strategies in Chapters 1 and 5. If you’re familiar with my previous works, you will be happy to see that this book has a certain amount of “future-proofing” embedded. I did not explain how to install any specific tools, nor did the tools I use rely on strict display technologies. All of the examples in Chapter 2 use open source tools with stable outputs, such as Tshark, Wireshark®, Zeek®, and Suricata®.
I hope readers find the book relevant to their security work and a decent introduction to adding NSM data from capable NDRs to their investigations. This book is only the beginning of what can be done once teams have access to high-fidelity network evidence. If you’d like to know more about the book, Vince Stoffer interviewed me for the Corelight podcast, and that episode will be available on YouTube, Spotify, and Apple Podcasts. As I say at the end of every episode, “we will see you on the network.” Read NDR Essentials to learn how high-fidelity network evidence can strengthen your security program!
This morning we announced Corelight Investigator, an open NDR platform that enables security teams with next-level evidence. Here is how it works.
Corelight's YARA integration helps organizations increase detection rates, improve network visibility, and reduce false positives.
Learn about the attributes of high-quality evidence. What should evidence look like, in order to be useful to defenders when the next security event...