Corelight Bright Ideas Blog: NDR & Threat Hunting Blog

Profiling Whonix

By Richard Bejtlich – July 17, 2019

Introduction This week I read a story announcing that the latest edition of Whonix had been released. I had heard of Whonix, but had never tried it. I knew it was a Linux distribution that tried to make it as easy and safe as possible to anonymize... Read more »

Investigating the effects of TLS 1.3 on Corelight logs, part 2

By Richard Bejtlich – June 2, 2019

Introduction Welcome to part 2 of my three-part series on TLS. In the previous article I briefly introduced TLS, and showed how Corelight would produce logs for a clear-text HTTP session. In this article I will perform the same transaction using TLS... Read more »

Investigating the effects of TLS 1.3 on Corelight logs, part 1

By Richard Bejtlich – May 28, 2019

Introduction I’ve written previously about Corelight data and encryption. I wanted to know how TLS 1.3 would appear in Corelight data, and compare the same network conversation over clear-text HTTP, TLS 1.2, and TLS 1.3. In this first of three... Read more »

How to use Corelight and Zeek logs to mitigate RDS/RDP vulnerabilities

By Richard Bejtlich – May 22, 2019

Introduction On May 14 Microsoft released patches for, and details about, a remote code execution vulnerability in Remote Desktop Services (RDS), the graphical interactive desktop offered with most Windows operating system platforms. This... Read more »

Network Security Monitoring, a requirement for Managed Service Providers?

By Richard Bejtlich – May 20, 2019

Over the last six months, we’ve read in the security press about a variety of managed service providers (MSPs) being compromised by nation-state and criminal actors. Some examples: Read more »

Is there a ‘Z’ in “Vectra”?

By Vern Paxson – May 20, 2019

Having worked on Zeek (Bro) for well over two decades now, it’s hugely gratifying – and frankly still somewhat amazing – to see how widely it is used in today’s enterprises. Zeek’s real-time analysis capabilities, extensible scripting,... Read more »

How Zeek can provide insights despite encrypted communications

By Anthony Kasza – May 6, 2019

Overview Encrypted communications are ubiquitous. While encryption provides confidentiality, it cannot prevent all means of traffic analysis. Certain protocols, such as SSH and TLS, ensure contents are not directly readable by monitoring systems.... Read more »

Zeek is much more than a data format

By Gregory Bell – April 23, 2019

Last week, a candidate for a senior role at Corelight explained his motivation for joining the company this way: “the world is standardizing on Zeek.” Read more »

Mission First, People Always.

By Amber Graener – April 8, 2019

I’d like to take a moment and introduce myself. I’m Amber Graner, and I’m excited to join Corelight, Inc as the Director of Community for the Zeek project. Read more »

Is IPS a feature or a product?

By Richard Bejtlich – April 1, 2019

This post is a departure from previous editions. It is inspired by discussions I’ve had recently with a few different online and in-person communities. I will present my view on the topic, but I’m more interested in hearing what readers think! Read more »