Corelight Bright Ideas Blog: NDR & Threat Hunting Blog

Black Hat NOC USA 2023: A tale of sharp needles in a stack of dull needles

By Ben Reardon – September 15, 2023

During Black Hat 2023 in Las Vegas, our Corelight team worked effectively and speedily with our first-rate Black Hat NOC partners Arista, Cisco, Lumen, NetWitness and Palo Alto Networks. I was fortunate enough to be a member of the NOC team at the... Read more »

How Does the Kill Chain Apply to Network-Derived Evidence?

By Richard Bejtlich – September 12, 2023

When Eric M. Hutchins, Michael J. Cloppert, and Rohan M. Amin published their paper “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains” in late 2010, they changed the way security... Read more »

Detecting Storm-0558 using Corelight evidence

By Chris Brown – August 1, 2023

While there have been many intrusions, compromises, breaches, and incidents that have made news in the IT and InfoSec industries throughout 2022 and into this year, when events or threats like Storm-0558 gain coverage by mainstream media, we often... Read more »

Lessons Learned Deploying Corelight in the Black Hat Asia NOC

By Dustin Lee – June 12, 2023

Last month, Corelight had the distinct privilege of joining Cisco, NetWitness, Palo Alto Networks, Arista, and our internet service provider, MyRepublic, to provide availability and network security overwatch to the Black Hat Asia network in... Read more »

Corelight launches the Entity Collection

By Vince Stoffer – December 13, 2022

Corelight Labs, our amazing research team, has been hard at work on another content collection which we are excited to introduce: the Corelight Entity Collection. Read more »

Replace IDS and extend entity visibility

By John Gamble – December 8, 2022

Today, as a part of our v27 software release, we are launching enhanced IDS rules management functionality, extending analyst visibility around hosts, devices, users, and more, and upgrading the Corelight Software Sensor to give customers more NDR... Read more »

Detecting Log4j via Zeek & LDAP traffic

By Corelight Labs Team – December 16, 2021

We recently discussed some methods for detecting the Log4j exploit, and we’ve now developed another method that everyone running Zeek® or a Corelight sensor can use. Our new approach is based on the rarity of legitimate downloads of Java via LDAP.... Read more »

Simplifying detection of Log4Shell

By Corelight Labs Team – December 14, 2021

Security workers across the world have been busy since last Friday dealing with CVE-2021-44228, the log4j 0-day known as Log4Shell, that is already being heavily exploited across the Internet. Given the huge number of systems that embed the... Read more »

Corelight & Microsoft Defender for IoT: Through an XDR lens

By Brian Dye – November 16, 2021

What is the XDR paradox? It’s the hottest term in security but there is no consensus yet on the right definition. Why is that? Many organizations have deployed EDR and are benefiting from it, but also looking to the gaps that EDR can’t address such... Read more »

Detecting CVE-2021-42292

By Corelight Labs Team – November 10, 2021

On its surface, CVE-2021-42292 doesn’t look like the kind of vulnerability that a network-based tool can find reliably. Marked by Microsoft as a local file format vulnerability, security veterans would expect that between encryption and encoding,... Read more »