Corelight Bright Ideas Blog: NDR & Threat Hunting Blog

Day 1 detection: CVE-2020-0601, a community, and 40 lines of code

By Richard Bejtlich – January 16, 2020

On Tuesday, Jan. 14, 2020, the world learned of the vulnerability du jour, CVE-2020-0601. As explained by Microsoft, “a spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC)... Read more »

Light in the darkness: New Corelight Encrypted Traffic Collection

By Vince Stoffer – November 19, 2019

This week’s launch of version 18 of our software features the Encrypted Traffic Collection, our first collection of a series of detections and data enrichments created by the Corelight research team. This collection focuses on SSH, SSL/TLS... Read more »

New Corelight app for Splunk: Making network-based threat hunting easier

By Ed Smith – November 18, 2019

Want to use Zeek (formerly Bro) network data in Splunk ES, but don’t know how to start or where to look? Read more »

A network engineer in a Zeek Week world

By Sarah Banks – November 4, 2019

With almost two decades of networking experience, I recently made my first foray into a security-centric user conference at Zeek Week, an annual conference for the user community of the open source network security monitoring platform known as Zeek... Read more »

No tap? No problem!

By Richard Bejtlich – October 21, 2019

Recently a fan of network security monitoring (NSM) asked me for advice on his current instrumentation situation. He said his organization was new to NSM and was interested in pursuing solutions with Corelight. However, the company did not have any... Read more »

Using Corelight to monitor and identify exploited VPNs

By Richard Bejtlich – October 1, 2019

Network and security infrastructure, such as routers, switches, firewalls, virtual private network concentrators, and other equipment, are designed to provide a stable and secure communications experience for client and server computers and their... Read more »

An attack or just a game? Corelight can help you tell the difference quickly

By Richard Bejtlich – September 11, 2019

When we think about using Corelight data, our mental models often fixate on finding evidence of suspicious and malicious activity. This makes sense, as network security monitoring data generated by Corelight and Zeek combines the granularity of... Read more »

Don’t delay – Corelight today!

By Richard Bejtlich – July 31, 2019

Introduction Recently I heard that a company interested in Corelight was considering delaying their evaluation because of questions about SIEM technology. They currently have two SIEMs and are evaluating a third, possibly to replace the first two.... Read more »

What did I just see? Detection, inference, and identification

By Richard Bejtlich – July 29, 2019

In the course of my network security monitoring work at Corelight, I’ve encountered the terms detection, inference, and identification. In this post I will examine what these terms mean, and how they can help you describe the work you do when... Read more »

Profiling Whonix

By Richard Bejtlich – July 17, 2019

Introduction This week I read a story announcing that the latest edition of Whonix had been released. I had heard of Whonix, but had never tried it. I knew it was a Linux distribution that tried to make it as easy and safe as possible to anonymize... Read more »