
Together is faster: Zeek for vulnerabilities

“There is an open approach that is currently rippling across the infosec industry that could give defenders the acceleration they need.” – John Lambert (Distinguished Engineer, Microsoft) 

I love this quote. It perfectly describes the impact network defenders can achieve by pooling resources, insights, and techniques. 

In his influential essay on the ‘Githubification of InfoSec’, John Lambert explores the growing ecosystem of open SOC tools, highlighting the impact of Sigma, MITRE ATT&CK™, and Jupyter notebooks. The most interesting tools in this ecosystem are also extensible platforms that facilitate the efficient exchange of knowledge. They tend to gather communities around them, and gain energy from those communities.

Another powerful tool that fits this pattern is Zeek. If you haven’t followed the Zeek project recently, it’s enjoyed remarkable growth in the past few years – becoming the acknowledged ‘gold standard’ for processing and analyzing network traffic, usually for the purpose of network defense. 

Zeek has many virtues. One of the most useful is that it lets defenders prototype and deploy lightweight detection scripts quickly. It’s also well suited for behavioral detection, for cases where simple pattern-matching isn’t enough. These two features make Zeek a great platform for rapid response to critical network attacks.

How about some evidence of this?  

Over the past six months, the Zeek community has responded admirably to a series of widely-publicized vulnerabilities, generating high-quality open source detections and making them available to every Zeek user worldwide: 

F5 BIG-IP (CVE-2020-5902): https://github.com/corelight/CVE-2020-5902-F5BigIP

Ripple20 vulnerability family: https://github.com/corelight/ripple20

GnuTLS (CVE-2020-13777): https://github.com/0xxon/cve-2020-13777

CallStranger (CVE-2020-12695): https://github.com/corelight/callstranger-detector

Curveball (CVE-2020-0601): https://github.com/0xxon/cve-2020-0601

SIGRed (CVE-2020-1350): https://github.com/corelight/SIGRed

All of these scripts, tests, and documentation represent a lot of sharing. They’re also strong evidence of Lambert’s proposition above. And the vulnerabilities addressed are serious, collectively impacting hundreds of millions of Internet hosts – or more.

A few other points are worth emphasizing. First, the Zeek community responded quickly in each case, sometimes within hours of the announced vulnerability. Second, authors continued to refine their detections as more information became available (and as more PCAPs were shared… another beneficial pattern). Third, these scripts are not difficult to understand. If you’ve done a bit of scripting before, you can pick up the domain-specific Zeek language rapidly – and there’s a nice training platform to help you. You can follow the logic of these scripts and potentially improve them without a lot of trouble.
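To give a concrete feel for the kind of lightweight, behavioral detection script described above, here is a small Zeek script written for this post as an illustration. It is not taken from the original post or from any of the Corelight or 0xxon repositories linked above, and it does not detect any of those CVEs. It shows the common shape of such scripts: hook a protocol event, keep a little state, and raise a Notice when behavior crosses a threshold. The module name, the Notice type, and the threshold and window values are assumptions chosen for the example; the events, attributes and Notice fields it uses are standard Zeek.

```zeek
##! Added example (not from the original post): a behavioral detection that
##! raises a notice when one client collects many HTTP 404 responses from a
##! single server inside a short window, a pattern typical of path
##! enumeration. Module name, notice name and thresholds are assumed values.

@load base/protocols/http
@load base/frameworks/notice

module Demo404Burst;

export {
    redef enum Notice::Type += {
        ## Raised when a client crosses the 404 threshold against one server.
        HTTP_404_Burst,
    };

    ## Number of 404s from one client to one server that triggers a notice
    ## (assumed value; tune for your environment).
    const threshold = 20 &redef;

    ## Observation window; counters expire after this much inactivity
    ## (assumed value).
    const window = 5 min &redef;
}

# 404 counter keyed by [client, server]. &create_expire drops an entry
# `window` after it was created, so the count is naturally rate-limited.
global counts: table[addr, addr] of count &create_expire=window &default=0;

# http_reply fires once per HTTP response; `code` is the status code.
event http_reply(c: connection, version: string, code: count, reason: string)
{
    if ( code != 404 )
        return;

    local client = c$id$orig_h;
    local server = c$id$resp_h;

    counts[client, server] = counts[client, server] + 1;

    # Fire exactly when the threshold is reached; $suppress_for keeps the
    # Notice framework from repeating the same notice for the same pair.
    if ( counts[client, server] == threshold )
        {
        NOTICE([$note=HTTP_404_Burst,
                $conn=c,
                $msg=fmt("%s received %d HTTP 404 responses from %s within %s",
                         client, threshold, server, window),
                $identifier=cat(client, server),
                $suppress_for=window]);
        }
}
```

Run it against a capture with `zeek -r traffic.pcap demo404burst.zeek` (file name assumed) and look in notice.log for HTTP_404_Burst entries; the per-pair state and the expiring table are what make this a behavioral check rather than a single-packet signature, and the same three-part structure (event handler, state table, NOTICE) is what you will find, in more elaborate form, in the community CVE detectors linked above.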

Zeek is a platform, a language, a de-facto standard, and above all, a vibrant and growing community of defenders. The project website and public Slack channel are great places to start learning.  

If you are a community-oriented defender, you may find it fun and inspiring to participate in one of the open SOC projects mentioned above. I’m a Zeek person myself, but there are many other great tools to explore. Have fun! And enjoy the satisfaction that comes from making a global impact.  

As John Lambert described, there is indeed an ‘open approach rippling across the infosec community’. May it turn into a mighty wave.
