Corelight Bright Ideas Blog: NDR & Threat Hunting Blog

Together Is Faster: Zeek for Vulnerabilities | Corelight

Written by Gregory Bell | Aug 18, 2020 4:00:00 AM

“There is an open approach that is currently rippling across the infosec industry that could give defenders the acceleration they need.” – John Lambert (Distinguished Engineer, Microsoft) 

I love this quote. It perfectly describes the impact network defenders can achieve by pooling resources, insights, and techniques. 

In his influential essay on the ‘Githubification of InfoSec’, John Lambert explores the growing ecosystem of open SOC tools, highlighting the impact of Sigma, MITRE ATT&CK™, and Jupyter notebook. The most interesting tools in this ecosystem are also extensible platforms that facilitate the efficient exchange of knowledge. They tend to gather communities around them, and gain energy from those communities. 

Another powerful tool that fits this pattern is Zeek. If you haven’t followed the Zeek project recently, it’s enjoyed remarkable growth in the past few years – becoming the acknowledged ‘gold standard’ for processing and analyzing network traffic, usually for the purpose of network defense. 

Zeek has many virtues. One of the coolest is allowing defenders to prototype and deploy lightweight detection scripts quickly. It’s also well suited for behavioral detection, when simple pattern-matching isn’t enough. These two features make Zeek a great platform for rapid response to critical network attacks.  

How about some evidence of this?  

Over the past six months, the Zeek community has responded admirably to a series of widely-publicized vulnerabilities, generating high-quality open source detections and making them available to every Zeek user worldwide:

F5 Big IP (CVE-2020-5902): https://github.com/corelight/CVE-2020-5902-F5BigIP

Ripple20 vulnerability family: https://github.com/corelight/ripple20

GnuTLS (CVE-2020-13777): https://github.com/0xxon/cve-2020-13777

Call Stranger (CVE-2020-12695): https://github.com/corelight/callstranger-detector

Curveball (CVE-2020-0601): https://github.com/0xxon/cve-2020-0601

SIGRed (CVE-2020-1350): https://github.com/corelight/SIGRed

All of these scripts, tests, and documentation represent a lot of sharing. They’re also strong evidence of Lambert’s proposition above. And the vulnerabilities addressed are serious, collectively impacting hundreds of millions of Internet hosts – or more.

A few other points are worth emphasizing. First, the Zeek community responded quickly in each case, sometimes within hours of the announced vulnerability. Second, authors continued to refine their detections as more information became available (and as more PCAPs were shared… another beneficial pattern). Third, these scripts are not difficult to understand. If you’ve done a bit of scripting before, you can pick up the domain-specific Zeek language rapidly – and there’s a nice training platform to help you. You can follow the logic of these scripts and potentially improve them without a lot of trouble.

Zeek is a platform, a language, a de-facto standard, and above all, a vibrant and growing community of defenders. The project website and public Slack channel are great places to start learning.  

If you are a community-oriented defender, you may find it fun and inspiring to participate in one of the open SOC projects mentioned above. I’m a Zeek person myself, but there are many other great tools to explore. Have fun! And enjoy the satisfaction that comes from making a global impact.  

As John Lambert described, there is indeed an ‘open approach rippling across the infosec community’. May it turn into a mighty wave.