CONTACT US
forrester wave report 2023

Close your ransomware case with Open NDR

SEE HOW

Download our free guide to find hidden attackers.

Find hidden attackers with Open NDR

SEE HOW

cloud-network

Corelight announces cloud enrichment for AWS, GCP, and Azure

READ MORE

corelight partner programe guide

Corelight's partner program

VIEW PROGRAM

glossary-icon

10 Considerations for Implementing an XDR Strategy

READ NOW

ad-images-nav_0006_Blog

Don't trust. Verify with evidence

READ BLOG

video

The Power of Open-Source Tools for Network Detection and Response

WATCH THE WEBCAST

ad-nav-ESG

The Evolving Role of NDR

DOWNLOAD THE REPORT

ad-images-nav_0006_Blog

Detecting 5 Current APTs without heavy lifting

READ BLOG

g2-medal-best-support-spring-2024

Network Detection and Response

SUPPORT OVERVIEW

 

Corelight Introduces Command and Control Collection for Targeted Insights and Detections

Company also launches new Corelight AP 5000, the most powerful rack mountable NDR sensor available today

San Francisco, Calif. — May 18, 2021 — Corelightprovider of the industry’s first open network detection and response (NDR) platform, today launched the Corelight Command and Control Collection (C2) empowering threat hunters and security analysts with rich and actionable insights and detections for malware communication.

“Maintaining awareness of attackers and their communication channels is critical to effective network security,” said Vince Stoffer, Senior Director of Product Management for Corelight. “The ability to identify hidden command and control communication gives our customers the signals they need to disrupt the lifecycle of determined attackers. With Corelight’s data and detections, customers can quickly track down malware and attack tools in their networks, remediate them, and then verify that their systems are no longer compromised.”

Corelight’s C2 Collection builds on Corelight’s already extensive capabilities for analyzing malicious network traffic, including encrypted and hidden communication, by identifying C2 channels and techniques that indicate infection and malicious communication. The collection contains numerous packages developed by the Corelight Labs team focused on behavioral and statistical detection techniques. These packages deliver high-fidelity detections for known malware tools as well as highlight unknown C2 behaviors, allowing Corelight customers to uncover conventional and targeted malware communication.

Components of the collection include:

  • Detection of specific HTTP malware families (including Metasploit, Cobalt Strike, Powershell Empire and more)
  • Meterpreter Detection
  • DNS and ICMP tunneling
  • Domain Generated Algorithms (DGAs)
  • Encrypted DNS detection

In addition to the C2 content, the Corelight Encrypted Traffic Collection added a comprehensive set of new data and detections targeting the Remote Desktop Protocol (RDP). This new addition to Corelight’s encrypted traffic analysis provides specific insights into the authentication and behavior of RDP sessions, including alerts for brute forcing attacks and anomalous connections. The rich data allows security professionals to investigate incidents and do threat hunting based on session details of one of the most popular tools for initiating network attacks.

The C2 Collection is available in the Corelight version 21 update, which is now available to customers. This new version features a wide range of coverage across relevant MITRE ATT&CK C2 techniques including:

  • T1071 – Application Layer Protocol
  • T1572 – Protocol Tunneling
  • T1568 – Dynamic Resolution

“The Corelight C2 Collection originated through deep customer partnerships that have allowed us access to real world network environments,” said Dr. Vern Paxson, chief scientist and co-founder of Corelight and creator of Zeek. “With this data, we can now offer a collection of insights that will better inform our customers on the right steps to take in their threat hunting and in their security incident response.”

Corelight version 21 also integrates with Microsoft Sentinel, which was announced last week, and includes workbooks and dashboards, hunting queries, and analytic rules to help organizations drive efficient investigations and incident response.

In addition, today the company launched the Corelight AP 5000, the industry’s first 100G Zeek® sensor for large NDR deployments at high-throughput data centers, large university network systems and other enterprises planning 100G interconnects. This 1U rack mountable appliance enables simultaneous creation of rich Zeek logs and Suricata alerts at ultra-high performance rates. Managed by Corelight Fleet Manager, the AP 5000 provides another option in the Corelight portfolio of sensors that enables customers to choose a sensor that best fits their needs.

Customers also now have the flexibility to purchase an ET Pro license from Corelight. The ET Pro license represents one of the most popular feeds for Suricata and delivers on a popular request from Corelight customers.

Availability
Corelight software version 21, the AP 5000 and the new ET Pro license are now available to customers. More information on today’s news can be found in the collections section and products section on the Corelight website.

Corelight has issued a blog post with more details on the technical benefits of the Corelight C2 Collection.

About Corelight
Corelight gives defenders unparalleled insight into networks to help them protect the world’s most critical organizations and companies. Corelight’s global customers include Fortune 500 companies, major government agencies, and large research universities. The company has received investment support from Accel, General Catalyst, Insight Partners and Osage University Partners. Based in San Francisco, Corelight is an open-core security company founded by the creators of Zeek, the widely-used network security technology. For more information, visit https://www.corelight.com or follow @corelight_inc.

Recent Posts