Episode 1 - Typhoon season: How Chinese threat actors are quietly staging for disruption
Guest Speaker: Vince Stoffer
November 5, 2025


About the episode

Richard Bejtlich sits down with Vince Stoffer, Corelight's Field CTO, to dive into the recent wave of cyberattacks attributed to Chinese threat actors, known as "Typhoon" groups. Vince unpacks the distinctions between "Volt Typhoon," targeting critical infrastructure sectors such as energy and transportation, and "Salt Typhoon," which is infiltrating telecommunications networks for espionage. The conversation explores the evolving tactics, techniques, and procedures (TTPs) used by these groups, including their exploitation of zero-day vulnerabilities and outdated infrastructure. Richard and Vince discuss the challenges of securing public-facing appliances and critical infrastructure and highlight the importance of robust network visibility and proactive threat detection strategies. Tune in to discover actionable insights on how organizations can better defend against sophisticated state-sponsored cyber threats.

Episode transcript


Gain clear, actionable intelligence from Corelight's network defense experts. Corelight Defenders translates complex cybersecurity detection challenges into concise, practical episodes designed to support faster, smarter decision-making across modern security teams. Welcome to Corelight Defenders. I'm Richard Bejtlich, strategist and author in residence at Corelight.

In each episode, we explore insights from the front lines of NDR, network detection and response. And today, I am speaking with Vince Stoffer, our Field CTO at Corelight. Welcome, Vince.

Hi. Thanks, Richard. Good to be with you.

Everyone, this is the first episode of the Corelight podcast, and Vince is our first guest. Vince has a long tenure at the company, and it seemed only right to have him be our first guest. And I chose, uh, Vince because he has been doing some writing and research and blogging recently on the so-called Typhoon attacks that are coming out. And if you're not familiar with what Typhoon even comes from, that is from the Microsoft nomenclature. They use Typhoon as a convention for China, Blizzard for Russia, Sandstorm for Iran, and so forth. Do we know anything about these threat actors, Vince, perhaps other than that there has been at- attribution to China?

Yeah. I mean, there's certainly attribution to China. I mean, I think there's some, m- maybe reticence early on, maybe a few years ago with some of these groups to actually attribute them to China, but I think that, uh, pretense is gone, and there's no doubt that these are various, uh, actors within, uh, you know, uh, within China, either directly funded by the Chinese Communist Party or working for contractors who are funded by or perhaps even, you know, directly working for the party themselves. So, I- I don't know that that's always clear, um, but I think it's- it's definitely clear that there is also overlap amongst the various campaigns that, w- you know, we've seen and that we might talk about. Uh, so, uh, I don't know that it's always clear, you know, if this specific threat actor group is working just on, you know, what we might call Volt Typhoon or Salt Typhoon, um, 'cause there's certainly overlap in some of the TTPs and some of the tools. And so, it makes you wonder, you know, are some of these, uh, actor groups completely separate, or how much do they overlap? But I think i- it's clear they're all coming out of China.

Yeah. So, y- you mentioned the two key words there. One is Salt, and one is Volt. These are the two, I guess, buckets or groupings that Microsoft has come up with for these two groups. And again, we don't exactly know how they map to specific PLA units or Ministry of State Security units, but if you were to sort of try to differentiate between Salt and Volt, w- how would you describe that?

Yeah. I think, uh, the easiest way to say it is, you know, Volt Typhoon has been focused on critical infrastructure. So, this is focused on compromising, uh, energy, a- airlines, uh, you know, uh, municipal, government facilities that are handling wastewater and things like that. But it can expand also to, uh, pretty much anything that you can consider, you know, critical infrastructure, which could include travel and some other things like that, right? Airplanes, et cetera. Um, and- and so, it- what appears to be the goal there, it's still, uh, a- a little unknown what the end goal is, but I think for Volt Typhoon, what we've, uh, seen the experts say is that they're really trying to stage, uh, and get persistence into some of these environments so that they could potentially disrupt critical infrastructure in the future.

Um, on Salt Typhoon, this has really been primarily focused around the telecommunications providers. So, we've seen this go after the major telcos, uh, breaching, you know, both, uh, customer routers as well as, uh, you know, the telco-provided or telco-owned routers, uh, and trying to compromise communications, eavesdrop on communications, gather call records, gather information from those telco networks that could, you know, uh, facilitate either, uh, intelligence or counterintelligence by the Chinese.

I wanna talk about Volt in a second, but I- just specifically with Salt, when we talk about getting access to some of these telco capabilities, I've heard that that might be the CALEA system. It's a telco-provided and government-mandated mechanism to provide wiretapping for digital electronics. Like, back in the day, you would walk up to a phone box and gain access with alligator clips and so forth, and to provide a- a digital equivalent, CALEA was passed as a- as a law. Is that at least part of what's been going on with this group?

Yeah. From what I've read, that could be part of it. I think it's a little unclear because w- what is clear is that, you know, these- these groups are going in and compromising these devices in a level that gives them, you know, uh, root-level access to- to these network devices, to these large Cisco routers or whatever, where, you know, all the communications are flowing through. So, in some cases, I think we've seen the TTPs involved, uh, you know, either installing tools onto those routers themselves or just using the built-in tools to capture, uh, you know, network connections to actually essentially do PCAP collection. And so, whether or not that actually involved something specific to CALEA, like using the CALEA systems that are already there, or whether they were actually literally just able to go into the routers and start capturing raw network traffic, which could be essentially the equivalent of what CALEA was already doing in some other areas. I think that's- that seems to me a bit- to be a little bit unclear, but I think the end result is pretty much the same, right? If you're able to gath- gather, uh, you know, communications, whether that's actually raw voice traffic that's going over these networks or potentially other, you know, metadata around the call records and call logs, uh, end result seems to be the same.

Yeah. Going back to Volt. Um, when I was researching for this podcast, one of the items that struck me about them was that they are known for exploiting zero-days against public-facing infrastructure, which seems like a throwback, right? Uh, for years, uh... that was the way you did it. There were just so many zero-days you could just trip over them and no problem and everything was connected to the internet, so there you go. And then we sort of got smarter about that, and we took stuff off the internet, and secure coding made life a little bit easier, so you had to switch more towards going after the endpoint and going after, uh, endpoint software. You know, PDF readers and Word and, and that sort of thing. Yeah. But now we're, we're switched again and, uh, I think for years people, the, the, the security hygiene people were saying, "Just keep your stuff patched and you'd be fine," but the fact they, they're going after publicly facing systems that probably have no choice but to be pubi- publicly facing, and they have zero-days. It... How do, how do you think about that? Like what, what do you even think about when you hear that sort of thing? Is there a way to even deal with that?

Y- yeah, it's a good question. I mean, it is funny because it's kind of a throwback, yes, to those times when, uh, you know, it was much easier to scan for a firewall and compromise that than to go after the endpoints. A- and maybe part of it is just that the focus in the last few years has really shifted to endpoint, to endpoint protection, to endpoint attacks, to really understanding and seeing that, that part of our security world, um, that, you know, we've kind of neglected the fact that there are still devices on the network that are not covered by endpoints that are able to be compromised. Uh, I think something that's interesting about, you know, several of these Typhoon campaign actors is that it's not always zero-days as well, right? They... We've seen them use them sparingly, and certainly not to the level that some other APT groups have relied upon them. So, the- they're going after, in some cases, routers or network equipment or SoHo devices that are actually, you know, are not zero-days. These are just publicly available vulnerabilities from, in some cases, years ago, right? Mm-hmm. So in some cases these things are just, uh, woefully out of date, not being monitored or maintained, uh, and it's easy pickings for the attacker to go in and compromise and get access and then jump onto the network and pivot and move laterally and start discovering other, uh, systems that they can more easily attack.

Yeah. Yeah, it seems like there's a, almost a mindset that if something is an appliance, you assume that it won't have any problems, as opposed to, uh, a desktop or a server, something that you have to administer and patch, and there's sort of a rhythm around that. Whereas an appliance you figure, uh, I can't... If I can't log into it or I'm not supposed to log into it, who's supposed to be able to get access to it?

I, I remember a long time ago someone saying that they used to run old school, like, like pre-OS 10 type Mac software because there was no shell. Um, you know, you had to use a graphical interface in order to inter- to interact with this. This was a long time ago, obviously. And I remember thinking, "That makes no sense at all. If you exploit a s- a piece of software, you could bring your own shell," right? That's what the whole Meterpreter is. It's a shell that you bring. So yeah, very interesting. So, uh-

Yeah, and it, it's also possible that... I mean, I, I'm guessing, but, uh, certainly in some organizations we work with, right? I, I think availability is a part of that story, right? A network team maybe owns the routers and the switches. They're, uh, you know, uh, not liable to want to just, uh, you know, uh, update those and potentially cause an outage or, or risk downtime or availability loss, so, you know, those aren't maybe in the purview of security as much as, you know, the, the sort of endpoint and application world is where they can clearly say, "Hey, we have compliance requirements." They have whatever. So I think sometimes those network devices or those, especially those things that have drifted off to the side that are bring-your-own or SoHo devices or whatever they got attached to the network and maybe someone didn't know, those are a much more easy target 'cause they've just drifted away from that kind of centralized management of security that can happen.

Uh, 100%. 100%. And I remember working with a customer who had a rock crusher, and it, it was a million dollars an hour to crush rocks, and you did not take the rock crusher offline even though it was a computer and it was compromised and so the intruder had found it, it was running Windows, and they broke into it, and they were using it as a staging point. And we said, "Look, if you care about your, the integrity of your environment, you gotta take the rock crusher offline and take the loss for that day," I guess.

Uh, so w- we talk about network visibility as if it might be the same everywhere, but can you talk to me about maybe different types of network visibility and, and possibly how it could help with, with these types of attackers?

Yeah. Certainly, you know, one of the most important aspects of network visibility is, you know, where you get that visibility from, right? Is it from, uh, you know, a SPAN port on a switch or a router? Is it from, you know, optical taps that are placed strategically in your network and then gathered together through some sort of tapping infrastructure like a packet broker? Uh, or is... Are you relying on, you know, like, like some folks, the network visibility that they're getting from their endpoint? Uh, because sure, with an endpoint, uh, you know, solution, you get quite a lot of network visibility. You see everything that those hosts are doing, um, but I think it's easy to forget that those dark corners of the network are where we're seeing these attacks begin. You know, again, this is the unmanaged devices, the places that probably have, uh, you know, connectivity to the internet, at least in terms of the initial access, um, and then are able to reach back into the network either through tunnels or through just their direct connection into the rest of the local network. So I think, you know, we see a maturity scale starting at the border usually or at those connection points to the internet, um, and trying to instrument visibility there with s- you know, something like Corelight, uh, and then that maturity kind of continues along until you need that data further and further inside your network. I think most of the attacks we're talking about today with the, the Volt and Salt can benefit from that visibility almost anywhere, right? It's just a matter of where you're gonna catch the attack. Are you gonna catch them earlier on in the attack chain in that initial access or further on up as they, as they have already, you know, compromised machines and are kind of moving within your network?

So... Yeah. Do you think it's possible for, uh, a- an end-... end user type organization, so s- not someone who is a three-letter agency or whatever, could you emulate the sorts of activity that the Typhoons are doing with your own red team, or possibly even hire a third-party, and then see how your own environment stacks up? Like, how easy it is for them to get around? Do you notice them? That sort of thing. I, I think absolutely. I mean, especially with how much has been published over the last year, uh, around the TTPs for many of these campaigns. I mean, we know specifically some of the vulnerabilities they're going after. We know explicitly some of the tools they're using.

Um, so a- absolutely that's the case. We've done some internal testing for Corelight, and we're actually soliciting a third-party test, uh, to, to do kind of what you're describing and just highlight some of our detections and our visibility, uh, to be able to go after this. But yeah, if I was, uh, a big agency or a multinational that had, uh, already been targeted by these groups, I would absolutely be trying to train my red team to go after some of these TTPs and explore maybe some of the, you know, sub-organizations or, uh, acquisitions or whatever that haven't been, you know, perhaps maintained as well as the central organization and, and see if, you know, there's, there's further risk there.

Cool. Can, can you talk a little bit, not specifics, but just sort of generally how you might have seen our customers use our data with data from another source, like an endpoint or logs or some other, you know, type of, uh, visibility?

Yeah, I mean, we have spent quite a lot of energy building out those sorts of integrations. Uh, so, you know, whether it's e- endpoint, which we have kind of direct connection to a couple of the most, uh, major, uh, endpoint providers, or something like vulnerability data or, uh, you know, IPAM data or things that are collecting information about, uh, you know, either risks or assets within the organization, and then trying to fuse those together into our data stream. So, I think it's pretty important that if we can do that at point of origin where we are, you know, directing the Corelight log, we see, we see connections and we see that it's from this host with this user and it perhaps has this sort of vulnerability, then by the time that gets the, you know, the downstream SIEM or the data lake or wherever the analysts are using it, they don't have to go back and make a couple more pivots. Of, of course, much of that information is already available to them. But tying it directly at kind of or- you know, time creation at the network data I think saves our customers a lot of time, and that's how we often see them using that kind of integration. Yeah, that's excellent.

I really think the only chance you have against groups like this is you need people who know what they're doing. You need them to have the authority to act when they find something susici- suspicious, but then they also need rich data sources that work across a variety of platforms, whether it's coming from the network or the endpoint or other infrastructure or even from, you know, human third-party sources. Only by having all that work together can you have a chance against these guys. Yeah, totally agree. Great. Well, Vince, that's all the time we have for today. Uh, thank you so much for being the, the first guest on the Corelight Podcast, and I am sure we're gonna have you back if, if you're willing to come back at some point in the future.

A- anytime, Richard. Uh, so happy to be here. Thank you. Great. Thank you for joining us on the Network Defenders podcast sponsored by Corelight. We will see you on the network. You've been listening to Corelight Defenders. To stay informed with expert intelligence on today's cybersecurity challenges, please subscribe to ensure you never miss an episode. We'll see you on the network.
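Two points from the conversation above lend themselves to a concrete sketch: the "dark corners" of unmanaged network devices that only the network sees, and the idea of fusing asset (IPAM), endpoint-coverage and vulnerability context into the network record at creation time so the analyst does not have to pivot later. The following is an added example written for this page; it is not Corelight's code or pipeline. Only the connection field names follow Zeek's conn.log; the inventory and vulnerability schemas, the 365-day staleness threshold, the flag names and every sample record are constructed assumptions.

```python
"""
Enrich Zeek-style conn.log records with asset-inventory and vulnerability
context at ingest, so the network record already carries who owns the
source device, whether an endpoint agent covers it, and what known
exposure it has. Records from devices nobody manages, or that carry an
old internet-facing finding, are flagged for triage.

All data here is constructed for illustration. Field names id.orig_h,
id.resp_h, id.resp_p and proto follow Zeek's conn.log; the inventory and
vulnerability layouts are assumptions, not any vendor's API.
"""
import ipaddress
from typing import Dict, List

# Constructed asset inventory keyed by IP, standing in for an IPAM/CMDB export.
ASSET_INVENTORY: Dict[str, dict] = {
    "10.1.5.20": {"hostname": "fin-laptop-07", "owner": "IT", "edr_managed": True, "device_type": "laptop"},
    "10.1.9.3": {"hostname": "branch-rtr-01", "owner": "Network", "edr_managed": False, "device_type": "router"},
    "10.1.9.4": {"hostname": "core-fw-02", "owner": "Network", "edr_managed": False, "device_type": "firewall"},
}

# Constructed vulnerability findings keyed by IP. "age_days" is how long the
# finding has been open; "internet_facing" is the scanner's exposure flag.
VULN_FINDINGS: Dict[str, List[dict]] = {
    "10.1.9.3": [{"finding": "VULN-PLACEHOLDER-A", "age_days": 900, "internet_facing": True}],
    "10.1.5.20": [{"finding": "VULN-PLACEHOLDER-B", "age_days": 12, "internet_facing": False}],
}

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("172.16.0.0/12"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed conn.log records (a subset of Zeek's fields).
CONN_LOG = [
    {"uid": "C1", "id.orig_h": "10.1.5.20", "id.resp_h": "10.1.0.10", "id.resp_p": 445, "proto": "tcp"},
    {"uid": "C2", "id.orig_h": "10.1.9.3", "id.resp_h": "203.0.113.45", "id.resp_p": 443, "proto": "tcp"},
    {"uid": "C3", "id.orig_h": "10.1.7.77", "id.resp_h": "198.51.100.9", "id.resp_p": 8443, "proto": "tcp"},
    {"uid": "C4", "id.orig_h": "10.1.9.4", "id.resp_h": "10.1.0.10", "id.resp_p": 514, "proto": "udp"},
]

STALE_DAYS = 365  # assumed threshold: a finding open longer than this has "drifted"
NETWORK_DEVICE_TYPES = ("router", "firewall", "switch")


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the internal ranges above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def enrich(record: dict) -> dict:
    """Return a copy of the conn record with asset, vuln and triage flags attached."""
    src = record["id.orig_h"]
    asset = ASSET_INVENTORY.get(src)
    findings = VULN_FINDINGS.get(src, [])
    flags: List[str] = []

    if asset is None:
        flags.append("unknown_asset")            # nobody in the inventory claims this device
    elif not asset["edr_managed"]:
        flags.append("no_endpoint_coverage")     # only the network sees what it does

    if any(f["age_days"] > STALE_DAYS and f["internet_facing"] for f in findings):
        flags.append("stale_internet_facing_vuln")

    if asset and asset["device_type"] in NETWORK_DEVICE_TYPES and not is_internal(record["id.resp_h"]):
        flags.append("network_device_outbound")  # infrastructure initiating a connection out

    out = dict(record)
    out["asset"] = asset or {"hostname": None, "owner": None, "edr_managed": False, "device_type": "unknown"}
    out["open_findings"] = len(findings)
    out["flags"] = flags
    return out


def triage(records: List[dict]) -> List[dict]:
    """Enrich every record and return those with at least one flag, most flags first."""
    enriched = [enrich(r) for r in records]
    flagged = [e for e in enriched if e["flags"]]
    return sorted(flagged, key=lambda e: len(e["flags"]), reverse=True)


if __name__ == "__main__":
    for e in triage(CONN_LOG):
        print(e["uid"], e["id.orig_h"], e["asset"]["hostname"], e["flags"])
```

Run as written, the branch router C2 surfaces first (unmanaged by EDR, carrying a stale internet-facing finding, and talking outbound), followed by the unknown device C3 and the firewall C4; the managed laptop C1 raises nothing. The point is the join, not the specific flags: a downstream SIEM rule can key on `flags` and `asset.owner` directly instead of reaching back into the inventory and scanner for every hit.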