CONTACT US
forrester wave report 2023

Close your ransomware case with Open NDR

SEE HOW

ad-nav-crowdstrike

Corelight now powers CrowdStrike solutions and services

READ MORE

ad-images-nav_0013_IDS

Alerts, meet evidence.

LEARN MORE ABOUT OUR IDS SOLUTION

ad-images-nav_white-paper

5 Ways Corelight Data Helps Investigators Win

READ WHITE PAPER

glossary-icon

10 Considerations for Implementing an XDR Strategy

READ NOW

ad-images-nav_0006_Blog

Don't trust. Verify with evidence

READ BLOG

video

The Power of Open-Source Tools for Network Detection and Response

WATCH THE WEBCAST

ad-nav-ESG

The Evolving Role of NDR

DOWNLOAD THE REPORT

ad-images-nav_0006_Blog

Detecting 5 Current APTs without heavy lifting

READ BLOG

g2-medal-best-support-spring-2024

Network Detection and Response

SUPPORT OVERVIEW

 

ENCRYPTED TRAFFIC COLLECTION

See and counter threats, even those hidden by encryption.

READ WHITE PAPER

 

 

encrypted

INSIGHT, WITHOUT DECRYPTION

Getting visibility into encrypted traffic can seem impossible, but by ignoring it, you provide attackers an ideal hiding place. The Encrypted Traffic Collection turns network data flows into rich evidence and useful insights—without decryption—so you can understand and mitigate risk. Combining observable elements, like timestamps and packet sizes, with known behavior of protocols, the ETC offers a practical approach to visibility that lets you see and act on what matters. It also avoids the heavy financial, privacy, and performance costs of decryption. Read more on the blog.

Corelight Collections are detection sets included with your Corelight subscription and can be activated depending on your needs.

  • Find advanced attacks hiding in encrypted traffic
  • SSL, SSH, RDP, DNS, and VPN visibility
  • Highlight misconfigurations that expose data
  • No decryption required

DOWNLOAD DATA SHEET

VPN, DNS, and encryption detection

VPN

VPN insights
Detect and identify the endpoints that are using VPN connections. Reveal the country the VPN(s) are connecting to and evaluate their appropriateness. Discover when VPNs are unexpectedly being used, at unusual times, or from unexpected systems.

 

DNS over HTTPs (DoH) detection
Reveal when DNS queries are made to known DNS over HTTPS (DoH) providers to provide insight into DNS traffic that would otherwise be hidden.

 

Custom encryption detection
Detect connections that are already encrypted without an observed handshake, which can indicate custom or pre-negotiated encryption.

 

Expected encryption detection
Identify unencrypted connections running on ports where encryption is expected.

RDP

RDP authentication inferences
Generate inferences about the method of authentication used by the RDP client.

 

RDP brute force detection
Reveal when an RDP client makes excessive authentication attempts and also succeeds.

 

RDP client inferences
Generate inferences about the type of an RDP client used.

 

RDP excessive channel join detections
Reveal when an RDP client exceeds a set threshold for the number of channel joins.

SSH

SSH stepping stones
Determine and log when related SSH connections are seen on the network using statistical analysis.

SSH agent forwarding detection
See when SSH agent forwarding occurs between clients and servers, which may indicate lateral movement where adversaries have compromised SSH credentials.

SSH authentication bypass detection
Reveal when a client and server switch to a non-SSH protocol.

SSH client brute force detection
Reveal when an SSH client makes excessive authentication attempts.

SSH client file activity detection
Reveal when a client transfers a file to a server or vice versa.

SSH client keystroke detection
Reveal an interactive session where a client sends user-driven keystrokes to the server.

SSH fingerprinting (HASSH)
Create a hash of every SSH client and server negotiation for use in threat hunting or intel feed matching.

SSH MFA detection
See when SSH connections use multifactor authentication (MFA), which can help analysts rule other explanations for observed timing discrepancies in SSH connections, and help teams monitor external SSH servers for MFA compliance.

Non-interactive SSH detection
Reveal when SSH connections do not request an interactive terminal, but instead use SSH as a port forwarding tunnel, which may indicate malicious SSH tunneling.

SSH reverse tunnel detection
Reveal when a client connects to an SSH server and sends the server an interactive terminal, establishing a reverse SSH tunnel that may indicate malicious SSH tunneling.

SSH scan detection
Infer scanning activity based on how often a single service is scanned.

SSL certificate monitoring
Track expired and soon-to-expire certs, newly issued certs, self-signed certs, invalid certs, change-validation errors, old versions, weak ciphers, weak key-lengths, and bad versions (e.g., TLS 1.0).

SSL fingerprinting (JA3)
Create a hash of every SSL/TLS client and server negotiation for use in threat hunting or intel feed matching.

How it works

The Encrypted Traffic Collection offers unique insights into SSL, SSH, RDP, DNS, and VPN connections, along with top encrypted insights from the Zeek® community like JA3/S, HASSH—all without decryption. It employs Zeek to analyze the timing, sizes, flow direction, and other characteristics of network traffic, and integrates the results into Corelight’s comprehensive suite of evidence and analytics.

how-works-encrypted

ANALYTICS

Corelight Collections

Collections are targeted categories of detections, inferences, and data transformation that provide deeper visibility into adversary activity. They cover encrypted traffic, command and control activity, entity activity, ICS/OT visibility, and more. Detections are viewable through Corelight Investigator, or via a SIEM, XDR, or other analytics platform.

corelight-technology-diagram-NDR

 

Have questions?

Talk with one of our experts today.

CONTACT US