Corelight, a leading provider of network traffic analysis (NTA) solutions for cybersecurity, has launched the Corelight Encrypted Traffic Collection (ETC), empowering threat hunters and security analysts with rich and actionable insights for encrypted traffic.
“As the use of encryption continues to rise, defenders need some light in the darkness to separate legitimate behaviour from malicious activity when decryption is not an option,” said Brian Dye, Chief Product Officer for Corelight. “This is not simply about detections, this is about a layering of data and insights that our customers need to access in order to make critical security decisions.”
Corelight’s ETC expands defenders’ incident response, threat hunting and forensics capabilities in encrypted environments by generating insights around SSH and TLS traffic that indicate potential security risk. The collection contains numerous packages developed by Corelight’s research ream as well as curated packages from the open-source Zeek community.
This collection builds on Zeek’s already extensive capabilities for analysing encrypted traffic, such as certificate metadata, JA3/HASSH fingerprints and dedicated SSL/x.509 logs.
Features, and the relevant MITRE ATT&CK category each covers, include:
- SSH client brute force detection – supports threat hunting for Access techniques by revealing when a client makes excessive authentication attempts
- SSH authentication bypass detection – reveals when a client and server switch to a non-SSH protocol, a tactic used in Access attempts
- SSH client keystroke detection – reveals an interactive session where a client sends user-driven keystrokes to the server, which may be an indication of Command and Control activity
- SSH client file activity detection – reveals a file transfer occurring during the session where the client sent a sequence of bytes to the server or vice versa, which could indicate either Staging or Exfiltration activity
- SSH scan detection – accelerates threat hunting for Access techniques by inferring scanning activity based on how often a single service is scanned
- SSL certificate monitoring – extend’s Zeek’s existing certificate monitoring capabilities to help defenders limit attack surface, find vulnerabilities and enforce internal policy
- Encryption detection – accelerate threat hunting by finding unencrypted traffic over commonly encrypted ports/protocols as well as custom/pre-negotiated sessions
“The Corelight Encrypted Traffic Collection originated through deep customer partnerships that have allowed us access to real world network environments,” said Dr. Vern Paxson, Creator of Zeek and Co-Founder of Corelight. “With this data, we can now offer a collection of insights that will help to better inform our customers on the right steps to take in their threat hunting and in their security incident response.”
The Encrypted Traffic Collection is available in the Corelight version 18 update. This new version also includes a new sensor management interface (UI) that incorporates new features that make internal compliance reviews easier and accelerate troubleshooting. The new UI mirrors the interface used in the Corelight Fleet Manager product for multi-sensor environments, making retraining unnecessary as a customer’s sensor footprint grows.
The company also released a new version of Corelight App for Splunk to better facilitate network-based threat hunting in Splunk. The free app analyses Corelight logs to surface leading indicators of security risk across dozens of protocols such as DNS and SSL and aggregate Zeek notices and intel hits in a central dashboard.
The launch also extends Corelight Cloud Sensor support to Microsoft Azure environments. Similar to the Corelight Cloud Sensor for AWS launched earlier this year, Corelight’s new sensor transforms Microsoft Azure cloud traffic into high-fidelity data for incident response, intrusion detection, forensics and more. It parses dozens of network protocols and generates a much richer, more actionable picture of Azure traffic than low-fidelity flow logs, accelerating security analysts’ ability to make sense of traffic and respond to attacks.
“Whether with Microsoft’s upcoming Azure Virtual network TAP or agent-based packet brokers, the Corelight Cloud Sensor for Microsoft Azure brings a common data format across all customer environments, whether they are operating with on-prem, virtual or cloud networks,” said Dye. “This enables security teams to use a consistent downstream analytics stack and find attackers regardless of environment.”