C2 detections, RDP insights and NDR at 100G

By John Gamble, Director of Product Marketing, Corelight

Today I am excited to announce Corelight’s v21 release, which delivers dozens of powerful C2 detections, extends analyst visibility around RDP connections, and helps organizations scale network detection and response workloads in high throughput environments. 

Detecting C2 threats 

Finding command and control (C2) activity is no easy task. The MITRE ATT&CK framework lists dozens of stealthy C2 techniques, ranging from multilayer encryption to the use of legitimate Web services like Twitter to hide amidst the noise of normal traffic. 

Fortunately, Corelight’s new C2 Collection can give analysts the high ground to see C2 activity with over 50 unique detections and insights built around: 

  • DNS tunneling
  • ICMP tunneling
  • Domain Generated Algorithms (DGAs)
  • HTTP traffic related to known malware families 
  • Meterpreter 

These innovations come from the work of the Corelight Labs team, led by Zeek® creator and Corelight co-founder, Dr. Vern Paxson. Notably, the team researches, develops, and validates Corelight’s insights in live customer production networks that represent some of the largest, most frequently attacked organizations in the world. 

Want to learn more? Register and tune in next Tuesday, May 25th for a SANS and Corelight webcast on the C2 discovery challenge where we’ll cover some of our capabilities here in greater technical depth. 

Register here:

Extending encrypted traffic insights 

With our v21 release the Encrypted Traffic Collection grows even larger with the addition of more than a dozen new insights around RDP traffic such as the detection of malicious RDP clients like Crowbar and suspicious log in behaviors that may indicate RDP brute force attacks. 

With these latest RDP additions this collection now provides rich insight around certificates, SSL, SSH, and RDP traffic that gives analysts actionable light in a world of darkness. 

Scaling NDR to 100G and beyond 

Corelight has a solid track record of delivering open NDR sensors based on Zeek that reliably scale in high throughput traffic. With this release we are proud to introduce a new workhorse of our sensor family, the AP 5000, which can deliver a whopping 100G+ of Zeek traffic analysis in a 1U form factor. Compared to typical open source deployments this represents more than a 10x increase in single sensor performance, which means organizations can not only scale Zeek, but also process additional NDR workloads such as Corelight’s C2 Collection and Suricata rules.

*** This is a Security Bloggers Network syndicated blog from Bright Ideas Blog authored by John Gamble. Read the original post at: