Mixed VLAN tags and BPF syntax
By Richard Bejtlich, Principal Security Strategist, Corelight
This post contains a warning and a solution for anyone using BPF syntax when filtering traffic for network security monitoring.
Introduction
I have been writing material for the Zeek documentation project. I was collecting a sample trace in my home lab, which includes ...
Network Security Monitoring data: Types I, II, and III
By Richard Bejtlich, Principal Security Strategist, Corelight
Some critics claim that ever growing encryption renders network security monitoring useless. This opinion is based on a dated understanding of the types and values of data collected and analyzed by computer incident response teams (CIRTs) that conduct NSM operations. This blog post ...
The Election Is Six Months Away. Now Is the Time to Instrument Election Infrastructure.
By Richard Bejtlich, Principal Security Strategist, Corelight
Elections have two critical components. The first is the conduct of the election as visible to the participants. The second is the hidden aspect, that which is not visible to the participants. Voters have seen how computers have become more important to the ...
Enabling SOHO Network Security Monitoring
By Richard Bejtlich, Principal Security Strategist, Corelight
One of the most popular and regularly occurring questions I see in network security monitoring forums involves how to instrument a small office / home office (SOHO) environment. There are ways to accomplish this goal. For example, I instrument my home using techniques ...
Using Corelight and Zeek to Support Remote Workers
By Richard Bejtlich, Principal Security Strategist, Corelight
Due to the tragic Covid-19 pandemic, as we are all experiencing first-hand, most governments and health officials are either mandating or encouraging those who can work from home to do so, as part of widespread “social distancing” measures. Remote workers are likely ...
Countering Network Resident Threats
By Richard Bejtlich, Principal Security Strategist, Corelight
Vendors often claim that their products or services counter, mitigate, or otherwise affect “nation state threats.” When I worked as a director of incident response at one company, and as a chief security officer at another, claims like these made no impact on ...
12 Talks to See at RSA 2020
By Richard Bejtlich, Principal Security Strategist, Corelight
RSA 2020 is fast approaching, and a colleague asked what talks I planned to attend. As I am not attending RSA, I thought I would answer her question anyway, with the hope that those participating in the conference might benefit from my review ...
Day 1 Detection: CVE-2020-0601, a community, and 40 Lines of code
By Richard Bejtlich, Principal Security Strategist, Corelight
On Tuesday, Jan. 14, 2020, the world learned of the vulnerability du jour, CVE-2020-0601. As explained by Microsoft, “a spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.” This blog post is not about the vulnerability. Rather, ...