How To Threat Hunt in Encrypted Network Traffic - SANS Institute

Published: 14 February 2025
on channel: Corelight

Threat hunters need evidence to find adversaries. Networks offer a broad and reliable source of evidence, helping hunters make sense of movement across their environment via an immutable record of activity. Traffic, unlike endpoints, cannot lie. But the rise of encryption complicates this picture, especially where decryption isn't an optimal or possible solution. Fortunately, the open-source Zeek Network Security Monitor (formerly Bro) can provide visibility into actionable metadata on encrypted streams for threat hunters without breaking and inspecting payloads. With Zeek, analysts can see the use of self-signed certificates, fingerprint SSH and SSL traffic, identify encryption on non-standard ports, and more. And Corelight's commercial solutions extend Zeek's capabilities, especially around SSH traffic, giving analysts new insight into activities such as file transfer or keystrokes over SSH.

Register for this technical webcast to hear from Aaron Soto, Director of Learning at Corelight, and SANS Instructor Matt Bromiley about their experience using Zeek and Corelight to threat hunt, and learn how you can apply their insights in your environment, whether or not the traffic is encrypted.
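To make the "metadata without decryption" idea concrete, here is an added example (not from the webcast, Corelight or the Zeek project) that hunts over a Zeek ssl.log in its native TSV layout. It flags the two signals the description names, self-signed certificates and TLS on non-standard ports, plus one assumed-useful extra, sessions with no SNI. The sample log is constructed: the column names are the real ssl.log ones, but only a subset of columns is included, and the set of "expected" TLS ports is an assumption to tune per environment.

```python
"""Hunt a Zeek ssl.log for encrypted-traffic indicators without decrypting.

Added example, not code from the webcast, Corelight or Zeek. Zeek already
identified these sessions as TLS by protocol detection, not by port, which
is what makes the non-standard-port rule possible at all.
"""
from collections import defaultdict

# Assumption: ports where TLS is expected in this environment. Tune per site.
EXPECTED_TLS_PORTS = {443, 465, 587, 636, 853, 993, 995, 8443}

UNSET = "-"  # Zeek writes "-" for a field that has no value

# Constructed sample ssl.log (subset of the real columns, real column names).
SAMPLE_SSL_LOG = (
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tversion"
    "\tserver_name\testablished\tsubject\tissuer\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tbool\tstring\tstring\n"
    # Ordinary HTTPS session with SNI and a CA-issued certificate.
    "1700000000.10\tCa1\t10.0.0.5\t51234\t203.0.113.10\t443\tTLSv12"
    "\twww.example.com\tT\tCN=www.example.com\tCN=Example Public CA,O=Example Trust\n"
    # Self-signed certificate (subject == issuer) on port 4443, no SNI.
    "1700000001.20\tCb2\t10.0.0.5\t51240\t198.51.100.7\t4443\tTLSv12"
    "\t-\tT\tCN=srv,O=lab\tCN=srv,O=lab\n"
    # TLS on 8080 with no certificate seen (e.g. resumed session) and no SNI.
    "1700000002.30\tCc3\t10.0.0.9\t40001\t198.51.100.8\t8080\tTLSv13"
    "\t-\tT\t-\t-\n"
    # IMAPS on its usual port: nothing to flag.
    "1700000003.40\tCd4\t10.0.0.9\t40002\t203.0.113.20\t993\tTLSv12"
    "\tmail.example.com\tT\tCN=mail.example.com\tCN=Example Public CA,O=Example Trust\n"
    "#close\t2023-11-14-22-13-23\n"
)


def parse_zeek_tsv(text):
    """Yield one dict per record from a Zeek TSV log, keyed by its #fields header."""
    fields = None
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):  # #types, #close, #separator, ...
            continue
        if fields is None:
            raise ValueError("record appeared before the #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"column count mismatch on line: {line!r}")
        yield dict(zip(fields, values))


def hunt_ssl_log(text, expected_ports=EXPECTED_TLS_PORTS):
    """Return {uid: [rule names]} for every session that trips at least one rule."""
    findings = defaultdict(list)
    for rec in parse_zeek_tsv(text):
        uid = rec["uid"]
        subject, issuer = rec["subject"], rec["issuer"]
        # Heuristic: a certificate whose issuer is its own subject is self-signed.
        if subject != UNSET and subject == issuer:
            findings[uid].append("self_signed_cert")
        # Zeek classified the stream as TLS regardless of port; check the port.
        if rec["established"] == "T" and int(rec["id.resp_p"]) not in expected_ports:
            findings[uid].append("tls_on_nonstandard_port")
        # Missing SNI is unusual for browser traffic and worth a second look.
        if rec["server_name"] == UNSET:
            findings[uid].append("no_sni")
    return dict(findings)


if __name__ == "__main__":
    for uid, rules in hunt_ssl_log(SAMPLE_SSL_LOG).items():
        print(uid, ", ".join(rules))
```

Two caveats when running this against real logs: the subject-equals-issuer test is a heuristic, and where Zeek's certificate validation policy is loaded the ssl.log `validation_status` column gives a more reliable verdict; and "non-standard port" only means something relative to a baseline of what the environment legitimately runs, so the port set should be built from observed traffic rather than copied from this example.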

Link to Presentation: http://bit.ly/2M0nt2N

Corelight makes powerful network security monitoring (NSM) solutions that transform network traffic into rich logs, extracted files, and security insights, helping security teams achieve more effective incident response, threat hunting, and forensics. Corelight Sensors run on Zeek (formerly called “Bro”), the open-source NSM tool used by thousands of organizations worldwide. Corelight’s family of network sensors dramatically simplifies the deployment and management of Zeek and expands its performance and capabilities. Corelight is based in San Francisco, California, and its global customers include Fortune 500 companies, large government agencies, and major research universities.