Corelight Enhances Detection Capability with Support for MITRE ATT&CK Package

New product features include data fusion capabilities for greater log customization and integration with existing network security environments

SAN FRANCISCO, June 11, 2019 (GLOBE NEWSWIRE) -- Corelight, providers of the most powerful network visibility solution for cybersecurity, today launched version 17 of its software, with powerful enhancements to the full Corelight Sensor portfolio, including new features designed to provide broader customization, better integration of Corelight Sensors with customers’ existing security technologies, and expanded threat detection capabilities with support for the MITRE BZAR (Bro/Zeek ATT&CK-based Analytics and Reporting) package.

Corelight’s new data fusion capabilities enable easier integration of Corelight Sensors into existing security infrastructure. Customers can now take advantage of the Zeek “Community ID,” an open standard for hashing network flows into a common identifier, making it possible to investigate incidents more effectively. For example, a Suricata alert carrying the same Community ID can be linked directly to the matching Corelight logs, and from there to related network events in Elasticsearch (shipped through Elastic Beats), allowing a defender to correlate attacker activity across different security technologies.
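As an added illustration of the Community ID correlation described above (example code, not Corelight’s or Zeek’s own), the following computes the Community ID v1 flow hash and uses it to join a constructed Suricata EVE alert to a constructed Zeek conn.log record. It assumes the published v1 layout (seed, ordered IP pair, protocol, padding byte, ordered port pair, SHA-1, base64) and handles only TCP, UDP and SCTP; the spec’s ICMP type/code mapping is left out.

```python
# Added example, not Corelight's or Zeek's code: Community ID v1 flow hashing
# and a Suricata-alert-to-Zeek-conn.log join keyed on that hash.
import base64
import hashlib
import ipaddress
import json
import struct

# Protocols whose port pair is part of the hash input (ICMP mapping omitted here)
PORT_PROTOS = {6, 17, 132}
PROTO_NUM = {"tcp": 6, "udp": 17, "sctp": 132}


def community_id(src_ip, src_port, dst_ip, dst_port, proto, seed=0):
    """Community ID v1: '1:' + base64(sha1(seed | ip1 | ip2 | proto | 0x00 | port1 | port2))."""
    a = (ipaddress.ip_address(src_ip).packed, src_port)
    b = (ipaddress.ip_address(dst_ip).packed, dst_port)
    if a > b:  # order by lower IP, then lower port, so both directions hash alike
        a, b = b, a
    data = struct.pack("!H", seed) + a[0] + b[0] + struct.pack("!BB", proto, 0)
    if proto in PORT_PROTOS:
        data += struct.pack("!HH", a[1], b[1])
    return "1:" + base64.b64encode(hashlib.sha1(data).digest()).decode()


def alert_community_id(eve_line):
    """Flow hash for one Suricata EVE JSON alert line."""
    a = json.loads(eve_line)
    return community_id(a["src_ip"], a["src_port"], a["dest_ip"], a["dest_port"],
                        PROTO_NUM[a["proto"].lower()])


def conn_community_id(rec):
    """Flow hash for one Zeek conn.log record (dict with id.* fields)."""
    return community_id(rec["id.orig_h"], rec["id.orig_p"], rec["id.resp_h"],
                        rec["id.resp_p"], PROTO_NUM[rec["proto"]])


def find_conn_for_alert(eve_line, conn_records):
    """Return the Zeek uid whose flow hash matches the alert, or None."""
    target = alert_community_id(eve_line)
    for rec in conn_records:
        if conn_community_id(rec) == target:
            return rec["uid"]
    return None


# Constructed sample records (not real traffic) for the same TCP session.
SURICATA_ALERT = json.dumps({"event_type": "alert", "src_ip": "192.0.2.10", "src_port": 51234,
                             "dest_ip": "198.51.100.7", "dest_port": 445, "proto": "TCP",
                             "alert": {"signature": "constructed SMB policy alert"}})
ZEEK_CONN = {"uid": "CExample1", "id.orig_h": "192.0.2.10", "id.orig_p": 51234,
             "id.resp_h": "198.51.100.7", "id.resp_p": 445, "proto": "tcp"}
```

Zeek's own conn.log carries the `community_id` field once the policy is enabled, so in practice the join is a lookup on that field rather than a recomputation.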

In addition, Corelight Sensors will now support the Zeek Input Framework to allow users to fuse data from a variety of sources and tools into Zeek logs. Merging external data with Zeek logs makes the job of incident response easier by adding more context (such as asset or location information from a CMDB), control options (like organization-specific parameters), or precision in security analytics (through whitelists, for example). The Input Framework also enables many types of closed-loop automation, either directly (whitelisting alerts for automatic case creation) or indirectly (for playbooks built with security orchestration and automation platforms).

“Our new data fusion capabilities allow analysts to make better decisions about what connections are occurring across the network and investigate more effectively across multiple security technologies,” said Brian Dye, chief product officer at Corelight. “For example, analysts can seamlessly pivot from security alerts to an investigation in Corelight data, with visibility to asset and organizational information immediately at their fingertips. This saves responders precious time and the hassle of chasing down information manually across data sources. The ways in which the Community ID and Input Framework can be used within the sensor are nearly boundless.”

Finally, MITRE BZAR is a Zeek package that helps detect and investigate threats based on the ATT&CK framework. The Corelight Sensors leverage MITRE BZAR by raising alerts based on unusual lateral movement activity detected on the network, using SMB, DCE-RPC and file activity. Corelight Sensors can detect several types of activity including:

  • Lateral movement: Detecting unusual activity moving between systems
  • Credential access: Distinguishing unauthorized credentials
  • Defense evasion: Indicators of evasive file techniques such as deletion, hidden files and directories, side-loaded files and applications, indirect file execution, and port knocking
  • Execution: Identification of script execution, control panel automation, API access, or module load indicators
  • Persistence: Flagging repeated indicators of anomalous or atypical behavior on the network over time

“MITRE’s leadership and capability across security domains is well known, and their BZAR package will help organizations around the world detect and respond to key threats identified from the ATT&CK framework,” said Dye. “Their work on BZAR is a great example of the power of an open-core based approach, where the contributions of the community support many defenders, who in turn contribute their ideas, creating a virtuous cycle of defensive effectiveness for everyone in the Zeek community.”

The new data fusion capabilities and support for the MITRE BZAR package are now available in Corelight Sensor version 17. More information on today’s launch can be found on the Corelight products page. The Corelight product team has also described the new features on the Corelight blog.

About Corelight

Corelight makes powerful network security monitoring (NSM) solutions that transform network traffic into rich logs, extracted files, and security insights for more effective incident response, threat hunting, and forensics. Corelight Sensors run on Zeek (formerly called “Bro”), the open-source NSM tool used by thousands of organizations. Corelight Sensors simplify Zeek deployment and expand its performance and capabilities. Corelight’s global customers include Fortune 500 companies, major government agencies, and large research universities.

Media and Analyst Contact:
Kylie Heintz