Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Threat Detection


How Can Kill Webs Change Security Thinking?

In my previous article, I proposed ways that modern network-derived evidence applies to the cyber kill chain—a concept created by Eric Hutchins, Michael Cloppert, and Rohan Amin that changed how security teams approach defending their digital assets. This article focuses on an evolved, non-linear version of the kill chain called the “kill web.”

Evolution of Real Time Attack Detection

Attack detection is critical for most security solutions, whether we are talking about a load balancer-based (NIDS, WAF), host-based or in-application solutions (HIDS, RASP). Interestingly, regardless of the differences in architecture and data flow, most solutions use similar detection principles and techniques. We will explore how the detection architecture evolved over time and how the new generation of detection logic, such as the architecture implemented by Wallarm, is principally different from that of the legacy solutions.
Featured Post

You Can't Win: Learning to Live with Security Pessimism

Cybersecurity can, at times, feel like a thankless and invisible task. The punishment for a mistake is immediate and ruthless, the reward for success next to non-existent, because how do you recognise the absence of a breach? But this isn't a new scenario; the IT industry has dealt with this outlook for decades. The job of an IT department is to be invisible, but when something does go wrong all eyes are inevitably on them to fix it.

Black Hat NOC USA 2023: A tale of sharp needles in a stack of dull needles

During Black Hat 2023 in Las Vegas, our Corelight team worked effectively and speedily with our first-rate Black Hat NOC partners Arista, Cisco, Lumen, NetWitness and Palo Alto Networks. I was fortunate enough to be a member of the NOC team at the show, helping to defend the Black Hat network. In this blog, I’ll share my experience within the Network Operations Center (NOC) as well as an incident that we detected, investigated, triaged, and closed using Corelight’s Open NDR Platform.


Will today's security purchases stop tomorrow's deadliest threats?

In the first installment of this three-part series based on our recent white paper, The Skeptic’s Guide to Buying Security Tools, we outlined an evidence-based approach to helping your organization justify a new security tool purchase. This included identifying where security gaps exist, if those gaps could be filled by existing tools, and—if not—how to evaluate potential tools that could help.


How Does the Kill Chain Apply to Network-Derived Evidence?

When Eric M. Hutchins, Michael J. Cloppert, and Rohan M. Amin published their paper “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains” in late 2010, they changed the way security personnel thought about defending their digital assets. The paper continues to be a useful model for defense today. This article proposes ways that modern network-derived evidence applies to the kill chain.


Detecting Gozi Banking Malware

As a principal security researcher on Corelight’s Labs team, I help to solve difficult network security research problems at scale. Corelight’s customers might recognize some of my work if you see the packages “VPN Insights” or “App ID” on your sensors. Outside of my day-to-day role, I have a hobby podcast called eCrimeBytes where we lightheartedly discuss an electronic crime case each week.

SOC Visibility Triad, Why You Need NDR Alongside EDR

Defenders face numerous challenges in their complex, ever-expanding environments. Good data or network truth shouldn't be one of them. As Corelight is the standard in the NDR market, we will explore how to pivot from NDR to several EDR tools. The demo will showcase popular tools and give analyst workflow examples and use cases. Speaker: Steven Swaim (Principal Federal Sales Engineer, Corelight)

The Evolution of Persistent Threats: From Chernobyl to BlackLotus

In this blog post, we will explore how the computer security landscape has expanded to reach below the operating system levels, aiming to address areas that are often overlooked or completely neglected in cybersecurity. Attackers have discovered techniques to establish long-term persistence in compromised hosts by injecting malicious code to run before the operating system loads in areas commonly referred to as Basic Input Output System (BIOS).