Roundtable Forum on Generative AI Presents Unprecedented Opportunities & Risks.
Elevate Xchange April 17th 4:30p-8:30p
(all content supplied by Corelight’s website except the video) https://www.corelight.com
Why evidence-first analytics are the foundation of modern NDR Today's security teams use powerful analytics to accelerate incident response across the SOC. It's increasingly vital to augment SIEM and EDR tools with analytics from Network Detection and Response (NDR) solutions to obtain the breadth of insights and detections necessary for effective defenses. NDR analytics fuel SOC activity across threat detection coverage, asset visibility, and threat hunting. Corelight has built a suite of analytics rooted in decades of experience with world-class defenders who have contributed their practices and design patterns to the open source community.
A key learning from these defenders is that evidence quality determines analytic outcomes and so evidence must come first. An evidence-first analytics approach delivers broad, deep and accurate insights based on three pillars:
1. The best evidence sets the strongest foundation. The best evidence enables the best analytics, accelerates alert investigation, and allows defenders to investigate attacks spanning today, yesterday and tomorrow using retrospective analysis, forensics, and threat hunting.
2. Analytics need the right tool for the job - there is no silver bullet. Machine learning, queries,
behavioral detection, threat intelligence and traditional IDS signatures are each useful for different attack activity. We leverage them together for the most accurate analytics, broadest toolset consolidation and most effective alert aggregation.
3. Threat hunting is core to modern detection. Threat hunting requires unfettered access to evidence and can drive new detections and broader analytics coverage. In addition, hunting also reveals operational issues and accelerates routine incident response by understanding what “normal” is in the environment.
Initial discovery
As a C2 framework, we can detect Sliver via behavioral analytics (finding the tool itself) or by detecting the activity of malware delivered using the framework. Corelight has built a range of detection techniques across attacker infrastructure (IOCs), toolkits (Sliver, Cobalt Strike, Manjusaka, etc), and techniques (DGA malware, DNS exfiltration, etc). We use a wide range of detection engineering techniques to increase both investigative efficiency and alert accuracy.
Regarding investigative efficiency, consider that in this example a separately deployed signature IDS, threat intelligence platform and SIEM machine learning toolkit would see different parts of the attacks but none of the tools would properly aggregate the resulting alerts for the analyst to prioritize the problem and drive an effective investigation. In addition, Corelight’s integration of multiple NDR tools in a single platform removes the need for the security engineering team to maintain and tune each of those disparate tools, freeing up time for other analytics and automation initiatives. Regarding alert accuracy, consider that different detection methods have a different balance of false positive vs. detection (or false negative) rates. While no one detection approach is well suited for all the known variations within a given attack scenario, by using the strengths of different techniques we can cover the
broadest range possible with the highest accuracy:
For the Sliver C2 framework example we see that behavioral detection is the right tool for the job because the tool’s activities are clear and identifiable. In this instance, signatures aren’t the right fit because detecting the behaviors often requires analysis across multiple network connections. Likewise, we don’t need to incur the FP rates of machine learning (ML) for a tool we can find well with behavioral detection. For all of its progress and earned popularity, ML is a probabilistic detection method. That means it will carry a higher FP rate than other techniques (despite tuning) so as a general rule we should use ML to tackle detections which can’t be readily identified using simpler methods.
If we look downstream of the Sliver framework however, other techniques come into play. Attackers often re-use techniques for part of their campaigns so leveraging signatures and IOCs offers an easy and reliable way to find that subsequent activity. Likewise, supervised ML is highly effective for finding attackers hiding their exfiltration via DNS or detecting Tor usage. These situations are hard to detect well with signatures, rules or behavioral detection, but are a good fit for the probabilistic methods of ML.
Ultimately, using the right detection tool for the right job allows us to both provide the best alert accuracy and also the most effective alert aggregation and technology consolidation for defenders.
Investigation and Confirmation
For security analysts, detecting the Sliver framework is just the beginning. From there, analysts must:
1. Verify the alert: analysts can see additional confirming activity from the Sliver toolkit such as beaconing, telltale user agents or HTTP header ordering. The confirming evidence varies by attack of course, but analysts needing access to the right evidence is a constant.
2. Investigate the scope of the attack: as a C2 framework Sliver should carry out both upstream and downstream activity from the infected host. Analysts can follow the story laid out by network protocol logs to find the point of initial compromise as well as the lateral movement and any exfiltration attempts downstream of this specific detection. For example, connecting a DNS reply to a related HTTP session and subsequent file transfer can quickly take the analyst from an indicator to identifying exfiltration.
3. Confirm both the extent of any exfiltration and ensure remediation. Here network evidence can prove that either exfiltration didn’t occur, or if it did then it can reveal its true scope. The difference between “we think” and “we know” becomes incredibly important here as businesses face significant fiscal and policy implications from breaches. Afterwards, that same network evidence can verify the attacker is truly removed from the environment through ongoing validation of successful containment and remediation.
Watch, Listen & Learn to Greg Bell, Corelight an Elevate Xchange Executive Member