By Vince Stoffer, Senior Director, Product Management, Corelight This week’s launch of version 18 of our software features the Encrypted Traffic Collection, our first collection of a series of detections and data enrichments created by the Corelight research team. This collection focuses on SSH, SSL/TLS certificates, and insights into encrypted network sessions. SSH Inferences The […]
Category Archives: Encrypted Traffic
Introducing the Corelight SSH Inference Package
By Anthony Kasza, Security Researcher, Corelight Labs Corelight has recently released a new package, focusing on SSH inferences, as part of our Encrypted Traffic Collection. The package installs on sensors with a few clicks and provides network traffic analysis (NTA) inferences on live SSH traffic. Which SSH connections transferred files? Which SSH connections transferred keystrokes? […]
The Sun Sets on TLS 1.0
By Johanna Amann, Software Engineer, Corelight Editor’s note: This post is the result of the author’s work at the International Computer Science Institute where she works as a senior researcher. In the last months, the major web browsers (Safari, Firefox, Edge, Chrome) announced their intent to disable support for TLS 1.0 and TLS 1.1 in […]
Investigating the Effects of TLS 1.3 on Corelight Logs, Part 3
By Richard Bejtlich, Principal Security Strategist, Corelight Introduction Welcome to part 3 of my three-part series on TLS. In the previous two articles I briefly introduced TLS, and showed how Corelight would produce logs for a clear-text HTTP session. I then performed the same transaction using TLS 1.2, and compared the logs with those seen […]
Investigating the Effects of TLS 1.3 on Corelight Logs, Part 2
By Richard Bejtlich, Principal Security Strategist, Corelight Introduction Welcome to part 2 of my three-part series on TLS. In the previous article I briefly introduced TLS, and showed how Corelight would produce logs for a clear-text HTTP session. In this article I will perform the same transaction using TLS 1.2, and compare the logs with […]
Investigating the Effects of TLS 1.3 on Corelight Logs, Part 1
By Richard Bejtlich, Principal Security Strategist, Corelight Introduction I’ve written previously about Corelight data and encryption. I wanted to know how TLS 1.3 would appear in Corelight data, and compare the same network conversation over clear-text HTTP, TLS 1.2, and TLS 1.3. In this first of three parts, I will introduce TLS and demonstrate a […]
How Zeek can provide insights despite encrypted communications
By Anthony Kasza, Security Researcher, Corelight Labs Overview Encrypted communications are ubiquitous. While encryption provides confidentiality, it cannot prevent all means of traffic analysis. Certain protocols, such as SSH and TLS, ensure contents are not directly readable by monitoring systems. However, analysis of size and order of transmitted data can provide grounds for inference. This […]
Examining aspects of encrypted traffic through Zeek logs
By Richard Bejtlich, Principal Security Strategist, Corelight In my last post I introduced the idea that analysis of encrypted HTTP traffic requires different analytical models. If you wish to preserve the encryption (and not inspect it via a middlebox), you have to abandon direct inspection of HTTP payloads to identify normal, malicious, and suspicious activity. […]
Network security monitoring is dead, and encryption killed it.
By Richard Bejtlich, Principal Security Strategist, Corelight This post is part of a multi-part series on encryption and network security monitoring. This post covers a brief history of encryption on the web and investigates the security analysis challenges that have developed as a result. I’ve been hearing this message since the late-2000s, and wrote a […]