$400 Amazon Gift Card with OnDemand Training through March 10 - Learn More!


To attend this webcast, login to your SANS Account or create your Account.

This webcast has been archived. To view the webcast login into your SANS Portal Account or create an account by clicking the "Get Registered" button on the right. Once you register, you can download the presentation slides below.

How To Threat Hunt in Encrypted Network Traffic

  • Tuesday, December 10, 2019 at 1:00 PM EST (2019-12-10 18:00:00 UTC)
  • Aaron Soto, Matt Bromiley


  • Corelight

You can now attend the webcast using your mobile device!



Threat hunters need evidence to find adversaries. Networks offer a broad and reliable source of evidence, helping hunters make sense of movement across their environment via an immutable record of activity. Traffic, unlike endpoints, cannot lie. But the rise of encryption complicates this picture, especially where decryption isnt an optimal or possible solution.

Fortunately, the open-source Zeek Network Security Monitor (formerly Bro) can provide visibility into actionable metadata on encrypted streams for threat hunters without breaking and inspecting payloads. With Zeek, analysts can see the use of self-signed certificates, fingerprint SSH and SSL traffic, identify encryption on non-standard ports, and more. And Corelights commercial solutions extend Zeeks capabilities, especially around SSH traffic, giving analysts new insight into activities such as file transfer or keystrokes over SSH.

Register for this technical webcast to hear from Aaron Soto, Director of Learning at Corelight, and SANS Instructor Matt Bromiley about their experience using Zeek and Corelight to threat hunt and learn how you can apply their insights in your environment, whether traffic is encrypted, or not.

Speaker Bios

Aaron Soto

Aaron Soto is at Corelight, teaching users about the Zeek network monitoring platform. He's recently been part of the Metasploit development team, DEF CON’s OpenSOC blue team capture-the-flag event, and coaching UT Austin students on both defensive and offensive techniques. His passion is teaching up-and-coming blue teams how to find and stop attacks on their networks.

Matt Bromiley

Matt Bromiley is a SANS digital forensics and incident response (IR) instructor, teaching FOR508 Advanced Incident Response, Threat Hunting, and Digital Forensics and SANS FOR572 Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response. He is also an IR consultant at a global IR and forensic analysis company, combining experience in digital forensics, log analytics, and incident response and management. His skills include disk, database, memory and network forensics; incident management; threat intelligence and network security monitoring. Matt has worked with organizations of all shapes and sizes, from multinational conglomerates to small, regional shops. He is passionate about learning, teaching and working on open source tools.

Need Help? Visit our FAQ page or email webcast-support@sans.org.

Not able to attend a SANS webcast? All Webcasts are archived so you may view and listen at a time convenient to your schedule. View our webcast archive and access webcast recordings/PDF slides.