Threat hunters need evidence to find adversaries. Networks offer a broad and reliable source of evidence, helping hunters make sense of movement across their environment via an immutable record of activity. Traffic, unlike endpoints, cannot lie. But the rise of encryption complicates this picture, especially where decryption isn't an optimal or possible solution.
Fortunately, the open-source Zeek Network Security Monitor (formerly Bro) can provide visibility into actionable metadata on encrypted streams for threat hunters without breaking and inspecting payloads. With Zeek, analysts can see the use of self-signed certificates, fingerprint SSH and SSL traffic, identify encryption on non-standard ports, and more. And Corelight's commercial solutions extend Zeek's capabilities, especially around SSH traffic, giving analysts new insight into activities such as file transfer or keystrokes over SSH.
Register for this technical webcast to hear from Aaron Soto, Director of Learning at Corelight, and SANS Instructor Matt Bromiley about their experience using Zeek and Corelight to threat hunt and learn how you can apply their insights in your environment, whether traffic is encrypted, or not.