Safeguarding an organization’s virtual realms has never been more important. Today, connectivity and data are the new currency. Yet, as technology advances, so do the malicious actors and their methods, constantly devising more unique and covert ways to breach defenses. Herein lies the role of detection engineering. Acting as the digital watchtower for organizations, detection engineering responds to known threats and continuously scans the horizon for the slightest hint of a potential breach.

In Part 1 of this series, we talked about some challenges with building sufficient coverage for detecting security threats. We also discussed how telemetry sources like logs are invaluable for detecting potential threats to your environment because they provide crucial details about who is accessing service resources, why they are accessing them, and whether any changes have been made.

Do you model Cyber Threats, depict likely attack scenarios via Attack Trees and provide those findings back in a succinct manner to those responsible for the risk(s)? Surely that’s for the proviso of large companies, with big budgets and oodles of staff? I hear you say… Perhaps, but any organisation large or small can start to model their Cyber Threats. Why?

Over the past few months, ransomware targeting healthcare organizations has been on the rise. While ransomware is nothing new, targeting healthcare organizations, at the extreme, can impact an organization’s ability to engage in anything from routine office visits to life-or-death diagnoses, treatments, and patient care.

In my previous article, I proposed ways that modern network-derived evidence applies to the cyber kill chain—a concept created by Eric Hutchins, Michael Cloppert, and Rohan Amin that changed how security teams approach defending their digital assets. This article focuses on an evolved, non-linear version of the kill chain called the “kill web.”

During Black Hat 2023 in Las Vegas, our Corelight team worked effectively and speedily with our first-rate Black Hat NOC partners Arista, Cisco, Lumen, NetWitness and Palo Alto Networks. I was fortunate enough to be a member of the NOC team at the show, helping to defend the Black Hat network. In this blog, I’ll share my experience within the Network Operations Center (NOC) as well as an incident that we detected, investigated, triaged, and closed using Corelight’s Open NDR Platform.

In the first installment of this three-part series based on our recent white paper, The Skeptic’s Guide to Buying Security Tools, we outlined an evidence-based approach to helping your organization justify a new security tool purchase. This included identifying where security gaps exist, if those gaps could be filled by existing tools, and—if not—how to evaluate potential tools that could help.

When Eric M. Hutchins, Michael J. Cloppert, and Rohan M. Amin published their paper “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains” in late 2010, they changed the way security personnel thought about defending their digital assets. The paper continues to be a useful model for defense today. This article proposes ways that modern network-derived evidence applies to the kill chain.

As a principal security researcher on Corelight’s Labs team, I help to solve difficult network security research problems at scale. Corelight’s customers might recognize some of my work if you see the packages “VPN Insights” or “App ID” on your sensors. Outside of my day-to-day role, I have a hobby podcast called eCrimeBytes where we lightheartedly discuss an electronic crime case each week.