- My goal
- The role of NDR in SOC workflows
- Starting up the NDR system
- How AI enhances the human response
- What else did I check out?
- What could I see with NDR that I wouldn't otherwise?
- Am I ready to be a network security analyst now?
My goal
As someone relatively inexperienced with network threat hunting, I wanted to get some hands-on experience using a network detection and response (NDR) system. My goal was to understand how NDR is used in hunting and incident response, and how it fits into the daily workflow of a Security Operations Center (SOC).
Corelight's Investigator software, part of its Open NDR Platform, is designed to be user-friendly (even for junior analysts), so I thought it would be a good fit for me. I was given access to a production version of Investigator that had been loaded with pre-recorded network traffic. This is a common way to learn how to use this kind of software.
While I'm new to threat hunting, I do have experience looking at network traffic flows. I was even an early user of one of the first network traffic analyzers, called Sniffer. Sniffers were specialized PCs equipped with network adapters designed to capture traffic and packets. These computers were the foundation on which more advanced network monitoring platforms were built. Back in the mid-1980s, these tools were expensive and required a lot of training. Interpreting the terse, cryptic data they produced was difficult, and understanding how to translate those insights into actionable next steps took patience and expertise. Now, almost forty years later, I wanted to see how security teams conduct everyday network hunting when complex, fast attacks are the norm, and how quickly I could pick up the new tools.
The role of NDR in SOC workflows
Before I jump into my experience, let me explain how NDR integrates with the SOC.
NDR systems are most frequently used by mid- to elite-level security operations. In these environments, NDR is a key part of incident response and threat hunting workflows. The systems provide deep visibility across networks while also detecting intrusions and anomalies. This visibility is critical not just for spotting more complex attacks, but also for uncovering misconfigurations or vulnerabilities that could lead to breaches or outages. NDR helps analysts triage events and can provide direction and related insights to determine the appropriate response.
Integrating NDR with the SOC's Security Information and Event Managers (SIEMs), endpoint detection and response (EDR) solutions, and firewalls allows analysts to gather, enrich, and correlate network data with common events. Together, these integrations let analysts respond faster and more efficiently by connecting network insights with alerts and actions from other tools, especially when finding more advanced attacks that can evade EDR, for example. Knowing NDR is a central component of the SOC, I was eager to see how the workflows functioned.
Starting up the NDR system
When you first open Investigator, you're greeted by a dashboard that displays a ranked list of the latest highest-risk detections, listed by IP address and their frequency of occurrence. Most investigations start because some suspicious activity on the network triggered an alert. This prompts an analyst to form a hypothesis about why the event appeared on the dashboard, then drill down into the alert's details to validate or disprove the idea.
Clicking through the list, I could see solid details about the specific issues that were flagged. In my case, I was looking at evidence of a few exploit tools in use (including an old favorite of mine, NMAP). The alerts also covered reverse command shells being used to execute malware, a dodgy DNS server, and a series of packets that documented a conversation between a suspicious pair of IP addresses. I saw right away how Investigator's added context is critical.
Rather than having to figure out network traffic patterns and their meaning, Investigator's dashboard explained this for me and added even more context; each listing also showed which techniques from the MITRE ATT&CK® framework were involved, helping me understand the broader significance of the event. This level of detail is a great way to educate yourself about unfamiliar exploits, because you can quickly drill down into the specifics of each alert to gain deeper insights into the contents of the network packets involved.
This was also my chance to explore the GenAI features built into the tool. I could ask some pre-set questions, such as "What type of attack is associated with this alert?" It would respond with a recommended course of action in step-by-step detail. For example, it advised me to search particular logs for telltale signs that a node was communicating with an external command-and-control server and to check whether it had sent a particular malware payload. It explained how to see if the threat was moving laterally to another part of the network.
It may sound complicated, but my explanation actually takes longer than it did to click around and get these details when I was inside the product. This investigative process is fundamental for any SOC analyst who must piece together fragments of information to form a coherent picture of what the adversary is doing. In this case, the GenAI was surfacing insights and actionable next steps, clarifying the investigation process and allowing me to focus on my analysis.
How AI enhances the human response
Integrated AI is certainly not unique in today's collection of security products, but this was a useful feature. What I liked about the AI hints was that they were genuinely helpful, and not annoying, as some of the consumer-grade chatbots can be. There are clear workflow steps, such as:
• Identify the exploit timeline and use your various log files to correlate related IP addresses
• Identify the DNS origins
• Suss out HTTP requests and file transfers, and so on
These bulleted items weren't just some dry suggestions mentioned in marketing materials but actual elements of my threat hunting. Admittedly, I knew, at least from afar, why these were important and how these various pieces fit together from my earlier experience using network analyzers. But having these workflows spelled out by the AI brought my own ideas into focus and helped me build and explain the narrative of an attack. I saw how these AI-based suggestions could enable a human analyst to determine how to respond to the incident more quickly and begin mitigating its impact. For example, when seeing a file transfer, you can figure out the file's destination as well as whether it contains malware or other suspicious content.
Also, the generated hints and explanations are located in just the right place on-screen so as to be a natural fit into an analyst's workflow. Given the number of ways malware can enter a network, it's good to have these tips and hints that can upskill analysts and serve as timely reminders on how to sift through various alerts. Again, the AI tool helped me understand the details associated with each alert, such as why it happened, where it came from, and the potential damage it caused.
Finally, Corelight takes pains to state that Investigator "only shares data with the model when an analyst is investigating a threat, and we do not use customer data for training the AI model." To that end, there are two distinct integrations: one for private data (like IP addresses and customer details) and one for public data (that doesn't reveal anything specific about the underlying network traffic), which can be operated independently. To enable both of these integrations, you just go to the Settings page and simply turn them on.
What else did I check out?
Investigator comes with dozens of specialized dashboards that enable deeper analysis. For example, three dashboards are related to anomaly detection: one provides an overall summary, another offers detailed information, and a third displays the first time something has been observed on the network. This last display is particularly useful because it can show analysts novel techniques: indicators of a new anomaly, for example. With this level of granularity, analysts have the data they need to determine whether an event is truly malicious, merely the result of a software misconfiguration, or just an unusual but harmless occurrence.
Another complementary approach I looked at was Investigator's built-in command line panel, where I could search for specific conditions. A good way to learn more about the syntax and use of this portion of the product is Corelight's Threat Hunting Guide, where you can cut and paste the sample command strings directly into your Investigator searches, and copy their syntax for your own purposes. This can help analysts become more familiar with the data so they can use it to threat hunt unknown attacks in the future.
What could I see with NDR that I wouldn’t otherwise?
An NDR platform provides two important benefits: enrichment and integration. Each network connection is enriched with data collected by the Investigator. This can include not just which IP address triggered an alert, but how the activity compares to your normal network baseline activity. Analyzing traffic from normal baseline periods is invaluable because it lets you quickly spot the difference between, say, everyday access to a SQL server and unusual activity flagged by the system. When something seems off, all the context you need is right at your fingertips. You don’t, for example, need to recall that port 123 is used for the Network Time Protocol, nor what kinds of exploits can happen if someone is messing with it.
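To make the baseline comparison above and the "first time observed" dashboard described earlier concrete, here is an added example (my own illustration, not Corelight's code) that learns a per-host baseline from constructed connection records, flags connections that fall outside it, and enriches each with a service name; the port-to-service map and the sample IP addresses are assumptions.

```python
"""Added example (not Corelight's code): baseline versus first-observed triage.

Constructed connection records stand in for the per-connection metadata an NDR
platform keeps. A baseline is learned from a known-good window; later records
are compared against it, and anything new is enriched with a service name so
the analyst need not recall that port 123 is NTP.
"""
from collections import defaultdict

# Assumed port-to-service map used for enrichment (small subset only).
SERVICES = {53: "dns", 80: "http", 123: "ntp", 443: "https", 1433: "mssql"}

# Constructed records: (timestamp, source IP, destination IP, destination port).
BASELINE = [
    (1, "10.0.0.5", "10.0.0.2", 53),
    (2, "10.0.0.5", "10.0.0.9", 1433),        # everyday SQL server access
    (3, "10.0.0.7", "10.0.0.2", 53),
    (4, "10.0.0.7", "10.0.0.3", 123),         # clock sync with the internal NTP host
    (5, "10.0.0.7", "198.51.100.10", 443),
]
OBSERVED = [
    (10, "10.0.0.5", "10.0.0.9", 1433),       # matches baseline: normal
    (11, "10.0.0.7", "10.0.0.3", 123),        # matches baseline: normal
    (12, "10.0.0.7", "203.0.113.7", 123),     # NTP, but to a never-seen external peer
    (13, "10.0.0.7", "203.0.113.7", 4444),    # port this host has never used at all
    (14, "10.0.0.5", "10.0.0.2", 53),
]

def learn_baseline(records):
    """Map each source IP to the (destination, port) pairs it normally uses."""
    seen = defaultdict(set)
    for _ts, src, dst, dport in records:
        seen[src].add((dst, dport))
    return seen

def first_observed(baseline, records):
    """Return enriched events for connections absent from the baseline.
    A known service to a new peer is graded weaker than a never-used service."""
    known_ports = {src: {p for _, p in pairs} for src, pairs in baseline.items()}
    events = []
    for ts, src, dst, dport in records:
        if (dst, dport) in baseline.get(src, set()):
            continue  # normal activity, nothing to triage
        novelty = "new-peer" if dport in known_ports.get(src, set()) else "new-service"
        events.append({"ts": ts, "src": src, "dst": dst, "port": dport,
                       "service": SERVICES.get(dport, "unknown"), "novelty": novelty})
    return events
```

Running `first_observed(learn_baseline(BASELINE), OBSERVED)` surfaces only the two connections at timestamps 12 and 13, labelled "ntp / new-peer" and "unknown / new-service", while the everyday SQL and NTP traffic stays out of the triage queue.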
Enrichment also helps to correlate a particular event with other related data points that explain what you’re seeing. This gets to its other benefit: integration with other security tools. Integrations are how the enriched metadata is collected and shared. For example, log files can be exported to a number of SIEMs for further correlation analysis. NDR insights can be combined with EDR tools like CrowdStrike Falcon® to block a particular server or host, or to block a particular IP address in combination with a firewall like Palo Alto Networks. Threat intelligence rules used in technologies such as Suricata® and Yara, and other indicators of compromise, can be added for further defense.
These integrations allow you to combine NDR’s network visibility with EDR, making it possible to identify which endpoints or hosts may be the source of suspicious activity or could be compromised by a bad actor. It’s particularly advantageous when tracking malware. Today, it’s common to see malware that moves across multiple threat domains (such as this recent exploit that used a burner email account, a compromised South African router, a phishing-as-a-service package, and infrastructure that connected machines in Russia, the US, and Croatia). Having this level of network visibility is crucial to understanding these complex relationships and threat movements.
More than 50 such integrations are possible using Corelight’s solution, so it can be used as a way to add information from many different detection sources, and these results can be exported to many products that offer resolution. Having a repository of common vulnerability details like these can be a ready reference for a SOC analyst who might have already seen that particular vulnerability or who is learning about new exploits. Adding these integrations is straightforward, too. For example, you can block traffic from specific IP addresses by adding them to Palo Alto’s External Dynamic Lists and simply exchanging cryptographic keys.
Am I ready to be a network security analyst now?
Not quite. While I like and want to stick with my day job (writing about security and testing new products), this experience brought me more in touch with what the day-to-day SOC analyst does for a living. By using Investigator, I was able to take my basic skills and network protocol knowledge and extend them into actionable tasks. It was also helpful in helping me learn about the inner operations of the various exploits that it found moving across my sample network. Think of Investigator as a force multiplier for your SOC’s middle-level staff, saving them time and providing more resources to figure out threats and mitigations.
This examination of the inner workings comes from being able to tie together an alert with other parts of the network — a custom DNS provider, a web host that shouldn’t be sending data somewhere, or an open cloud data store — that could lead towards the key to unwinding a particular exploit.
Without an NDR platform to collect and correlate all this information, I would be mostly scrambling to find the separate bits and pieces of data, or manually cutting and pasting data from one security program to another. This way, I had the entire data corpus at my fingertips, complete with the connection relationships and activity that the software automatically surfaces. I didn’t have to fumble around with the cut and paste of an IP address or a search string: instead, I just clicked on the particular element, and the software showed me the particular relationship.
Yes, things have changed since those early days of the Sniffer. But my day getting down and dirty with Corelight’s Investigator taught me valuable lessons on how to create threat hypotheses, understand how threats move about a network, and, more importantly, gave me an opportunity to learn more about how networks operate and how they can be defended in the modern era. To learn more about Corelight’s open NDR platform, visit corelight.com. If you are curious to learn more about how elite SOC teams use Corelight’s open NDR platform to detect novel attack types, including those leveraging AI techniques, visit corelight.com/elitedefense.
Note: This article was thoughtfully written and contributed for our audience by David Strom.