Data gathered during collection, such as sensitive documents, may be exfiltrated by automated processing or scripting rather than by hand.
Attackers may use automated tools to exfiltrate sensitive data from a compromised host to an external server, for example a custom tool that uploads compressed or encrypted data to a website, an FTP server, or an email account. Zeek monitors HTTP, FTP, and email (SMTP) traffic, so defenders can identify high volumes of outbound traffic to unknown hosts, or connections that recur on a regular schedule. Wherever a Corelight Sensor sees this traffic, the connection is recorded in conn.log and in the protocol-specific log (http.log, ftp.log, smtp.log). Depending on the transfer method, Zeek also records the names of the transferred files and the protocol that carried them in files.log.
This package helps defenders establish the typical direction and volume of data transfer between two hosts and detect when that pattern changes.
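The two signals described above (outbound volume to external hosts, and connections that recur on a fixed schedule) plus the direction-change check can be reproduced offline against Zeek's conn.log. The script below is an added example written for this page; it is not Corelight's package or Zeek's own code. It assumes RFC 1918 ranges are "local", uses illustrative thresholds (10 MB outbound, a 10:1 outbound:inbound ratio, four or more connections with inter-arrival jitter under 10%), and runs over a constructed conn.log sample with a subset of Zeek's fields.

```python
"""Flag exfiltration-like traffic in a Zeek conn.log: large outbound volume
to external hosts, connections on a regular schedule, and pairs whose usual
direction of transfer flips. Added example, not Corelight/Zeek code."""
import ipaddress
import statistics
from collections import defaultdict

# Constructed sample conn.log (subset of Zeek's fields), not real capture data.
# 10.0.0.5 uploads ~50 MB to 203.0.113.7 every hour; 10.0.0.8 normally
# downloads from 198.51.100.20, then suddenly uploads 80 MB to it.
SAMPLE_CONN_LOG = """#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount
1700000000.0\tCa1\t10.0.0.5\t51000\t203.0.113.7\t443\ttcp\tssl\t12.0\t52000000\t4100
1700003600.0\tCa2\t10.0.0.5\t51001\t203.0.113.7\t443\ttcp\tssl\t11.0\t48000000\t3900
1700007200.0\tCa3\t10.0.0.5\t51002\t203.0.113.7\t443\ttcp\tssl\t13.0\t51000000\t4200
1700010800.0\tCa4\t10.0.0.5\t51003\t203.0.113.7\t443\ttcp\tssl\t12.0\t49000000\t4000
1700000100.0\tCb1\t10.0.0.8\t52000\t198.51.100.20\t80\ttcp\thttp\t0.5\t600\t150000
1700004400.0\tCb2\t10.0.0.8\t52001\t198.51.100.20\t80\ttcp\thttp\t0.4\t550\t98000
1700009900.0\tCb3\t10.0.0.8\t52002\t198.51.100.20\t80\ttcp\thttp\t0.6\t700\t210000
1700020000.0\tCb4\t10.0.0.8\t52003\t198.51.100.20\t80\ttcp\thttp\t40.0\t80000000\t500
1700000200.0\tCc1\t10.0.0.9\t53000\t10.0.0.50\t445\ttcp\tsmb\t3.0\t90000000\t9000
"""

# Assumption: RFC 1918 space is "inside"; adjust to the monitored site's ranges.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def parse_conn_log(text):
    """Parse Zeek TSV conn.log text using its #fields header; '-' means unset."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("conn.log data seen before #fields header")
        rec = dict(zip(fields, line.split("\t")))
        rec["ts"] = float(rec["ts"])
        for key in ("orig_bytes", "resp_bytes"):
            rec[key] = int(rec[key]) if rec[key] != "-" else 0
        rows.append(rec)
    return rows


def summarize_pairs(rows):
    """Per (orig_h, resp_h): bytes sent each way and the connection start times."""
    pairs = defaultdict(lambda: {"out": 0, "in": 0, "ts": []})
    for r in rows:
        p = pairs[(r["id.orig_h"], r["id.resp_h"])]
        p["out"] += r["orig_bytes"]
        p["in"] += r["resp_bytes"]
        p["ts"].append(r["ts"])
    return pairs


def regular_schedule(timestamps, min_conns=4, max_jitter=0.1):
    """True if at least min_conns connections occur with near-constant spacing
    (standard deviation of the gaps within max_jitter of the mean gap)."""
    if len(timestamps) < min_conns:
        return False
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    return mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter


def find_exfil_candidates(rows, min_out_bytes=10_000_000, min_ratio=10.0):
    """Internal -> external pairs with heavy outbound volume or a fixed schedule."""
    findings = []
    for (orig, resp), p in summarize_pairs(rows).items():
        if not is_local(orig) or is_local(resp):
            continue  # only inside-to-outside traffic can be exfiltration here
        reasons = []
        if p["out"] >= min_out_bytes and p["out"] >= min_ratio * max(p["in"], 1):
            reasons.append("high outbound volume")
        if regular_schedule(p["ts"]):
            reasons.append("regular schedule")
        if reasons:
            findings.append({"orig": orig, "resp": resp, "out_bytes": p["out"],
                             "in_bytes": p["in"], "reasons": reasons})
    return findings


def direction_shift(rows, split_ts, min_shift=0.5):
    """Compare each pair's outbound share of bytes before and after split_ts and
    return pairs whose traffic flipped toward outbound by at least min_shift."""
    before = summarize_pairs([r for r in rows if r["ts"] < split_ts])
    after = summarize_pairs([r for r in rows if r["ts"] >= split_ts])
    shifted = []
    for pair in before.keys() & after.keys():
        b, a = before[pair], after[pair]
        frac_b = b["out"] / max(b["out"] + b["in"], 1)
        frac_a = a["out"] / max(a["out"] + a["in"], 1)
        if frac_a - frac_b >= min_shift:
            shifted.append((pair[0], pair[1], round(frac_b, 3), round(frac_a, 3)))
    return shifted


if __name__ == "__main__":
    rows = parse_conn_log(SAMPLE_CONN_LOG)
    for f in find_exfil_candidates(rows):
        print(f"{f['orig']} -> {f['resp']}: out={f['out_bytes']} in={f['in_bytes']} {f['reasons']}")
    for orig, resp, fb, fa in direction_shift(rows, split_ts=1700015000.0):
        print(f"direction shift {orig} -> {resp}: outbound share {fb} -> {fa}")
```

On the sample, 10.0.0.5 is flagged for both volume and schedule (four uploads exactly an hour apart), 10.0.0.8 for volume only after its last connection, and the direction check reports the same host switching from almost entirely inbound to almost entirely outbound; the internal SMB transfer is ignored. In production the thresholds should be derived from a per-pair baseline rather than fixed constants, and the schedule test is only meaningful over a window long enough to hold several beacons.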
Corelight Sensors run the Zeek network security monitor, whose event-driven scripting language is the primary means of extending and customizing a sensor. A script registers handlers for predefined events (a new connection, an HTTP request, a file being transferred); when Zeek raises the event, the handler captures information about that connection and acts on it, typically by writing a log entry or raising a notice. For example, the validation_status field in ssl.log is filled in by a script that walks the server's certificate chain and raises a notice if validation fails at any step.
Developed by MITRE for organizations that have deployed the Zeek / Bro Network Security Monitor, these scripts use selected protocol analyzers (SMB and DCE-RPC) and the File Analysis Framework to uncover a range of Execution, Persistence, Lateral Movement, Defense Evasion, Credential Access and, in particular, Discovery techniques. Learn more at GitHub.
Tune in to this prerecorded webcast (runtime 1 hour) to hear security operators Richard Bejtlich and James Schweitzer dig into the MITRE ATT&CK framework and review concrete, step-by-step examples of how you can use Zeek to significantly improve your visibility into and defenses against Lateral Movement (TA0008), Exfiltration (TA0010), and Command and Control (TA0011) tactics. Watch.