Intelligent CIO Middle East Issue 105 | Page 23

LATEST INTELLIGENCE
• Corelight alerts on SSH and RDP brute-forcing activity and flags known RDP clients such as Metasploit Scanner.
• The included x.509 log shows certificate details for all TLS connections. The presence of self-signed or expired certificates can serve as an early warning indicator of malware infection that could lead to a ransomware attack.
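The self-signed and expired-certificate check described above, written out as an added example (not Corelight's code): it parses a Zeek/Corelight-style x509.log excerpt and flags any certificate whose issuer equals its subject or whose validity ended before the connection was seen. The field names follow Zeek's x509.log; the log lines themselves are constructed for this example.

```python
"""Flag self-signed and expired certificates in a Zeek-style x509.log (TSV)."""

# Constructed x509.log excerpt with a #fields header, as Zeek writes it.
# Field names follow Zeek's x509.log; values are invented for this example.
SAMPLE_X509_LOG = """\
#fields\tts\tid\tcertificate.subject\tcertificate.issuer\tcertificate.not_valid_before\tcertificate.not_valid_after
1700000000.1\tFa1b2c\tCN=www.example.org,O=Example\tCN=Example Root CA,O=Example\t1690000000.0\t1760000000.0
1700000001.2\tFd4e5f\tCN=update-srv\tCN=update-srv\t1699990000.0\t1731600000.0
1700000002.3\tFg7h8i\tCN=portal.example.net\tCN=Example Root CA,O=Example\t1600000000.0\t1631500000.0
"""


def parse_x509_log(text):
    """Yield one dict per record, keyed by the names in the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        yield dict(zip(fields, line.split("\t")))


def flag_certificates(text):
    """Return (file id, reason) pairs for self-signed or expired certificates."""
    hits = []
    for rec in parse_x509_log(text):
        reasons = []
        # Self-signed: the certificate names itself as its own issuer.
        if rec["certificate.subject"] == rec["certificate.issuer"]:
            reasons.append("self-signed")
        # Expired: validity window had already ended when the connection was observed.
        if float(rec["certificate.not_valid_after"]) < float(rec["ts"]):
            reasons.append("expired")
        if reasons:
            hits.append((rec["id"], ", ".join(reasons)))
    return hits


if __name__ == "__main__":
    for fuid, why in flag_certificates(SAMPLE_X509_LOG):
        print(f"{fuid}: {why}")
```

Either condition alone is only a weak signal; in practice the flagged file ids would be pivoted to the related conn.log and ssl.log entries before raising an alert.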
ICS/OT Collection
Corelight's ICS/OT Collection delivers visibility into ICS/OT network communications, expediting incident response and simplifying inventory management. It includes many of the most common ICS/OT protocols currently in use.
MID STAGE
ADVERSARY TECHNIQUES
Lateral movement: Entering and controlling remote systems on a network after initial access has been acquired.
Command and control (C2): Establishing communication with the command and control servers.
Other known methods: During the mid-stages of a ransomware attack, adversaries employ a number of techniques made transparent by Open NDR.
Self-signed or expired certificates: Creating self-signed SSL/TLS certificates used during targeting.
ICS/OT attacks: Various techniques, tools, and malware used to achieve intended effects on ICS/OT systems.
CORELIGHT DEFENSIVE CAPABILITIES
Encrypted Traffic Collection
This Corelight collection helps analysts identify the early stages of a ransomware attack, and includes inferences and detections around SSL, SSH, and RDP traffic.
To see lateral movement, Corelight uses signature and behavioral detection techniques to discover enumeration attacks, file transfers, remote procedure calls, Windows authentication, and the opening of privileged file shares, all of which can indicate that attackers are expanding further into an organization's assets. Other ways Open NDR exposes mid-stage activity:
Core Collection
Detects lateral movement techniques in MITRE ATT&CK® related to SMB and DCE-RPC traffic, such as indicators targeting Windows Admin Shares and Remote File Copy. Optionally extracts detection-related files to enable investigations of suspicious traffic.
PRESENTED BY
Download whitepapers free from www.intelligentcio.com/me/whitepapers/