Secure Networks: Endace Packet Forensics Files
"Secure Networks: Endace Packet Forensics Files" features interviews with leading cybersecurity and networking experts from companies such as Cisco, Darktrace, Palo Alto Networks, and others. It focuses on the issues that Security, Network Operations and DevOps teams face in securing and managing their networks and applications and provides insights into best practices and future developments.
Secure Networks: Endace Packet Forensics Files
Episode 65: Cody Spooner, Senior Sales Engineer and IR expert, Corelight
Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.
In this episode of the Endace Packet Forensic Files, Michael chats with with Cody Spooner, Principal Sales Engineer and DFIR expert at Corelight, about an interesting topic: the subtleties and differences of “Enablers" vs "Behaviors” of a cybersecurity compromise.
Cody explains that when most people think of threat hunting or incident response investigations, they picture analysts looking for signs of malicious activity. In reality there are critical subtle differences between the “behavior of a compromise” and the underlying “enabler of a compromise” that often go unnoticed or overlooked. He highlights how organizations tend to focus heavily on detecting malicious behaviors - such as data exfiltration or unauthorized logins - but often miss identifying the enabling conditions - such as misconfigurations or legacy protocols - that led to those compromises in the first place.
Cody shares examples of seemingly harmless issues that can become the doorway to a full compromise, such as configuration issues or outdated or deprecated protocols like NTLMv1 and SMBv1. These often persist in modern environments and Cody suggests that incident responders and threat hunters can usefully focus on identifying and eliminating these enablers to reduce the organisation's risk profile.
Cody gives advice for security teams on how to shift their mindset from focusing only on behaviors to focusing on enablers as well in their threat hunting activity. He also provides insights into how IR teams should interpret and contextualize indicators of compromise and discusses how the “why” behind an attack can often change or influence the response strategy.
ABOUT ENDACE
*****************
Endace (https://www.endace.com) is a world leader in high-performance packet capture solutions for cybersecurity, network and application performance.
EndaceProbes are deployed on some of the world's largest, fastest and most critical networks. EndaceProbe models are available for on-premise, private cloud and public cloud deployments - delivering complete hybrid cloud visibility from a single pane-of-glass.
Endace’s open EndaceProbe Analytics appliances (https://www.endace.com/endaceprobe) can be deployed in on-premise locations and can also host third-party security and performance monitoring solutions while simultaneously recording a 100% accurate history of network activity.