As someone relatively inexperienced with network threat hunting, I wanted to get some hands-on experience using a network detection and response (NDR) system. My goal was to understand how NDR is used in hunting and incident response, and how it fits into the daily workflow of a Security Operations Center (SOC). Corelight asked me to write a sponsored piece for The Hacker News about my experience using their Investigator threat hunting software (screenshot below).

While I’m new to threat hunting, I do have experience looking at network traffic flows. I was even an early user of one of the first network traffic analyzers  from Network General called Sniffer. Sniffers were specialized PCs equipped with network adapters designed to capture traffic and packets. These computers were the foundation on which more advanced network monitoring platforms were built. That Wikipedia link shows you how far we have come with designing useful control interfaces.

My day getting down and dirty with Corelight’s Investigator taught me valuable lessons on how to create threat hypotheses, understand how threats move about a network, and, more importantly, gave me an opportunity to learn more about how networks operate and how they can be defended in the modern era.