Blog
How Does Reveal(x) Detect Recon?
Network Detection and Response vs. Attacker Reconnaissance
Dale Norris
August 12, 2019
Welcome to the second in a series of blog posts developed as companion pieces to the live attack demo scenario (explore that here) that puts you in control of a network detection & response (NDR) product during an interactive attack. Read on to learn how ExtraHop Reveal(x) detects threats across the attack chain, starting with command and control and now zeroing in on reconnaissance.
How Reveal(x) Detects Reconnaissance
Before adversaries can execute an attack, they have to find a weak spot they can use to access your network and gain a foothold. That's where reconnaissance comes into play.
Reveal(x) is able to identify a large number of reconnaissance behaviors because of two key capabilities: visibility into Layer 2 through Layer 7 communications and machine learning-powered detections that extract 4,800 features across 70+ protocols.
In the Reveal(x) demo's live attack scenario, you can see several of the reconnaissance behaviors Reveal(x) detects in real time, including TCP SYN scanning, DNS internal reverse lookup scanning, DNS brute force, and ping scanning.
Let's focus on two of those reconnaissance methods: TCP SYN scanning and DNS reverse lookups.
Transmission Control Protocol (TCP) Synchronization (SYN) scans are the most common form of TCP scanning and involve trying to establish an open connection to the target port that's vulnerable to exploit.
Check out this blog if you're interested in learning more about port scanning.
Because TCP reconnaissance takes places at the network perimeter, where attackers look for targets that are easy to access from the internet, security teams usually configure Intrusion Detection Systems (IDS) and firewalls to detect these scans. However, adversaries can sneak past those defenses by altering the scanning rate.
Reveal(x) helps you track inbound and outbound traffic at the network perimeter, and applies both rules and behavioral analysis to detect known and unknown threats. This Reveal(x) detection also supports MITRE ATT&CK T1046: Network Scanning.
Domain Name System (DNS) reverse lookups are another popular method of reconnaissance, and one that Reveal(x) excels at detecting.
Although DNS reverse lookups can be fairly obvious, they can also be hard to find. This type of reconnaissance occurs on an incredibly busy protocol, and DNS reverse lookups are a legitimate activity to associate a domain name with an IP address. Most infrastructures do not log all DNS requests and/or responses, which makes investigation difficult if analysts receive an alert.
To detect this activity, Reveal(x) analyzes application-layer DNS request messages and leverages machine learning to separate normal and anomalous behavior before flagging suspect activity.
This Reveal(x) detection supports MITRE ATT&CK T1250 for Host and IP, and MITRE ATT&CK T1254: Conduct Active Scanning.
When it identifies a threat, Reveal(x) creates detection cards that provide background information on the behaviors, assigns them risk scores, and provides guided investigation workflows that allow you to drill down to forensic evidence in a few clicks.
If those behaviors occur in encrypted traffic, Reveal(x) has the decryption capabilities necessary to detect them.
In the next edition of our detections series, we'll show you how Reveal(x) detects exploitation behaviors. Happy threat hunting!
Discover more