New in Reveal(x): NetFlow Sensor, Detection of Dual-Use Tools, French and German Translations, and More

The latest release of the ExtraHop Reveal(x) NDR platform includes a new NetFlow network traffic sensor to help users monitor network performance and identify denial-of-service attacks, viruses, and other security threats.

Reveal(x) also features new detections of dual-use cybersecurity tools that threat actors frequently use in attacks, and it recommends which security threats analysts should prioritize.

In addition, German and French speakers will find it easier to use Reveal(x), because the user interface, Threat Briefings, and other documentation are now translated into their languages. Several significant additions in the 9.4 release are detailed below.

New NetFlow sensor

NetFlow, a network protocol used to collect IP traffic information from Cisco devices, is a compliance requirement for many organizations. The new NetFlow sensor provides expanded attack surface visibility, leveraging network traffic analysis for flow-based security, and network performance monitoring workflows for Reveal(x) users. Specifically, the new sensor can detect and troubleshoot network problems and point users to rapid resolutions, allowing them to efficiently allocate network resources.

The sensor can also detect potential security and policy violations on the network. The sensor extends NetFlow data to security use cases and brings all of its findings into a single unified console. NetFlow data can then be used for security analysis within the Reveal(x) platform to quickly identify and monitor denial-of-service attacks and data exfiltration.

This new sensor offers enhanced NetFlow analysis for both security and performance workflows to easily collect data from Cisco NetFlow versions 5 and 9 and IPFIX. The sensor gives users network context to proactively identify network problems and respond to malicious behavior.

French and German Localization

The Reveal(x) user interface, detections, documentation, and other materials are now available in French and German. With the expanded language support, users will be able to toggle instantly back and forth between available languages. All of the UI and navigation tools will be translated, as well as Threat Briefings, expanded detection content, and select machine learning detections.

The translations should significantly ease training and implementation for native French- and German-speaking users.

Detection of Dual-Use Tools

Reveal(x) now features expanded identification of dual-use cybersecurity tools that threat actors deploy to evade endpoint detection. These dual-use tools, including remote access and network scanning software, can be deployed in enterprise IT environments for legitimate purposes, but threat actors also use them to make their malicious activities appear legitimate.

The dual-use tools that Reveal(x) can detect include Advanced IP Scanner, Advanced Port Scanner, SoftPerfect Network Scanner, and PingCastle. While the appearance of one of these tools doesn’t necessarily mean an organization is compromised, the detection of the tool may give analysts a reason to investigate why it’s there.

Reveal(x) detects unusual cases of dual-use tools appearing on customer networks. The high-fidelity detections of these tools are designed to help users achieve faster breach identification and response times.

Detections for Smart Triage

A new feature in Reveal(x) automatically sends security analysts detections that should be prioritized. The feature, based on contextual analysis of detections and assets in the customer environment, is designed to help Reveal(x) users avoid decision fatigue and choice overload. Known as Smart Triage, the feature will help security analysts decide where to focus their attention when investigating possible security incidents.

With Smart Triage, Reveal(x) will recommend detections for priority handling based on several factors, including the presence of a device with significant threat activity on it, the presence of a high-value asset, and the rarity of the specific type of detection in the customer environment.

The triage functionality covers multiple types of detections, and customers can filter detections based on whether they are recommended for triage.

Identification of Vulnerability Scanners for Cloud Services

The latest release of Reveal(x) reduces vulnerability scanner noise for users by identifying external vulnerability scanners targeting cloud services. Many of these external vulnerability scanners have legitimate uses for helping organizations understand their security posture, but others are used by threat actors to infiltrate an organization’s network.

Users can now identify the cloud services targeted by these vulnerability scanners, and the feature allows users to filter and tune only trusted vulnerability scanners.

Reveal(x) can identify about 50 known vulnerability scanners, including Shodan and Censys.

New Detectors and MOVEit Threat Briefing

Reveal(x) will have expanded detection coverage of attacker tools and techniques, including Brute Ratel, Emotet, and 21 new families of ransomware. Also included are 11 improved pattern-based detections for ransomware, and detections of 104 ransomware extensions.

In addition, a Threat Briefing for critical vulnerabilities in the MOVEit file transfer program was released earlier this year. The Threat Briefing covers the multiple SQL injection vulnerabilities in MOVEit, and it provides customers with an overview of devices on their networks running MOVEit. The Threat Briefing allows users to quickly identify vulnerable devices and apply a patch provided by MOVEit vendor Progress Software.

The Threat Briefing also allows customers to review connections made to the MOVEit cloud service before June 16, when Progress Software released its patch.

To see Reveal(x) in action, take our self-guided demo.