back caretBlog

How Does Reveal(x) Detect Threats?

Network Detection and Response vs. Command and Control

No matter how strong your digital defenses, your attack surface is always vulnerable. That's not an indictment of your security team. It's the reality of enterprise security in the 21st century.

Bad actors have the advantage over the good guys and gals charged with stopping them. Cyber criminals use increasingly sophisticated techniques, tactics, and procedures (TTPs) to slip past perimeter defenses, hide from legacy security solutions once they're inside, and then launch attacks.

You can level the playing field or even tip it in your favor with Reveal(x), regardless of whether the contest happens on-premises, at the edge of your network, or in the cloud.

To show how complete visibility, real-time detection, and guided investigation workflows help you stop the TTPs you're likely to encounter during an attack, we added a live attack scenario to our interactive Reveal(x) demo.

Take the Reveal(x) live attack scenario for a test drive to see how it works!

We've also created this companion blog series to dive deeper into specific Reveal(x) detections that alert you to what's happening at every stage of the attack chain.

For the first installment, we're tackling command and control, so tighten your chin strap.

How Reveal(x) Detects Command and Control

Unless an attacker is an employee or an old-school thief, they shouldn't have physical access to devices on your network and must take control of systems remotely. Command and control (C&C) activity can take place over control protocols such as RDP, SSH, or telnet. It can also occur over a custom protocol, or it can be disguised within the misuse of another protocol, such as Domain Name System servers, or DNS.

One very popular C&C method is DNS tunneling because it's difficult to detect and allows attackers to encode C&C messages or data payloads into otherwise benign DNS queries and responses.

Reveal(x) addresses this behavior in our live attack demo, detecting a C&C attempt in real time and creating a detection card you can use to get background information on the attack. The detection card explains what Reveal(x) found, assigns it a risk score, and allows you to see DNS details by clicking on the workstation being used in the attack, as well as an activity map and records.

Reveal(x) is able to detect DNS tunneling because it has visibility into Layer 7 of the OSI model, which you can learn more about here, allowing it to analyze application-layer details contained in transaction payloads.

Many enterprises with well-segmented networks keep a port open to DNS so that internal DNS servers can proxy DNS queries of external domains, making the ability to detect anomalous behaviors even more important.

Reveal(x) extracts more than 4,700 features across 50+ protocols, so it always knows what kind of behaviors should and shouldn't be happening across your network. Reveal(x) also accurately alerts you whenever suspicious activities occur.

If those activities occur in encrypted traffic, Reveal(x) has the decryption capabilities necessary to detect them.

In the next edition of our detections series, we'll show you how Reveal(x) detects reconnaissance behaviors. Happy threat hunting!

ExtraHop Reveal(x) Live Activity Map

Stop Breaches 87% Faster

Investigate a live attack in the full product demo of ExtraHop Reveal(x), network detection and response, to see how it accelerates workflows.

Start Demo

Sign Up to Stay Informed