Welcome to the third in a series of blog posts developed as companion pieces to the live attack demo scenario (explore that here) that puts you in control of a network detection & response (NDR) product during an interactive attack. Read on to learn how ExtraHop Reveal(x) detects threats across the attack chain, starting with command and control, followed by reconnaissance, and now zeroing in on exploitation.
How Reveal(x) Detects Exploitation Behaviors
After an attacker successfully completes reconnaissance to identify vulnerabilities, they're ready to exploit assets. If you didn't catch the recon in time, it's crucial to detect activity at this stage of the attack lifecycle because adversaries haven't yet accessed sensitive systems.
Reveal(x) is able to quickly and accurately identify threats because our machine learning leverages hundreds of predictive models for every entity observed on the network to cover all aspects of their behavior and interactions.
In the Reveal(x) demo's live attack scenario, you can see a few of the behaviors indicative of exploitation attempts that Reveal(x) detects in real time, including DCSync and Brute Force.
DCSync and brute force techniques are listed under the Credential Access category of TTPs in the MITRE ATT&CK Framework. (Go here for our ungated white paper mapping Reveal(x) to the MITRE framework.) These techniques can be used to gain access to a Windows domain network's greatest prize: Active Directory.
DCSync is associated with Mimikatz, an open-source program for gathering user credentials from a Windows environment. It simulates the behavior of a domain controller in order to steal password data through domain replication.
Reveal(x) detects DCSync by using cloud-scale machine learning to match against known behaviors and indicators of compromise (IOCs) for this particular attack.
To gain access to and then exploit services, devices, or user accounts, an attacker can guess valid credentials with brute force techniques. Reveal(x) detects an unusually high number of login attempts and failures indicative of this type of attack.
Although brute force attempts originating from outside of the network are easy for perimeter-focused tools to detect, those tools can be blind to attempts that occur after a device has been compromised or when the attempts are from an insider threat.
By continuously monitoring and analyzing network traffic inside the perimeter, Reveal(x) fills in those blind spots and detects the internal threat in real time.
Once Reveal(x) detects a threat, analysts can access information-packed detection cards that contain a depth and breadth of information so that junior threat hunters can function as Tier 3 analysts.
Detection cards include details on the incident in progress; background information and clickable security framework references as well as a graphic of how the exploit works; risk factors for likelihood, complexity, and business impact; and finally, mitigation options for analysts to pursue.
With line-rate decryption, Reveal(x) also provides forensic-level detail for investigation into attacks that try to hide in SSL/TLS 1.3-encrypted traffic.
For the next blog in this series, we'll focus on lateral movement. Happy threat hunting!