The Origins of ARD
Automated Retrospective Detection (ARD) is a new feature of the ExtraHop Reveal(x) 360 network detection and response platform. ARD automatically searches through historical network data to find evidence of previously undiscovered threats as soon as new indicators of compromise (IOCs) emerge. It allows organizations to run new detections on old network data so they can more quickly and easily see if they’ve been compromised by a newly discovered threat. (ExtraHop customers who began using ARD when ExtraHop first released it in beta mode in v9.0 of Reveal(x) 360 may know the feature as Retrospective Threat Intelligence or Retrospective TI.)
ARD evolved from work ExtraHop did to help customers identify whether SUNBURST had infected their environments. (SUNBURST is the name of the malware used in the SolarWinds supply chain attack that attackers were able to deploy months before the attack campaign was discovered.)
While helping customers respond to SUNBURST, ExtraHop saw a common need “to go back in time” and search historical records to find out if and when an organization had been compromised. To that end, an ExtraHop threat researcher created a Python script that queried the Reveal(x) API and went through the customer’s record store to look for associated IOCs, including the DNS and IP address associated with the attack.
Although the script was intended as a temporary fix, customers appreciated the powerful new functionality, which gave ExtraHop its first step toward a capability to look back into its record store for past malicious network activity and match it with industry-wide security events. The Python script evolved to become ExtraHop Threat Briefings, which apply ExtraHop-defined detectors in search of indicators of high-profile attacks and vulnerabilities like SUNBURST, Log4Shell, Spring4Shell, REvil ransomware, PrintNightmare, and more. Threat Briefings provide validated detections directly to end users within the Reveal(x) platform, helping analysts and incident responders cut through noise, prioritize investigations, and streamline response.
Now, ARD expands ExtraHop Threat Briefings to search historical network data for thousands of threats and exploits from the latest intelligence.
Major Advantages of ARD
- Relieves analysts of having to manually search through historical network records for threats
- Minimizes alert fatigue and false positives by prioritizing correlated threats
- Allows organizations to detect ongoing, previously undetectable attack campaigns earlier
- Identifies vulnerable endpoints
- Works with ExtraHop Threat Briefings
- Comes at no additional cost (no query cost, either)
How ARD Works
Reveal(x) 360 combines three powerful and differentiated capabilities to deliver ARD: a curated threat intelligence feed, the Reveal(x) 360 cloud record store, and a cloud analytics engine able to automate querying while continuously analyzing network traffic using artificial intelligence and machine learning.
ARD produces detections based on a huge amount of the most up-to-date threat intelligence by automatically searching historical network data in the ExtraHop Reveal(x) 360 cloud record store for related IOCs. This capability eliminates a significant blind spot for customers, enabling them to see more, know more, and stop more threats.
ARD automatically correlates new IOCs from threat intelligence data with packets and all other historical network activity to quickly spot threats that previously slipped past other security tools. In this manner, ARD continually assesses and verifies the security of an organization’s network as soon as new IOCs are ingested. It lets security teams know if their organization was compromised before IOCs were available and allows organizations to catch past compromises.
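The mechanism described above (and the original retrospective script mentioned under "The Origins of ARD") boils down to matching newly published IOCs against records that were captured before anyone knew those indicators were malicious. The following Python sketch is an added illustration of that retrospective sweep, not ExtraHop's script and not the Reveal(x) API: it assumes historical DNS and flow records are available as dictionaries, uses constructed sample records and IOCs with placeholder domains and TEST-NET addresses, and flags any hit whose timestamp predates the IOC's publication, which is exactly the "compromised before IOCs were available" case the text describes. Domain matching is suffix-aware (a subdomain of a listed domain matches, but an unrelated name that merely ends in the same characters does not), and IP matching accepts single addresses or CIDR blocks.

```python
"""Retrospective IOC sweep over historical network records (illustrative)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import Dict, List


@dataclass(frozen=True)
class Ioc:
    kind: str            # "domain" or "ip" (ip may be a single address or CIDR)
    value: str
    published: datetime  # when the indicator became publicly known
    threat: str


@dataclass(frozen=True)
class Match:
    record_time: datetime
    client: str
    ioc: Ioc
    evidence: str
    predates_intel: bool  # activity happened before the IOC was published


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample threat intelligence (placeholder domains / TEST-NET ranges).
CONSTRUCTED_IOCS = [
    Ioc("domain", "update.badcdn.test", _ts("2024-03-10T00:00:00"), "constructed-campaign-A"),
    Ioc("ip", "203.0.113.0/24", _ts("2024-03-10T00:00:00"), "constructed-campaign-A"),
    Ioc("domain", "login.phish.test", _ts("2024-02-01T00:00:00"), "constructed-campaign-B"),
]

# Constructed sample historical records, as a record store query might return them.
CONSTRUCTED_RECORDS = [
    {"ts": "2024-01-15T08:12:00", "type": "dns", "client": "10.0.0.5", "query": "api.update.badcdn.test."},
    {"ts": "2024-01-15T08:12:03", "type": "flow", "client": "10.0.0.5", "server_ip": "203.0.113.77", "server_port": 443},
    {"ts": "2024-01-20T11:00:00", "type": "dns", "client": "10.0.0.5", "query": "notbadcdn.test"},
    {"ts": "2024-02-20T10:00:00", "type": "dns", "client": "10.0.0.9", "query": "www.example.test"},
    {"ts": "2024-03-12T09:30:00", "type": "dns", "client": "10.0.0.9", "query": "login.phish.test"},
    {"ts": "2024-03-12T09:31:00", "type": "flow", "client": "10.0.0.9", "server_ip": "198.51.100.4", "server_port": 80},
]


def domain_matches(query: str, ioc_domain: str) -> bool:
    """True if the queried name is the IOC domain or a subdomain of it (label-aware)."""
    q = query.lower().rstrip(".")
    d = ioc_domain.lower().rstrip(".")
    return q == d or q.endswith("." + d)


def ip_matches(addr: str, ioc_value: str) -> bool:
    """True if addr falls inside the IOC address or CIDR block."""
    try:
        return ip_address(addr) in ip_network(ioc_value, strict=False)
    except ValueError:
        return False


def retrospective_sweep(records: List[dict], iocs: List[Ioc]) -> List[Match]:
    """Re-run the current IOC set against every historical record, oldest hit first."""
    matches: List[Match] = []
    for r in records:
        t = _ts(r["ts"])
        for ioc in iocs:
            if r["type"] == "dns" and ioc.kind == "domain" and domain_matches(r["query"], ioc.value):
                matches.append(Match(t, r["client"], ioc, f"dns query {r['query']}", t < ioc.published))
            elif r["type"] == "flow" and ioc.kind == "ip" and ip_matches(r["server_ip"], ioc.value):
                ev = f"connection to {r['server_ip']}:{r['server_port']}"
                matches.append(Match(t, r["client"], ioc, ev, t < ioc.published))
    return sorted(matches, key=lambda m: m.record_time)


def summarize(matches: List[Match]) -> Dict[str, dict]:
    """Per-client rollup: earliest contact, threats involved, and whether any hit predates intel."""
    out: Dict[str, dict] = {}
    for m in matches:
        entry = out.setdefault(m.client, {"first_seen": m.record_time, "threats": set(), "predates_intel": False})
        entry["first_seen"] = min(entry["first_seen"], m.record_time)
        entry["threats"].add(m.ioc.threat)
        entry["predates_intel"] = entry["predates_intel"] or m.predates_intel
    for entry in out.values():
        entry["threats"] = sorted(entry["threats"])
    return out


if __name__ == "__main__":
    hits = retrospective_sweep(CONSTRUCTED_RECORDS, CONSTRUCTED_IOCS)
    for m in hits:
        flag = "PRE-INTEL" if m.predates_intel else "post-intel"
        print(f"{m.record_time.isoformat()} {m.client} {m.ioc.threat} {m.evidence} [{flag}]")
    for client, s in summarize(hits).items():
        print(client, s["first_seen"].isoformat(), s["threats"], "predates_intel=", s["predates_intel"])
```

On the constructed data the sweep returns three hits: two from 10.0.0.5 in January, both flagged as predating the March publication of campaign A's indicators (the situation ARD is built to surface), and one from 10.0.0.9 that occurred after campaign B's indicators were already known. The `notbadcdn.test` query is deliberately not a hit, to show why naive substring matching on domains produces false positives.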
Where to Find ARD in Reveal(x) 360
Customers can find ARD on the expanded and enhanced Threat Briefings page in Reveal(x) 360.
Figure 1: Threat Briefings page in Reveal(x)
Threat briefings cover the following occurrences:
- Industry-wide security events, where Reveal(x) surfaces detections related to known compromises
- Security analysis briefings, which provide machine-learning analysis specific to a customer’s network
- Automated Retrospective Detection briefings, which detect new IOCs in updated ExtraHop-curated threat intelligence collections
Threat briefings contain detections of scans, exploits, and IOCs related to various threats. The information in each briefing varies depending on the type of threat. Information related to each briefing is cloud-updated as details emerge about IOCs, potential attack vectors, and known risks.
Figure 2: Reveal(x) 360 showing open detections on a specific ARD (RTI) briefing
Figure 3: Details about the ARD (RTI) briefing
Figure 4: Identifies offender and victim, empowers end users to take action and explore details including any associated records
Threat briefings are available from the top-left corner of the Security Overview page. Click any title to go to the detail page for that briefing. The detail page is updated as more information is discovered.
Here are some ways security teams can keep track of threat briefings:
- Create a threat briefing notification rule to receive emails when a new threat briefing appears.
- Click “Create Investigation” from the detail page to add the detections associated with the briefing to an investigation.
- Click “Archive Briefing” from the detail page when you no longer want to monitor a briefing; if the briefing gets updated, it will automatically be restored and a notification email will be sent. End users can view older briefings in the archived section on the Threat Briefing page. Click “Restore Briefing” on the detail page to move the briefing back to the active section of the Threat Briefing page.
To learn more about ARD, download the solution brief.