Detect and Stop the New Breed of Encrypted Attacks
The new class of attack techniques take advantage of recently released exploits. Encryption can be used to mask the exploitation of 60% of the most frequently targeted network vulnerabilities. Can you see them coming?
delivered through encrypted channels
off the Land
in encrypted traffic on your critical infrastructure
that are leveraging encrypted pathways
How Attackers Use Encryption to Live Off the Land
Advanced attackers use encryption to decrease the likelihood of being caught and reduce the effectiveness of forensic investigation. As the use of encrypted protocols for network traffic inside the enterprise increases, attackers are finding that the stealthy channels they need are ready-made for them inside their target networks.
A new breed of attack technique is rapidly developing to take advantage of these preexisting encrypted channels.
Attackers use these techniques in many ways, including:
- Privilege escalation and persistence through Kerberos ticket attacks
- Using commonly encrypted protocols to rapidly and broadly distribute ransomware or other malicious files without detection
- Data exfiltration from databases, storage clusters, or cloud storage across encrypted protocols
Reveal(x) Detects Threats Other Tools Miss
Other tools use Encrypted Traffic Analysis (ETA), which fails to detect most modern attacks and misses the necessary historical data for rapid response.
Reveal(x) uses targeted decryption to expose the new breed of advanced threats, detect malware in encrypted traffic, and help you take back the advantage from cyberattackers.
Reveal(x) can decrypt TLS 1.3, as well as the most exploited Microsoft protocols, including SMBv3, Kerberos, Active Directory, MSRPC, and more. This means Reveal(x) can catch advanced threats that are invisible to ETA-based solutions.
PrintNightmare and Ransomware
The PrintNightmare vulnerability offers attackers an encrypted channel for lateral movement and distribution of ransomware. The vulnerability affects every version of Windows.
The Microsoft Exchange vulnerabilities known collectively as ProxyLogon enable remote code execution across an encrypted channel. The potential impact is enormous due to the ubiquity of Microsoft Exchange.
Microsoft authentication protocols such as Kerberos, as well as application protocols such as SMBV3, are commonly abused by attackers to maintain stealth while using encrypted living-off-the-land techniques.
When our organization was hit by DarkSide ransomware, ExtraHop Reveal(x) alerted us to activity at the very outset of the attack. We were able to use that information to act quickly to stop further exfiltration and encryption.
LARGE NORTH AMERICAN RETAILER
Gain comprehensive visibility into
Catch threats transmitting malware in
Gain deeper forensic data to confidently
scope and respond to threats.
Explore the Demo
Stop data exfiltration, insider threats, and more
with the full product demo.