DETECTION OVERVIEW
Risk Factors
Certain types of devices might only require a specific set of protocols for routine tasks. For example, VoIP phones communicate over the SIP and RTP protocols to send and receive calls and never communicate over SMB. If an attacker compromises a device on the network, they might conduct malicious activity (such as exfiltration or scanning) over unconventional protocols. Unconventional protocol activity should be examined before it enables critical or costly attacks.
The system might change the risk score for this detection.
Kill Chain
Risk Score
60
An adversary can choose from many attack techniques to compromise a device, from performing supply-chain attacks to exploiting unknown (zero-day) vulnerabilities. This detection surfaces stealthy attack behavior attributed to a number of techniques by identifying unconventional behavior of a compromised device. First, the ExtraHop system observes the network behavior of each device on the network and looks for similarities among their protocol and host interactions. Next, the ExtraHop system applies a clustering algorithm that identifies groups of devices that behave similarly. Over time, as new behaviors are observed, the ExtraHop system can detect when a device is no longer acting conventionally compared to similar devices.
The following diagram shows one example scenario with several clusters of similarly behaving devices, where an R&D build server is compromised through a supply-chain attack and starts communicating with an HR file share over the SSH protocol. The new behavior of this compromised server is unconventional compared to the behavior of similar R&D build servers.
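The peer-group comparison described above, as an added illustration that is not ExtraHop's code: constructed baseline flows are turned into per-device (protocol, host) profiles, devices with overlapping profiles are grouped into clusters, and a later flow is flagged when neither the device nor any peer in its cluster has shown that interaction. Device names, hosts, the Jaccard threshold and the single-linkage grouping are all assumptions made for this example.

```python
from collections import defaultdict
from itertools import combinations
# Constructed baseline observations: (device, protocol, host). Not real traffic.
BASELINE = [
    ("build-01", "SSH", "git.internal"), ("build-01", "HTTP", "artifacts.internal"),
    ("build-02", "SSH", "git.internal"), ("build-02", "HTTP", "artifacts.internal"),
    ("build-03", "SSH", "git.internal"), ("build-03", "HTTP", "artifacts.internal"),
    ("voip-01", "SIP", "pbx.internal"), ("voip-01", "RTP", "pbx.internal"),
    ("voip-02", "SIP", "pbx.internal"), ("voip-02", "RTP", "pbx.internal"),
]
# Constructed post-baseline traffic: one build server reaches an HR file share over SSH.
NEW_FLOWS = [
    ("build-02", "HTTP", "artifacts.internal"),    # routine for this peer group
    ("build-02", "SSH", "hr-fileshare.internal"),  # SSH is routine, this host is not
    ("voip-01", "SMB", "hr-fileshare.internal"),   # protocol no phone has used
]

def build_profiles(flows):
    """Per-device set of (protocol, host) interactions seen during baselining."""
    profiles = defaultdict(set)
    for device, proto, host in flows:
        profiles[device].add((proto, host))
    return dict(profiles)

def jaccard(a, b):
    """Overlap between two interaction sets; 0.0 when both are empty."""
    return len(a & b) / len(a | b) if a | b else 0.0

def cluster_devices(profiles, threshold=0.5):
    """Single-linkage peer groups (union-find): profiles overlapping at or above threshold share a cluster."""
    parent = {d: d for d in profiles}
    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x
    for a, b in combinations(profiles, 2):
        if jaccard(profiles[a], profiles[b]) >= threshold:
            parent[find(a)] = find(b)
    groups = defaultdict(set)
    for d in profiles:
        groups[find(d)].add(d)
    return sorted(groups.values(), key=min)

def find_unconventional(profiles, clusters, new_flows):
    """Flag interactions that neither the device nor any cluster peer showed during
    baselining; a device with no peers is judged on its own history only."""
    peer_group = {d: c for c in clusters for d in c}
    known = {d: set().union(*(profiles.get(p, set()) for p in peer_group.get(d, {d})))
             for d in {f[0] for f in new_flows}}
    return [(d, proto, host) for d, proto, host in new_flows if (proto, host) not in known[d]]
```

Running `find_unconventional(build_profiles(BASELINE), cluster_devices(build_profiles(BASELINE)), NEW_FLOWS)` returns only the two flows that no peer group member has exhibited; the routine HTTP flow is not reported.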
Remove or disable any extraneous applications, services, and daemons on the device
Quarantine the device while checking for indicators of compromise, such as the presence of malware
Implement strong authentication methods for remote access services
Implement network segmentation and the principle of least privilege on accounts to minimize the damage caused by a compromised device