Sign In
- Platform
- Solutions
- Modern NDR
- Resources
- Company
Platform
Modern NDR
Resources
Platform
Modern NDR
Resources
DETECTION OVERVIEW
Risk Factors
Certain high value devices might only require a specific set of protocols for routine tasks. A high value device that initiates unusual protocol connections might indicate command-and-control (C&C) communication with an attacker-controlled server. High value devices are frequent targets for advanced persistent threat (APT) groups. Depending on which high value device was compromised, attackers might gain direct access to devices on a network or sensitive data.
The system might change the risk score for this detection.
Kill Chain
Risk Score
71
An adversary can choose from many attack techniques to install malware on a high value device, from performing supply-chain attacks to exploiting unknown (zero-day) vulnerabilities. Malware then initiates an outbound connection to an attacker-controlled server outside the network. The malware can send data to the attacker or receive malicious commands over a C&C connection.
The ExtraHop system detects C&C connections from high value devices by observing historical behavior. High value devices are designated by users or by the ExtraHop system, which automatically identifies high value devices based on their influence on network services. High value devices are often specialized to perform essential services and might be associated with specific behaviors. Malware might cause a compromised device to exhibit unusual behavior, such as outbound connections to new external endpoints over new protocols.
The following diagram shows one example scenario where malware installed on a high value device initiates an outbound connection to an attacker.
Block unnecessary protocols at the network perimeter
Quarantine the device while checking for indicators of compromise, such as the presence of malware
Implement network segmentation and the principle of least privilege on accounts to minimize the damage caused by a compromised device
