Sign In
Strategic Decryption
Detect and Stop the New Breed of Encrypted Attacks
The new class of attack techniques take advantage of recently released exploits. Encryption can be used to mask the exploitation of 60% of the most frequently targeted network vulnerabilities. Can you see them coming?
Ransomware Attacks
delivered through encrypted channels
Attackers Can Hide
in encrypted traffic on your critical infrastructure
High-Risk Vulnerabilities
that are leveraging encrypted pathways
How Attackers Use Encryption to Live Off the Land
Advanced attackers use encryption to decrease the likelihood of being caught and reduce the effectiveness of forensic investigation. As the use of encrypted protocols for network traffic inside the enterprise increases, attackers are finding that the stealthy channels they need are ready-made for them inside their target networks.
A new breed of attack technique is rapidly developing to take advantage of these preexisting encrypted channels.
Attackers use these techniques in many ways, including:
- Privilege escalation and persistence through Kerberos ticket attacks
- Using commonly encrypted protocols to rapidly and broadly distribute ransomware or other malicious files without detection
- Data exfiltration from databases, storage clusters, or cloud storage across encrypted protocols
How the City of Dallas Leverages RevealX for Unmatched Network Visibility
RevealX Detects Threats Other Tools Miss
Other tools use Encrypted Traffic Analysis (ETA), which fails to detect most modern attacks and misses the necessary historical data for rapid response.
RevealX uses targeted decryption to expose the new breed of advanced threats, detect malware in encrypted traffic, and help you take back the advantage from cyberattackers.
Kerberos & Golden Ticket Attacks
ExtraHop both decrypts and decodes Kerberos traffic. By correlating Kerberos activity with network traffic, ExtraHop can trace an attacker's movement across the network. This enables ExtraHop to detect unusual patterns, identify compromised accounts and devices, and detect the following types of attacks:
- Golden Ticket Attacks: These attacks involve forging Kerberos tickets to gain persistent access. Extrahop detects the suspicious forged tickets and tracks who is using them.
- Silver Ticket Attacks: These attacks involve forging tickets for very specific services or actions. ExtraHop identifies the forged tickets.
- Pass-the-Hash/Pass-the-Ticket: Attackers reuse stolen Kerberos tickets or hashes. ExtaHop can reveal these reused credentials.
- Excessive Ticket Granting: A sudden surge in Kerberos ticket requests from a specific user or device is a red flag. ExtraHop can detect and show this in real-time, allowing the SOC to respond before the blast radius is too large
Access to Sensitive Resources: Monitoring Kerberos requests reveals unauthorized access attempts to critical servers or data stores. ExtraHop excels at tracking access to sensitive assets from anywhere on the network.
Remote Monitoring and Management (RMM) Exploitation Attacks
RMM tools, by design, have extensive privileges and remote control capabilities. This makes them a prime target for cyberattackers. Attackers can use these protocols and remote management tools to gain access to other machines and move laterally on the network after initially compromising one system. Both Proofpoint and Crowdstrike reported a sharp increase in RMM tool abuse as an attack vector. An example of threat groups exploiting RMM for first-stage use cases is TA583, a highly active unit that runs multiple campaigns a day, most of them using RMM.
ExtraHop’s RevealX can automatically identify RMM tools, detect RMM tool abuse, and track all the devices accessed by the suspicious RMM user. RevealX also provides packet forensics that look at the files transferred over the network, and carve out the actual file from packets transferred over the wire - allowing the SOC to quickly identify and stop malware before it spreads.
Microsoft Protocol Attacks
Microsoft authentication protocols such as MSRPC, as well as application protocols such as SMBV3, are commonly abused by attackers to maintain stealth while using encrypted living-off-the-land techniques.
When our organization was hit by DarkSide ransomware, ExtraHop RevealX(x) alerted us to activity at the very outset of the attack. We were able to use that information to act quickly to stop further exfiltration and encryption.
When our organization was hit by DarkSide ransomware, ExtraHop Reveal(x) alerted us to activity at the very outset of the attack. We were able to use that information to act quickly to stop further exfiltration and encryption.
LARGE NORTH AMERICAN RETAILER
