Strategic Decryption

• Other tools use Encrypted Traffic Analysis (ETA), which fails to detect most modern attacks and misses the necessary historical data for rapid response.

ExtraHop both decrypts and decodes Kerberos traffic. By correlating Kerberos activity with network traffic, ExtraHop can trace an attacker's movement across the network. This enables ExtraHop to detect unusual patterns, identify compromised accounts and devices, and detect the following types of attacks:

• Golden Ticket Attacks: These attacks involve forging Kerberos tickets to gain persistent access. Extrahop detects the suspicious forged tickets and tracks who is using them.
• Silver Ticket Attacks: These attacks involve forging tickets for very specific services or actions. ExtraHop identifies the forged tickets.
• Pass-the-Hash/Pass-the-Ticket: Attackers reuse stolen Kerberos tickets or hashes. ExtaHop can reveal these reused credentials.
• Excessive Ticket Granting: A sudden surge in Kerberos ticket requests from a specific user or device is a red flag. ExtraHop can detect and show this in real-time, allowing the SOC to respond before the blast radius is too large
  
  

Access to Sensitive Resources: Monitoring Kerberos requests reveals unauthorized access attempts to critical servers or data stores. ExtraHop excels at tracking access to sensitive assets from anywhere on the network.

RMM tools, by design, have extensive privileges and remote control capabilities. This makes them a prime target for cyberattackers. Attackers can use these protocols and remote management tools to gain access to other machines and move laterally on the network after initially compromising one system. Both Proofpoint and Crowdstrike reported a sharp increase in RMM tool abuse as an attack vector. An example of threat groups exploiting RMM for first-stage use cases is TA583, a highly active unit that runs multiple campaigns a day, most of them using RMM.

ExtraHop’s RevealX can automatically identify RMM tools, detect RMM tool abuse, and track all the devices accessed by the suspicious RMM user. RevealX also provides packet forensics that look at the files transferred over the network, and carve out the actual file from packets transferred over the wire - allowing the SOC to quickly identify and stop malware before it spreads.

Microsoft authentication protocols such as MSRPC, as well as application protocols such as SMBV3, are commonly abused by attackers to maintain stealth while using encrypted living-off-the-land techniques.

When our organization was hit by DarkSide ransomware, ExtraHop RevealX(x) alerted us to activity at the very outset of the attack. We were able to use that information to act quickly to stop further exfiltration and encryption.