Strategic Decryption

Detect and Stop the New Breed of Encrypted Attacks

The new class of attack techniques take advantage of recently released exploits. Encryption can be used to mask the exploitation of 60% of the most frequently targeted network vulnerabilities. Can you see them coming?

Ransomware Attacks

delivered through encrypted channels

Attackers Can Hide

in encrypted traffic on your critical infrastructure

High-Risk Vulnerabilities

that are leveraging encrypted pathways

How Attackers Use Encryption to Live Off the Land

Advanced attackers use encryption to decrease the likelihood of being caught and reduce the effectiveness of forensic investigation. As the use of encrypted protocols for network traffic inside the enterprise increases, attackers are finding that the stealthy channels they need are ready-made for them inside their target networks.

A new breed of attack technique is rapidly developing to take advantage of these preexisting encrypted channels.

Attackers use these techniques in many ways, including:

Privilege escalation and persistence through Kerberos ticket attacks
Using commonly encrypted protocols to rapidly and broadly distribute ransomware or other malicious files without detection
Data exfiltration from databases, storage clusters, or cloud storage across encrypted protocols

How the City of Dallas Leverages RevealX for Unmatched Network Visibility

Read their story

RevealX Detects Threats Other Tools Miss

Other tools use Encrypted Traffic Analysis (ETA), which fails to detect most modern attacks and misses the necessary historical data for rapid response.

RevealX uses targeted decryption to expose the new breed of advanced threats, detect malware in encrypted traffic, and help you take back the advantage from cyberattackers.

RevealX can decrypt TLS 1.3, as well as the most exploited Microsoft protocols, including SMBv3, Kerberos, Active Directory, MSRPC, and more. This means RevealX can catch advanced threats that are invisible to ETA-based solutions.

Kerberos & Golden Ticket Attacks

ExtraHop both decrypts and decodes Kerberos traffic. By correlating Kerberos activity with network traffic, ExtraHop can trace an attacker's movement across the network. This enables ExtraHop to detect unusual patterns, identify compromised accounts and devices, and detect the following types of attacks:

Golden Ticket Attacks: These attacks involve forging Kerberos tickets to gain persistent access. Extrahop detects the suspicious forged tickets and tracks who is using them.
Silver Ticket Attacks: These attacks involve forging tickets for very specific services or actions. ExtraHop identifies the forged tickets.
Pass-the-Hash/Pass-the-Ticket: Attackers reuse stolen Kerberos tickets or hashes. ExtaHop can reveal these reused credentials.
Excessive Ticket Granting: A sudden surge in Kerberos ticket requests from a specific user or device is a red flag. ExtraHop can detect and show this in real-time, allowing the SOC to respond before the blast radius is too large

Access to Sensitive Resources: Monitoring Kerberos requests reveals unauthorized access attempts to critical servers or data stores. ExtraHop excels at tracking access to sensitive assets from anywhere on the network.

Remote Monitoring and Management (RMM) Exploitation Attacks

RMM tools, by design, have extensive privileges and remote control capabilities. This makes them a prime target for cyberattackers. Attackers can use these protocols and remote management tools to gain access to other machines and move laterally on the network after initially compromising one system. Both Proofpoint and Crowdstrike reported a sharp increase in RMM tool abuse as an attack vector. An example of threat groups exploiting RMM for first-stage use cases is TA583, a highly active unit that runs multiple campaigns a day, most of them using RMM.

ExtraHop’s RevealX can automatically identify RMM tools, detect RMM tool abuse, and track all the devices accessed by the suspicious RMM user. RevealX also provides packet forensics that look at the files transferred over the network, and carve out the actual file from packets transferred over the wire - allowing the SOC to quickly identify and stop malware before it spreads.

Microsoft Protocol Attacks

Microsoft authentication protocols such as MSRPC, as well as application protocols such as SMBV3, are commonly abused by attackers to maintain stealth while using encrypted living-off-the-land techniques.

When our organization was hit by DarkSide ransomware, ExtraHop RevealX(x) alerted us to activity at the very outset of the attack. We were able to use that information to act quickly to stop further exfiltration and encryption.

When our organization was hit by DarkSide ransomware, ExtraHop Reveal(x) alerted us to activity at the very outset of the attack. We were able to use that information to act quickly to stop further exfiltration and encryption.

LARGE NORTH AMERICAN RETAILER

Additional reading on decryption

Blog

How RevealX Combats 5 Top Microsoft Exploits

Read the blog

Blog

Detecting RMM Software with ExtraHop

Read the blog

Whitepaper

RevealX™ and the MITRE ATT&CK® Framework

How RevealX Differentiators Fuel Breadth and Depth of MITRE ATT&CK Coverage

Professional Services

Partners

Partner Login

Partner Finder

View All Use Cases

View All Industries

View All Integrations

Strategic Decryption

Detect and Stop the New Breed of Encrypted Attacks

The new class of attack techniques take advantage of recently released exploits. Encryption can be used to mask the exploitation of 60% of the most frequently targeted network vulnerabilities. Can you see them coming?

Ransomware Attacks

delivered through encrypted channels

Attackers Can Hide

in encrypted traffic on your critical infrastructure

High-Risk Vulnerabilities

that are leveraging encrypted pathways

How Attackers Use Encryption to Live Off the Land

Attackers use these techniques in many ways, including:

How the City of Dallas Leverages RevealX for Unmatched Network Visibility

Read their story

RevealX Detects Threats Other Tools Miss

Other tools use Encrypted Traffic Analysis (ETA), which fails to detect most modern attacks and misses the necessary historical data for rapid response.

RevealX uses targeted decryption to expose the new breed of advanced threats, detect malware in encrypted traffic, and help you take back the advantage from cyberattackers.

RevealX can decrypt TLS 1.3, as well as the most exploited Microsoft protocols, including SMBv3, Kerberos, Active Directory, MSRPC, and more. This means RevealX can catch advanced threats that are invisible to ETA-based solutions.

Kerberos & Golden Ticket Attacks

Remote Monitoring and Management (RMM) Exploitation Attacks

Microsoft Protocol Attacks

When our organization was hit by DarkSide ransomware, ExtraHop Reveal(x) alerted us to activity at the very outset of the attack. We were able to use that information to act quickly to stop further exfiltration and encryption.

Additional reading on decryption

How RevealX Combats 5 Top Microsoft Exploits

Read the blog

Detecting RMM Software with ExtraHop

Read the blog

RevealX™ and the MITRE ATT&CK® Framework

Download the paper

The new class of attack techniques take advantage of recently released exploits. Encryption can be used to mask the exploitation of 60% of the most frequently targeted network vulnerabilities. Can you see them coming?

Ransomware Attacks

delivered through encrypted channels

Attackers Can Hide

in encrypted traffic on your critical infrastructure

High-Risk Vulnerabilities

that are leveraging encrypted pathways

How Attackers Use Encryption to Live Off the Land

Attackers use these techniques in many ways, including:

How the City of Dallas Leverages RevealX for Unmatched Network Visibility

Read their story

RevealX Detects Threats Other Tools Miss

Other tools use Encrypted Traffic Analysis (ETA), which fails to detect most modern attacks and misses the necessary historical data for rapid response.

RevealX uses targeted decryption to expose the new breed of advanced threats, detect malware in encrypted traffic, and help you take back the advantage from cyberattackers.

RevealX can decrypt TLS 1.3, as well as the most exploited Microsoft protocols, including SMBv3, Kerberos, Active Directory, MSRPC, and more. This means RevealX can catch advanced threats that are invisible to ETA-based solutions.

Kerberos & Golden Ticket Attacks

Remote Monitoring and Management (RMM) Exploitation Attacks

Microsoft Protocol Attacks

Additional reading on decryption

How RevealX Combats 5 Top Microsoft Exploits

Read the blog

Detecting RMM Software with ExtraHop

Read the blog

RevealX™ and the MITRE ATT&CK® Framework

Download the paper