LARGE NORTH AMERICAN RETAILER
Advanced attackers use encryption to decrease the likelihood of being caught and reduce the effectiveness of forensic investigation. As the use of encrypted protocols for network traffic inside the enterprise increases, attackers are finding that the stealthy channels they need are ready-made for them inside their target networks.
A new breed of attack technique is rapidly developing to take advantage of these preexisting encrypted channels.
Access to Sensitive Resources: Monitoring Kerberos requests reveals unauthorized access attempts to critical servers or data stores. ExtraHop excels at tracking access to sensitive assets from anywhere on the network.
RMM tools, by design, have extensive privileges and remote control capabilities. This makes them a prime target for cyberattackers. Attackers can use these protocols and remote management tools to gain access to other machines and move laterally on the network after initially compromising one system. Both Proofpoint and Crowdstrike reported a sharp increase in RMM tool abuse as an attack vector. An example of threat groups exploiting RMM for first-stage use cases is TA583, a highly active unit that runs multiple campaigns a day, most of them using RMM.
ExtraHop’s RevealX can automatically identify RMM tools, detect RMM tool abuse, and track all the devices accessed by the suspicious RMM user. RevealX also provides packet forensics that look at the files transferred over the network, and carve out the actual file from packets transferred over the wire - allowing the SOC to quickly identify and stop malware before it spreads.
Microsoft authentication protocols such as MSRPC, as well as application protocols such as SMBV3, are commonly abused by attackers to maintain stealth while using encrypted living-off-the-land techniques.
When our organization was hit by DarkSide ransomware, ExtraHop RevealX(x) alerted us to activity at the very outset of the attack. We were able to use that information to act quickly to stop further exfiltration and encryption.