Attack tools and techniques can change over time, but attack behaviours remain a stable indicator of attackers within the network. Using attack behaviour as a high-fidelity signal allows you to take action quickly to stop attacks or prevent further damage.
Using network metadata, you can create detections that target specific attack tools, exploits, or techniques. These detections can be used to give an early indication of low-level attacker activity or be used to label the tools and exploits used by attackers for behavioural detections.
Vectra delivers best-in-class AI and ML models for exposing attackers within your network by focusing on these stable attacker behaviours. We also provide Zeek-formatted network metadata you can consume either with our Vectra Recall product, or direct to your security information event management (SIEM) with our Vectra Stream offering. You can use our network metadata to supplement built-in AI and ML-based behavioural detections to discover attacker tools and exploits.
The building blocks of finding attacker tools and exploits
Combining Vectra network metadata and a variety of techniques can help identify attacker tools and exploits within your network. These techniques can be used separately or together to create either generalized matching against classes of tools or exploits, or very specialized matches against specific tools or exploits.
Some of the basic network metadata building blocks for finding attacker tools and exploits are:
- DNS domains
Is the DNS domain a known bad domain? WannaCry, for example, used a DNS domain as a kill switch, while other malware families use DNS for C2 and for data exfiltration.
- Certificate issuer
Is the certificate issuer the expected and trusted root? Cheap or free certificate issuers are frequently used with domain squatting to intercept traffic via man-in-the-middle attacks (MITM) to steal credentials.
- Source and destination IPs
Is the source or destination subnet known to be bad or suspicious? IP addresses can be used to identify unusual or suspicious traffic within your network.
- User agents
Are the user agents expected within this network or subnet? The user agent string identifies the browser or client framework making a request, so a user agent that does not belong in a given subnet can signal unusual or suspicious usage.
- JA3/JA3S hashes
Is the client or server a known bad actor? JA3 fingerprints TLS clients (JA3) from the fields of the ClientHello and servers (JA3S) from the fields of the ServerHello, so a hash can identify a known tool or framework regardless of the IP or domain it talks to. (Check out this blog for more ways to use JA3/JA3S hashes in threat investigations and hunting.)
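To show how these five building blocks combine into a simple metadata match, here is an added example (not Vectra's code and not part of the original post) that runs Zeek-style dns, ssl, http and conn records through one labelling function. Every indicator value, the internal domain suffix, the log records and the record field names beyond Zeek's standard ones (the `ja3`/`ja3s` fields assume the JA3 Zeek package is loaded) are constructed placeholders for illustration, not real IoCs.

```python
"""Label Zeek-style network metadata records against the building blocks
named above: DNS domains, certificate issuer, source/destination IPs,
user agents and JA3/JA3S hashes.

Added example. All indicator sets and sample records are constructed
placeholders, not real indicators and not Vectra data."""
import ipaddress
from dataclasses import dataclass

# Constructed indicator sets (placeholders only).
BAD_DOMAINS = {"kill-switch.example.invalid", "c2.example.invalid"}
INTERNAL_SUFFIX = ".corp.example"          # hypothetical internal DNS suffix
TRUSTED_ISSUERS = {"CN=Corp Root CA,O=Example Corp"}
SUSPICIOUS_SUBNETS = [ipaddress.ip_network("198.51.100.0/24")]  # TEST-NET-2
EXPECTED_UA_PREFIXES = ("Mozilla/5.0 (Windows NT 10.0", "CorpUpdater/")
BAD_JA3 = {"deadbeef" * 4}                  # placeholder 32-hex JA3 hash
BAD_JA3S = {"cafebabe" * 4}                 # placeholder 32-hex JA3S hash


@dataclass
class Finding:
    uid: str        # Zeek connection uid the label attaches to
    label: str      # which building block matched
    evidence: str   # the field and value that triggered it


def _in_suspicious_subnet(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in SUSPICIOUS_SUBNETS)


def _is_bad_domain(name: str) -> bool:
    # Match the domain itself and any subdomain of it.
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in BAD_DOMAINS)


def match_record(rec: dict) -> list[Finding]:
    """Apply every applicable building-block check to one Zeek record."""
    uid = rec.get("uid", "?")
    found: list[Finding] = []
    # IP check applies to every log type that carries the conn 4-tuple.
    for side in ("id.orig_h", "id.resp_h"):
        ip = rec.get(side)
        if ip and _in_suspicious_subnet(ip):
            found.append(Finding(uid, "suspicious_subnet", f"{side}={ip}"))
    path = rec.get("_path")
    if path == "dns":
        query = rec.get("query", "")
        if _is_bad_domain(query):
            found.append(Finding(uid, "bad_domain", f"query={query}"))
    elif path == "ssl":
        sni = rec.get("server_name", "")
        issuer = rec.get("issuer")
        # An internal server name should chain to the corporate root CA.
        if issuer and sni.endswith(INTERNAL_SUFFIX) and issuer not in TRUSTED_ISSUERS:
            found.append(Finding(uid, "untrusted_issuer", f"issuer={issuer}"))
        if rec.get("ja3") in BAD_JA3:
            found.append(Finding(uid, "bad_ja3", f"ja3={rec['ja3']}"))
        if rec.get("ja3s") in BAD_JA3S:
            found.append(Finding(uid, "bad_ja3s", f"ja3s={rec['ja3s']}"))
    elif path == "http":
        ua = rec.get("user_agent", "")
        if ua and not ua.startswith(EXPECTED_UA_PREFIXES):
            found.append(Finding(uid, "unexpected_user_agent", f"user_agent={ua}"))
    return found


def run(records: list[dict]) -> list[Finding]:
    return [f for rec in records for f in match_record(rec)]


def labels_by_uid(records: list[dict]) -> dict[str, list[str]]:
    """Group matched labels per connection uid for quick triage."""
    out: dict[str, list[str]] = {}
    for f in run(records):
        out.setdefault(f.uid, []).append(f.label)
    return out


# Constructed sample records in Zeek JSON-log shape (placeholder values).
SAMPLE_RECORDS = [
    {"_path": "dns", "uid": "C1", "id.orig_h": "10.0.0.5", "id.resp_h": "10.0.0.53",
     "query": "www.kill-switch.example.invalid"},
    {"_path": "ssl", "uid": "C2", "id.orig_h": "10.0.0.5", "id.resp_h": "10.0.1.7",
     "server_name": "mail.corp.example", "issuer": "CN=Free Issuer,O=Cheap Certs",
     "ja3": "0" * 32, "ja3s": "cafebabe" * 4},
    {"_path": "http", "uid": "C3", "id.orig_h": "10.0.0.9", "id.resp_h": "198.51.100.20",
     "user_agent": "python-requests/2.31"},
    {"_path": "conn", "uid": "C4", "id.orig_h": "10.0.0.9", "id.resp_h": "10.0.0.53"},
    {"_path": "http", "uid": "C5", "id.orig_h": "10.0.0.9", "id.resp_h": "10.0.1.8",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) CorpBrowser"},
]

if __name__ == "__main__":
    for uid, labels in labels_by_uid(SAMPLE_RECORDS).items():
        print(uid, labels)
```

Each check is deliberately scoped the way the questions above are phrased: the issuer check only fires for names under the internal suffix, where the corporate root is expected, and the user-agent check is an allowlist per network rather than a global denylist, which is what keeps both from being noisy.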
Curated searches with Vectra Recall
Building good searches can be hard, even when you have the best tools and building blocks at your disposal! Some searches will be too broad and noisy, whereas others might miss a real threat because of a slightly narrowed scope in the search.
But Vectra’s got your back! Our security research and data science team continuously invests in new searches that target specific exploits, tools and frameworks. These searches are published to our Recall platform and give you a head-start in finding and labelling low-level attack behaviour in your network.
In the recent past, we have created and published high-quality Recall searches for the following threats and vulnerabilities:
- Citrix ADC vulnerability (CVE-2019-19781)
- Curveball vulnerability in Microsoft cryptographic libraries (CVE-2020-0601)
- Pupy Remote Access Trojan, observed to be used by well-known APTs
- Fox Kitten Campaign, used by APTs targeting VPN vulnerabilities
These new additions complement our extensive library of existing searches that can help find and label threats using the following exploits and tools:
- Cobalt Strike
- Kali Linux
- And many more known bad Tactics, Techniques & Procedures (TTPs)
Automating searches with Vectra Recall Custom Models
High-quality searches are valuable for investigations, but they can be time-consuming to create and test. Let Vectra do the hard work. With Recall Custom Models, we can automate these searches for detections in near real-time. Simply enable “Custom Model” detections for a Vectra Recall search to automatically match and alert when matches are found.
Enabling Custom Models for an attack tool, exploit or TTP enables you to quickly and easily track low-level attack behaviour within your network before it becomes a full-blown attack. Labelling such activity also enables faster and more effective response by identifying the attacker playbooks.