Detecting ZeroLogon with Zero Signatures

By:
Stephen Malone
September 22, 2020

Fast-moving critical vulnerabilities and zero-days expose the weakness of legacy cybersecurity products that rely on signatures to match threats. Signatures are useful for providing continued protection against known and historic threats, but they can do little against a new threat until the vulnerability is found by security researchers and a new signature is created. Exploitable vulnerabilities can exist for years before they are found by security research, leaving you exposed and vulnerable. For a vulnerability such as ZeroLogon, given the power and speed of the exploit, any delay in protection could see the end of your business.

Vectra however has a fundamentally different approach to cybersecurity. Vectra's sophisticated attacker behavior AI/ML models are designed to detect attack behavior regardless of the specific tools or signatures used in the attack. As such, Cognito Detect customers have substantial detection capabilities for attack campaigns that might leverage this new vulnerability — even before the vulnerability was announced.

It has been a busy time for these legacy cybersecurity products as they scramble to create signatures and give their customers some level of protection against this exploit. Those new signatures will help, of course, but for some they will come too late, and it is only a matter of time before the exploits change slightly to circumvent these protections. In recent days we have seen many of our competitors (ExtraHop, CoreLight & Awake, for example) scrambling to release new ZeroLogon signatures after the vulnerability disclosure. What about before that? Was there any coverage? Are we to believe that vulnerabilities are only exploitable once disclosed by security research?

Vectra Detect AI/ML behavioral models had you covered even before the vulnerability was disclosed

To successfully use this exploit, the attacker needs to be on the local network. For external attackers, Cognito Detect would see C&C from the compromised host in the form of External Remote Access, Hidden HTTP/HTTPS/DNS Tunnel, or Suspicious Relay. After exploiting the vulnerability (whether an external or internal attacker) we would likely see DCSync which is covered by RPC Targeted Recon. Once the attacker gained admin access, our sophisticated PAA detections cover the usage of this new access. Other models like Suspicious Admin, Suspicious Remote Execution, and Suspicious Remote Desktop also provide coverage on lateral movement. RDP Recon and RPC Recon could be expected as external attackers find their way around the network.

Cognito Detect protects your business against emerging, zero-day and fast-moving threats by focusing on the thing that does not change, attacker behavior, rather than on signatures, which are reactive and easily bypassed.

Gaining additional visibility with Vectra Recall or Stream

Cognito Detect's focus on finding attack behavior is a truly durable mechanism for finding attackers. Vectra Cognito Recall and Cognito Stream supplement our advanced detection capabilities, enabling deeper investigations and threat hunting. For the ZeroLogon vulnerability, we have published a new Recall dashboard (NetLogon Exploit Dashboard) to give you more visibility into attempts to leverage this vulnerability within your network.

Sample Dashboard in Cognito Recall tracking potential cases of ZeroLogon

About ZeroLogon

A maximum-severity CVE (ZeroLogon, CVE-2020-1472, CVSS 10) was recently reported. It enables an attacker to gain the master key to your network, Domain Admin credentials, incredibly quickly and easily, without requiring any privilege beyond the ability to send traffic to your network. The vulnerability is caused by a fault in how the Windows Server OS handles the NetLogon RPC protocol, which lets the attacker forge their identity in a password reset event and reset any password, including those of Domain Controller machine accounts.
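As an added example (not part of the Vectra post and not Vectra's code), here is a small behaviour-based check in Python that covers the two points made on this page: the Netlogon password-reset fault described in this section, and the DCSync activity that the detection-coverage section above says typically follows exploitation. The record format, host inventory and field names are constructed for this example; the two RPC method names (NetrServerPasswordSet2 for a Netlogon machine-account password change, DRSGetNCChanges for a directory replication request) are the standard operation names, and the rule flags them only when issued against a domain controller by a host that is not itself a DC. It needs no knowledge of any particular exploit tool, which is the page's argument.

```python
"""Behaviour-based flagging of ZeroLogon-style post-exploitation activity.

Added example, not Vectra's code. Models the post's point that the attack is
visible through what the attacker does on the network (a non-DC host resetting a
DC machine-account password over Netlogon, then pulling directory secrets with
DCSync), without any exploit signature. The record format below is a
constructed, Zeek-like DCE/RPC summary; field names and the host inventory are
assumptions for this example.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed inventory: hosts known to be domain controllers (assumed values).
DOMAIN_CONTROLLERS = {"10.0.0.5", "10.0.0.6"}

# RPC operations that are normal between DCs but suspicious from any other host.
# NetrServerPasswordSet2: Netlogon machine-account password change.
# DRSGetNCChanges: directory replication request (the operation DCSync relies on).
SENSITIVE_OPS = {
    "NetrServerPasswordSet2": "machine-account password reset over Netlogon",
    "DRSGetNCChanges": "directory replication request (DCSync-like)",
}


@dataclass(frozen=True)
class RpcRecord:
    ts: float
    src: str
    dst: str
    endpoint: str   # RPC interface name, e.g. "netlogon", "drsuapi"
    operation: str  # RPC method name


def parse_line(line: str) -> RpcRecord:
    """Parse one tab-separated constructed record: ts, src, dst, endpoint, operation."""
    ts, src, dst, endpoint, op = line.rstrip("\n").split("\t")
    return RpcRecord(float(ts), src, dst, endpoint, op)


def find_suspicious(records, dcs=DOMAIN_CONTROLLERS):
    """Return alerts for sensitive operations sent to a DC by a non-DC source.

    Each alert is (src, dst, operation, reason). DC-to-DC traffic is ignored
    because replication and machine-account changes between DCs are expected.
    """
    alerts = []
    for r in records:
        if r.dst in dcs and r.src not in dcs and r.operation in SENSITIVE_OPS:
            alerts.append((r.src, r.dst, r.operation, SENSITIVE_OPS[r.operation]))
    return alerts


def chain_by_source(alerts):
    """Group flagged operations per source host, in order, so the
    reset-then-replicate sequence from one host stands out to an analyst."""
    chains = defaultdict(list)
    for src, _dst, op, _reason in alerts:
        chains[src].append(op)
    return dict(chains)


# Constructed sample records: one legitimate DC-to-DC replication, an ordinary
# Netlogon secure-channel handshake from a workstation, then a password reset and
# a replication request from that same workstation, and unrelated share traffic.
SAMPLE_LOG = """\
1600000000.1\t10.0.0.6\t10.0.0.5\tdrsuapi\tDRSGetNCChanges
1600000001.2\t10.0.0.42\t10.0.0.5\tnetlogon\tNetrServerReqChallenge
1600000001.3\t10.0.0.42\t10.0.0.5\tnetlogon\tNetrServerAuthenticate3
1600000002.0\t10.0.0.42\t10.0.0.5\tnetlogon\tNetrServerPasswordSet2
1600000005.7\t10.0.0.42\t10.0.0.5\tdrsuapi\tDRSGetNCChanges
1600000006.0\t10.0.0.77\t10.0.0.9\tsrvsvc\tNetrShareEnum
"""


def run_sample():
    """Run the check over the constructed log; returns (alerts, per-host chains)."""
    records = [parse_line(l) for l in SAMPLE_LOG.splitlines() if l]
    alerts = find_suspicious(records)
    return alerts, chain_by_source(alerts)


if __name__ == "__main__":
    found, chains = run_sample()
    for a in found:
        print("ALERT", a)
    for host, ops in chains.items():
        print(host, "->", " then ".join(ops))
```

The normal handshake calls and the DC-to-DC replication pass without comment; only the two sensitive operations from the workstation are raised, and the per-host grouping shows them as one sequence, which is the kind of behaviour-level signal the post describes rather than a match on exploit bytes.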

Microsoft has since patched vulnerable versions of Windows Server; everyone is encouraged to apply these patches as soon as possible. Further information on the vulnerability can be found here and information from Microsoft on impacted versions and patch information can be found here.

If you’re ready to change your approach to detecting and responding to cyberattacks, and to get a closer look at how Cognito Recall can find attacker tools and exploits, schedule a demo with Vectra today.

About the author

Stephen Malone

Stephen is a Senior Product Manager at Vectra AI, where he is the product manager lead for the Vectra Recall product. He has nearly 20 years' experience in service creation and delivery. His career has taken him from software engineer to product management as he looks for ever bigger problems to solve. He is deeply versed in cloud, networking and security from over 7 years as a program manager in Azure, where he owned two core services. He holds an M.Sc. in Software Development from the Institute of Technology, Tralee, Ireland.
