Vectra AI Detections

Vectra AI Detections Across the Kill Chain

Vectra AI detections cover each stage of the attack chain, so that an intrusion can be identified and stopped at whichever stage its behaviour is first observed.

After the initial exploit, the malware contacts its Command & Control (C2) server, from which it is controlled either automatically or by a human operator.

The attack usually follows the opportunistic path: the malware joins the host to a botnet, and the bot herder steals information from the infected host and uses your resources to make money by attacking other systems across the Internet (Botnet Activity).

Less often, but more dangerously, you are the intended target. In that case the infected host orients itself in your network (Reconnaissance), spreads laterally to get closer to your crown jewels (Lateral Movement), and steals your data and sends it to an outside system (Exfiltration).

List of Vectra AI Detections

Detections of Reconnaissance Activities

  • A host or account is mapping out the inside of your network or cloud environment
  • The activity may indicate that this is a targeted attack
  • Detection types cover both fast scans and slow, low-rate scans – your own vulnerability scanner will show up here too, since it performs much the same activity as an attacker, so expect to identify and triage its scans rather than assume every hit is hostile

Detections of Lateral Movement

  • Covers scenarios of lateral action meant to further a targeted attack
  • This can involve attempts to steal account credentials or to steal data from another resource
  • It can also involve compromising another host or account to make the attacker’s foothold more durable or to get closer to target data

Detections of C2 Activities

  • A host or account appears to be under control of an external entity
  • Most often, the control is automated as the host or account is part of a botnet or has adware or spyware installed
  • The host or account may be manually controlled from the outside – this is the most threatening case and makes it highly likely that this is a targeted attack

Detections of Exfiltration Activities

  • Covers scenarios where data is being sent outside or collected in a way meant to hide the data transfer
  • While data is constantly being sent out of the network or cloud environment, it usually does not involve the use of techniques meant to hide the transfer
  • The host or account transmitting the data, where it is transmitting the data, the amount of data and the technique used to send it all provide indicators of exfiltration
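The reconnaissance bullets (fast scans, slow scans, the vulnerability scanner that looks just like an attacker) and the exfiltration bullets (who sends, where, how much, and by what technique) describe the signals in words. The following is an added example, not Vectra AI's detection logic, that turns those signals into code over a constructed set of flow records. The record format, the internal address range, the "known scanner" address, the window sizes and every threshold are assumptions chosen for the illustration.

```python
"""
Toy detections for the reconnaissance and exfiltration stages.
Added illustration only, not Vectra AI code. Flow records are
(timestamp_seconds, src_ip, dst_ip, dst_port, bytes_from_src); all
ranges, addresses and thresholds below are assumptions.
"""
from collections import Counter, defaultdict, deque
from ipaddress import ip_address, ip_network

INTERNAL = [ip_network("10.0.0.0/8")]      # assumed internal range
KNOWN_SCANNERS = {"10.0.0.5"}               # assumed authorised vulnerability scanner

FAST_WINDOW, FAST_TARGETS = 60, 20          # 20 distinct host:port pairs inside 60 s
SLOW_WINDOW, SLOW_TARGETS = 24 * 3600, 100  # 100 distinct pairs inside a day, but never fast
EXFIL_FACTOR = 5.0                          # outbound bytes above 5x the host's daily baseline
DNS_TUNNEL_BYTES = 1_000_000                # more than ~1 MB over port 53 is not name resolution


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL)


def max_distinct_in_window(events, window):
    """events: iterable of (ts, target). Largest number of distinct targets
    one source touched inside any span of `window` seconds."""
    q, counts, best = deque(), Counter(), 0
    for ts, target in sorted(events):
        q.append((ts, target))
        counts[target] += 1
        while ts - q[0][0] > window:           # expire records that fell out of the window
            _, old = q.popleft()
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
        best = max(best, len(counts))
    return best


def detect_recon(flows):
    """Internal hosts probing many internal host:port pairs, fast or slow.
    The authorised scanner is tagged rather than silenced, so it is triaged."""
    per_src = defaultdict(list)
    for ts, src, dst, port, _ in flows:
        if is_internal(src) and is_internal(dst):
            per_src[src].append((ts, (dst, port)))
    findings = {}
    for src, events in per_src.items():
        if max_distinct_in_window(events, FAST_WINDOW) >= FAST_TARGETS:
            label = "fast scan"
        elif max_distinct_in_window(events, SLOW_WINDOW) >= SLOW_TARGETS:
            label = "slow scan"
        else:
            continue
        findings[src] = label + (" (known scanner)" if src in KNOWN_SCANNERS else "")
    return findings


def detect_exfil(flows, baseline):
    """Internal hosts whose outbound volume to external hosts exceeds their
    baseline, or that push bulk data through a channel meant to hide it (DNS)."""
    total, by_port = defaultdict(int), defaultdict(int)
    for _, src, dst, port, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            total[src] += nbytes
            by_port[(src, port)] += nbytes
    findings = defaultdict(list)
    for src, sent in total.items():
        base = baseline.get(src, 0)
        if sent > EXFIL_FACTOR * max(base, 1):
            findings[src].append(f"outbound {sent} bytes vs baseline {base}")
    for (src, port), nbytes in by_port.items():
        if port == 53 and nbytes > DNS_TUNNEL_BYTES:
            findings[src].append(f"{nbytes} bytes over DNS, possible tunnel")
    return dict(findings)


def build_sample_flows():
    """Constructed sample traffic covering each case above."""
    flows = [(i, "10.0.0.5", f"10.0.9.{i % 5 + 1}", 20 + i, 60) for i in range(25)]      # scanner: 25 pairs in 25 s
    flows += [(i * 720, "10.0.1.7", f"10.0.20.{i + 1}", 445, 60) for i in range(120)]     # patient attacker: one pair per 12 min
    flows += [(100, "10.0.2.9", "10.0.5.1", 445, 4000), (200, "10.0.2.9", "10.0.5.2", 80, 2000),
              (300, "10.0.2.9", "198.51.100.20", 443, 1_000_000)]                         # ordinary workstation
    flows.append((500, "10.0.3.3", "203.0.113.10", 443, 50_000_000))                      # 50 MB upload over HTTPS
    flows.append((600, "10.0.4.4", "203.0.113.53", 53, 3_000_000))                        # 3 MB pushed out over DNS
    return flows


BASELINE = {"10.0.2.9": 2_000_000, "10.0.3.3": 5_000_000, "10.0.4.4": 4_000_000}  # constructed daily outbound bytes


if __name__ == "__main__":
    flows = build_sample_flows()
    print("recon:", detect_recon(flows))
    print("exfil:", detect_exfil(flows, BASELINE))
```

Two design points carry over to any real deployment of these ideas. The slow-scan check only exists because the fast-scan check is trivially evaded by rate limiting, so both windows are evaluated independently. And the exfiltration check combines a host-relative baseline (how much this host normally sends) with a technique check (bulk data over a protocol that should never carry it), because 10.0.4.4 in the sample is within its volume baseline and would otherwise pass unnoticed.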

Detections of Botnet Activities

  • A host is making money for its bot herder
  • The ways in which an infected host can be used to produce value range from mining cryptocurrency to sending spam emails to producing fake ad clicks
  • The bot herder is utilizing the host computer, its network connection and, most of all, the unsullied reputation of the assigned IP to turn a profit

Detections by Attack Surface

Detections in the Network

Detections in Azure AD & M365

Detections in AWS