Automated Replication

Signs of Automated Replication

  • An internal host is sending very similar payloads to several internal targets
  • This may be the result of an infected host sending one or more exploits to other hosts in an attempt to infect them
  • The certainty score is driven by the number of targeted hosts and the detection of an upstream propagator
  • The threat score is driven by the number of targeted hosts and the number of different exploits, particularly exploits aimed at different ports
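The signals above (one internal host sending near-identical payloads to several internal targets, certainty raised by an upstream propagator, threat raised by target breadth and by distinct exploits on distinct ports) can be turned into a small flow-level analytic. The code below is an added example, not Vectra's detection logic: the flow records are constructed, and the similarity threshold, the minimum target count and the scoring weights are assumptions chosen for illustration. Each finding also lists the protocol and port of every exploit cluster, which is the first thing the investigation steps further down ask you to look at.

```python
"""Toy automated-replication analytic over flow records (added example, not Vectra's code)."""
from collections import defaultdict
from dataclasses import dataclass
from difflib import SequenceMatcher
from ipaddress import ip_address

SIMILARITY_THRESHOLD = 0.85  # assumption: payloads this alike count as the same exploit
MIN_TARGETS = 3              # assumption: a payload cluster must reach this many hosts to matter


@dataclass
class Flow:
    ts: int        # seconds since capture start (constructed)
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes


def similar(a: bytes, b: bytes) -> bool:
    """True when two payloads are near-identical (difflib ratio over raw bytes)."""
    return SequenceMatcher(None, a, b).ratio() >= SIMILARITY_THRESHOLD


def cluster_exploits(flows):
    """Group one source's flows into (proto, dport, representative payload) clusters.

    Each cluster stands for one candidate exploit; the same payload on a different
    port is a separate cluster, so port diversity shows up in the threat score.
    """
    clusters = []
    for f in sorted(flows, key=lambda x: x.ts):
        for c in clusters:
            if c["proto"] == f.proto and c["dport"] == f.dport and similar(c["rep"], f.payload):
                c["targets"].add(f.dst)
                break
        else:
            clusters.append({"proto": f.proto, "dport": f.dport, "rep": f.payload,
                             "targets": {f.dst}, "first_ts": f.ts})
    return clusters


def find_upstream_propagator(host, cluster, all_flows):
    """Return the host that earlier sent a matching payload *to* this host, if any."""
    for f in all_flows:
        if (f.dst == host and f.ts < cluster["first_ts"] and f.proto == cluster["proto"]
                and f.dport == cluster["dport"] and similar(f.payload, cluster["rep"])):
            return f.src
    return None


def detect_automated_replication(flows):
    """Return one finding per internal host whose payload clusters reach MIN_TARGETS hosts."""
    internal = [f for f in flows if ip_address(f.src).is_private and ip_address(f.dst).is_private]
    by_src = defaultdict(list)
    for f in internal:
        by_src[f.src].append(f)

    findings = []
    for host, host_flows in by_src.items():
        exploits = [c for c in cluster_exploits(host_flows) if len(c["targets"]) >= MIN_TARGETS]
        if not exploits:
            continue
        targets = set().union(*(c["targets"] for c in exploits))
        ports = {(c["proto"], c["dport"]) for c in exploits}
        propagator = None
        for c in exploits:
            propagator = find_upstream_propagator(host, c, internal)
            if propagator:
                break
        # Assumed weights: certainty grows with breadth and an upstream propagator;
        # threat grows with breadth, number of exploits and number of distinct ports.
        certainty = min(100, 15 * len(targets) + (30 if propagator else 0))
        threat = min(100, 10 * len(targets) + 15 * len(exploits) + 5 * len(ports))
        findings.append({"host": host, "targets": sorted(targets),
                         "exploits": [(c["proto"], c["dport"]) for c in exploits],
                         "upstream_propagator": propagator,
                         "certainty": certainty, "threat": threat})
    return findings


def smb_probe(target: str) -> bytes:
    """Constructed stand-in for a replicated payload: identical body, only the target field varies."""
    return b"SMBPROBE/1 target=" + target.encode() + b" op=negotiate pad=" + b"A" * 24


def rdp_probe(target: str) -> bytes:
    """Second constructed payload family, sent on a different port."""
    return b"RDPPROBE/1 target=" + target.encode() + b" op=connect pad=" + b"B" * 24


# Constructed sample flows: 10.0.0.9 infects 10.0.0.5, which then replicates on two ports;
# 10.0.0.30 is a normal client and 10.0.0.5's DNS lookup is external and ignored.
FLOWS = [
    Flow(10, "10.0.0.9", "10.0.0.5", "tcp", 445, smb_probe("10.0.0.5")),
    Flow(100, "10.0.0.5", "10.0.0.20", "tcp", 445, smb_probe("10.0.0.20")),
    Flow(101, "10.0.0.5", "10.0.0.21", "tcp", 445, smb_probe("10.0.0.21")),
    Flow(102, "10.0.0.5", "10.0.0.22", "tcp", 445, smb_probe("10.0.0.22")),
    Flow(103, "10.0.0.5", "10.0.0.23", "tcp", 445, smb_probe("10.0.0.23")),
    Flow(110, "10.0.0.5", "10.0.0.20", "tcp", 3389, rdp_probe("10.0.0.20")),
    Flow(111, "10.0.0.5", "10.0.0.21", "tcp", 3389, rdp_probe("10.0.0.21")),
    Flow(112, "10.0.0.5", "10.0.0.22", "tcp", 3389, rdp_probe("10.0.0.22")),
    Flow(200, "10.0.0.30", "10.0.0.40", "tcp", 80, b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    Flow(201, "10.0.0.30", "10.0.0.41", "tcp", 80, b"GET /status HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    Flow(300, "10.0.0.5", "8.8.8.8", "udp", 53, b"dns query example.com"),
]

if __name__ == "__main__":
    for finding in detect_automated_replication(FLOWS):
        print(finding)
```

Only 10.0.0.5 is reported: it reaches four hosts with one payload family on TCP/445 and three with another on TCP/3389, and 10.0.0.9 is identified as the upstream propagator because it sent the same 445 payload to 10.0.0.5 before the replication began. The normal client never reaches the target threshold, and the external flow is dropped before clustering.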

Why Attackers Use Automated Replication

  • An infected host which is part of a botnet is trying to expand the botnet’s footprint by infecting additional hosts
  • An infected host which is taking part in a targeted attack is trying to spread laterally in an effort to get closer to data it wants to exfiltrate
  • An agent on the host is using unusual techniques to discover an available service

Business Impact of Automated Replication

  • Internal spreading of botnet-related malware is often repeated by the next infected host, mimicking a computer worm and rapidly infecting all possible hosts
  • A wide-scale spread of botnet-related malware will incur significant remediation costs
  • Lateral spread which is part of a targeted attack makes the attack more resilient and gets it closer to your crown jewels

How to Investigate Automated Replication

  1. Look at the protocol and port listed in the detection to determine what network service is being exploited
  2. Determine if there’s any reason for this host to be communicating with these services on the listed targets
  3. Try to ascertain what software on this host would emit the traffic being seen
  4. Examine the packet capture file to see if this appears to be a network discovery attempt
