External Remote Access

Signs of External Remote Access

  • An internal host has been observed either generating DNS activity or making direct connections associated with malicious external IPs or Domains identified by Vectra Threat Intelligence.
  • The threat score is driven by the quantity of data received on the flagged connection.
  • The certainty score reflects Vectra’s confidence that the indicator is in active use and ranges from low (30) through medium (60) to high (90).
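As an added example (not Vectra's code or its scoring formula), the Python below correlates constructed DNS and connection log lines from internal hosts against a constructed indicator list with per-indicator confidence, sums the bytes received per host, and carries the indicator confidence through as the 30/60/90 certainty described above; the threat-score thresholds and the log format are assumptions for illustration.

```python
from collections import defaultdict

# Constructed indicator feed (not a real feed): target -> confidence of active use.
INDICATORS = {
    "bad-c2.example": "high",
    "198.51.100.23": "medium",
    "phish-login.example": "low",
}
# Certainty follows the page's low/medium/high = 30/60/90 scale.
CERTAINTY = {"low": 30, "medium": 60, "high": 90}
# Constructed log lines: kind,src_host,target,bytes_received
SAMPLE_LOGS = """\
dns,ws-017,bad-c2.example,0
conn,ws-017,198.51.100.23,524288
dns,ws-042,updates.example,0
conn,ws-042,203.0.113.5,1200
dns,ws-099,phish-login.example,0
conn,ws-017,198.51.100.23,1048576
"""

def parse_logs(text):
    rows = []
    for line in text.strip().splitlines():
        kind, host, target, nbytes = line.split(",")
        rows.append({"kind": kind, "host": host, "target": target, "bytes": int(nbytes)})
    return rows

def threat_score(bytes_received):
    """Assumed monotone mapping: the more data received, the higher the threat."""
    if bytes_received == 0:
        return 10            # DNS lookup only, nothing received yet
    if bytes_received < 100_000:
        return 30
    if bytes_received < 1_000_000:
        return 60
    return 90

def correlate(rows, indicators=INDICATORS):
    """Per internal host: matched indicators, bytes received, certainty, threat."""
    hosts = defaultdict(lambda: {"indicators": set(), "bytes": 0, "certainty": 0})
    for r in rows:
        conf = indicators.get(r["target"])
        if conf is None:
            continue         # target is not a known-bad IP or domain
        h = hosts[r["host"]]
        h["indicators"].add(r["target"])
        h["bytes"] += r["bytes"]
        h["certainty"] = max(h["certainty"], CERTAINTY[conf])
    return {host: {**v, "indicators": sorted(v["indicators"]),
                   "threat": threat_score(v["bytes"])} for host, v in hosts.items()}
```

A host that only resolves an indicator and receives no data still surfaces with low threat, mirroring the first bullet: DNS activity alone is a sign worth investigating.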

Why attackers use External Remote Access

  • A host is communicating with a confirmed malicious IP or Domain that may be associated with staged malware, command and control, or client-side attacks.
  • A user has been redirected to a site associated with phishing or credential compromise.
  • A host is communicating with a benign service co-hosted on an IP or Domain with a poor or malicious reputation.

The Business Impact of External Remote Access

  • Compromised assets or user credentials provide adversaries with the internal foothold necessary to begin to stage an attack.
  • The identification of internal connections to known bad IP addresses or domains demonstrates concrete risk to organizational assets and users and may indicate active attack progression.

How to Investigate Signs of External Remote Access

  1. Look at the detection details and the PCAP to determine whether this may be traffic from chat software
  2. Check if a user has knowingly installed remote access software and decide whether the resulting risk is acceptable
  3. Scan the computer for known malware and potentially reimage it, noting that some remote access toolkits leave no trace on disk and reside entirely in memory