Signs of External Remote Access
- An internal host has been observed either generating DNS activity or making direct connections associated with malicious external IPs or Domains identified by Vectra Threat Intelligence.
- The threat score is driven by the quantity of data received on the flagged connection.
- The certainty score reflects Vectra's confidence that the indicator is in active use and ranges from low (30) through medium (60) to high (90).
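As an added example (not Vectra's code or the product's actual detection logic), the script below shows the shape of the detection described above: DNS queries and direct connections from internal hosts are matched against a threat-intelligence indicator list, each indicator carries a low/medium/high confidence that becomes the certainty score (30/60/90 as stated above), and the threat score is derived from the bytes received on the flagged connections. The log line format, the indicator feed (documentation-reserved names and addresses only), and the byte-count tiers used for the threat score are all constructed assumptions; the page only says the threat score is driven by the quantity of data received.

```python
"""Added example (not Vectra's code): match DNS and connection log lines
against a threat-intelligence indicator list and derive threat/certainty
scores in the spirit of the detection description. The log format,
indicator feed and byte thresholds are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Certainty values as the page states them: low 30, medium 60, high 90.
CERTAINTY = {"low": 30, "medium": 60, "high": 90}

# Constructed indicator feed: indicator -> confidence that it is in active use.
# Only documentation-reserved names/addresses; nothing here is a real IoC.
INDICATORS: Dict[str, str] = {
    "bad-updates.example": "high",
    "203.0.113.45": "medium",
    "cdn-shared.example": "low",  # benign service on a poor-reputation name
}

# Constructed mapping from bytes received to threat score (assumption: the
# page only says the score is driven by the quantity of data received).
THREAT_TIERS = [(1_000_000, 90), (100_000, 70), (10_000, 50), (0, 30)]


def match_indicator(target: str) -> Optional[str]:
    """Return the matching indicator for an IP or domain, or None.
    Domains match exactly or as a subdomain of a listed domain."""
    target = target.lower().rstrip(".")
    for indicator in INDICATORS:
        if target == indicator or target.endswith("." + indicator):
            return indicator
    return None


def threat_score(bytes_received: int) -> int:
    """Map total bytes received on flagged connections to a threat score."""
    for floor, score in THREAT_TIERS:
        if bytes_received >= floor:
            return score
    return 0


@dataclass
class HostSummary:
    host: str
    # indicator -> how it was first seen: "dns" lookup or direct "connect"
    indicators: Dict[str, str] = field(default_factory=dict)
    bytes_received: int = 0

    @property
    def threat(self) -> int:
        return threat_score(self.bytes_received)

    @property
    def certainty(self) -> int:
        # Highest confidence among the matched indicators drives certainty.
        return max(CERTAINTY[INDICATORS[i]] for i in self.indicators)


def parse_line(line: str) -> Optional[Tuple[str, str, str, int]]:
    """Constructed log format:
         dns  <host> <queried_name>
         conn <host> <destination> <bytes_sent> <bytes_received>
    Returns (kind, host, target, bytes_received) or None if unparseable."""
    parts = line.split()
    if len(parts) == 3 and parts[0] == "dns":
        return parts[0], parts[1], parts[2], 0
    if len(parts) == 5 and parts[0] == "conn":
        return parts[0], parts[1], parts[2], int(parts[4])
    return None


def analyze(lines: List[str]) -> Dict[str, HostSummary]:
    """Flag every host whose DNS lookups or direct connections touch an indicator."""
    flagged: Dict[str, HostSummary] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        kind, host, target, received = rec
        indicator = match_indicator(target)
        if indicator is None:
            continue
        summary = flagged.setdefault(host, HostSummary(host))
        summary.indicators.setdefault(indicator, "dns" if kind == "dns" else "connect")
        summary.bytes_received += received
    return flagged


# Constructed sample log lines.
SAMPLE_LOG = [
    "dns ws-017 c2.bad-updates.example",
    "conn ws-017 203.0.113.45 1200 48000",
    "conn ws-017 203.0.113.45 900 700000",
    "dns ws-042 cdn-shared.example",
    "conn ws-042 cdn-shared.example 500 2048",
    "conn ws-101 198.51.100.7 300 300",  # no indicator match, never flagged
]

if __name__ == "__main__":
    for host, s in analyze(SAMPLE_LOG).items():
        print(f"{host}: threat={s.threat} certainty={s.certainty} "
              f"bytes_received={s.bytes_received} via={s.indicators}")
```

The per-host summary is also what the investigation steps need: it records whether the indicator was reached by DNS lookup or direct connection and how much data came back, so an analyst can see at a glance which flagged connection is worth pulling the PCAP for.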
Why attackers use External Remote Access
- A host is communicating with a confirmed malicious IP or Domain that may be associated with staged malware, command and control, or client-side attacks.
- A user has been redirected to a site associated with phishing or credential compromise.
- A host is communicating with a benign service co-hosted on an IP or Domain with a poor or malicious reputation.
The Business Impact of External Remote Access
- Compromised assets or user credentials provide adversaries with the internal foothold necessary to begin to stage an attack.
- The identification of internal connections to known bad IP addresses or domains demonstrates positive risk to organizational assets and users and may indicate active attack progression.
How to Investigate Signs of External Remote Access
- Look at the detection details and the PCAP to determine whether this may be traffic from chat software.
- Check if a user has knowingly installed remote access software and decide whether the resulting risk is acceptable.
- Scan the computer for known malware and potentially reimage it, noting that some remote access toolkits leave no trace on disk and reside entirely in memory.