Smash and Grab

Signs of Smash and Grab

  • A host transmits an unusually large volume of data to destinations that are not considered normal for this network
  • The threat score is driven by the number of IPs the destination domain maps to; if the host is on a public IP, it also takes into account whether the destination is in another country
  • The certainty score is driven by the rate at which data is being exfiltrated

Possible root causes of Smash and Grab

  • An attacker is rapidly exfiltrating large volumes of data from your network
  • The host is sending large volumes of data to destinations that have not previously been used for large data transfers

Business Impact of a Smash and Grab

  • The detection signals possible exfiltration of company data
  • The source host, the destination to which the data was sent and the volume transmitted may provide clues about what data left the network
  • If the external service to which the data was uploaded is not an IT-sanctioned service, the potential business risk is high

How to Investigate Smash and Grabs

  1. Check whether the destination IP or domain to which the data was moved is an entity you trust on your network
  2. Ask the user of the host whether they have any knowledge of the data transfer
  3. If the data transfer is unexplained and your endpoint security solution logs such activity, determine which software on the host was responsible for the data transfer
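The following is an added example, not Vectra's own code or scoring model: a toy reconstruction of the signals listed under "Signs of Smash and Grab" and of investigation step 1, run over constructed flow records. It baselines the destinations each host has previously used for large transfers, aggregates outbound bytes per host and destination over a window, flags new destinations that receive a large volume, and derives a threat score from the number of IPs the destination maps to (plus a cross-country bump for hosts on a public IP) and a certainty score from the exfiltration rate. The thresholds, weights, field names, sample hosts and domains are all assumptions; steps 2 and 3 (asking the user, attributing the transfer to a process) are not modelled.

```python
"""Toy "Smash and Grab" detector (added example, not Vectra code).

Sample flows, thresholds and score weights are constructed for
illustration; a real sensor would derive them from observed traffic.
"""
from collections import defaultdict
from dataclasses import dataclass

MiB = 1024 * 1024
LARGE_TRANSFER_BYTES = 500 * MiB      # assumed "large volume" threshold
BYTES_PER_SEC_PER_CERTAINTY_POINT = 100_000   # assumed: 10 MB/s -> 100
HOME_COUNTRY = "US"                   # assumed location of this network
TRUSTED_DESTINATIONS = {"backup.example-corp.internal"}  # assumed IT-sanctioned


@dataclass
class Flow:
    ts: int            # seconds since epoch (constructed)
    src: str           # host IP that sent the data
    src_public: bool   # True if the host sits on a public IP
    dst_domain: str    # destination domain the data went to
    dst_ip_count: int  # number of IPs the destination domain maps to
    dst_country: str   # country of the destination
    bytes_out: int     # bytes transmitted by src in this flow


def baseline_destinations(history):
    """Per host, the destinations previously used for large transfers."""
    seen = defaultdict(set)
    for f in history:
        if f.bytes_out >= LARGE_TRANSFER_BYTES:
            seen[f.src].add(f.dst_domain)
    return seen


def threat_score(flow):
    """Driven by destination IP fan-out; public hosts also get a
    cross-country bump. Weights are assumptions."""
    score = min(flow.dst_ip_count, 5) * 10
    if flow.src_public and flow.dst_country != HOME_COUNTRY:
        score += 30
    return min(score, 100)


def certainty_score(total_bytes, window_seconds):
    """Driven by the rate of data leaving the host (assumed scale)."""
    rate_bps = total_bytes // window_seconds
    return min(rate_bps // BYTES_PER_SEC_PER_CERTAINTY_POINT, 100)


def detect(history, window_flows, window_seconds):
    """Flag hosts sending a large volume to a destination they have not
    previously used for large transfers, and annotate each alert with
    the trusted-destination check from investigation step 1."""
    seen = baseline_destinations(history)
    totals = defaultdict(int)
    example_flow = {}
    for f in window_flows:
        key = (f.src, f.dst_domain)
        totals[key] += f.bytes_out
        example_flow[key] = f
    alerts = []
    for (src, dst), total in totals.items():
        if total < LARGE_TRANSFER_BYTES or dst in seen[src]:
            continue
        f = example_flow[(src, dst)]
        alerts.append({
            "host": src,
            "destination": dst,
            "bytes": total,
            "threat": threat_score(f),
            "certainty": certainty_score(total, window_seconds),
            "trusted": dst in TRUSTED_DESTINATIONS,  # investigation step 1
        })
    return alerts


# Constructed sample data: one day of history, then a ten-minute window.
HISTORY = [
    Flow(1_700_000_000, "10.0.0.5", False, "backup.example-corp.internal", 1, "US", 600 * MiB),
]
WINDOW_SECONDS = 600
WINDOW = [
    Flow(1_700_086_400, "10.0.0.5", False, "backup.example-corp.internal", 1, "US", 700 * MiB),  # baselined
    Flow(1_700_086_410, "10.0.0.5", False, "drop.example.net", 3, "DE", 500 * MiB),
    Flow(1_700_086_700, "10.0.0.5", False, "drop.example.net", 3, "DE", 300 * MiB),  # same dst, aggregated
    Flow(1_700_086_420, "10.0.0.7", False, "cdn.example.org", 8, "US", 2 * MiB),     # too small
    Flow(1_700_086_450, "203.0.113.10", True, "paste.example.com", 2, "NL", 1200 * MiB),
]


def run_example():
    return detect(HISTORY, WINDOW, WINDOW_SECONDS)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Running the block prints two alerts: the private host 10.0.0.5 sending 800 MiB to a new three-IP destination (threat 30, certainty 13 under the assumed scales), and the public host sending 1200 MiB to a foreign destination (threat 50 from the cross-country bump, certainty 20). The transfer to the baselined backup service and the small CDN upload are not flagged, and neither alert's destination is in the assumed trusted list, which is where the investigation would begin.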
