Suspicious Relay

Signs of a Suspicious Relay

  • This host appears to be acting as a relay for communication between an external system and another internal host—relays of this type involve a first (external) leg and a second (internal) leg
  • This host also has another active command and control detection
  • The threat score is driven by how close the durations of the connections involved in relay activity are on the two legs of the relay
  • The certainty score is driven by how close the ratio of sent to received bytes is in the two legs of the relay

Why Attackers Use Relays

  • A host is compromised and is being used to relay information to and from a host deeper inside the network
  • An internal host is hosting some form of approved proxy (e.g. SOCKS) to allow other internal hosts to communicate with the Internet through it

Business Impact of a Suspicious Relay

  • An infected host which is enabling another internal host to hide its communication with the Internet by acting as a relay represents a high risk as this may allow a host which normally is not allowed to communicate with the outside to do so
  • For hosts that have approved proxy software installed, ensure all the necessary security controls are in place to prevent unauthorized use

How to Investigate Suspicious Relays

  1. Determine whether this host should be providing relay services to other internal hosts; if not, this is likely malicious behavior
  2. Look at the outside destination of the traffic and the payload of the traffic, available in the PCAP, to determine what is being sent and where it is going; this will help further calibrate the risk

White Paper

Understanding Vectra AI

Vectra AI is a leading AI-driven threat detection and response platform. It uses machine learning to analyze network traffic and other data to identify and prioritize real threats.

This document provides a comprehensive guide to Vectra detections, including:

  • What Vectra detections are and how they work
  • Specific detections that Vectra can identify
  • How to interpret and respond to Vectra detections