Nation-State Cyberattack Example

Vectra AI vs. hybrid cloud attack

WAF, MFA, EDR, VPN, SAML — nation-state actors are skilled at evading them all. But in one pentest with Vectra AI, security analysts stopped a live attack before any damage could be done.

Active Hybrid-Cloud Attack

Simulated incident: one SOC analyst, working with Vectra, stopped a hybrid-cloud compromise just before the attacker could reach high-value cloud data.


The target: FictoTech
  • Leading R&D company
  • High-value intellectual property (IP)
  • Hybrid cloud
The attacker: ThunderJaw
  • State-sponsored hacker group
  • Focused on cyber espionage and IP theft
  • Targets private organizations
Response time
  • First Vectra alert: 5:02 a.m.
  • Attack stopped: 5:22 a.m.

Attack Signal Intelligence™: attack stopped
MITRE ATT&CK techniques observed:
  • Command and Control / ID: TA0011
  • Account Discovery / ID: T1087.001
  • Credential Access / ID: TA0006
  • Account Manipulation / ID: T1098
  • Valid Accounts / ID: T1078
  • Email Hiding Rules / ID: T1564.008
Attack timeline, as prioritized by Attack Signal Intelligence™
1. Zero-day exploit against the marketing server through the WAF/proxy. Exploitable because of the proprietary software running on the server.
2. C2 deployed. No EDR on the host because of the proprietary software running on it.
   Vectra detects: HTTPS Hidden Tunnel
3. Local and network discovery finds an admin account and a path to other parts of the environment.
   Vectra detects: HTTPS Tunnel, Port Scan, Port Sweep, Suspicious LDAP, RPC Recon
4. Remote execution from the marketing server to the nexus server.
   Vectra detects: Suspicious Remote Exec
5. Attacker accesses the ADFS server from the nexus server and adds malware to bypass MFA on the admin account. The malware evades EDR.
   Vectra detects: Suspicious Remote Exec
6. Attacker collects the cloud architecture diagram from a CIFS server, which provides the path to the cloud.
   Vectra detects: Privilege Anomaly: Unusual Account on Host
7. Attacker accesses Azure AD with the admin account over VPN, creates an email rule to hide IT emails, and creates a new admin account as a fallback.
   Vectra detects: AAD Susp. Sign-on, M365 Susp. Email Rule, AAD Risky OAuth Application
8. Attacker uses SAML access to connect to AWS.
   Vectra detects: AWS Sign-in
9. Attacker starts discovering the capabilities of the account in AWS.
   Vectra detects: AWS Organization Discovery, AWS User Permission Enumeration
Attack stopped.
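Step 7 of the timeline (M365 Susp. Email Rule, ATT&CK T1564.008) is one a SOC can also check for directly in mailbox audit data. The detector below is an added example, not Vectra's detection logic; the record layout, field names and sample events are assumptions modelled on Microsoft 365 unified audit log inbox-rule entries, and the sample records are constructed.

```python
"""Flag M365 inbox rules that hide IT/security mail (ATT&CK T1564.008).
Added example, not Vectra's logic; records mimic unified audit log
New-InboxRule / Set-InboxRule entries and all sample values are constructed."""
WATCH_TERMS = ("it-helpdesk", "security", "admin", "mfa", "password", "sign-in")
HIDDEN_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "junk email",
                  "deleted items", "conversation history"}
RULE_OPS = ("New-InboxRule", "Set-InboxRule")

def _params(record):
    """Collapse the audit log's [{Name, Value}, ...] list into a dict of strings."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}

def _true(p, key):
    return p.get(key, "").lower() == "true"

def assess_rule(record):
    """Return reasons a rule looks like an email-hiding rule, or [] if benign."""
    if record.get("Operation") not in RULE_OPS:
        return []
    p = _params(record)
    filters = " ".join(p.get(k, "") for k in
                       ("From", "SubjectContainsWords", "BodyContainsWords")).lower()
    if not any(term in filters for term in WATCH_TERMS):
        return []  # rule does not target IT/security mail
    reasons = []
    if _true(p, "DeleteMessage") or _true(p, "SoftDeleteMessage"):
        reasons.append("deletes matching mail")
    if p.get("MoveToFolder", "").lower() in HIDDEN_FOLDERS:
        reasons.append("moves mail to a rarely viewed folder")
    if _true(p, "MarkAsRead"):
        reasons.append("marks mail as read")
    return reasons  # empty when IT mail is targeted but left visible

def find_hiding_rules(records):
    """Return (user, client IP, reasons) for every suspicious rule event."""
    hits = []
    for r in records:
        reasons = assess_rule(r)
        if reasons:
            hits.append((r.get("UserId"), r.get("ClientIP"), reasons))
    return hits

# Constructed sample events, not real audit data.
SAMPLE_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "admin@fictotech.example", "ClientIP": "203.0.113.10",
     "Parameters": [{"Name": "From", "Value": "it-helpdesk@fictotech.example"},
                    {"Name": "MoveToFolder", "Value": "RSS Feeds"}, {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "jdoe@fictotech.example", "ClientIP": "198.51.100.7",
     "Parameters": [{"Name": "SubjectContainsWords", "Value": "newsletter"}, {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"Operation": "Set-InboxRule", "UserId": "admin@fictotech.example", "ClientIP": "203.0.113.10",
     "Parameters": [{"Name": "SubjectContainsWords", "Value": "MFA sign-in alert"}, {"Name": "DeleteMessage", "Value": "True"}]},
]
```

Running `find_hiding_rules(SAMPLE_RECORDS)` flags the two admin-account rules and ignores the newsletter rule; in practice the user and client IP would be correlated with the suspicious sign-on that created the rule.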

Gain an unfair advantage over hybrid cloud attackers

The secret to stopping hybrid cloud attacks fast? Attack Signal Intelligence™. It's the world's most advanced cybersecurity intelligence — and it powers the only AI-driven threat detection and response platform purpose-built to move at the speed of hybrid cloud attacks.

  • 12 MITRE D3FEND references
  • 35 AI threat detection patents
  • 90% MITRE ATT&CK coverage

Become a master threat hunter

Cloud attacks are relentless — let's make sure you spot and stop them. Join a Blue Team Workshop to sharpen your hunting skills in a simulated enterprise environment.


With Vectra AI, attackers don't stand a chance

Intellectual property. High-value data. Hybrid cloud infrastructure. It all adds up to a lot of vulnerabilities — and makes FictoTech a prime target for nation-state cyberattacks. But with Attack Signal Intelligence from Vectra AI, the company’s analysts easily keep data breaches at bay.

  • Zero-day exploit exposed
  • Prevention security not in play
  • Actors seeking admin access

Prioritizing Tactics

This simulated attack was initiated through a zero-day exploit in an on-premises server.

Attackers progressed toward the cloud, conducting recon along the way.

They located admin accounts, evaded MFA, gained access to Azure AD and AWS and claimed possession of privileged credentials.

With an accurate timestamp and clear threat detections, the analyst caught up to the attacker in real time.

The infected account was instantly disabled and the host locked down.

Keep cloud attacks from becoming breaches

Attackers keep EDR out of play

In this pentest, the initial exploit posed a critical detection challenge. Why? Because IT wasn’t in control of the server. This kept EDR out of play — drivers installed in the proprietary software would’ve interfered with the agent. There were no EDR alerts when attackers bypassed MFA or compromised accounts. Only Attack Signal Intelligence from Vectra AI provided the detections needed.

Identity and Cloud cyberattacks are the new normal

  • 45% of all data breaches in 2022 were cloud based [1]
  • 50% of data breaches involve stolen credentials [2]

[1] IBM – Cost of a Data Breach 2022 report
[2] Verizon – Data Breach Investigations Report 2022
