Threat Detection

Today’s hybrid attackers expose security gaps, compromise identities and use a variety of tactics to hide and progress inside enterprise environments.

On May 23rd, 2023, Barracuda announced a vulnerability (CVE-2023-2868) in their Email Security Gateway appliance that was being exploited in the wild as far back as October of 2022.

Unrivaled signal clarity and rapid response can help you protect your complex IT environment.

Is decrypting packet payloads operationally effective or efficient at helping defenders find signs of advanced nation state attacks or manually executed attacks like RansomOps in a network?

This new open-source tool bridges common gaps SOC teams face in cloud threat detection. Gain more flexibility to develop custom attack techniques.

As threats become more prominent, it’s important to pose the question: what actually brings clarity? It’s a question that we can struggle with, but we may simply not be approaching it in the right way.

Attacker techniques are dictated by the characteristics of the tech stack. So what is the approach needed to defend cloud systems?

Discover how Vectra AI, through user feedback, has improved its scoring model and user interface to provide more effective threat prioritization and an efficient workflow.

When an analyst detects an intrusion, the most critical factor is analyzing the context of the intrusion. We do this by identifying the attacker’s tactics, techniques, and procedures (TTPs).

Gain complete clarity on known and unknown threats across your network by combining Vectra Match signature context and the power of Vectra NDR with Security AI-driven Attack Signal Intelligence™.

When a physical threat presents itself, most people will implement protection mechanisms. When warned of an impending hurricane, people will naturally board up their property and take cover. This behavior is conditioned, but why doesn't that conditioning extend to enterprise security programs?

In this blog, we'll examine known threats aimed at hybrid cloud environments and where you might be able to catch them before they become an issue.

Cyber threat actors come in a variety of forms. Though they result in unwanted damage, their tactics, goals, and methods of attack differ. Avoiding being a victim begins with understanding the types of cybercriminals, their behaviors, goals, and motivations.

Last week I attended the Gartner Security and Risk Summit in London. The theme of the summit was Accelerating the Evolution of Security: Reframe and Simplify. From the very first keynote, Gartner laid down the gauntlet. "Change is needed and we must stop doing what we have always done and start learning from our mistakes." It is this very sentiment that set the tone for the show.

Native integration delivers Vectra's patented Security AI to CrowdStrike XDR, so joint customers can find attacker behaviors across public cloud, SaaS, identity, and networks from a single interface.

What value is there in detecting malicious actors if the detection isn't noticed? Vectra makes sure that your security operations see everything, and our updated Splunk Integration is the latest offering to help you do this.

An influential industry analyst now declares NDR has reached the Hype Cycle's "Slope of Enlightenment." Vectra had confidence all along

What If there was a Supply Chain Compromise of an IDP? The recent security incident at Okta represents yet another perspective on supply chain compromises. This blog provides perspective on the current situation and mitigation and defense strategies to manage such an event.

Vectra customers should be aware that current global events related to Russian recognition of separatist regions of the Ukraine carry with them the risk of increased cyber activity conducted by Russian state level actors. This includes evidence that the FSB, the main Intelligence Organization in Russia, is responsible for the DDoS against Ukrainian systems in February 2022.

New Vectra CRO wants to achieve aggressive growth and continued global expansion for Vectra's leading network detection and response platform.

As we saw with the Log4J vulnerability, cybercriminals only need a single opening to infiltrate your environment. And while another vulnerability can't be prevented, there's still a lot that can be done to make sure you're ready for the next one.

A threat-led approach is key to an organisation's security strategy. CISOs should measure security based on their ability to discover if they've been breached, mean time to breach when testing security, or the mean time to detect unknown threats.

Every year the world of cybersecurity encounters new challenges and obstacles for organisations to overcome, but 2021 managed to be an exceptionally dangerous year. So how will the lessons learnt from 2021 shape the cybersecurity landscape? Here are four areas of cybersecurity that will evolve in 2022.

Threat actors can use the Log4J vulnerability as a platform for launching attacks, but what does this mean for cloud environments? Find out exactly how attackers are exploiting this vulnerability and what this could mean for your organization.

Agile has its uses. It's increasingly being adopted as a technology wide operating model-to drive transformation everywhere, from helpdesks to datacenters. But is it always appropriate?

A few days after the Log4Shell vulnerability was discovered, we now have more observations about how the exploit is being leveraged. Here's what we know, today.

A new 0day was discovered in the log4j application on December 10, 2021. This vulnerability impacts a widely used logging solution spanning an incredibly large attack surface.

Exclusive cybersecurity research presented in a new report, details how hundreds of security leaders are addressing today's complex cyberthreats in their organisations.

AI can save your SOC valuable time by automating workloads, while accurately tracking down cyberattacker activities found in ransomware and supply chain attacks.

Organizations continue to deploy rapidly in the cloud, while security is often an afterthought. Read about the five areas that could be exposing your AWS deployments to security threats.

As organizations continue to build on AWS with no sign of slowing down, it's important to know where the security blind spots are and how to address them.

The State of Security Report: PaaS and IaaS takes a close look at how organizations are addressing security in AWS and the challenges they face.

Attackers intent on stealing personally identifiable information (PII) and protected health information (PHI) can easily exploit gaps in IT security policies and procedures to disrupt critical healthcare-delivery processes.

A new remote code execution vulnerability in Windows Print Spooler, now known as CVE-2021-1675, or PrintNightmare can be exploited by attackers to take control of affected systems. Find out how to detect and stop this exploit with Vectra.

The rapid shift to cloud-everything left users and apps vulnerable to security threats across all environments. Andras Cser from Forrester joined Joe Malenfant and Gokul Rajagopalan from Vectra to discuss cloud trends among organizations.

Vectra introduces Detect for AWS, solving threat detection and response for Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) environments.

What makes threat detection so challenging? We answer that question and provide the expert insight around our latest Spotlight Report-Vision and Visibility: Top 10 Threat Detections for Microsoft Azure AD and Office 365.

As cloud adoption continues to accelerate, the evolution of the next generation of modern attacks will traverse through and towards an enterprise's cloud control plane. Learn why this risk should not be underestimated.

Supply chain attacks represent an appealing opportunity for attackers. See why this type of attack is gaining in popularity and what defenders need to know to keep their organization safe.

In our latest Spotlight Report, see how the Top 10 Threat Detections seen across Microsoft Azure AD and Office 365 allow security teams to detect infrequent behavior that is abnormal or unsafe across their environments.

The Vectra Cognito Azure AD Privilege Anomaly Detection is a radical step forward when detecting account takeover events targeting Azure AD to gain access to mission-critical SaaS applications. With it, teams are alerted, and attacks can be stopped before they cause harm.

Network and endpoint defense technologies will have to either rapidly update signatures or use other investigative ways to detect command and control (C2). Uncover how threat actors evade security tools to execute C2 techniques to learn about what you should look for.

We're excited to announce extended EDR native integration support in the Cognito platform! Find out how you can benefit from these simple, seamless integrations for comprehensive coverage across the enterprise, IoT devices, hybrid cloud, and cloud environments.

Announcing extended coverage of Vectra in your entire AWS cloud footprint using the new AWS traffic mirroring capabilities on EC2 instances based on the popular Xen platform.

Vectra announces extended support for Azure AD in Cognito Detect for Office 365. Find out how this increased coverage can secure users' cloud identities and reduce consequences of supply chain attacks.

As witnessed by the SolarWinds attack, compromising a single Azure AD account gives an attacker access to multiple SaaS apps, including Microsoft Office 365. This single point has made it critical for organizations to be able to detect and respond to attacks from Azure AD.

The pandemic has made threat actors eager to exploit information about COVID-19. Find out how an ordinary LinkedIn message set off a chain reaction that escalated into a widespread, sophisticated attack at one of the world's leading pharmaceutical companies.

Learn how Command and Control (C2) frameworks are continuing to evolve in order to evade detection. Here we will examine a method known as JA3 signature randomization.

Learn from Vectra CRO, Marc Gemassmer, what makes the SolarWinds hack unique from other breaches and how network detection and response can help remediate similar attacks in the future.

The number of threats targeted towards Office 365 users and other similar platforms will undoubtedly continue to grow in 2021. Learn from our CTO, Oliver Tavakoli, what your company can do to prepare for the rise of targeted SaaS threats in 2021.

Discover how the new security insights feature in the Vectra Cognito network detection and response platform eliminates the need for analysts to pivot between tools and provides additional insights related to attacker detections.

Discover new learnings from the FireEye breach, including the objectives of the stolen tools, how those tools would present on the network, and how behavior-based detection can identify their use in an attack.

Most solutions today provide siloed views of an account, making it impossible to track attack progression across the cloud and network-except ours. We're excited to release a unified view of an account, one that tracks attacker behaviors across network and cloud.

With more than 200 million monthly subscribers, Office 365 is a rich target for cybercriminals. Learn why MFA no longer stops attackers in this new cybersecurity landscape but network detection and response can.

Vectra research highlights how attackers are using built-in tools and services to attack Office 365. We examine two such attacks that were detected and thwarted by organizations protected by Cognito Detect for Office 365.

When you factor in how long it takes to discover a data breach, it suggests that healthcare is losing the battle. Discover a fundamental approach being advocated by a growing number of healthcare security professionals.

Attackers areusing legitimate toolsbuiltintoMicrosoft Office 365toperform reconnaissance, move laterally,and extend their attacks. OurSpotlightReport on Office 365 identifies whatthey're up to and where you should be looking.

Read the Office 365 Spotlight Report to learn about the primary cybersecurity threats that can lead to Office 365 takeovers and breaches.

Asset management is one of the toughest challenges IT organizations can face. Discover why the ability to detect threats early on the network is better than ranking your critical systems.

The recent ZeroLogon (CVE-2020-1472) vulnerability allows an attacker to gain Domain Admin credentials. The Vectra AI/ML models are designed to detect attacks regardless of tools or signatures and alerted on ZeroLogon even before it was announced.

Learn why the SOCvisibility triad is a better way to gain full visibility into threats and why Vectra is critical to help provide that visibility.

The problem of detecting an insider threatbeforeit happens is difficult to solve as the prediction of human behavior itself. Discover how applying a data science approach to detection can reveal clues to catch know and unknown attackers across your enterprise.

Discover in this blog why many organizations are struggling with the burden of maintaining IDPS deployments and how security teams can instead concentrate on detecting and mitigating active threats inside the network with network detection and response.

Learn how IDPS is ill-equipped to detect what is known as lateral movement, east-west traffic, or simply attackers moving around inside your deployments due to reliance on signatures and being deployed at the network perimeter.

Consider getting rid of IDPS and the noise it creates and check out detecting and stopping cyberattacks using NDR. Free-up your security analysts to focus on investigations and threat-hunting instead of tweaking signatures.

Discover step-by-step how Vectra AI identified early indicators of the Maze ransomware attack and prevented the encryption of the company files.

Battista Cagnoni examines how you can mature your Security Operations Center (SOC) using processes for reactive threat detection and proactive threat hunting.

Learn why Microsoft Power Automate is great for Office 365 users, but why it's terrifying for security professionals.

OAuth has become a critical standard for access delegation in apps. However, the increasing incidents involving malicious OAuth apps, particularly in platforms like Office 365, underscore a significant vulnerability. This vulnerability persists even with multi-factor authentication (MFA) measures in place.

Attack tools and techniques can change over time, but attack behaviours remain a stable indicator of attackers within the network. Using attack behaviour as a high-fidelity signal allows you to take action quickly to stop attacks or prevent further damage.

In the era of near-total data, SOC teams and analysts can become swamped by the sheer volume. And that's before we even get to the cost of data ingestion and storage! In this blog, we will explore the value of network metadata, and why we just can't get this level of visibility elsewhere.

With increasingly sophisticated threats,cyber-risk is becoming an escalating concern for organizations around the world. Data breaches through Office 365 lead the pack as 40% of organizations suffer from account takeovers despite the rising adoption of incremental security approaches like multi-factor authentication.

Vectra now integrates with Amazon Virtual Private Cloud (VPC) Ingress Routing and that our AI platform is currently available in the AWS Marketplace.

In infosec, the concept of "zero trust" has grown significantly in the last couple of years and has become a hot topic. A zero-trust architecture fundamentally distrusts all entities in a network and does not allow any access to resources until an entity has been authenticated and authorized to use that specific resource, i.e. trusted.

Since the early days of Vectra, we've been focused primarily on host devices. After all, hosts are the entities that generate the network traffic the Cognito platform analyses in looking for attacker behaviors.

In a previous blog, we spoke about the importance of security enrichments in your network metadata. These serve as the foundation for threat hunters and analysts to test and query against hypotheses during an investigative process.

Vectra customers and security researchers respond to some of the world's most consequential threats. And they tell us there's a consistent set of questions they must answer when investigating any given attack scenario. Starting with an alert from Cognito Detect, another security tool, or their intuition, analysts will form a hypothesis as to what is occurring.

The collection and storage of network metadata strikes a balance that is just right for data lakes and SIEMs. Metadata enables security operations teams to craft queries that interrogate the data and lead to deeper investigations.

When considering how to equip your security teams to identify lateral movement behaviors, we encourage the evaluation of the efficacy of your processes and tools to identify and quickly respond to the top 5 lateral movement behaviors that we commonly observe.

Imagine having a security tool that thinks the way you teach it to think, that takes action when and how you have trained it to act. No more adapting your work habits to generic rules written by a third party and wondering how to fill in security gaps that the rules did not tell you about.

Recently, Vectra published the 2018 Black Hat Edition of the Attacker Behavior Industry Report, which covers the period from January through June 2018. While there are plenty of threat-research reports out there, this one offers unique insights about real-world cyberattacker behaviors found in cloud, data center and enterprise networks.

Recently, we made an alarming discovery: hackers are using hidden tunnels to break into and steal from financial services firms! Clearly, this is serious business if it involves bad guys targeting massive amounts of money and private information. But what exactly are we dealing with? Let's dig into what hidden tunnels are and how I find them to uncover the answer.

In my last blog, I spoke about a financial customer performing pen testing and how I helped the blue team detect the red team as it carried-out an attack. I'm back again today with another story from the trenches.

Vectra® was recently positioned as the sole Visionary in the Gartner 2018 Magic Quadrant for Intrusion Detection and Prevention Systems (IDPS). Over the years, intrusion detection systems (IDS) have converged with intrusion prevention systems (IPS) and the two are now known collectively as IDPS.

The security industry is rampant with vendors peddling anomaly detection as the cure all for cyberattacks. This is grossly misleading. The problem is that anomaly detection over-generalizes: All normal behavior is good; all anomalous behavior is bad-without considering gradations and context. With anomaly detection, the distinction between user behaviors and attacker behaviors is nebulous, even though they are fundamentally different.

The need to block threats within milliseconds locks IDS/IPS into using signatures for detections. While signatures can detect a wide variety of threats, they rely on the fast-pattern-matching of known threats.

Recently, it came to our attention that HP DVLabs has uncovered at least tenvulnerabilitiesin the Belkin N300 Dual-Band Wi-Fi Range Extender (F9K1111). As this is the first update issued for the F9K1111 and there were not any public triggers for the vulnerabilities, we thought it would be interesting to take a deeper look.

Recently, Kasperky Labs disclosed that it was the victim of a sophisticated cyber attack, which they have named Duqu 2.0. The team at Kaspersky Labs has published a detailed analysis of Duqu 2.0 and it's definitely worth a read.

Updated June 3, 2015 11:00 AM(see details)Recently a popular privacy and unblocker application known as Hola has been gaining attention from the security community for a variety of vulnerabilities and highly questionable practices that allow the service to essentially behave as a botnet-for-hire through its sister service called Luminati. Vectra researchers have been looking into this application after observing it in customer networks over the past several weeks, and the results are both intriguing and troubling. In addition to its various botnet-enabling functions that are now part of the public record, the Hola application contains a variety of features that make it an ideal platform for executing targeted cyber attacks.

Keeping data from getting out into the wild or being damaged by cyber attackers is what keeps CISOs, the executive team and boards of directors up at night. To protect organizations, cybersecurity needs to be automated and real-time, it needs to learn contextually like we do and it needs to monitor for threats at every corner of the network in a way that organizations can afford without sacrificing coverage.

On June 6th, Forbes reporter Kashmir Hill wrote about an NSF researcher who misused NSF-funded supercomputing resources to mine Bitcoin valued between $8,000 and $10,000. The article points to a student at London Imperial College and a researcher at Harvard University who are also alleged to have used their University's computers to mine a similar virtual currency called Dogecoin.