ExtraHop has expanded its decryption support for Microsoft authentication and application protocols. The aim is to let customers detect attackers abusing those protocols, whether to attack infrastructure or to exfiltrate data from an organisation.
ExtraHop claims: “This first-and-only decryption capability detects a new class of advanced attacks, including ‘living-off-the-land’ and Active Directory Kerberos Golden Ticket attacks, that exploit proprietary Microsoft protocols to evade security controls and traditional monitoring tools like next-generation firewalls (NGFW) and web proxies. Advanced decryption also detects high risk CVE exploitation such as PrintNightmare, ZeroLogon, and ProxyLogon, and provides proactive defense against future zero-day exploits.”
Both of these attack techniques are on the rise and have proven difficult to detect and prevent. Living-off-the-land is especially effective because attackers use the Microsoft tools and protocols already present in the environment, so their activity blends in with legitimate administration.
Sri Sundaralingam, VP, Security and Cloud Solutions at ExtraHop, said: “Organizations are blind to encrypted malicious activity happening laterally within the east-west corridor.
“Even technologies like firewalls and encrypted traffic analysis that claim to provide visibility fail to detect attacks that use encrypted communications to exploit vulnerabilities commonly seen in advanced threat campaigns. ExtraHop Reveal(x) 360 can identify—with fidelity—exploitation and protocol abuse associated with major CVEs, both today and in the future.”
ExtraHop seeking to fix failings in traditional detection techniques
In an updated blog post, Jesse Munos, technical marketing manager at ExtraHop, addresses the problem of detecting such attacks. Munos points out that most detection techniques were designed to work on cleartext. Once the traffic is encrypted, those techniques fail.
Additionally, Munos points out that gateway devices only inspect traffic that passes through them. Attacks such as living-off-the-land that rely on lateral movement between internal hosts never cross the gateway, so those devices are blind to them.
Even encrypted traffic analytics (ETA) does not escape Munos’ criticism. “While ETA has been around for years as the primary method to detect malicious-looking encrypted traffic, it is false-negative prone and fails to detect many attacks that do not produce a statistically relevant quantity of data or leverage protocols that are common within Active Directory environments such as the use of SMBv3 in PrintNightmare.
“In addition, the focus on statistical analysis creates a dearth of rich, contextual data while also leaving security personnel blind to the content of traffic. The result is a lengthy and error-prone data forensics, investigation, and response process.”
Enter ExtraHop Reveal(x) 360
The solution ExtraHop has come up with is ExtraHop Reveal(x) 360. The company claims it will detect: “sophisticated emerging attack techniques with line-rate decryption of the most commonly abused Microsoft protocols such as SMBv3, Active Directory Kerberos, Microsoft Remote Procedure Call (MS-RPC), NTLM, LDAP, WINRM, in addition to TLS 1.3.”
In the press release, ExtraHop says Reveal(x) 360 customers can:
- Prevent unauthorized access and privilege escalation attempts via Microsoft Active Directory infrastructure.
- Monitor for ‘living-off-the-land’ tactics used during east-west lateral movements to expose hidden threats.
- Defend against high risk vulnerabilities like PrintNightmare and Microsoft Active Directory being exploited in advanced threat campaigns to carry out disruptive attacks.
ExtraHop also says that Reveal(x) 360 has been designed for continuous packet capture and full-stream reassembly, and that it targets visibility into encrypted traffic at speeds of up to 100Gbps. This matters. In-line decryption appliances add latency to every connection they handle; a passive sensor fed from a tap or SPAN port does not, but it then has to obtain session keys some other way, because TLS 1.3 uses only ephemeral key exchange and cannot be decrypted from the wire with the server’s private key alone. Prospective customers should ask how the keys are obtained and what that requires of the endpoints. 100Gbps might sound fast, but this is not just about traffic flowing in and out of the network; it is about all traffic.
To detect living-off-the-land techniques and avoid the failures Munos describes, it must see all traffic across the network, not just at the perimeter. ExtraHop claims this is an unparalleled level of traffic inspection; customers will want to verify that against their own traffic volumes and sensor placement.
One benefit that ExtraHop is also claiming for Reveal(x) 360 is that it delivers forensic-level record data on encrypted traffic. It says this includes: “Information such as the specific SQL queries, commands sent via MS-RPC, and LDAP enumeration behavior.”
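To make the difference between Munos’ two views concrete, the following is an added example (written for this article, not ExtraHop code, and not the schema of any product): it runs a simple LDAP enumeration check over constructed, already-decrypted search records and sets it beside the per-client volume figures that a statistics-only view would have. Field names, the list of “wide” filters and the thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Added example: decrypted LDAP records versus a statistics-only view.
# All records below are constructed; field names are assumptions, not
# the record format of any vendor's product.

@dataclass(frozen=True)
class LdapSearch:
    ts: float       # seconds since start of capture
    client: str     # client IP
    filter: str     # LDAP search filter as sent on the wire
    scope: str      # "base", "one" or "sub"
    results: int    # entries returned

# Filters that, with subtree scope over the domain, pull whole object
# classes. Typical of directory enumeration tooling; illustrative list.
WIDE_FILTERS = frozenset({
    "(objectclass=*)",
    "(objectclass=user)",
    "(objectclass=group)",
    "(objectclass=computer)",
    "(objectclass=trusteddomain)",
    "(samaccounttype=805306368)",   # user accounts
})

def _norm(f: str) -> str:
    """Case- and whitespace-insensitive filter comparison."""
    return f.lower().replace(" ", "")

def is_wide_search(s: LdapSearch) -> bool:
    """True for subtree searches whose filter selects an entire object class."""
    return s.scope == "sub" and _norm(s.filter) in WIDE_FILTERS

def flag_enumeration(searches, window=120.0, min_distinct=3):
    """Clients issuing >= min_distinct different wide searches within `window` seconds.

    Returns {client: sorted list of the normalised wide filters in the offending window}.
    """
    per_client = defaultdict(list)
    for s in searches:
        if is_wide_search(s):
            per_client[s.client].append(s)
    flagged = {}
    for client, wide in per_client.items():
        wide.sort(key=lambda s: s.ts)
        start = 0
        for end in range(len(wide)):          # sliding time window
            while wide[end].ts - wide[start].ts > window:
                start += 1
            distinct = {_norm(s.filter) for s in wide[start:end + 1]}
            if len(distinct) >= min_distinct:
                flagged[client] = sorted(distinct)
                break
    return flagged

def per_client_volume(searches):
    """What a statistics-only view sees: (query count, total results) per client."""
    vol = defaultdict(lambda: [0, 0])
    for s in searches:
        vol[s.client][0] += 1
        vol[s.client][1] += s.results
    return {c: tuple(v) for c, v in vol.items()}

# Constructed capture: an application server doing many narrow lookups,
# an enumeration tool pulling whole classes, and an admin running one
# wide search.
SAMPLE = [
    *[LdapSearch(10.0 + i, "10.0.0.5", f"(sAMAccountName=svc{i})", "sub", 1) for i in range(8)],
    LdapSearch(40.0, "10.0.0.77", "(objectClass=user)", "sub", 2100),
    LdapSearch(41.5, "10.0.0.77", "(objectClass=group)", "sub", 640),
    LdapSearch(43.0, "10.0.0.77", "(objectClass=computer)", "sub", 900),
    LdapSearch(45.0, "10.0.0.77", "(objectClass=trustedDomain)", "sub", 2),
    LdapSearch(300.0, "10.0.0.9", "(objectClass=computer)", "sub", 900),
]

if __name__ == "__main__":
    print("volume only:", per_client_volume(SAMPLE))
    print("enumeration:", flag_enumeration(SAMPLE))
```

On the constructed sample, the volume view ranks the application server first by query count and cannot tell the admin’s single wide search from the enumeration tool’s by result size alone; only the filters and scopes in the decrypted records separate the three clients. Thresholds like these would need tuning against a real directory, where backup agents and identity connectors also issue wide searches.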
Enterprise Times: What does this mean?
Encryption has always been a double-edged sword. It protects data from malicious actors but, when misused, protects malicious actors from being detected. ExtraHop is looking to provide greater visibility into what is flowing around and not just in and out of a network.
It is a key challenge on two fronts. There is a scale challenge, given the volume of data flowing around a network, and an analytics challenge, because security teams have far more data to deal with. With Reveal(x) 360, ExtraHop believes it can handle the scale and reduce the workload on security teams, using a mix of AI, statistical analysis and rules applied to network traffic to understand what it is seeing.
Importantly, a forensic-level view of that data opens up new ways of looking at what flows around a network. Being able to see inside SQL queries at wire speed, for example, could reveal signs of unauthorised data access much earlier than a flow-level view would.
What ExtraHop has not provided is any data from early adopters. It would have been interesting to see how many previously undetected attacks were discovered. That would also have given evidence on latency risks and on deployment challenges, such as where sensors need to sit to be most effective.