Being the Hunter in ExtraHop
I went to the ExtraHop Demo Website I picked the be the hunter scenario. This is supposed to simulate the different stages of a real-world attack to show how the ExtraHop Reveal(x) product can detect and respond to a threat. Here is a document that shows how the ExtraHop system works (Introduction to the ExtraHop system.dotx). All the demos look interesting and for the Log4j demo there is a blog explaining how the vulnerability exploited (Log4j Exploits Explained).
Exploring ExtraHop
There is a list of what has been detected in the environment. There is a scoring mechanism and the highest rated seems to be exploitation or where actions on objective have been observed. What is interesting is how the product has even detected reconnaissance attempts, lateral movement, command & control, and vulnerability around lack of hardened systems.
When selecting one of these vulnerabilities you can see details and can interact with the UI to even see where the external endpoint is (Russia).
Can even see the victim machine and scrolling down the details there is a link to activity maps.
The activity map is interactive and shows quite a bit more detail about how this one system being compromised affected other workstations.
Even Detailed Records and Packets of all the activities related to this vulnerability that was exploited.
There is information referenced from MITRE and background information about the attack. There’s also information and links for CVE at the bottom of the section.
What’s also neat is how you can go to the MITRE MAP and see all the various types of detections that have been discovered.
The Overview has information related to Threat Briefings, Open Detections, Detection Types, Detections by Operations Category, and Top Offenders. The Dashboard has quite a bit of information about the overall Active Directory setup.
There is a Threat Hunting Dashboard and here you can drill down to investigate various threats.
There is even a listing of Assets and what kinds of activity has been detected.
You can even look through Packets and download packet captures (PCAP).
CSIRT and SOC ExtraHop Usage
From Johansen’s book, the Computer Security Incident Response Team (CSIRT) core team consists of personnel who have incident response duties that are proactive and reactive. The proactive services include providing training to non-CSIRT staff, providing summaries on emerging security threats, testing and deployment of security tools such as endpoint detection and response tools, and assisting security operations by crafting IDS/IPS alerting rules (Johansen, 2020). The reactive services revolve around responding to incidents as they occur, and address the entire incident response process including the acquisition and examination of evidence, assisting in containment, eradication, and recovery efforts, and finally documenting the incident (Johansen, 2022). The Security Operations Center (SOC) serves as the point person when it comes to incident detection and alerting. The SOC analyst is trained in incident identification and response techniques and serves as an almost immediate response to a potential security incident (Johansen, 2022).
CSIRT and SOC ExtraHop MITRE ATT&CK
For the SOC analyst ExtraHop could help to quickly detect and automate alerts as well as prioritize them to address critical vulnerabilities or even active attacks. There is even tooling within ExtraHop to actively stop attacks before they go any further. For the CSIRT, the ExtraHop MITRE Map can definitely be insightful to determine if there are many Initial Access, Execution, Persistence, Privilege Escallation, Defense Evation, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command and Control, or Impacts. This may help the CSIRT address the greatest types of MITRE ATT&CK vulnerabilities detected to focus an effort to address security deficiencies. Both the CSIRT and the SOC analyst can leverage things like the ExtraHop Activity Map functionality to detect which other machines have been compromised, and then leverage traffic data that has already been collected. This data can then be saved and stored as network evidence for future analysis.
Tool Aggregation Advantages
The tool is impressive and visually appealing and the integration of multiple systems and all the data from those systems can help the CS Analyst more quickly determine if there has been a breach. It would take a lot of manual effort to look into all the various assets and determine that there was something wrong. Then afterwards to trace through all the other interconnected machines and then check each machine would be very tedious work. There is even a good chance you would miss detecting something and leaving a compromised asset unchecked for months or years before knowing something was wrong. Having everything linked and integrated into one tool definitely has advantages with speed to analyze and then address issues very real time.
Reference
- ExtraHop Demo Website
- Introduction to the ExtraHop system Document
- Log4j Exploits Explained
- Johansen, G. (2020). Digital Forensics and incident response: Incident response techniques and procedures to respond to modern cyber threats. Packt Publishing Limited.