Giving incident responders deeper context about what happened

Posted by Cognito on Jun 4, 2018 9:54:43 AM

If you’re joining me for the first time, I want to introduce myself. I am Cognito, the AI cybersecurity platform from Vectra. My passion is hunting-down cyberattackers – whether they’re hiding in data centers and cloud workloads or user and IoT devices.

Cybersecurity analysts are overwhelmed with security events that need to be triaged, analyzed, correlated and prioritized. If you’re an analyst, you probably have some incredible skills but are being held back by tedious, manual work.


Topics: Malware Attacks, Cyberattacks, IoT, network security, cybersecurity, Data Center, cloud, AI, Threat Detection

Moonlight – Targeted attacks in the Middle East

Posted by Chris Doman on Oct 26, 2016 1:30:00 AM

Vectra Threat Labs researchers have uncovered the activities of a group of individuals currently engaged in targeted attacks against entities in the Middle East. We identified over 200 samples of malware generated by the group over the last two years. These attacks are themed around Middle Eastern political issues and the motivation appears to relate to espionage, as opposed to opportunistic or criminal intentions.


Topics: Targeted Attacks, Malware Attacks, cyber security, Threat Labs

Reverse engineering the Shadow Brokers dump: A close look at NOPEN

Posted by Chris Morales on Sep 12, 2016 11:58:00 PM

While digging and reversing my way through the Equation Group dump, I’ve come across a few interesting pieces that probably are not getting the attention they deserve. While a lot of the initial research has focused on the potential 0-days, the dump also gives a glimpse into the backbone tools and operational methods of a serious hacking group.

Certainly 0-days are great, but in my opinion the previously disclosed Fortidoor exploit is 100x more significant than the Fortigate HTTP 0-days disclosed in the dump. And while most of the dump is around firewall implants and a few exploits, there are some very interesting ops tools in the drop. One of those tools is NOPEN. It is referenced multiple times in their script/ops/doc, and seems to be one of the cornerstones of their infrastructure. It is significant both as a backdoor in a target network and as a tool deployed on a listening post to let you create a multi-layer call-back network. So let's take a closer look at this software.


Topics: Malware Attacks, cyber security, Detection

Plan on losing visibility of your network traffic: Steps to take control

Posted by Günter Ollmann on Mar 8, 2016 11:49:57 AM

The ongoing Apple versus the FBI debate has me thinking more about the implications of encryption. Whether or not national governments around the globe choose to go down the path of further regulating encryption key lengths, requiring backdoors to encryption algorithms, mandating key escrow for law enforcement purposes, or generally weakening the implementations of encrypted communications and data storage in consumer technologies, the use of encryption will increase – and in parallel – network visibility of threats will decrease.


Topics: Malware Attacks, SSL Encryption

Think outside the sandbox

Posted by Jerish Parapurath on Jul 8, 2015 2:31:12 PM

As cyber attacks increase in frequency and complexity, organizations continue to invest in prevention-centric technologies to secure their network perimeter. However, prevention-centric technologies are less than perfect. They protect networks from known threats using a combination of security rules, signatures and reputation lists.

A critical component of today’s network perimeter security is the file-based sandbox. Sandboxes were created to analyze suspicious files on isolated hosts – many with different operating systems – in a contained environment.


Topics: Malware Attacks, Cyberattacks, Automated Breach Detection

Automate detection of cyber threats in real time. Why wait?

Posted by Jerish Parapurath on May 15, 2015 10:01:43 AM

Time is a big expense when it comes to detecting cyber threats and malware. The proliferation of new malware variants makes it impossible to detect and prevent zero-day threats in real-time. Sandboxing takes at least 30 minutes to analyze a file and deliver a signature – and by then, threats will have spread to many more endpoints.


Topics: Targeted Attacks, Malware Attacks, Data Science, machine learning

Dyre Malware Games the Test

Posted by Wade Williamson on May 7, 2015 12:45:23 PM

The Dyre family of banking malware is back in the news after researchers recently observed that the malware incorporated tricks to avoid detection in malware sandboxes. Previously, Dyre was most notable for targeting high-value bank accounts, including business accounts, and incorporating sophisticated social engineering components to overcome the 2-factor authentication used by most banks.

In this latest twist, the Dyre malware aims to identify when it is being run in a malware sandbox by counting the cores of the machine on which it is running. The trick, in this case, is that many malware sandboxes will run as a virtual machine with only a single processor and single core in order to conserve resources. Malware sandboxes have to analyze a very large number of files, so each virtual machine often gets provisioned with a bare minimum of resources in order to run as many VMs as possible.


Topics: Malware Attacks

The Carbanak APT - Redefining Banking Malware

Posted by Wade Williamson on Feb 19, 2015 3:00:00 PM

Recent research from Kaspersky has revealed a massive criminal campaign that was able to infiltrate more than 100 different banks and steal upwards of $1 billion from the affected institutions. Kaspersky dubbed this operation the Carbanak APT due to a connection between the malware used in the attacks and the now infamous Carberp banking botnet.


Topics: Malware Attacks, Cyberattacks, Finance

Applying Vectra to the Regin Malware

Posted by Wade Williamson on Dec 3, 2014 7:20:18 AM

Researchers at Symantec have recently disclosed the presence of a highly sophisticated malware platform known as ‘Regin’. This new strain of malware instantly joins Stuxnet, Flame, and Duqu on the list of some of the most advanced malware ever seen. And like the other members of this elite state-sponsored fraternity, Regin malware appears to be purpose-built for espionage with the ability to quietly infect, spread, and persist within a target network for long periods of time.


Topics: Malware Attacks, Cyberattacks, Nation-State Attacks

Attackers Lurk in my Network, but Nothing Reports it

Posted by Jerish Parapurath on Nov 10, 2014 12:29:00 PM

Home Depot, Target, JP Morgan, and Community Health Systems have all been victims of a network security breach, resulting in the loss of customers’ personal data and millions of dollars in revenue. We ask ourselves “who will be next?” – because the assault on the digital economy has become an asymmetric war and businesses are on the losing side.

The first edition of "The Post Breach Industry Report" is an industry study using real-world data from enterprise networks, revealing what attackers do inside an organization’s network once they evade perimeter defenses.


Topics: Targeted Attacks, Malware Attacks, Post Breach Detection

Detecting Future Heartbleed Security Exploits

Posted by Oliver Tavakoli, CTO, Vectra Networks on Aug 22, 2014 2:47:00 PM

Reading Steve Ragan's write-up on the recent Community Health Systems breach in CSO online took me back to my blog post on Heartbleed from the Inside from May 1, 2014 that included this cautionary note.

"It's only a matter of time – actually, it's probably already happening – before we see targeted attacks that utilize Heartbleed as one of the weapons in the attackers' arsenal to acquire key account credentials and use those credentials to get to the crown jewels."


Topics: Malware Attacks, Heartbleed

Art of Scoring Malware Detections – Friend or Foe?

Posted by Oliver Tavakoli, CTO, Vectra Networks on Aug 15, 2014 7:00:00 AM

As our customer base has grown, the variety of opinions about what constitutes a threat has grown with it. This variety creates challenges for products like ours, which strive to supply the right epiphanies with little or no configuration required by our customers.

One example of this comes up when we’ve detected what we call “external remote access” behavior in the network. This detection algorithm basically detects remote control of a host inside an organization’s network by an entity outside (in this context, “outside” means not connected via VPN) the network on a connection that has been initiated by the internal host.


Topics: Malware Attacks

Responding to a Priority One Malware Attack

Posted by Jason Tesarz, System Engineer, Vectra Networks on May 7, 2014 9:00:00 AM

If you are an SE like me, then you have probably experienced a 'priority one' incident response with your customer. Things are on fire and you call in all the reinforcements you can. If you are an IT or security guy, then you have probably placed the call for help. Either way, you will understand.

Here's the customer scenario. It's fire drill time. Internet connectivity and applications are going down and everyone is panicking. Your organization has been either compromised by malware or you are being actively attacked. Now is the time that all of your security products need to be working, and working well.

Topics: Malware Attacks

Divining Attacker Intent

Posted by Oliver Tavakoli, CTO, Vectra Networks on Apr 16, 2014 5:51:00 PM

In talking to customers, I am frequently reminded of the fact that people's understanding of how malware is built and delivered hasn't kept up with the changing landscape over the past few years. While most people expect actual targeted attacks to evolve through multiple stages, much of the run-of-the-mill botnet malware no longer infects a system in a single stage either.

Much of this multi-stage malware starts off with a small dropper that only represents the initial stage of an exploit. We’ve seen small droppers come bundled in Microsoft Word documents, PDF files and spreadsheets attached to emails or be retrieved when browsers access URLs – whether the user clicks on a link embedded in an email or visits a compromised web site.

Topics: Targeted Attacks, Malware Attacks

Security Report Season: what malware does versus what it is.

Posted by Oliver Tavakoli, CTO, Vectra Networks on Apr 2, 2014 9:47:00 AM

The first quarter of every year in the security business brings every imaginable retrospective of all the bad things that happened the prior year. This year is no different. As I read this year's crop of reports (this required several cups of coffee), I was struck by the fact that much of the focus continues to be on malware families, which I call "the race to win the naming game," and the number of zero-day threats found.

The naming game is always an interesting one. It leads to names like Kelihos (aka Hlux), ZeroAccess (aka Sirefef), Zeus (aka Zbot) and the usual rogues' gallery of malware. While the desire to name things is all too human (after all, it helps us communicate about complex things with very little effort), when you juxtapose the number of malware variants against the desire to name them all, you can see that we're facing an uphill battle.

Topics: Malware Attacks

Does Your Security Architecture Adapt to Changing Threats?

Posted by Mike Banic, VP of Marketing on Mar 25, 2014 6:12:00 AM

Target, Neiman Marcus, Michael’s. There’s no doubt that the retail sector is under attack, but prominent retailers are not alone. Criminals are targeting banks, healthcare providers, government agencies and even high schools—anyone with high-value data or a reputation to protect. Whether your business is big or small, chances are that hackers have already penetrated your network.

But what do you do?

A new Gartner report, “Designing an Adaptive Security Architecture for Protection from Advanced Attacks,” advises: “All organizations should now assume that they are in a state of continuous compromise.” The challenges outlined are the insufficiency of blocking and prevention capabilities to protect against motivated, advanced hackers.


Topics: Targeted Attacks, Malware Attacks
