
Vendor News

Reveal(x) ‘Lit Up Like a Christmas Tree’ in Red Team Exercise

15 December 2023

Steve Dakhe didn’t know what to expect when he received an urgent call from an ExtraHop customer following an unexpected red team exercise. As it happened, Dakhe, a customer success manager with ExtraHop, had no need to worry; the customer was calling him to explain how well the ExtraHop Reveal(x) network detection and response (NDR) platform performed.

Reveal(x) detected more than a dozen attacker tactics and techniques the red team used, according to the customer’s SOC director. Reveal(x) “lit up like a Christmas tree,” he said, and saw “everything” when the attackers installed a command and control (C2) beacon, moved laterally, employed living-off-the-land techniques, and more.

On the First Day of Christmas My Red Team Sent to Me: Social Engineering

The red team exercise began with a social engineering attack designed to bypass the organization’s email security. Members of the red team, pretending to be part of the organization’s IT staff, called employees and asked them to install what was presented as network speed testing software. A couple of employees took the bait and downloaded malware disguised as the speed testing software onto their computers.

The malware on the employees’ computers, which the company’s endpoint security tools did not detect, used PowerShell and WMIC to remotely launch a Cobalt Strike beacon. Reveal(x) immediately picked up on that activity. And when the Cobalt Strike beacon established a C2 connection, Reveal(x) picked up on that, too.