Expected metadata sharing activity, multi-home fronted tunnel and related Cognito detections
Cognito connects to Vectra cloud infrastructure to maintain health monitoring services for customers via api.vectranetworks.com and automatic updates via update2.vectranetworks.com. Additionally, for customers who have opted-in to sharing detection metadata with Vectra (for the purpose of improving overall detection efficacy), Cognito will connect to metadata.vectranetworks.com to send the detection metadata.
Metadata shared with Vectra over this connection includes anonymized detection and algorithm precursor event details. Personally identifiable information such as IP addresses, internal domain names, usernames, and Kerberos service and host names is replaced with a salted hash of that information.
If Cognito sensors monitor the outbound connection of the management port to the internet, it may trigger Hidden HTTPS Tunnel, Multi-home fronted tunnel and/or Smash and Grab detections to api.vectranetworks.com, update2.vectranetworks.com and metadata.vectranetworks.com. This is because Cognito uses a tunnel connection over HTTPS to communicate with Vectra cloud infrastructure. Traffic over this tunnel is strongly encrypted. Vectra does not whitelist or change any detection models simply because Cognito is the source or the Vectra cloud is the destination of the traffic.
Detection metadata sharing is sent via the tunnel consistently in small batches as detection or precursor events occur. Metadata activity will be consistent for customers with many detections or more sporadic for those with lower detection rates. This anonymized metadata stream typically triggers a C&C HTTPS Hidden Tunnel detection due to small volumes being sent over longer timespans, similar to typical C&C interactions.
Connections to the automatic update server (update2.vectranetworks.com) and Recall instances (collector.*.recall.vectra.ai) may result in Multi-home fronted tunnel detections.
Any instability in the tunnel connection between the Cognito Brain and the Vectra cloud will cause Cognito to wait until a stable connection can be reestablished before sending all of the detection metadata that has built up since the last transmission. The resulting larger transmission of data over the tunnel will trigger a Hidden HTTPS Tunnel Exfil or Smash and Grab detection, as the backlog is also sent in consecutive small batches until it is depleted.
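The destination/detection pairs described above can be turned into a triage aid that tags Brain-originated detections as expected self-traffic for analyst review, without suppressing them. This is an added example, not Vectra code: the Brain management IP, the event records and the `Hidden HTTPS Tunnel Exfil` mapping to the metadata host are assumptions for illustration.

```python
"""Triage helper for detections whose source is the Cognito Brain itself.
Added example, not Vectra code. Destination/detection pairs follow the article
above; Brain IPs and sample events are constructed."""
from fnmatch import fnmatchcase

TUNNEL_TYPES = {"Hidden HTTPS Tunnel", "Multi-home fronted tunnel", "Smash and Grab"}
# Destinations the article lists -> detection types it says they may trigger.
# Patterns are shell-style; '*' also spans dots, so one entry covers every Recall region.
EXPECTED = {
    "api.vectranetworks.com": TUNNEL_TYPES,
    "update2.vectranetworks.com": TUNNEL_TYPES,
    "metadata.vectranetworks.com": TUNNEL_TYPES | {"Hidden HTTPS Tunnel Exfil"},  # assumed
    "collector.*.recall.vectra.ai": {"Multi-home fronted tunnel"},
}

def expected_pattern(host):
    """Return the EXPECTED pattern matching a destination host, or None."""
    host = host.lower().rstrip(".")
    for pattern in EXPECTED:
        if fnmatchcase(host, pattern):
            return pattern
    return None

def triage(event, brain_ips):
    """Classify one detection event.
    'expected'  : Brain management IP -> documented Vectra destination, documented type.
    'review'    : Vectra destination, but wrong source or a type the article does not cover.
    'unrelated' : not a Vectra cloud destination; triage as any other detection."""
    pattern = expected_pattern(event["dst_host"])
    if pattern is None:
        return "unrelated"
    if event["src_ip"] in brain_ips and event["detection"] in EXPECTED[pattern]:
        return "expected"
    return "review"

def triage_all(events, brain_ips):
    """Return {verdict: [event, ...]} so expected noise is reviewed as a group
    rather than whitelisted (the article notes Vectra does not whitelist it)."""
    buckets = {"expected": [], "review": [], "unrelated": []}
    for event in events:
        buckets[triage(event, brain_ips)].append(event)
    return buckets

# Constructed sample data: 10.0.0.5 stands in for the Brain's management interface.
BRAIN_IPS = {"10.0.0.5"}
SAMPLE_EVENTS = [
    {"src_ip": "10.0.0.5", "dst_host": "metadata.vectranetworks.com", "detection": "Hidden HTTPS Tunnel"},
    {"src_ip": "10.0.0.5", "dst_host": "collector.eu1.recall.vectra.ai", "detection": "Multi-home fronted tunnel"},
    {"src_ip": "10.0.0.5", "dst_host": "collector.eu1.recall.vectra.ai", "detection": "Smash and Grab"},
    {"src_ip": "10.0.0.77", "dst_host": "api.vectranetworks.com", "detection": "Hidden HTTPS Tunnel"},
    {"src_ip": "10.0.0.77", "dst_host": "cdn.example.net", "detection": "Hidden HTTPS Tunnel"},
]
```

A non-Brain source reaching a Vectra cloud host lands in `review` on purpose: the article only describes the Brain's own management-port traffic as expected.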
Vectra detections are demarcated based on active host sessions; typically a host session times out after 2 hours of inactivity on a given IP address. Each time a behavior repeats within a host session, it is simply added as another detail row on the existing detection container/page, with the last-seen time and total volume being updated. In the case of the Vectra appliance, the host session will likely remain active for an extended period, so a small number of detections represents aggregate activity over several months.
On the hidden tunnel detection pages, each new detection event becomes a row on the Recent Activity table. This table holds the 100 most recent events that triggered the algorithm to fire a detection. The summary widget in the upper left-hand corner of the detection page provides the aggregated statistics for all of the detail rows, including the time range spanned.
On the Smash and Grab detection pages, each new detection destination becomes a row on the Recent Activity table. Each destination entry holds up to 50 of the most recent events that triggered the algorithm to fire a detection, and there is no limit on the number of destination rows per detection. The summary widget in the upper left-hand corner of the detection page provides the aggregated statistics for all of the detail rows, including the time range spanned.