What is Vectra Threat Intel?
Vectra Threat Intel is a set of threat intelligence feeds managed and curated by Vectra. Threat intelligence can provide fast, labeled coverage of known threats. This capability augments the existing AI behavioral detections, which provide broad, durable coverage for both known and unknown threats. Combining the signal from behavioral detections with high-quality threat intelligence that is constantly updated allows for the best of both worlds: durable coverage for known and unknown threats with the speed of detection and confidence to respond.
Who has access to Vectra Threat Intel?
Vectra Threat Intel is available to all customers with their Detect license. The feature has been enabled by default on all systems.
Where does Vectra Threat Intel come from?
Vectra Threat Intel’s IoCs are curated and managed directly by Vectra. Vectra Threat Intel does not rely on any open source threat feeds and only considers the highest quality indicators, to ensure no threat goes undetected. Indicators are continuously updated to keep up with the evolving attacker landscape and maximize the relevance of the tracked indicators.
What functionality comes from Vectra Threat Intel?
Vectra Threat Intel contains the IP and domain indicators which feed the Vectra Threat Intel Match detection. This detection monitors all in-to-out traffic and all DNS requests to find threat actors connecting or attempting to connect to attacker infrastructure.
Each alert’s page contains rich context about the data exchange, connection times and, most importantly, the names of the threat actors and the tools that have been associated with the IoCs. Included with the detections are PCAP captures relevant to the flagged IoCs, for deeper inspection of the attackers’ actions. Interacting with the IPs and domains which have been alerted on provides additional information to help jump-start investigations, such as other related IoCs and whois information.
Vectra Threat Intelligence is not available for use outside of the Detect platform.
Why do I see the same IOC on a host machine and my name server / domain controller?
In some environments, when an IoC matches on a host there may also be an alert for that IoC on the name server. This does not necessarily mean that the name server or domain controller is infected or interacting with an attacker’s infrastructure; instead, this may be the result of the name server / domain controller resolving the IoC on behalf of the host.
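To illustrate the resolver-on-behalf-of-host case, here is an added example (not Vectra code) that correlates a resolver's own lookups of a flagged domain with the internal client queries that preceded them, over a constructed DNS log; the log format, the resolver address 10.1.0.53 and the 5-second window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample DNS query log: timestamp, source IP, destination IP, queried name.
# Not real data: 10.1.0.53 is assumed to be the internal resolver, 10.1.2.3 a workstation.
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:00.000,10.1.2.3,10.1.0.53,flagged-c2.example
2024-05-01T10:00:00.040,10.1.0.53,198.51.100.7,flagged-c2.example
2024-05-01T10:02:30.000,10.1.0.53,198.51.100.7,flagged-c2.example
2024-05-01T10:03:00.000,10.1.4.9,10.1.0.53,benign.example
"""

RESOLVERS = {"10.1.0.53"}            # assumed internal name servers / domain controllers
FLAGGED = {"flagged-c2.example"}     # constructed placeholder for a matched IoC


def parse_log(text):
    rows = []
    for line in text.splitlines():
        ts, src, dst, name = line.split(",")
        rows.append((datetime.fromisoformat(ts), src, dst, name))
    return rows


def attribute_resolver_matches(rows, resolvers, flagged, window=timedelta(seconds=5)):
    """For every flagged lookup made BY a resolver, find the internal client whose
    query to that resolver (same name, shortly before) it most likely forwarded.
    Returns a list of (resolver_timestamp, resolver_ip, name, client_ip_or_None);
    None means no client asked, so the resolver's own activity needs a closer look."""
    results = []
    for ts, src, dst, name in rows:
        if src not in resolvers or name not in flagged:
            continue
        origin = None
        for cts, csrc, cdst, cname in rows:
            if (cname == name and cdst == src and csrc not in resolvers
                    and timedelta(0) <= ts - cts <= window):
                origin = csrc        # keep the latest client query inside the window
        results.append((ts, src, name, origin))
    return results


if __name__ == "__main__":
    for ts, resolver, name, client in attribute_resolver_matches(
            parse_log(SAMPLE_DNS_LOG), RESOLVERS, FLAGGED):
        print(ts, resolver, name, "forwarded for", client or "<no client: investigate resolver>")
```

The second resolver lookup has no preceding client query, which is the case where the name server itself merits investigation.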
Can I use my own threat intel with Vectra?
Customers who have threat intel feeds relevant to their own environment or from other providers can upload them as STIX files to device.dpl.tvec/manage/threat-feeds. Matches against the uploaded indicators will appear as Threat Intel Match detections.
Custom threat intel feeds can be used in conjunction with Vectra Threat Intel and will behave independently with both contributing to host scoring.
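As an added example (not Vectra code), the following builds a custom feed of IP and domain indicators as a STIX 2.1 JSON bundle and reads the indicators back out as a pre-upload sanity check. It assumes the threat-feeds page accepts STIX 2.1 bundles (the page only says "STIX files"); the indicator values are documentation-range placeholders.

```python
import ipaddress
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed sample feed: (value, kind, label). Placeholder values, not real indicators.
SAMPLE_IOCS = [
    ("203.0.113.5", "ipv4", "placeholder C2 address"),
    ("bad.example", "domain", "placeholder C2 domain"),
]

_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)


def stix_pattern(value, kind):
    """Validate an IoC and render it as a STIX 2.1 comparison pattern."""
    if kind == "ipv4":
        ipaddress.IPv4Address(value)            # raises ValueError on malformed input
        return f"[ipv4-addr:value = '{value}']"
    if kind == "domain":
        if not _DOMAIN_RE.match(value):
            raise ValueError(f"not a domain name: {value!r}")
        return f"[domain-name:value = '{value}']"
    raise ValueError(f"unsupported indicator kind: {kind}")


def is_valid_ioc(value, kind):
    try:
        stix_pattern(value, kind)
        return True
    except ValueError:
        return False


def build_bundle(iocs, created=None):
    """Wrap (value, kind, label) tuples in a STIX 2.1 Bundle of Indicator objects."""
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    objects = [{
        "type": "indicator", "spec_version": "2.1", "id": f"indicator--{uuid.uuid4()}",
        "created": created, "modified": created, "valid_from": created,
        "name": label, "indicator_types": ["malicious-activity"],
        "pattern_type": "stix", "pattern": stix_pattern(value, kind),
    } for value, kind, label in iocs]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def extract_iocs(bundle_json):
    """Pull (STIX object type, value) pairs back out of a serialized bundle."""
    found = []
    for obj in json.loads(bundle_json).get("objects", []):
        m = re.fullmatch(r"\[(ipv4-addr|domain-name):value = '([^']+)'\]", obj.get("pattern", ""))
        if obj.get("type") == "indicator" and m:
            found.append((m.group(1), m.group(2)))
    return found


def bundle_roundtrip(iocs):
    """Serialize a feed and parse it back; what comes out should equal what went in."""
    return extract_iocs(json.dumps(build_bundle(iocs)))
```

Write `json.dumps(build_bundle(SAMPLE_IOCS), indent=2)` to a file to produce the STIX document to upload.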
How should I investigate a Vectra Threat Intel Match alert?
When a Vectra Threat Intel Match occurs, we recommend reviewing the alert in the context of other alerted behaviors to best understand the nature of the reported threat.
When single alerts trigger, we recommend you begin by interacting directly with the domains and IPs to understand what is publicly known about the indicators including what other software might have flagged the IOC and what malicious files might reference it.
How are Vectra Threat Intel Match alerts scored?
The threat score [50–99] is determined by the volume of data transferred, and the certainty score [30–90] is determined by the confidence (low, medium or high) that Vectra has in the associated threat indicator.
What information is in the Attacker Details field?
The Attacker Details field contains information about relationships between the flagged indicator and attacker groups, attacker tools and actions that stem from the indicator. In some cases we may be confident in the malicious actions related to an indicator but may not be able to provide any related Attacker Details.
How can I triage Vectra Threat Intel Match alerts?
Vectra Threat Intel Matches can be triaged using Attacker Detail, IP or Domain.
Why do I see Vectra Threat Intel Match alerts with 0 bytes?
Vectra Threat Intel Match alerts will report when attackers connect or attempt to connect to external control points. These connections may be blocked or may occur with no data transfer. When such connections occur, 0 bytes will be reported; TCP and UDP header bytes are not reported.
Why can I not find references to the attacker group being associated with the alerted indicator on the internet?
Vectra Threat Intelligence does not come from open source feeds, so it will often include context in the Attacker Details that is not openly available online.
Can I disable Vectra Threat Intel?
Customers who do not wish to receive matches against Vectra Threat Intelligence can create triage rules against the alerts, or disable all such alerts from the Manage / Threat Feeds page at brain.dpl.tvec/manage/threat-feeds.