
Vectra Response to FireEye breach

FireEye has reported that a state-sponsored adversary stole their internal Red Teaming tools. The stolen tools did not contain 0-day exploits and were reported as being “simple scripts” and “similar to publicly available technologies such as CobaltStrike and Metasploit.” While the technology may differ, the underlying attack behaviors remain the same. This leads neatly onto the main selling point and benefit of the Vectra Cognito platform over a traditional signature-based system.

Since our platform looks for network behaviors instead of signatures, there is rarely a need for us to implement detections for specific attacks. Identifying attacks by signature relies on having an up-to-date signature for every attack, a race the SOC can never win. Our detection portfolio relies on detecting the attacker's actions without needing to know the specific version of the specific tool the attacker uses.

Even if individual attacks in the leaked toolset turn out not to be covered by our existing detection portfolio, the breadth of detections we do offer makes it extremely likely that the majority of an attacker's behavior will be detected, so a number of existing Cognito detections would be triggered as soon as the attacker starts exploring a target environment.

Vectra's Security Research team has enhanced our Recall product to identify some of the signatures published by FireEye. These searches can be used as custom detections in Detect for enhanced alerting and detections. The saved searches are listed below: 

  • Cognito TTP - HTTP - FireEye Red Team Tools CSBundle Original Stager
  • Cognito TTP - HTTP - FireEye Red Team Tools GORAT.[SID1]
  • Cognito TTP - HTTP - FireEye Red Team Tools CSBundle NYTIMES GET
  • Cognito TTP - HTTP - FireEye Red Team Tools USAToday GET
  • Cognito TTP - HTTP - FireEye Red Team Tools CSBundle Original POST
  • Cognito TTP - HTTP - FireEye Red Team Tools Yelp Request
  • Cognito TTP - HTTP - FireEye Red Team Tools NYTIMES POST
  • Cognito TTP - HTTP - FireEye Red Team Tools CSBundle Original GET
  • Cognito TTP - X509 - FireEye Red Team Tools CSBundle Ajax
  • Cognito TTP - HTTP - FireEye Red Team Tools Office POST
For some additional detail, please see Vectra's blog about this here:
