High Volume of Hidden HTTPS Tunnel with Type Abnormal Beacon

Vectra uses multiple algorithmic approaches to identify hidden tunnels. One approach is driven by the observation of active beacons with anomalous TLS infrastructure and target destinations. Tunnel events identified with this approach are reported with a triageable Tunnel Type value of "Multiple short TCP sessions - Abnormal Beacon".

While we have optimized this alert to adapt and evolve to each customer environment, some customers may find that "Multiple short TCP sessions - Abnormal Beacon" alerts are too sensitive for parts of their environment. In these cases we recommend creating a triage rule that applies only to the "Multiple short TCP sessions - Abnormal Beacon" tunnel type and, if possible, defining the set of subnets where this rule should apply. Even with this triage rule in place, customers still have effective, scored coverage of Hidden HTTPS Tunnel behavior generated by active command-and-control tools such as Cobalt Strike and Metasploit, because the other Vectra tunnel types continue to detect it. Any triaged alerts also remain visible in the console for review in the context of other host detections.