ExtraHop expands decryption capabilities in Microsoft environments

The new decryption product, named ExtraHop Reveal(x) 360, detects a new class of advanced attacks, including ‘living-off-the-land’ and Active Directory Kerberos Golden Ticket attacks, which exploit proprietary Microsoft protocols to evade security controls and traditional monitoring tools.

The newly released product also detects exploitation of high-risk Common Vulnerabilities and Exposures (CVEs), such as PrintNightmare, ZeroLogon, and ProxyLogon, as well as providing proactive defence against future zero-day exploits.

Unlike more traditional measures such as next-generation firewalls (NGFW) and web proxies, ExtraHop Reveal(x) 360 detects sophisticated emerging attack techniques with decryption of commonly abused Microsoft protocols, such as SMBv3, Active Directory Kerberos and Microsoft Remote Procedure Call (MS-RPC).

This capability also detects post-compromise activity that may be missed by encrypted traffic analysis (ETA), including ransomware campaigns that exploit the PrintNightmare vulnerability.


“Organisations are blind to encrypted malicious activity happening laterally within the east-west corridor,” said Sri Sundaralingam, vice-president, security and cloud solutions at ExtraHop.

“Even technologies like firewalls and encrypted traffic analysis that claim to provide visibility fail to detect attacks that use encrypted communications to exploit vulnerabilities commonly seen in advanced threat campaigns.

“ExtraHop Reveal(x) 360 can identify — with fidelity — exploitation and protocol abuse associated with major CVEs, both today and in the future.”

Encrypted protocols

According to a global Joint Cybersecurity Advisory, encrypted protocols such as Microsoft Server Message Block v3 are used to mask lateral movement and other advanced tactics in 60% of the 30 most exploited network vulnerabilities.

Of the top 11 most exploited vulnerabilities, four involve Microsoft systems, and three of those four can be exploited via an encrypted channel.

With Microsoft Active Directory and Microsoft Exchange proving common targets for threat actors in recent times, security measures need to constantly evolve to ensure proper protection.

“In 2021, the sophistication of ransomware has increased significantly, with techniques that were once the sole purview of nation states now regularly being used for illicit financial gain,” said Jon Oltsik, senior principal analyst at Enterprise Strategy Group (ESG) Research.

“This new class of attacks, including Living-off-the-Land and Active Directory Golden Ticket, exploits organisations’ biggest blind spot — encrypted traffic. ExtraHop has long supported secure decryption of east-west SSL and TLS 1.3 traffic, and can now extend that support for critical Microsoft protocols at the centre of today’s most insidious attacks.”


Aaron Hurst

Aaron Hurst is Information Age's senior reporter, providing news and features around the hottest trends across the tech industry.