ExtraHop launches decryption support for Microsoft protocols to halt advanced attacks
ExtraHop has expanded decryption support for Microsoft authentication and application protocols, providing high-fidelity detection of malicious activity carried over the protocols involved in nearly two thirds of the most exploited network vulnerabilities.
This decryption capability detects a new class of advanced attacks, including 'living off the land' and Active Directory Kerberos Golden Ticket attacks.
These attacks abuse Microsoft protocols that perimeter-oriented security controls and traditional monitoring tools, such as next-generation firewalls (NGFW) and web proxies, do not inspect, and so evade them.
Advanced decryption also detects exploitation of high-risk CVEs such as PrintNightmare (CVE-2021-34527), ZeroLogon (CVE-2020-1472) and ProxyLogon (CVE-2021-26855), and provides proactive defence against future zero-day exploits, ExtraHop states.
According to a Joint Cybersecurity Advisory, encrypted protocols such as Microsoft Server Message Block v3 are used to mask lateral movement and other advanced tactics in 60% of the 30 most exploited network vulnerabilities.
Of the top 11 most exploited vulnerabilities, four involve Microsoft systems, and three of those four can be exploited via an encrypted channel.
To combat this, ExtraHop Reveal(x) 360 detects sophisticated emerging attack techniques with line-rate decryption of the most commonly abused Microsoft protocols, including SMBv3, Active Directory Kerberos, Microsoft Remote Procedure Call (MS-RPC), NTLM, LDAP and WinRM, in addition to TLS 1.3.
This decryption capability also detects post-compromise activity that encrypted traffic analysis (ETA) misses, including ransomware campaigns that exploit the PrintNightmare vulnerability, ExtraHop states.
ExtraHop Reveal(x) 360 decrypts and fully parses Microsoft Active Directory authentication protocols (Kerberos and NTLM) and Microsoft Windows application-level protocols passively and out of band (from mirrored traffic rather than inline), for rapid and accurate detection of advanced threat activity, the company states. Note that passive decryption of Kerberos-protected sessions is only possible when the sensor has been provisioned with the relevant keys (long-term account keys or forwarded session keys), so key provisioning, and the protection of those keys, is part of any such deployment.
Reveal(x) 360 also provides forensic level record data on encrypted traffic, including specific SQL queries, commands sent via MS-RPC, and LDAP enumeration behaviour for comprehensive investigation and response.
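The decrypted Kerberos records described above are what make Golden Ticket detection possible: once the TGT carried in a TGS-REQ can be read, a forged ticket shows itself through fields the KDC would never have produced. The following is an added example, not ExtraHop's code or schema; it runs three well-known Golden Ticket heuristics over a constructed set of parsed Kerberos records, and the record field names, the 10-hour policy lifetime and the sample data are assumptions made here for illustration.

```python
"""Golden Ticket indicators over decrypted Kerberos records (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class KrbRecord:
    """One decrypted Kerberos message. Field names are assumptions, not a vendor schema."""
    ts: datetime
    msg: str                  # "AS-REP" (KDC issues a TGT) or "TGS-REQ" (client presents a TGT)
    client: str               # principal named in the ticket
    src_ip: str
    etype: int                # ticket encryption type: 23 = RC4-HMAC, 17/18 = AES
    tgt_lifetime: timedelta   # endtime - starttime read from the decrypted TGT enc-part


RC4_HMAC = 23
MAX_TGT_LIFETIME = timedelta(hours=10)   # assumed domain policy (Windows default)
LOOKBACK = timedelta(hours=10)           # a valid TGT must have been issued within its lifetime


def golden_ticket_indicators(records, *, domain_uses_aes=True):
    """Return [(record, [reason, ...])] for each TGS-REQ whose TGT looks forged.

    Heuristics:
      1. The KDC never minted the TGT: no AS-REP for that principal in the lookback window.
         (Caveat: a TGT issued before the window, or on an unmonitored segment, also trips this.)
      2. Lifetime far beyond policy: forging tools default to multi-year tickets.
      3. RC4-HMAC ticket in an AES domain: a TGT forged from the krbtgt NT hash is RC4.
    """
    issued = defaultdict(list)   # principal -> timestamps of KDC-issued TGTs
    findings = []
    for r in sorted(records, key=lambda rec: rec.ts):
        if r.msg == "AS-REP":
            issued[r.client].append(r.ts)
            continue
        if r.msg != "TGS-REQ":
            continue
        reasons = []
        if not any(r.ts - LOOKBACK <= t <= r.ts for t in issued[r.client]):
            reasons.append("TGT presented with no KDC-issued AS-REP in lookback window")
        if r.tgt_lifetime > MAX_TGT_LIFETIME:
            reasons.append(f"TGT lifetime {r.tgt_lifetime} exceeds policy {MAX_TGT_LIFETIME}")
        if domain_uses_aes and r.etype == RC4_HMAC:
            reasons.append("RC4-HMAC ticket in AES domain (encryption downgrade)")
        if reasons:
            findings.append((r, reasons))
    return findings


# Constructed sample: one legitimate login-and-use sequence, one forged ticket.
T0 = datetime(2021, 9, 1, 8, 0)
SAMPLE = [
    KrbRecord(T0, "AS-REP", "alice@CORP.LOCAL", "10.0.0.5", 18, timedelta(hours=10)),
    KrbRecord(T0 + timedelta(minutes=5), "TGS-REQ", "alice@CORP.LOCAL", "10.0.0.5", 18,
              timedelta(hours=10)),
    # Administrator TGT presented from a workstation that never authenticated, RC4, 10-year lifetime
    KrbRecord(T0 + timedelta(hours=1), "TGS-REQ", "administrator@CORP.LOCAL", "10.0.0.77", RC4_HMAC,
              timedelta(days=3650)),
]


def demo():
    """Run the heuristics over the constructed sample and return the findings."""
    return golden_ticket_indicators(SAMPLE)


if __name__ == "__main__":
    for rec, why in demo():
        print(f"{rec.ts} {rec.src_ip} {rec.client}: " + "; ".join(why))
```

Only the Administrator TGS-REQ is flagged, on all three counts; Alice's request is preceded by a KDC-issued AS-REP, uses AES and has a policy-compliant lifetime. In production the first heuristic needs the lookback tuned to the domain's real TGT lifetime and sensor coverage of the AS exchange, otherwise it generates noise on long-lived sessions.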
Overall, customers can leverage Reveal(x) 360 to:
- Detect unauthorised access and privilege escalation attempts via Microsoft Active Directory infrastructure.
- Monitor for 'living off the land' tactics used during east-west lateral movements to expose hidden threats.
- Defend against high-risk vulnerabilities such as PrintNightmare, and against abuse of Microsoft Active Directory, being exploited in advanced threat campaigns to carry out disruptive attacks.
ESG Research senior principal analyst Jon Oltsik says, "In 2021, the sophistication of ransomware has increased significantly, with techniques that were once the sole purview of nation states now regularly being used for illicit financial gain.
"This new class of attacks, including 'living off the land' and Active Directory Golden Ticket, exploits organisations' biggest blind spot: encrypted traffic.
"ExtraHop has long supported secure decryption of east-west SSL and TLS 1.3 traffic, and can now extend that support for critical Microsoft protocols at the centre of today's most insidious attacks."
ExtraHop VP security and cloud solutions Sri Sundaralingam says, "Organisations are blind to encrypted malicious activity happening laterally within the east-west corridor.
"Even technologies like firewalls and encrypted traffic analysis that claim to provide visibility fail to detect attacks that use encrypted communications to exploit vulnerabilities commonly seen in advanced threat campaigns.
"ExtraHop Reveal(x) 360 can identify, with fidelity, exploitation and protocol abuse associated with major CVEs, both today and in the future."