
Uncovered: Clear NDR™ Discovers High Entropy NRD and Lateral Scanning at European Bank

For many organizations considering Network Detection and Response (NDR), one of the most valuable steps in the evaluation process is a “Proof of Value” or “POV”. In this step, the organization tests a limited deployment of the NDR (in our case, Clear NDR™ - Enterprise) on its own network to see how it operates in that environment.

When we engage in a POV with a potential customer, Clear NDR frequently identifies threats or other vulnerabilities missed by the organization’s current security tools. This is where the “Value” comes into play. By showing how Clear NDR operates on an organization’s network, we can demonstrate just how effective NDR actually is.

In this blog post, we are going to share some results from a recent POV we did with a potential customer, where Clear NDR was able to detect a serious breach that another NDR being evaluated at the same time did not identify.

Background

A large bank in southern Europe faced a number of cybersecurity challenges that it sought to solve using network-based detection. These challenges, such as sophisticated threats and a lack of visibility into network infrastructure, were causing the organization to miss breaches and internal policy violations that could have serious compliance implications. During its POV, the organization tested Clear NDR against another popular network detection and response (NDR) solution.

After deploying Clear NDR, they were able to discover a significant breach in progress and take action to remediate the threats before they could cause lasting damage.

What we found

The organization evaluated Clear NDR for a total of 30 days, in which time Clear NDR observed and analyzed over 332 TB of network traffic and collected insights of more than 6.8 billion network communication logs (including hosts, websites, devices, and more) from both within and outside of the organization.

Among those events, the Clear NDR Server generated 11.6 million raw detection events (alerts). These were further classified and escalated by Clear NDR to identify the most serious and imminent threats, such as Lateral Scans, Brute Force Attacks, High-Entropy Newly Registered Domains (NRD), and Malicious Domain Generation Algorithm (DGA) domains.

From this data, 32 Declarations of Compromise (DoCs) were automatically produced and triaged, affecting 26 network assets. This was on top of any Declarations of Policy Violations discovered as additional threats.

As a reminder, DoCs are a feature unique to Clear NDR — ultra high-confidence and high-priority security events that indicate a “serious and imminent” threat on an asset. Clear NDR has DoC coverage for thousands of known threats and TTPs using hundreds of different detection methods. When Clear NDR generates a DoC, it creates a data record that contains a substantial amount of metadata and associated artifacts that help the analyst understand exactly why it triggered and provide evidence for any investigation that may follow.

Clear NDR recorded all the evidence needed for remediation, including fully transparent detection logic disclosure, protocol transaction data, file information, flow and anomaly transaction logs, and network forensic evidence in the form of packet capture files (PCAP).

In this example, we will focus on two major threat groups — Entropy HTTP and TLS communication and Lateral Scans.

Entropy HTTP and TLS Communication

Clear NDR includes an AI entropy evaluation algorithm for newly registered domains (NRD). By employing techniques such as machine learning and entropy analysis, Clear NDR can identify active HTTP and TLS connections to high-entropy phishing domains observed in the HTTP Host header and the TLS SNI.

In the following screenshot, some of the high-entropy URLs are shown:

Many of these detected phishing communications have already been highlighted by other security vendors, such as VirusTotal:
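As an added illustration of the entropy check described above (this is not Stamus Networks’ code and not the algorithm Clear NDR uses), the Python below reads constructed Suricata EVE-style HTTP and TLS records, takes the hostname from the HTTP Host header or the TLS SNI, computes the Shannon entropy of the registrable label, and cross-checks the domain against a constructed newly-registered-domain list. The record contents, the NRD feed, the naive second-level-label split and the 3.5-bit threshold are all assumptions made for the example.

```python
import json
import math
from collections import Counter

# Constructed Suricata EVE-style records (not customer data); only the fields
# the scorer reads are present.
SAMPLE_EVE_LINES = [
    '{"event_type":"http","src_ip":"10.0.0.5","dest_ip":"203.0.113.10",'
    '"http":{"hostname":"www.example.com","url":"/"}}',
    '{"event_type":"tls","src_ip":"10.0.0.7","dest_ip":"203.0.113.20",'
    '"tls":{"sni":"x7k2q9fz4lm1w8.com"}}',
    '{"event_type":"http","src_ip":"10.0.0.9","dest_ip":"203.0.113.30",'
    '"http":{"hostname":"abcdefghijklmnop.net","url":"/login"}}',
    '{"event_type":"dns","src_ip":"10.0.0.9","dest_ip":"10.0.0.1",'
    '"dns":{"rrname":"example.org"}}',
]

# Constructed stand-in for a newly-registered-domain feed.
SAMPLE_NRD_FEED = {"x7k2q9fz4lm1w8.com"}

# Bits per character; an assumed value that a defender would tune on their own
# baseline of benign hostnames rather than take from this example.
ENTROPY_THRESHOLD = 3.5


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def extract_hostname(record: dict):
    """Server name the client asked for: HTTP Host header or TLS SNI, else None."""
    if record.get("event_type") == "http":
        return record.get("http", {}).get("hostname")
    if record.get("event_type") == "tls":
        return record.get("tls", {}).get("sni")
    return None


def split_registrable(hostname: str):
    """Return (second-level label, registrable domain). Naive split: a real
    deployment would consult the Public Suffix List so 'foo.co.uk' is handled."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return labels[0], labels[0]
    return labels[-2], ".".join(labels[-2:])


def score_eve_lines(lines, nrd_feed, threshold=ENTROPY_THRESHOLD):
    """Map each observed hostname to its entropy, NRD membership and a verdict.
    Entropy alone is noisy (CDN and tracking hosts are random-looking too), so
    only entropy corroborated by the NRD feed is escalated."""
    results = {}
    for line in lines:
        record = json.loads(line)
        host = extract_hostname(record)
        if not host:
            continue  # DNS, flow and other events carry no client-requested name
        label, domain = split_registrable(host)
        h = shannon_entropy(label)
        is_nrd = domain in nrd_feed
        if h >= threshold and is_nrd:
            verdict = "escalate"
        elif h >= threshold or is_nrd:
            verdict = "review"
        else:
            verdict = "ignore"
        results[host] = {
            "src_ip": record.get("src_ip"),
            "entropy": round(h, 3),
            "nrd": is_nrd,
            "verdict": verdict,
        }
    return results


if __name__ == "__main__":
    for host, info in score_eve_lines(SAMPLE_EVE_LINES, SAMPLE_NRD_FEED).items():
        print(f"{info['verdict']:<9} {info['entropy']:>5}  nrd={info['nrd']!s:<5} "
              f"{info['src_ip']} -> {host}")
```

The verdict split is the practical point: a hostname that is both random-looking and newly registered is worth escalating, while a random-looking hostname on an established domain is usually a CDN or telemetry endpoint and only merits review.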

Lateral Scans

Lateral scanning refers to the technique of scanning a network from a compromised system to identify other vulnerable systems. Attackers can use this technique to move laterally within a network and gain access to more sensitive systems.

The following screenshot highlights the Lateral Scan coverage section, which lists the different IP addresses used for pentesting, along with the last logged-on user and the stage in the cyber kill chain at which the actions were taken — in this case, “Actions on Objectives”.

(Screenshot: Lateral Scans)

In the screenshot below we can see exactly what happened. A command-line, Python-based HTTP server was spawned from an internal and unexpected host. Combined with the command-line tooling, this is a “living off the land” technique that should be immediately investigated further on the host.

The script, part of which is seen in the screenshot above, contains offensive techniques and code meant to be deployed on the breached victim endpoint. The Get-PassHashes function call likely indicates the script is intended to retrieve password hashes.

In this case, the payload dumps password hashes using the modified powerdump script from MSF, running with administrator privileges.

There were several other instances of lateral scanning activity on this organization’s network, highlighted via different detection mechanisms, including activity exploiting a Log4j vulnerability, a Microsoft DNS ZeroLogon vulnerability, and more.
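As an added example of how the lateral-scan behaviour described in this section can be detected from flow telemetry (this is not Stamus Networks’ code and not Clear NDR’s detection logic), the Python below builds a constructed set of Suricata EVE-style flow records and flags any internal source that reaches an unusually large number of distinct internal hosts inside a sliding time window, reporting how many of those flows went unanswered. The internal ranges, the 60-second window, the 20-host threshold and the sample flows are all assumptions made for the example.

```python
import ipaddress
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Assumed internal address space; a real deployment would load its own.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
WINDOW = timedelta(seconds=60)   # assumed sliding window
MIN_DISTINCT_HOSTS = 20          # assumed fan-out threshold


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def make_sample_flows():
    """Constructed EVE 'flow' records: one host sweeping a /24 on TCP/445 with
    most probes unanswered, and one ordinary host talking to three servers."""
    base = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(1, 26):  # scanner: 25 hosts in 25 seconds
        lines.append(json.dumps({
            "timestamp": (base + timedelta(seconds=i)).isoformat(),
            "event_type": "flow", "proto": "TCP",
            "src_ip": "10.0.0.9", "dest_ip": f"10.0.1.{i}", "dest_port": 445,
            "flow": {"bytes_toserver": 74,
                     "bytes_toclient": 60 if i % 5 == 0 else 0}}))
    for i, dst in enumerate(["10.0.2.10", "10.0.2.11", "10.0.2.12"]):
        lines.append(json.dumps({  # ordinary client traffic, all answered
            "timestamp": (base + timedelta(seconds=200 * i)).isoformat(),
            "event_type": "flow", "proto": "TCP",
            "src_ip": "10.0.0.5", "dest_ip": dst, "dest_port": 443,
            "flow": {"bytes_toserver": 4096, "bytes_toclient": 65536}}))
    lines.append(json.dumps({  # external destination: outside scope here
        "timestamp": base.isoformat(), "event_type": "flow", "proto": "TCP",
        "src_ip": "10.0.0.9", "dest_ip": "203.0.113.10", "dest_port": 443,
        "flow": {"bytes_toserver": 1000, "bytes_toclient": 2000}}))
    return lines


def detect_lateral_scans(lines, window=WINDOW, min_hosts=MIN_DISTINCT_HOSTS):
    """Return one alert per internal source whose internal fan-out within any
    window reaches min_hosts; the alert records the widest window seen."""
    by_src = defaultdict(list)
    for line in lines:
        r = json.loads(line)
        if r.get("event_type") != "flow":
            continue
        if not (is_internal(r["src_ip"]) and is_internal(r["dest_ip"])):
            continue  # lateral movement is internal-to-internal by definition
        ts = datetime.fromisoformat(r["timestamp"])
        unanswered = r.get("flow", {}).get("bytes_toclient", 0) == 0
        by_src[r["src_ip"]].append((ts, r["dest_ip"], r.get("dest_port"), unanswered))

    alerts = []
    for src, flows in by_src.items():
        flows.sort()
        hosts, ports = Counter(), Counter()
        silent, left, best = 0, 0, None
        for ts, dst, port, unanswered in flows:
            hosts[dst] += 1
            ports[port] += 1
            silent += unanswered
            while ts - flows[left][0] > window:  # slide the window forward
                lts, ldst, lport, lsilent = flows[left]
                hosts[ldst] -= 1
                if hosts[ldst] == 0:
                    del hosts[ldst]
                ports[lport] -= 1
                if ports[lport] == 0:
                    del ports[lport]
                silent -= lsilent
                left += 1
            n_flows = sum(hosts.values())
            if len(hosts) >= min_hosts and (best is None or len(hosts) > best["distinct_hosts"]):
                best = {"src_ip": src, "window_start": flows[left][0].isoformat(),
                        "distinct_hosts": len(hosts),
                        "dest_ports": sorted(ports),
                        "unanswered_ratio": round(silent / n_flows, 3)}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in detect_lateral_scans(make_sample_flows()):
        print(a)
```

The unanswered-ratio field is what separates a scan from a busy but legitimate client: a host that probes many peers and is mostly ignored is the fan-out pattern the section describes, and it is the source that should be pulled for host-level investigation first.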

Why this matters

We are unable to share the specific details of Stamus Networks’ recommendations to this organization, but it is clear from the activity found that the organization was experiencing a significant breach. Armed with this information — and Clear NDR — the organization is now able to remediate these threats before the breach causes lasting damage.

The other NDR the organization tested during the evaluation phase failed to catch many of these critical security events, and the organization likely would have remained unaware if not for Clear NDR.

For those organizations wondering if adding NDR to their security strategy is the right choice, the most effective way to discover that answer is by engaging in a POV with the experts at Stamus Networks. To determine if NDR is right for your organization, use the button below to book a demo and speak to our team. We would love to hear about your network and see how Clear NDR can help.

To stay updated with new blog posts and other news from Stamus Networks, make sure to subscribe to the Stamus Networks blog, follow us on Twitter, LinkedIn, and Facebook, or join our Discord.

Peter Manev

Peter Manev is the co-founder and chief strategy officer (CSO) at Stamus Networks. He is a member of the executive team at Open Network Security Foundation (OISF). Peter has over 15 years of experience in the IT industry, including enterprise-level IT security practice. He is a passionate user, developer, and explorer of innovative open-source security software, and he is responsible for training as well as quality assurance and testing on the development team of Suricata – the open-source threat detection engine. Peter is a regular speaker and educator on open-source security, threat hunting, and network security at conferences and live-fire cyber exercises, such as Crossed Swords, DeepSec, Troopers, DefCon, RSA, Suricon, SharkFest, and others. Peter resides in Gothenburg, Sweden.
