Vectra, the leader in automating the hunt for in-progress cyberattacks, announced the ability for its customers to integrate threat intelligence and indicator-of-compromise (IoC) feeds into its Cognito platform to further improve their threat detection coverage. In addition, the Cognito platform adds new detections for attacker reconnaissance of Active Directory involving LDAP and Kerberos protocols, and limited-time sharing links to simplify the sharing of critical information during a threat investigation.
Growing demand to automate threat hunting and the company’s recent advances spurred a 294 percent increase in 3Q2017 revenue compared to the same quarter last year, for a second consecutive quarter of triple-digit revenue growth.
Cognito adds detections based on threat intelligence and IoCs
The Cognito platform from Vectra further automates threat hunting by enabling customers to import local and industry-specific indicators of compromise (IoCs) consisting of malicious IP addresses, domains, URLs or user agents expressed in Structured Threat Information eXpression (STIX) Version 1.2 files.
Detections based on IoCs include a packet capture (PCAP) and are correlated with all other Cognito attacker behavior detections to provide rich context; they are scored based on risk to prioritize the response. The Cognito API automates the upload of STIX files, such as the threat intelligence feeds of the Financial Services Information Sharing and Analysis Center (FS-ISAC), and each file is assigned a relevant attack phase category – command and control, reconnaissance, lateral movement or exfiltration.
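The import-and-correlate flow described above, as an added example that is not Vectra's code: it parses a constructed, minimal STIX 1.2 package (the STIX/CybOX namespace URIs are the real ones, the indicators and flow records are made up), tags each indicator with the attack-phase category assigned to the file, and matches the indicators against flow records. PCAP attachment and risk scoring are not modelled.

```python
import xml.etree.ElementTree as ET

# Real STIX 1.2 / CybOX namespace URIs; the package below is a constructed sample, not a feed.
NS = {"stix": "http://stix.mitre.org/stix-1",
      "indicator": "http://stix.mitre.org/Indicator-2",
      "cybox": "http://cybox.mitre.org/cybox-2",
      "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
      "DomainNameObj": "http://cybox.mitre.org/objects#DomainNameObject-1"}

STIX_XML = """<stix:STIX_Package version="1.2" xmlns:stix="{stix}" xmlns:indicator="{indicator}"
  xmlns:cybox="{cybox}" xmlns:AddressObj="{AddressObj}" xmlns:DomainNameObj="{DomainNameObj}">
 <stix:Indicators>
  <stix:Indicator id="example:indicator-1">
   <indicator:Observable><cybox:Object><cybox:Properties>
    <AddressObj:Address_Value>198.51.100.23</AddressObj:Address_Value>
   </cybox:Properties></cybox:Object></indicator:Observable>
  </stix:Indicator>
  <stix:Indicator id="example:indicator-2">
   <indicator:Observable><cybox:Object><cybox:Properties>
    <DomainNameObj:Value>drop.example.net</DomainNameObj:Value>
   </cybox:Properties></cybox:Object></indicator:Observable>
  </stix:Indicator>
 </stix:Indicators>
</stix:STIX_Package>""".format(**NS)

def load_iocs(xml_text, phase):
    """Map each IP or domain indicator value to (kind, phase); phase is the category given to the whole file."""
    iocs = {}
    root = ET.fromstring(xml_text)
    for ind in root.iterfind(".//stix:Indicator", NS):
        for el in ind.iterfind(".//AddressObj:Address_Value", NS):
            iocs[el.text.strip()] = ("ip", phase)
        for el in ind.iterfind(".//DomainNameObj:Value", NS):
            iocs[el.text.strip()] = ("domain", phase)
    return iocs

# Constructed flow records: (source host, destination IP, destination domain or None)
CONNECTIONS = [("ws-17", "198.51.100.23", None),
               ("ws-04", "203.0.113.9", "intranet.example.com"),
               ("srv-db", "192.0.2.77", "drop.example.net")]

def match_connections(iocs, connections):
    """One hit per connection touching an imported IoC, carrying the IoC's attack-phase label."""
    hits = []
    for host, ip, domain in connections:
        for value in (ip, domain):
            if value in iocs:
                kind, phase = iocs[value]
                hits.append({"host": host, "ioc": value, "kind": kind, "phase": phase})
    return hits
```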
“This integration will further improve the workload of our security operations team,” said Beau Canada, VP of Information Security at Ticketmaster. “AI automates the hunt for unknown threats and IoCs enable detection for known threats. Automated real-time correlation, scoring and prioritization of both types of threats with PCAPs will improve the efficiency and effectiveness of security operations.”
“Many enterprise organizations are building internal programs and processes for threat intelligence consumption, analysis, and operationalization, and this trend will likely continue,” said Jon Oltsik, principal analyst at Enterprise Strategy Group (ESG). “According to ESG research, 27 percent of cybersecurity professionals working at enterprise organizations say that spending on their organizations’ threat intelligence programs will increase significantly over the next 12 to 18 months, while another 45 percent say that threat intelligence spending will increase somewhat during this timeframe.”
“Customers use Cognito to automate manual threat hunting, triage, and correlation so they can respond to threats in real time,” said Kevin Kennedy, vice president of product management at Vectra. “By enabling them to integrate threat intelligence and IoC feeds into Cognito, we are putting even more context at the security analyst’s fingertips and enabling them to focus on the critical role of confirming and responding to cyberattacks before data is stolen.”
Cognito adds Active Directory reconnaissance detections
Reconnaissance of an enterprise’s Active Directory (AD) infrastructure is a critical part of an advanced attacker’s tool kit to identify accounts with administrative privilege, which enables them to access systems with sensitive data. Vectra has added new detection algorithms to its Cognito platform to detect these attacker behaviors through the LDAP and Kerberos protocols.
Suspicious LDAP Query – Through carefully chosen LDAP queries of the AD server, an attacker can discover group membership, directory structure, and privileged accounts and groups. This information enables attackers to determine which credentials they need to obtain to move deeper into a network and gain access to restricted areas. The Suspicious LDAP Query detection algorithm tracks LDAP communication and identifies rare LDAP queries that have a higher likelihood of being associated with an attack and are unusual in the local environment.
Kerberos Brute Force – Though blunt and inelegant, brute-force and dictionary attacks can be called upon to gain unauthorized access to systems that perform authentication either locally or via the Kerberos protocol. This algorithm monitors all Kerberos authentication events on a network, learns the typical volumes for each account and triggers when activity consistent with a brute-force attempt occurs. To optimize context for the security team, the detection includes the volume, client, account and domain controller involved in the authentication attempt.
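A per-account baseline-and-trigger detector of the shape the Kerberos Brute Force description outlines, as an added example; it is not Vectra's algorithm, whose features and thresholds are not published here. The authentication records are constructed, and the ten-minute window, the five-times-baseline multiplier and the floor of ten failures are assumptions.

```python
from collections import defaultdict

WINDOW = 10  # minutes per bucket (assumed)

# Constructed Kerberos pre-authentication records, not real KDC logs:
# (minute, client_ip, account, domain_controller, result)
BASELINE_EVENTS = (
    [(m, "10.0.0.5", "alice", "dc01", "ok") for m in range(0, 60, 10)]
    + [(m, "10.0.0.5", "alice", "dc01", "preauth_failed") for m in (7, 33)]  # typo-level failures
    + [(m, "10.0.0.9", "bob", "dc01", "ok") for m in range(0, 60, 5)]
)
# Live period: 25 failures for alice from a new client against a second DC within one bucket,
# plus one ordinary failure for bob.
LIVE_EVENTS = (
    [(60 + i % 8, "10.0.0.42", "alice", "dc02", "preauth_failed") for i in range(25)]
    + [(61, "10.0.0.9", "bob", "dc01", "ok"), (63, "10.0.0.9", "bob", "dc01", "preauth_failed")]
)

def learn_baseline(events):
    """Learn, per account, the highest number of failed pre-auths seen in any one bucket."""
    per_bucket = defaultdict(int)
    for minute, _client, account, _dc, result in events:
        if result == "preauth_failed":
            per_bucket[(account, minute // WINDOW)] += 1
    baseline = defaultdict(int)
    for (account, _bucket), n in per_bucket.items():
        baseline[account] = max(baseline[account], n)
    return baseline

def detect_brute_force(baseline, events, factor=5, floor=10):
    """Alert when failures for one (account, client, DC) in a bucket exceed the learned norm.
    The alert carries the volume, client, account and domain controller, as the detection does."""
    per_bucket = defaultdict(int)
    for minute, client, account, dc, result in events:
        if result == "preauth_failed":
            per_bucket[(account, client, dc, minute // WINDOW)] += 1
    alerts = []
    for (account, client, dc, _bucket), n in per_bucket.items():
        threshold = max(baseline.get(account, 0) * factor, floor)  # never trigger below the floor
        if n > threshold:
            alerts.append({"account": account, "client": client, "dc": dc,
                           "volume": n, "threshold": threshold})
    return alerts

if __name__ == "__main__":
    for alert in detect_brute_force(learn_baseline(BASELINE_EVENTS), LIVE_EVENTS):
        print(alert)
```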
These new reconnaissance detections provide early indications that precede Cognito’s existing lateral-movement detections for administrative credential abuse and administrative protocol abuse. When Cognito detects these new reconnaissance behaviors in combination with the existing lateral-movement behaviors, the result is a critical-risk score, which drives higher-priority incident verification and response.
Limited-time sharing links simplify security collaboration
Cognito introduces the ability to create limited-time sharing links to specific host and detection pages. This enables the security team to quickly and easily engage IT team members who don’t have an account on Cognito to reduce the time to confirm and respond to an active cyberattack. Simplifying the sharing of information with other IT functions ensures security operations teams gain clarity on the observed behavior, faster understanding by all people involved in a threat investigation, and shorter time to resolution.
General availability
Cognito Version 3.11 is currently available and includes all the capabilities in this news release: threat intelligence integration, the Suspicious LDAP Query and Kerberos Brute Force detections, and limited-time sharing links.