Vectra Threat Intelligence Match

Triggers

• After configuration of a 3rd party intelligence thread feed, an internal host has been observed either generating DNS activity or making direct connections associated with malicious external IPs or Domains identified by Vectra Threat Intelligence.

Possible Root Causes

• A host is communicating with a confirmed malicious IP or Domain that may be associated with staged malware, command and control, or client-side attacks.
• A user has been redirected to a site associated with phishing or credential compromise.
• A host is communicating with a benign service co-hosted on an IP or Domain with a poor or malicious reputation.

Business Impact

• Compromised assets or user credentials provide adversaries with the internal foothold necessary to begin to stage an attack.
• The identification of internal connections to known bad IP addresses or domains demonstrates positive risk to organizational assets and users and may indicate active attack progression.

Steps to Verify

• Investigate the host and accounts associated for further indications of compromise.
• Using appropriate operational security and safeguards, verify the risk posed by this known bad IP or Domain by consulting external third party sources.
• Verify if supplemental preventative security controls protected the asset from full communication.
• In the case of phishing, verify with the user if credentials may have been compromised or take appropriate risk-based containment activities to include session revocation and password resets.
• Verify host integrity, the presence of new, unauthorized, or malicious software, and take appropriate incident handling or response activities.

‍