Vectra Threat Labs™

Vectra AI automates security operations

Vectra AI overcomes today’s cybersecurity challenges by blending human expertise with a broad set of data science, machine learning and deep learning techniques to automate the manual, time-consuming work of security analysts.

By automating cyberattacker detection, analysis and incident response, Vectra AI condenses days or weeks of work into minutes, reducing the threat investigation workload by up to 29X.

How Vectra AI works

Using behavioral detection algorithms to analyze metadata from captured packets, Vectra detects hidden and unknown attacks in real time, whether traffic is encrypted or not. Vectra only analyzes metadata captured from packets, rather than performing deep-packet inspection, to protect user privacy without prying into sensitive payloads.

Global learning

Global learning identifies the fundamental traits that threats share across all enterprise organizations. Global learning begins with Vectra Threat Labs, a full-time group of cybersecurity experts and threat researchers who continually analyze malware, attack tools, techniques, and procedures to identify new and shifting trends in the threat landscape.

Their work informs the data science models used by Vectra AI, including supervised machine learning. Supervised learning is used to analyze very large volumes of malicious and attack traffic and distill it down to the key characteristics that make malicious traffic unique.

Local learning

Local learning identifies what’s normal and abnormal in an enterprise’s network to reveal attack patterns. The key techniques used are unsupervised machine learning and anomaly detection. Vectra uses unsupervised machine learning models to learn about a specific customer environment, with no direct oversight by a data scientist.

Instead of concentrating on finding and reporting anomalies, Vectra looks for indicators of important phases of an attack or attack techniques, including signs that an attacker is exploring the network, evaluating hosts for attack, and using stolen credentials.

Integrated intelligence

Vectra condenses thousands of events and network traits to a single detection. Using techniques such as event correlation and host scoring, Vectra performs the following:

  • Correlates all detection events to specific hosts that show signs of threat behaviors.
  • Automatically scores every detection and host in terms of the threat severity and certainty using the Vectra Threat Certainty Index™.
  • Tracks each event over time and through every phase of the cyber-attack kill chain.

Vectra puts special focus on events that may jeopardize key assets inside the network or are of strategic value to an attacker. Devices that exhibit behaviors that cover multiple phases of the cyber-attack kill chain are also prioritized, as shown below.

White Papers

The data science behind Vectra AI threat detection models

The Vectra AI approach to threat detection blends human expertise with a broad set of data science and advanced machine learning techniques. This model delivers a continuous cycle of threat intelligence based on cutting-edge research, global and local learning models, deep learning, and neural networks.

How to automate security operations centers with AI

This white paper examines obstacles that enterprises face in combating cyber attacks, and how artificial intelligence is essential to modern security operations centers. AI can augment SOC teams to make operations more efficient, as well as detect the early signs of attacks in real time before key assets are stolen or damaged.

Research

  • Fighting the ransomware pandemic

    15 May 2017

    A ransomware attack is spreading very rapidly among unpatched Windows systems worldwide. This morning, the attack was initially believed to target the UK National Health Service, but throughout the day, it has become apparent this is a global attack.

  • The election hackers: Some uncovered points

    3 November 2016

    The group known as Fancy Bear, reportedly behind recent attacks against the U.S. Democratic National Committee and U.S. political figures, has been widely discussed. But some interesting details about these attackers have not been covered, and this blog aims to provide more details and fill in some of the blanks.

  • Moonlight: Targeted attacks in the Middle East

    26 October 2016

    Vectra Threat Labs researchers have uncovered the activities of a group of individuals currently engaged in targeted attacks against entities in the Middle East. We identified over 200 samples of malware generated by the group over the last two years. These attacks are themed around Middle Eastern political issues and the motivation appears to relate to espionage, as opposed to opportunistic or criminal intentions.

  • Triggering MS16-030 via Targeted Fuzzing

    11 October 2016

    The need to analyze the patch for MS16-030 recently presented itself to us due to some related product research. After the analysis was complete, we realized that the attack surface of the patch was pretty interesting and determined it may be beneficial to share part of the analysis. This post will focus on triggering a patched bug from MS16-030.

  • Reverse engineering the Shadow Brokers dump: A close look at NOPEN

    12 September 2016

    While digging and reversing my way through the Equation Group dump, I've come across a few interesting pieces that probably are not getting the attention they deserve. While a lot of the initial research has focused on the potential 0-days, the dump also gives a glimpse into the backbone tools and operational methods of a serious hacking group.

  • In-depth technical analysis: Own a printer, own a network with point and print drive-by

    12 July 2016

    Printers present an interesting IoT example because they are more powerful than most other IoT devices but are not always considered real computers by most network administrators. This dichotomy is at the forefront of the printer watering-hole vulnerabilities CVE-2016-3238 (MS16-087) and CVE-2016-3239 discovered by Vectra Threat Labs.

  • How to interpret network-based malware detection

    23 May 2016

    This research paper by Vectra CSO Günter Ollmann examines the ecosystem nuances of network-based malware detection and the limits imposed on intelligence extraction of captured malware samples. It also explains the impact on organizations that strive to mitigate malware threats using network-based detection systems.

  • Insights from inside the kill chain

    20 April 2016

    The Spring 2016 Post-Intrusion Report from Vectra reveals that cyber attackers know they're being watched and are responding by blending in with users and hiding in normal network traffic. The report analyzed data from 120 Vectra customer networks comprising more than 1.3 million hosts over the first quarter of 2016. All organizations showed signs of targeted attacks, including internal reconnaissance, lateral movement or data exfiltration.

  • Turning a webcam into a backdoor

    12 January 2016

    Reports of successful hacks against Internet of Things (IoT) devices have been on the rise. Most of these efforts have involved demonstrating how to gain access to such a device or to break through its security barrier. Most of these attacks are considered relatively inconsequential because the devices themselves contain no real data of value (such as credit card numbers or PII). The devices in question generally don't provide much value to a botnet owner as they tend to have access to lots of bandwidth, but have very little in terms of CPU and RAM.

  • Critical vulnerabilities in Adobe Reader and Internet Explorer

    14 October 2015

    Today, Vectra researchers discovered critical vulnerabilities that impact the security of Adobe Reader, VBScript, and Internet Explorer. The vulnerability in Adobe Reader (CVE-2015-6687) is a use-after-free bug that could lead to arbitrary code execution. An analysis of this and other recently patched Adobe vulnerabilities can be found here. Additionally, researchers found additional critical vulnerabilities (MS15-106 and MS15-108) that allow attackers to bypass Address Space Layout Randomization (ASLR) protections. These vulnerabilities are particularly significant because ASLR protects against memory corruption attacks by making the layout of memory unpredictable. As a result, any vulnerability that bypasses ASLR is highly valuable to attackers.

  • Belkin F9K1111 V1.04.10 firmware analysis

    18 August 2015

    Researchers in the Vectra Threat Labs recently analyzed vulnerabilities in the Belkin F9K1111 wireless repeater. This analysis includes a close inspection of the vulnerabilities, how they could be exploited, as well as fixes from the vendor.

  • Zero-day vulnerability discovered in Internet Explorer 11

    14 July 2015

    Researchers in the Vectra Threat Labs recently discovered a high-severity vulnerability in the Internet Explorer 11 web browser. It's an exploitable use-after-free vulnerability that occurs within a custom heap in JSCRIPT9.

  • Post-Intrusion Report

    23 June 2015

    We observed spikes in reconnaissance and lateral movement, changes in command-and-control attack techniques, and a penchant for using hidden tunnels to conceal communication within HTTPS traffic. Check out the cool infographic.

  • A technical analysis of Hola

    1 June 2015

    Lab researchers found that user machines that are loaded with the Hola privacy and unblocker application can enable a targeted, human-driven cyber-attack on the network they're connected to.

  • Post-Breach Industry Report

    5 November 2014

    This groundbreaking inaugural report reveals what cyber-attackers do inside your network after they evade perimeter defenses. Ironically, once inside, their actions create opportunities to stop them.


Analysis of industry threats

  • An analysis of the Shamoon 2 malware attack

    By Greg Linares, Vectra Threat Researcher, 7 February 2017

    During a recent analysis, Vectra came across a malicious component that appears to be used in conjunction with spear-phishing-delivered malicious documents. These documents use PowerShell to download and execute the reconnaissance tool to start their foothold in the victim’s network.

  • Shamoon 2: Same or better than the original?

    27 January 2017

    Shamoon 2 is similar to what we are seeing with ransomware attacks. For example, sometimes there is no command-and-control (C&C) activity to trigger a detection. That's because it is often disabled when the goal is to destroy, not steal. This enables Shamoon to evade perimeter defenses.

  • Canary in the ransomware mine

    30 March 2016

    The use of ransomware canary file shares, like canary accounts in Active Directory and email, can be a cheap and effective threat-mitigation approach. Sometimes the simplest methods can be the most effective.

  • Duqu threat actor stars in sequel

    12 June 2015

    Duqu is back with a vengeance. The latest strain, dubbed Duqu 2.0, performs recon, spreads laterally using Kerberos pass-the-hash, and elevates domain admin privileges to deliver MSI packages that infect hosts.

  • Dyre malware

    7 May 2015

    The latest Dyre malware techniques are the tip of the iceberg in an ongoing cat-and-mouse game between malware authors and security researchers. Among other things, it now knows when it's being run in a malware sandbox.

  • Superfish

    4 March 2015

    Adware. Bloatware. Crapware. Whatever you call it, Superfish software vulnerabilities are a sobering reminder that devices can be compromised even before they come out of the box. It's like starting a baseball game from second base.

  • Carbanak advanced persistent threat (APT)

    19 February 2015

    The notorious banking malware infiltrated over 100 financial institutions, where attackers stole upwards of $1 billion. It's a stark reminder of the importance of tracking any and all forms of remote access tunnels in the network.

  • Regin malware

    3 December 2014

    Purpose-built for state-sponsored espionage, highly sophisticated Regin malware has the ability to quietly infect, spread and persist within a targeted network for extended periods of time.

  • Shellshock vulnerability

    29 September 2014

    Predicting when new vulnerabilities will appear and figuring out the creative ways attackers will exploit them might seem like a losing battle. But there are ways you can catch these attackers in the act.

  • Heartbleed vulnerability detection

    22 August 2014

    The Heartbleed brute-force cyber-attack is quite unusual in terms of the network pattern it leaves behind in its wake. The good news is that it can be recognized if you use the right analytics tools.

  • Heartbleed vulnerability on the inside

    1 May 2014

    It's only a matter of time before the world sees more targeted attacks leverage Heartbleed to acquire key account credentials and use those hijacked credentials to get to your crown jewels.


Data science

  • Election 2016: The bungling of big data

    17 November 2016

    We live in the age where big data and data science are used to predict everything from what I might want to buy on Amazon to the outcome of an election.

  • Cybersecurity and machine learning: The right features can lead to success

    15 September 2015

    Is the need for lots of data justified? It depends on the problem machine learning is trying to solve. But exactly how much data is needed to train a machine-learning model should be associated with the choice of features.

  • Cybersecurity, data science and machine learning

    9 March 2015

    Data models that can distinguish normal benign network traffic from abnormal traffic can be used to build classifiers that provide a binary response, good and bad, to the traffic that's being analyzed.

  • Creating cybersecurity that thinks

    9 March 2015

    Malware-infected machines can be identified by observing their abnormal, post-infection behavior. Recognizing this behavior requires identifying what's normal and using rigorous analytical methods to detect anomalies.

  • How to detect insider threats

    10 January 2015

    There's usually not enough information available to determine an insider's intention or psychology in real-time. But many more cues can reveal themselves as the volume of collected behavior data increases.

  • Insider threats to critical infrastructure

    7 December 2014

    Remote access is a primary entry point for attacks due to the poor choice and design of remote access protocols. VPN tunnels and a restricted security zone (DMZ) for connections can minimize risk.
