Triggers

  • A host transmits unusually large volumes of data to destinations which are not considered normal for this network

Possible Root Causes

  • An attacker is rapidly exfiltrating large volumes of data from your network
  • The host is sending large volumes of data to destinations that have not been previously used for large data transfers

Business Impact

  • The detection signals possible exfiltration of company data
  • The host from which the data was sent, the destination to which it was sent, and the volume transmitted may provide clues as to what data was transmitted
  • If the external service to which data was uploaded is not an IT-sanctioned service, the potential business risk is high

Steps to Verify

  1. Check to see if the destination IP or domain to which data was moved is an entity you trust for your network
  2. Ask the user of the host whether they have any knowledge of the data transfer
  3. If the data transfer is unexplained and your endpoint security solution logs such things, determine what software on the host was responsible for the data transfer
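The trigger above (a host sending an unusually large volume to a destination it has not used before) and step 1 of the verification procedure (is the destination one you trust?) can be illustrated with a small baseline-and-deviation detector. The code below is an added example written for this page; it is not Vectra AI's detection logic or any of its APIs. The flow records, the trusted-destination list, the 3-sigma rule and the 50 MB absolute floor are all constructed assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records (host, destination, bytes_out) that stand in
# for a learned history of outbound transfers. Invented values, not real data.
BASELINE_FLOWS = [
    ("10.0.0.5", "files.corp.example", 4_800_000),
    ("10.0.0.5", "files.corp.example", 5_200_000),
    ("10.0.0.5", "files.corp.example", 5_000_000),
    ("10.0.0.5", "mail.corp.example", 900_000),
    ("10.0.0.5", "mail.corp.example", 1_100_000),
    ("10.0.0.9", "backup.corp.example", 700_000_000),
    ("10.0.0.9", "backup.corp.example", 720_000_000),
    ("10.0.0.9", "backup.corp.example", 690_000_000),
]

# Hypothetical IT-sanctioned destinations, used for step 1 of "Steps to Verify".
TRUSTED_DESTINATIONS = {"files.corp.example", "mail.corp.example",
                        "backup.corp.example", "sanctioned-cloud.example"}

# New flows to evaluate against the baseline (also constructed).
CANDIDATE_FLOWS = [
    ("10.0.0.5", "files.corp.example", 5_300_000),            # routine
    ("10.0.0.5", "203.0.113.77", 850_000_000),                # new dest, huge volume
    ("10.0.0.9", "backup.corp.example", 710_000_000),         # large but routine
    ("10.0.0.9", "sanctioned-cloud.example", 2_000_000_000),  # new dest, but sanctioned
]


def build_baseline(flows):
    """Summarise learned behaviour per host: destinations seen and bytes per flow."""
    dests = defaultdict(set)
    volumes = defaultdict(list)
    for host, dest, nbytes in flows:
        dests[host].add(dest)
        volumes[host].append(nbytes)
    return {"dests": dests, "volumes": volumes}


def volume_threshold(volumes, sigma=3.0, floor_bytes=50_000_000):
    """'Unusually large' relative to this host's own history: mean + sigma*stdev,
    never below an absolute floor so quiet hosts do not alert on small noise."""
    if not volumes:
        return floor_bytes
    return max(floor_bytes, mean(volumes) + sigma * pstdev(volumes))


def detect_smash_and_grab(baseline, flows, sigma=3.0, floor_bytes=50_000_000):
    """Flag flows that are BOTH to a destination this host has not used before
    AND larger than the host's learned volume threshold. Severity follows the
    'Business Impact' note: higher when the destination is not IT-sanctioned."""
    alerts = []
    for host, dest, nbytes in flows:
        known_dests = baseline["dests"].get(host, set())
        threshold = volume_threshold(baseline["volumes"].get(host, []), sigma, floor_bytes)
        if dest in known_dests or nbytes <= threshold:
            continue
        severity = "medium" if dest in TRUSTED_DESTINATIONS else "high"
        alerts.append({"host": host, "dest": dest, "bytes": nbytes,
                       "threshold": int(threshold), "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in detect_smash_and_grab(build_baseline(BASELINE_FLOWS), CANDIDATE_FLOWS):
        print(alert)
```

Note that the 710 MB transfer from 10.0.0.9 is not flagged even though it is large in absolute terms: the destination is one the host has used before and the volume matches its history, which is the distinction the trigger draws between "large" and "large to a destination not considered normal". The sanctioned-cloud transfer is still surfaced, but at lower severity, leaving steps 2 and 3 (asking the user, checking endpoint logs for the responsible process) to close it out.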

FAQ

What constitutes an 'unusually large' volume of data for Smash and Grab detection?

This varies based on normal network behavior. Vectra AI benchmarks normal data transfer volumes and flags deviations that significantly exceed typical patterns.

How does Vectra AI differentiate between legitimate large data transfers and Smash and Grab activities?

Vectra AI employs advanced analytics that consider various factors, including the nature of the destination, data transfer rate, and historical behavior patterns of the host.

What immediate steps should be taken if Vectra AI detects a potential Smash and Grab incident?

Immediately isolate the affected host, verify the nature of the data transfer, and if unauthorized, initiate incident response protocols including forensic analysis.

Can Vectra AI detect Smash and Grab attacks in real-time, and how are alerts prioritized?

Yes, Vectra AI can detect such attacks in real-time. Alerts are prioritized based on threat and certainty scores, ensuring high-risk events receive immediate attention.

How does Vectra AI assist in post-incident investigations of Smash and Grab attacks?

Vectra AI provides detailed logs and analytics, including the source, destination, and volume of data transferred, assisting in forensic analysis and understanding the scope of the breach.

Is user intervention necessary for Vectra AI to detect Smash and Grab activities, or is it automated?

Detection is primarily automated, leveraging Vectra AI’s machine learning algorithms. However, user intervention may be required for deeper investigations and response actions.
