Vectra Threat Labs™

Cybersecurity research

Vectra Threat Labs operates at the precise intersection of security research and data science. We take unexplained phenomena seen in customer networks and dig deeper to find the underlying reasons for the observed behavior.

Our reports and blogs zero in on the attacker's goals, place them in the context of the broader campaign the attacker is waging, and provide insights into durable ways in which threats can be detected and mitigated.

Focusing on the underlying goal of an attacker and thinking about the possible methods for achieving it can lead to detection methods that are surprisingly effective for extended periods of time.

And that means your security posture won't be a constant race against time.

To report vulnerabilities about our platform, email us at security@vectranetworks.com.

Research

  • Fighting the ransomware pandemic

    15 May 2017

    A ransomware attack is spreading very rapidly among unpatched Windows systems worldwide. This morning, the attack was initially believed to target the UK National Health Service, but throughout the day, it has become apparent this is a global attack.

  • The election hackers: Some uncovered points

    3 November 2016

    The group known as Fancy Bear, reportedly behind recent attacks against the U.S. Democratic National Committee and U.S. political figures, has been widely discussed. But some interesting details about these attackers have not been covered, and this blog aims to provide more details and fill in some of the blanks.

  • Moonlight: Targeted attacks in the Middle East

    26 October 2016

    Vectra Threat Labs researchers have uncovered the activities of a group of individuals currently engaged in targeted attacks against entities in the Middle East. We identified over 200 samples of malware generated by the group over the last two years. These attacks are themed around Middle Eastern political issues and the motivation appears to relate to espionage, as opposed to opportunistic or criminal intentions.

  • Triggering MS16-030 via Targeted Fuzzing

    11 October 2016

    The need to analyze the patch for MS16-030 recently presented itself to us due to some related product research. After the analysis was complete, we realized that the attack surface of the patch was pretty interesting and determined it may be beneficial to share part of the analysis. This post will focus on triggering a patched bug from MS16-030.

  • Reverse engineering the Shadow Brokers dump: A close look at NOPEN

    12 September 2016

    While digging and reversing my way through the Equation Group dump, I've come across a few interesting pieces that probably are not getting the attention they deserve. While a lot of the initial research has focused on the potential 0-days, the dump also gives a glimpse into the backbone tools and operational methods of a serious hacking group.

  • In-depth technical analysis: Own a printer, own a network with point and print drive-by

    12 July 2016

    Printers present an interesting IoT example because they are more powerful than most other IoT devices but are not always considered real computers by most network administrators. This dichotomy is at the forefront of the printer watering-hole vulnerabilities CVE-2016-3238 (MS16-087) and CVE-2016-3239 discovered by Vectra Threat Labs.

  • How to interpret network-based malware detection

    23 May 2016

    This research paper by Vectra CSO Günter Ollmann examines the ecosystem nuances of network-based malware detection and the limits imposed on intelligence extraction of captured malware samples. It also explains the impact on organizations that strive to mitigate malware threats using network-based detection systems.

  • Insights from inside the kill chain

    20 April 2016

    The Spring 2016 Post-Intrusion Report from Vectra reveals that cyber attackers know they're being watched and are responding by blending in with users and hiding in normal network traffic. The report analyzed data from 120 Vectra customer networks comprised of more than 1.3 million hosts over the first quarter of 2016. All organizations showed signs of targeted attacks, including internal reconnaissance, lateral movement or data exfiltration.

  • Turning a webcam into a backdoor

    12 January 2016

    Reports of successful hacks against Internet of Things (IoT) devices have been on the rise. Most of these efforts have involved demonstrating how to gain access to such a device or to break through its security barrier. Most of these attacks are considered relatively inconsequential because the devices themselves contain no real data of value (such as credit card numbers or PII). The devices in question generally don't provide much value to a botnet owner: they tend to have access to lots of bandwidth, but have very little in terms of CPU and RAM.

  • Critical vulnerabilities in Adobe Reader and Internet Explorer

    14 October 2015

    Today, Vectra researchers discovered critical vulnerabilities that impact the security of Adobe Reader, VBScript, and Internet Explorer. The vulnerability in Adobe Reader (CVE-2015-6687) is a use-after-free bug that could lead to arbitrary code execution. An analysis of this and other recently patched Adobe vulnerabilities can be found here. Researchers also found critical vulnerabilities (MS15-106 and MS15-108) that allow attackers to bypass Address Space Layout Randomization (ASLR) protections. These vulnerabilities are particularly significant because ASLR protects against memory corruption attacks by making the layout of memory unpredictable. As a result, any vulnerability that bypasses ASLR is highly valuable to attackers.

  • Belkin F9K1111 V1.04.10 firmware analysis

    18 August 2015

    Researchers in the Vectra Threat Labs recently analyzed vulnerabilities in the Belkin F9K1111 wireless repeater. This analysis includes a close inspection of the vulnerabilities, how they could be exploited, as well as fixes from the vendor.

  • Zero-day vulnerability discovered in Internet Explorer 11

    14 July 2015

    Researchers in the Vectra Threat Labs recently discovered a high-severity vulnerability in the Internet Explorer 11 web browser. It's an exploitable use-after-free vulnerability that occurs within a custom heap in JSCRIPT9.

  • Post-Intrusion Report

    23 June 2015

    We observed spikes in reconnaissance and lateral movement, changes in command-and-control attack techniques, and a penchant for using hidden tunnels to conceal communication within HTTPS traffic. Check out the cool infographic.

  • A technical analysis of Hola

    1 June 2015

    Lab researchers found that user machines that are loaded with the Hola privacy and unblocker application can enable a targeted, human-driven cyber-attack on the network they're connected to.

  • Post-Breach Industry Report

    5 November 2014

    This groundbreaking inaugural report reveals what cyber-attackers do inside your network after they evade perimeter defenses. Ironically, once inside, their actions create opportunities to stop them.


Analysis of industry threats

  • An analysis of the Shamoon 2 malware attack

    By Greg Linares, Vectra Threat Researcher, 7 February 2017

    During a recent analysis, Vectra came across a malicious component that appears to be used in conjunction with spear-phishing-delivered malicious documents. These documents use PowerShell to download and execute the reconnaissance tool to start their foothold in the victim’s network.

  • Shamoon 2: Same or better than the original?

    27 January 2017

    Shamoon 2 is similar to what we are seeing with ransomware attacks. For example, sometimes there is no command-and-control (C&C) activity to trigger a detection. That's because it is often disabled when the goal is to destroy, not steal. This enables Shamoon to evade perimeter defenses.

  • Canary in the ransomware mine

    30 March 2016

    The use of ransomware canary file shares, like canary accounts in Active Directory and email, can be a cheap and effective threat-mitigation approach. Sometimes the simplest methods can be the most effective.

  • Duqu threat actor stars in sequel

    12 June 2015

    Duqu is back with a vengeance. The latest strain, dubbed Duqu 2.0, performs recon, spreads laterally using Kerberos pass-the-hash, and elevates domain admin privileges to deliver MSI packages that infect hosts.

  • Dyre malware

    7 May 2015

    The latest Dyre malware techniques are the tip of the iceberg in an ongoing cat-and-mouse game between malware authors and security researchers. Among other things, it now knows when it's being run in a malware sandbox.

  • Superfish

    4 March 2015

    Adware. Bloatware. Crapware. Whatever you call it, Superfish software vulnerabilities are a sobering reminder that devices can be compromised even before they come out of the box. It's like starting a baseball game from second base.

  • Carbanak advanced persistent threat (APT)

    19 February 2015

    The notorious banking malware infiltrated over 100 financial institutions, where attackers stole upwards of $1 billion. It's a stark reminder of the importance of tracking any and all forms of remote access tunnels in the network.

  • Regin malware

    3 December 2014

    Purpose-built for state-sponsored espionage, highly sophisticated Regin malware has the ability to quietly infect, spread and persist within a targeted network for extended periods of time.

  • Shellshock vulnerability

    29 September 2014

    Predicting when new vulnerabilities will appear and figuring out the creative ways attackers will exploit them might seem like a losing battle. But there are ways you can catch these attackers in the act.

  • Heartbleed vulnerability detection

    22 August 2014

    The Heartbleed brute-force cyber-attack is quite unusual in terms of the network pattern it leaves behind in its wake. The good news is that it can be recognized if you use the right analytics tools.

  • Heartbleed vulnerability on the inside

    1 May 2014

    It's only a matter of time before the world sees more targeted attacks leverage Heartbleed to acquire key account credentials and use those hijacked credentials to get to your crown jewels.


Data science

  • Election 2016: The bungling of big data

    17 November 2016

    We live in the age where big data and data science are used to predict everything from what I might want to buy on Amazon to the outcome of an election.

  • Cybersecurity and machine learning: The right features can lead to success

    15 September 2015

    Is the need for lots of data justified? It depends on the problem machine learning is trying to solve. But exactly how much data is needed to train a machine-learning model should be associated with the choice of features.

  • Cybersecurity, data science and machine learning

    9 March 2015

    Data models that can distinguish normal benign network traffic from abnormal traffic can be used to build classifiers that provide a binary response -- good and bad -- to the traffic that's being analyzed.

  • Creating cybersecurity that thinks

    9 March 2015

    Malware-infected machines can be identified by observing their abnormal, post-infection behavior. Recognizing this behavior requires identifying what's normal and using rigorous analytical methods to detect anomalies.

  • How to detect insider threats

    10 January 2015

    There's usually not enough information available to determine an insider's intention or psychology in real-time. But many more cues can reveal themselves as the volume of collected behavior data increases.

  • Insider threats to critical infrastructure

    7 December 2014

    Remote access is a primary entry point for attacks due to the poor choice and design of remote access protocols. VPN tunnels and a restricted security zone (DMZ) for connections can minimize risk.
