Source: https://www.extrahop.com/company/blog/2020/better-mitre-coverage-using-ndr-and-edr/
INTEGRATE EDR AND NDR FOR COMPREHENSIVE MITRE ATT&CK COVERAGE
NETWORK TTPS ARE CRITICAL FOR POST-COMPROMISE, PRE-BREACH DETECTION & RESPONSE
Chase Snyder, July 28, 2022

The MITRE ATT&CK framework has rapidly become the go-to lens through which security operations teams view their ability to detect attacker tactics, techniques, and procedures (TTPs). The framework comprises 191 techniques and 385 sub-techniques (and counting) across fourteen tactics, starting with reconnaissance and proceeding through initial access, persistence, defense evasion, and finally impact, spanning the course of a full cyberattack campaign.

When enterprise SecOps teams use MITRE ATT&CK to classify the behavior they observe in their own environment, they gain a clearer view of which attack tactics they can detect and which might fly under the radar, evade their defenses, and eventually lead to a breach. Understanding these gaps makes it easier to decide where to invest security budgets and how to update policies and procedures to ensure strong, effective defenses.

Currently, the MITRE ATT&CK framework is heavily weighted toward endpoint-centric techniques. Detecting and investigating a large percentage of the TTPs cataloged in the framework requires visibility into files and processes on individual endpoints. Endpoint detection and response (EDR) is an area of heavy investment for security teams, and it makes sense that they want industry standards and frameworks to both scrutinize and validate the effectiveness of their programs. However, many crucial TTPs, especially in the later stages of an attack campaign, are easier to detect on the network.
Automatically analyzing and correlating both data sources makes it easier for analysts to make fast, informed decisions and respond precisely to urgent threats.

NETWORK-CENTRIC TTPS CAN MAKE THE DIFFERENCE BETWEEN A COMPROMISE AND A DATA BREACH

When an attacker has compromised your network and begins to move laterally, hopping from endpoint to endpoint, you need to move quickly to prevent them from maintaining a foothold, staging data, and eventually exfiltrating it in a way that represents a potentially irreversible breach. Many enterprises have less visibility into internal lateral movement than they do into ingress and egress, so attackers who get past the perimeter have an easier time staying stealthy and meeting high-impact objectives.

DEFENSE EVASION

If an attacker is inside the environment, they have likely already circumvented some defenses. A few common ways to do this are:

* Assessing which endpoints are monitored by agents or antivirus, and avoiding them
* Deleting or altering activity logs to mask suspicious behavior
* Hijacking or injecting attack behavior into unmonitored processes to evade endpoint security
* Stealing valid credentials and using them for unauthorized purposes

Endpoint security, next-gen antivirus, or firewalls will often catch these tactics when they affect perimeter-based or internet-facing devices. But attackers know it only has to work once for them to get the toehold they need, so they keep trying and keep developing new ways to bypass these mechanisms. Software supply chain attacks, such as the SolarWinds SUNBURST attack or the abuse of a vulnerability in the Kaseya VSA management software, are an increasingly popular way to evade perimeter security altogether. In all of these cases, the attacker buys time to expand their footprint in the target environment.

Security teams that can detect what happens after these evasions are in a much better position to reduce dwell time (the time an attacker has, before being detected, to achieve their goals of stealing or destroying data, or distributing and detonating ransomware). This is where network detection and response (NDR) comes in.

THE ASYMMETRIC BATTLE AND HOW COVERT DEFENSES CAN HELP

Why are attackers able to circumvent established security mechanisms so effectively, and what can a savvy security team do about it? Two issues are at play.

One is the asymmetry inherent in the relationship between attackers and defenders. An attacker only has to get past the perimeter once to make their job much, much easier. Few, if any, companies have the same level of security visibility inside their environment as they do at the edge, although that is changing.

The second is that perimeter and endpoint security mechanisms are visible to the attacker. A quick look at a compromised laptop reveals whether it has an endpoint protection agent and whether its activity is being logged. If attackers know which defenses lie in wait, they can plan ahead and disable them, or simply target unmanaged and unsecured devices exclusively.

Network detection and response addresses both challenges. Because NDR platforms observe communications across the inside of the network, in the east-west corridor, they can detect unusual lateral movement, suspicious user behavior, and new, unauthorized devices as soon as they connect. Because NDR platforms ingest data passively, from a tap, SPAN port, or cloud traffic mirror rather than from an agent on the host, an attacker on a compromised host has no host-side indicator that their traffic is being watched and, short of compromising the switching fabric or the sensor itself, no way to alter what is captured.
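The kind of east-west detection described above, as an added example that is not ExtraHop's code: a flow-based fan-out detector that flags a source host reaching an unusual number of distinct internal hosts on an admin-protocol port within a short window, and annotates the finding with whether the source has an EDR agent at all. The flow record format, the port-to-protocol map, the thresholds, and both the sample flows and the EDR inventory are constructed assumptions for this demo; a real sensor would feed NetFlow/IPFIX, Zeek conn.log, or its own flow records into the same logic.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Admin protocols most often abused for lateral movement (ATT&CK T1021, Remote
# Services). The port-to-name map is an assumption for this example.
LATERAL_PORTS = {445: "SMB", 3389: "RDP", 5985: "WinRM", 5986: "WinRM/TLS", 22: "SSH"}


def parse_ts(clock):
    """Helper for the constructed sample: every flow is on one day."""
    return datetime.fromisoformat("2022-07-28T" + clock)


# Constructed flow records (src, dst, destination port, first-seen time).
SAMPLE_FLOWS = [
    # 10.0.1.20 has no EDR agent and fans out over SMB to six hosts in two minutes
    {"src": "10.0.1.20", "dst": "10.0.2.11", "dport": 445, "ts": parse_ts("09:00:05")},
    {"src": "10.0.1.20", "dst": "10.0.2.12", "dport": 445, "ts": parse_ts("09:00:21")},
    {"src": "10.0.1.20", "dst": "10.0.2.13", "dport": 445, "ts": parse_ts("09:00:40")},
    {"src": "10.0.1.20", "dst": "10.0.2.14", "dport": 445, "ts": parse_ts("09:01:02")},
    {"src": "10.0.1.20", "dst": "10.0.2.15", "dport": 445, "ts": parse_ts("09:01:30")},
    {"src": "10.0.1.20", "dst": "10.0.2.16", "dport": 445, "ts": parse_ts("09:01:55")},
    # repeated flows to one server are not fan-out
    {"src": "10.0.1.20", "dst": "10.0.2.11", "dport": 445, "ts": parse_ts("09:02:10")},
    # 10.0.1.30 is a managed admin host that RDPs to three servers over an hour
    {"src": "10.0.1.30", "dst": "10.0.2.11", "dport": 3389, "ts": parse_ts("08:00:00")},
    {"src": "10.0.1.30", "dst": "10.0.2.12", "dport": 3389, "ts": parse_ts("08:25:00")},
    {"src": "10.0.1.30", "dst": "10.0.2.13", "dport": 3389, "ts": parse_ts("08:50:00")},
    # ordinary HTTPS traffic is ignored by this detector
    {"src": "10.0.1.20", "dst": "10.0.2.50", "dport": 443, "ts": parse_ts("09:00:10")},
]

# Constructed EDR inventory: hosts that report an agent. 10.0.1.20 is absent.
EDR_MANAGED = {"10.0.1.30", "10.0.2.11", "10.0.2.12"}


def detect_fan_out(flows, window_minutes=5, min_targets=5, edr_managed=frozenset()):
    """Flag a (source, port) pair that reaches at least min_targets distinct
    hosts within a sliding window. Returns one finding per pair, as dicts."""
    window = timedelta(minutes=window_minutes)
    by_key = defaultdict(list)
    for f in flows:
        if f["dport"] in LATERAL_PORTS:
            by_key[(f["src"], f["dport"])].append((f["ts"], f["dst"]))

    findings = []
    for (src, dport), events in by_key.items():
        events.sort()
        in_window = defaultdict(int)  # dst -> number of flows inside the window
        left = 0
        for ts, dst in events:
            in_window[dst] += 1
            # drop flows that fell out of the window
            while events[left][0] < ts - window:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= min_targets:
                findings.append({
                    "src": src,
                    "protocol": LATERAL_PORTS[dport],
                    "targets": sorted(in_window),
                    "window_end": ts,
                    # tells the analyst whether there is EDR telemetry to pivot to
                    "edr_agent_on_source": src in edr_managed,
                })
                break  # one finding per pair is enough for this example
    return findings


if __name__ == "__main__":
    for finding in detect_fan_out(SAMPLE_FLOWS, edr_managed=EDR_MANAGED):
        print(finding)
```

The thresholds are deliberately parameters: a jump host or vulnerability scanner will legitimately fan out, so in production the window, the target count, and an allowlist of known administrative sources are tuned per environment. The point the flow data makes on its own is that the source is the unmanaged 10.0.1.20, which no EDR alert would ever name.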
Attackers may try to evade detection by encrypting their traffic, but that traffic can be decrypted for analysis where the defender holds the session keys, or simply blocked when unauthorized, out-of-policy encryption is detected. These characteristics make NDR a strong mechanism for detecting and investigating the behaviors attackers exhibit after they bypass perimeter-focused defenses.

WHAT MAKES SOME MITRE ATT&CK TTPS NETWORK-CENTRIC?

Each MITRE ATT&CK technique page lists the data sources (since ATT&CK v10, broken down into data components) that are useful for detecting and investigating that technique. Looking for techniques whose data sources include Network Traffic Content, Network Traffic Flow, or Network Connection Creation is a good way to identify which TTPs are better detected and investigated using network traffic. Examples include:

* Remote Access Software (T1219, formerly Remote Access Tools)
* Ingress Tool Transfer (T1105, formerly Remote File Copy)
* Rogue Domain Controller (T1207, formerly DCShadow)
* And dozens more

While network-centric TTPs appear in all fourteen tactics of the MITRE ATT&CK framework, they are more heavily concentrated in certain ones, including:

* Lateral Movement
* Credential Access
* Command and Control
* Exfiltration

The reason is that once an attacker has compromised an environment, they have likely already evaded the safeguards meant to prevent that. At this point, the attacker still has a long way to go before completing their objective. Well-equipped defenders can still stop the breach, as long as they have the right tools. Because network detection and response consumes data passively and is not visible from the compromised host, the attacker cannot evade or disable it the way they can an agent. Security teams can rely on NDR as a covert line of defense that remains effective even when an attacker believes they are in the clear.

EDR and activity logging in a SIEM are both vital tools for any security operations team. Both can catch many of the TTPs attackers attempt in the early stages of a campaign, as well as behaviors that manifest on-host without generating network activity, such as process spawning, directory traversal, and on-host privilege escalation. For the later stages of an attack, NDR is the best approach to ensure that a compromise does not progress into a full-on data breach. An integrated set of best-of-breed NDR, EDR, and SIEM solutions provides the complete data set needed for thorough detection and response.

Posted in Cybersecurity, Reveal(x), Security Frameworks, NDR
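The data-source selection described in the section above, as an added example rather than code from the post: a script that walks a MITRE ATT&CK STIX bundle, keeps the techniques whose listed data sources include the Network Traffic components, and counts them per tactic. MITRE publishes the real bundle as enterprise-attack.json in the mitre/cti repository on GitHub (https://github.com/mitre/cti); the handful of attack-pattern objects embedded here are constructed for the demo, using real technique IDs and names but with their data-source lists trimmed, so that the script runs offline. The ap() helper and every constant name are this example's own.

```python
import json
from collections import Counter

# ATT&CK data components that are observable from network traffic. Extend this
# set (for example with "Network Share: Network Share Access") to widen the net.
NETWORK_COMPONENTS = {
    "Network Traffic: Network Traffic Content",
    "Network Traffic: Network Traffic Flow",
    "Network Traffic: Network Connection Creation",
}


def ap(tid, name, tactics, sources, **extra):
    """Build a minimal STIX attack-pattern in the shape MITRE publishes."""
    obj = {
        "type": "attack-pattern",
        "name": name,
        "external_references": [{"source_name": "mitre-attack", "external_id": tid}],
        "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": t} for t in tactics],
        "x_mitre_data_sources": sources,
    }
    obj.update(extra)
    return obj


# Constructed, trimmed stand-in for enterprise-attack.json.
SAMPLE_BUNDLE = {"type": "bundle", "objects": [
    ap("T1105", "Ingress Tool Transfer", ["command-and-control"],
       ["Command: Command Execution", "File: File Creation",
        "Network Traffic: Network Traffic Content", "Network Traffic: Network Traffic Flow"]),
    ap("T1219", "Remote Access Software", ["command-and-control"],
       ["Network Traffic: Network Connection Creation", "Network Traffic: Network Traffic Flow",
        "Process: Process Creation"]),
    ap("T1207", "Rogue Domain Controller", ["defense-evasion"],
       ["Active Directory: Active Directory Object Modification",
        "Network Traffic: Network Traffic Content", "User Account: User Account Authentication"]),
    ap("T1021.002", "SMB/Windows Admin Shares", ["lateral-movement"],
       ["Logon Session: Logon Session Creation", "Network Share: Network Share Access",
        "Network Traffic: Network Traffic Flow"], x_mitre_is_subtechnique=True),
    ap("T1059", "Command and Scripting Interpreter", ["execution"],
       ["Command: Command Execution", "Process: Process Creation"]),
    # revoked entries remain in the bundle and must be skipped
    ap("T1175", "Component Object Model and Distributed COM", ["lateral-movement"], [], revoked=True),
    {"type": "x-mitre-tactic", "name": "Lateral Movement"},  # not a technique
]}


def technique_id(obj):
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def load_techniques(bundle):
    """Flatten live attack-pattern objects; skip revoked or deprecated ones."""
    out = []
    for obj in bundle["objects"]:
        if obj.get("type") != "attack-pattern":
            continue
        if obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue
        out.append({
            "id": technique_id(obj),
            "name": obj["name"],
            "is_sub": bool(obj.get("x_mitre_is_subtechnique")),
            "tactics": [p["phase_name"] for p in obj.get("kill_chain_phases", [])
                        if p.get("kill_chain_name") == "mitre-attack"],
            "data_sources": set(obj.get("x_mitre_data_sources", [])),
        })
    return out


def network_centric(techniques, components=NETWORK_COMPONENTS):
    """Techniques with at least one network-observable data component."""
    return [t for t in techniques if t["data_sources"] & components]


def count_by_tactic(techniques):
    """A technique mapped to several tactics is counted once under each."""
    counts = Counter()
    for t in techniques:
        for tactic in t["tactics"]:
            counts[tactic] += 1
    return counts


def load_bundle(path):
    with open(path) as fh:
        return json.load(fh)


if __name__ == "__main__":
    techs = network_centric(load_techniques(SAMPLE_BUNDLE))
    for t in techs:
        print(t["id"], t["name"], "sub" if t["is_sub"] else "", sorted(t["tactics"]))
    print(count_by_tactic(techs))
```

Point load_bundle() at a downloaded enterprise-attack.json and the same three functions produce the full per-tactic distribution for the current ATT&CK release. Because a technique can sit under more than one tactic, the per-tactic counts sum to more than the number of techniques; compare the network-centric count against load_techniques() as a whole to see what fraction of the catalogue the network can observe.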