ExtraHop Demo

This demo, “Network Detection & Response,” gives a brief overview of Reveal(x) network detection and response and shows how security analysts can investigate and respond to attacker tactics, techniques, and procedures (TTPs) from the MITRE ATT&CK framework. The screenshot below shows the dashboard.


The security overview page offers several views into the detections currently in the environment: detections by security category, by device role, by detection type, and so on. The Detections tab gives a slightly more detailed view of these detections, as shown in the screenshot below.


Looking through the list of detections on the left side, we can see that they are sorted by risk score. Sorting by technique instead (the next tab, called MITRE MAP) gives a MITRE ATT&CK matrix showing a subset of ATT&CK TTPs; the squares highlighted in teal are the techniques that have been detected in the environment, as shown in the screenshot below.


In the view above, the column headers show which tactic categories have detections, and the number of detections that fall into a particular TTP is labeled in each square. To investigate one of these, click on it. For instance, Exfiltration Over C2 Channel links to more insight into what this TTP is and to the 25 detections related to it, as shown in the next screenshots.

Clicking on one of the detections provides more details about this data-exfiltration detection, including the victim and offender, and even a button to investigate it further. The last screenshot contains some of that information, as well as a timeline of related detections showing what happened before and after. Additional details, such as the IP addresses involved, might also warrant investigation.


ExtraHop provides a range of real-time analytics capabilities that are crucial for identifying network performance issues and security risks. Automation plays a critical role in improving response time and effectively mitigating threats in cybersecurity incident response teams (CSIRTs) and security operations centers (SOCs). For instance, ExtraHop’s continuous network traffic monitoring enables CSIRTs and SOCs to stay vigilant and respond quickly to suspicious activity. This capability is essential for organizations where even the slightest delay can result in losses.


On the other hand, the MITRE ATT&CK framework catalogues the attack vectors and techniques that adversaries might employ. By combining ExtraHop’s capabilities with this framework, organizations can not only react to threats as they occur but also proactively anticipate and prepare for future ones. This proactive approach involves mapping observed network behaviors and anomalies to the tactics and techniques outlined in the ATT&CK framework, allowing analysts to understand the nature of an attack and its associated risks. Additionally, ExtraHop can be configured to use analytics to flag activities that align with known attack techniques. Automating this initial identification step lets human analysts focus on in-depth analysis that goes beyond flagging potential issues.


Human analysts often face the challenge of dealing with the sheer volume of data they need to sift through. ExtraHop addresses this challenge by filtering out irrelevant information and focusing solely on activities that could be harmful. This allows analysts to prioritize and focus on the real issues, significantly reducing the time required to identify and mitigate threats. Additionally, ExtraHop ranks threats based on their severity and their alignment with known attack techniques catalogued in MITRE ATT&CK. This prioritization is invaluable in helping analysts determine where their attention should be focused. When it comes to analyzing breaches after they occur, ExtraHop also excels at reconstructing timelines. By generating an automated timeline of network events, it becomes much easier for analysts to piece together the sequence of activities that led to the breach. Finally, one of the advantages of a tool like ExtraHop is its ability to provide 24/7 monitoring. While human analysts cannot work around the clock, ExtraHop ensures that the network is continuously monitored and that only significant events are flagged for review.
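To make the data model behind these screens concrete, here is an added example (not ExtraHop’s code or API) that mirrors both the walkthrough above and the prioritization and timeline claims in this section: detections tagged with an ATT&CK tactic and technique, a MITRE-map style count per technique square, risk-score ordering of the detections list, drill-down from a square to its detections, and a before/after timeline of related detections around the one being investigated. The `Detection` fields, the 2-hour window and the sample detections are all constructed for the example.

```python
"""Added example: a minimal model of ATT&CK-mapped detections.
Not ExtraHop code; field names, window and sample data are assumptions."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Detection:
    det_id: str
    title: str
    tactic: str        # ATT&CK tactic name (matrix column)
    technique: str     # ATT&CK technique name (matrix square)
    risk: int          # risk score 0-99, used to sort the detections list
    offender: str      # device/IP flagged as the source of the activity
    victim: str        # device/IP on the receiving end
    seen: datetime     # when the detection fired


# Constructed sample detections (illustrative values only).
T0 = datetime(2024, 1, 15, 9, 0, 0)
DETECTIONS = [
    Detection("d1", "New external connection", "Command and Control",
              "Application Layer Protocol", 40, "10.0.1.5", "203.0.113.7", T0),
    Detection("d2", "Large outbound transfer", "Exfiltration",
              "Exfiltration Over C2 Channel", 85, "10.0.1.5", "203.0.113.7",
              T0 + timedelta(minutes=12)),
    Detection("d3", "SMB share enumeration", "Discovery",
              "Network Share Discovery", 55, "10.0.1.5", "10.0.2.20",
              T0 - timedelta(minutes=30)),
    Detection("d4", "Large outbound transfer", "Exfiltration",
              "Exfiltration Over C2 Channel", 70, "10.0.3.9", "198.51.100.4",
              T0 + timedelta(hours=5)),
    Detection("d5", "DNS tunnelling", "Command and Control",
              "Protocol Tunneling", 90, "10.0.4.2", "203.0.113.9",
              T0 + timedelta(hours=1)),
]


def mitre_map(dets):
    """Count detections per (tactic, technique): the number shown in each
    highlighted square of the MITRE MAP view."""
    return Counter((d.tactic, d.technique) for d in dets)


def by_risk(dets):
    """Detections list ordering: highest risk score first."""
    return sorted(dets, key=lambda d: d.risk, reverse=True)


def for_technique(dets, technique):
    """Drill-down from one matrix square to the detections behind it."""
    return [d for d in dets if d.technique == technique]


def related_timeline(dets, det_id, window=timedelta(hours=2)):
    """Related detections for one detection under investigation: same
    offender device, within +/- window, oldest first. This is the
    'what happened before and after' view on the detection detail page."""
    focus = next(d for d in dets if d.det_id == det_id)
    related = [d for d in dets
               if d.det_id != det_id
               and d.offender == focus.offender
               and abs(d.seen - focus.seen) <= window]
    return sorted(related, key=lambda d: d.seen)


def peers(dets):
    """Distinct victim addresses touched by a set of detections: the IPs an
    analyst would pull out of the timeline for follow-up."""
    return sorted({d.victim for d in dets})


if __name__ == "__main__":
    for (tactic, technique), n in sorted(mitre_map(DETECTIONS).items()):
        print(f"{tactic:20} {technique:30} {n}")
    print("top risk:", by_risk(DETECTIONS)[0].det_id)
    tl = related_timeline(DETECTIONS, "d2")
    print("timeline around d2:", [d.det_id for d in tl])
    print("peers to check:", peers(tl + [DETECTIONS[1]]))
```

Running the block prints the per-square counts, the highest-risk detection, and the before/after timeline for the exfiltration detection `d2`, which pulls in the earlier share enumeration and the first external connection from the same offender.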


In summary, ExtraHop not only automates fundamental tasks in network monitoring but also
dramatically empowers human analysts within a CSIRT. It allows them to concentrate on analyses
that necessitate their expertise, ultimately improving the efficiency and effectiveness of the
response team.
