Network Security

NDR vs. Advanced Threats: Part 2

SE Labs tested VMware NSX Network Detection and Response against a range of advanced persistent threats designed to compromise systems and penetrate target networks in the same way as criminals and other attackers breach systems and networks.

Full chains of attack were used, meaning that testers behaved as real attackers, probing targets using a variety of tools, techniques and vectors before attempting to gain lower-level and more powerful access. Finally, the testers/attackers attempted to complete their missions, which might include stealing information, damaging systems and connecting to other systems on the network.

The following is the second of a two-part preview of SE Labs’  report on the exercise, which can be downloaded here. The first installment examined SE Labs’ testing methodology. This installment delves into what researchers learned about attack groups and techniques along the way.

Hackers vs. Targets

The testing SE Labs conducted on VMWare’s NSX Network Detection and Response revealed some interesting insights into different attack groups, who they target and what they’re looking for:

Fin7 and Carbanak, for example, pursues targets in Russia, the U.S. and Germany, focusing on retail, restaurants and hospitality and communicating through the Application Layer Protocol to avoid detection. It uses spear phishing attacks disguised as everything from restaurant orders to customer complaints delivered in Word- and RTF-formatted documents that contain hidden VBS code.

OilRig -- an Iranian APT -- pursues targets in the United Arab Emirates and Saudi Arabia, focusing on financial institutions, conducting government espionage, and seeking to disrupt operations at energy companies. This group uses asymmetric cryptography to conceal its command-and-control traffic. Its techniques include using phishing via email and services such as LinkedIn, sending links to scripts, macros and other malware. It uses public tools to extract data and to establish and maintain connections to victims.

APT3 pursues targets in the U.S. and Hong Kong and is primarily interested in conducting government espionage, using lateral movement that targets Windows admin shares and RDP. APT3 uses a wide variety of initial attack techniques including phishing, web-based exploits, and access via valid accounts. PowerShell and other scripting languages are used to gain further access, including control via Remote Desktop Access.

APT29 has focused intently on U.S. government targets to conduct espionage and exfiltrate data over alternative protocols. It is believed to have been behind the Democratic National Committee hack in 2015, in which it used phishing emails with attached malware or links to malicious scripts.

NSX NDR performance

The test exposed VMware NSX Network Detection and Response to a diverse set
 of exploits, file-less and malware attacks and reconnaissance ‘discovery’ techniques.

"The testers behaved as attackers, pivoting between systems (and generating lateral movement traffic), attempting to use credentials, exfiltrating data and creating command and control data flows,” the report authors wrote.  

Also from the report’s conclusion:

“An attack is made up of multiple stages and we record when a product detects malicious activity, including the initial ‘delivery’ stage of an attack, when a connection is first made and malicious code is sent to the target. We also watch out for code execution; behavior by the attacker after their attempts to gain lower-level access (privilege escalation); and their movement across the network after the first stages of the attack (lateral movement).

“The results are strong and not one attack stage went undetected. Sometimes products are overly aggressive and detect everything, including threats and legitimate objects. In this test VMware NSX Network Detection and Response generated no such false positive results, which is as hoped.”

The final verdict: VMware NSX Network Detection and Response wins a AAA award for its excellent performance.

To learn more about SE Labs, visit its blog:

Bill Brenner

InfoSec content strategist, researcher, director, tech writer, blogger and community builder. Senior Vice President of Audience Content Strategy at CyberRisk Alliance.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.