In order to contain the spread of COVID-19, employees are being asked to work remotely when possible. For organizations that are not already fully remote, this sudden shift of employees from the office to remote locations changes the pattern of internal network traffic, which directly affects the behavioral detections the Cognito platform produces. Vectra is making the following recommendations to help Cognito users identify and manage the expected increase in behavioral detections associated with certain remote-worker conditions.
Command & Control
Hidden HTTPS Tunnel – Depending on the amount of noise generated by these detections, write a triage rule that is as narrow as possible, scoped to the specific source IP(s) and destination IPs involved (for example, the corporate VPN concentrator). A rule that suppresses every Hidden HTTPS Tunnel detection would also hide a genuine tunnel to an unknown destination.
External Remote Access – Depending on the amount of noise generated by these detections, write a triage rule that is as narrow as possible, scoped to the specific source IP(s) and the destination IPs of the sanctioned remote-access gateway or service.
Suspicious Relay – This detection can be triggered when a user reaches a specific host over remote desktop through a jump server or relay. Assuming a low volume of noise, Vectra recommends that an analyst tag the source host as authorized for this activity and use a one-time "mark as custom" on the detection. If this behavior is prevalent from a system, consider writing a custom filter scoped to the destination IPs and ports, so that relays from hosts other than the authorized jump server still surface.
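The following Python is an added example, not code from Vectra or the Cognito platform, and it does not use the Cognito API or its rule schema. It models the triage logic behind all three recommendations above (Hidden HTTPS Tunnel, External Remote Access, Suspicious Relay) over a constructed set of detections, to show why the rule should be scoped by source IP, destination IP and port rather than by detection type alone: the broad rule hides a tunnel to an unknown external host, while the narrow rules suppress only the expected VPN, remote-access and jump-server traffic. The `Detection` and `TriageRule` field names, the addresses (documentation ranges) and the rule names are all assumptions for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Detection:
    """One behavioral detection (hypothetical field set, not Cognito's schema)."""
    detection_type: str
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class TriageRule:
    """A filter that suppresses matching detections. A condition left as None
    matches anything, so a rule with only detection_type set is as broad as
    a rule can be."""
    name: str
    detection_type: str
    src_ips: Optional[Sequence[str]] = None    # IPs/CIDRs of hosts allowed to do this
    dst_ips: Optional[Sequence[str]] = None    # IPs/CIDRs of the expected destinations
    dst_ports: Optional[Sequence[int]] = None  # expected destination ports

    @staticmethod
    def _in_any(ip: str, nets: Optional[Sequence[str]]) -> bool:
        if nets is None:
            return True
        addr = ip_address(ip)
        return any(addr in ip_network(n, strict=False) for n in nets)

    def matches(self, d: Detection) -> bool:
        return (
            d.detection_type == self.detection_type
            and self._in_any(d.src_ip, self.src_ips)
            and self._in_any(d.dst_ip, self.dst_ips)
            and (self.dst_ports is None or d.dst_port in self.dst_ports)
        )


def apply_rules(detections: Sequence[Detection], rules: Sequence[TriageRule]
                ) -> Tuple[List[Detection], List[Tuple[Detection, str]]]:
    """Return (detections still needing analyst attention, [(detection, rule name)] suppressed)."""
    remaining, suppressed = [], []
    for d in detections:
        rule = next((r for r in rules if r.matches(d)), None)
        if rule is None:
            remaining.append(d)
        else:
            suppressed.append((d, rule.name))
    return remaining, suppressed


# Constructed sample detections (documentation address ranges, not real hosts).
SAMPLE = [
    Detection("Hidden HTTPS Tunnel", "10.1.5.20", "203.0.113.10", 443),    # laptop -> corporate VPN concentrator
    Detection("Hidden HTTPS Tunnel", "10.1.5.21", "203.0.113.10", 443),    # second laptop -> same concentrator
    Detection("Hidden HTTPS Tunnel", "10.1.5.22", "198.51.100.77", 443),   # laptop -> unknown external host
    Detection("External Remote Access", "10.1.5.23", "203.0.113.11", 443), # laptop -> sanctioned remote-access gateway
    Detection("Suspicious Relay", "10.1.9.5", "10.1.9.50", 3389),          # authorized jump server -> RDP target
    Detection("Suspicious Relay", "10.1.5.30", "10.1.9.50", 3389),         # ordinary workstation acting as a relay
]

# Broad rule: keyed on detection type only.
BROAD = [TriageRule("all hidden https tunnels", "Hidden HTTPS Tunnel")]

# Narrow rules: scoped to the source hosts, destinations and ports that are expected.
NARROW = [
    TriageRule("vpn concentrator", "Hidden HTTPS Tunnel",
               src_ips=["10.1.5.0/24"], dst_ips=["203.0.113.10"], dst_ports=[443]),
    TriageRule("remote access gateway", "External Remote Access",
               src_ips=["10.1.5.0/24"], dst_ips=["203.0.113.11"], dst_ports=[443]),
    TriageRule("authorized jump server", "Suspicious Relay",
               src_ips=["10.1.9.5"], dst_ips=["10.1.9.0/24"], dst_ports=[3389]),
]


def demo() -> Tuple[List[Detection], List[Detection]]:
    """Detections left for the analyst under the broad rule and under the narrow rules."""
    remaining_broad, _ = apply_rules(SAMPLE, BROAD)
    remaining_narrow, _ = apply_rules(SAMPLE, NARROW)
    return remaining_broad, remaining_narrow


if __name__ == "__main__":
    for label, remaining in zip(("broad", "narrow"), demo()):
        print(f"{label} rules leave {len(remaining)} detection(s):")
        for d in remaining:
            print(f"  {d.detection_type}: {d.src_ip} -> {d.dst_ip}:{d.dst_port}")
```

Under the broad rule the tunnel to 198.51.100.77 disappears along with the VPN traffic, which is exactly the outcome the "as narrow as possible" guidance is meant to avoid. Under the narrow rules, only that tunnel and the relay from the non-jump-server workstation remain in the analyst's queue.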