In this article, you will learn everything you need to know about the DNS Security - VectorN Detection module. This module identifies the endpoints that are most likely to have been infected by malicious scripts or malware. It identifies patterns of malicious domain requests and filters these accordingly. The system administrator should ultimately treat the computers that VectorN Detection identifies as potentially infected as threats, investigate them, and scan them for threats either manually or automatically.
1. Description
2. How does VectorN Detection work?
3. HEIMDAL Agent - VectorN Detection
4. VectorN Detection view
5. VectorN Detection settings
DESCRIPTION
In 2017, data-stealing malware or data usage attacks were responsible for more than 55% of the cases where corporations lost valuable information. Approximately 19% of data theft malware is detected by traditional antivirus software. Low detection rates are caused by polymorphism, which means that malware can constantly change its behavior and attack methods. The problem of data theft is growing further because information theft is no longer confined to the PC itself but spreads across the entire network. VectorN Detection employs traffic and usage algorithms rather than relying solely on signature and access detection.
HOW DOES VECTORN DETECTION WORK?
The VectorN Detection engine is a feature that searches for patterns within the DarkLayer Guard domain blocks. VectorN Detection detects hidden threats using advanced Machine Learning algorithms, delivering HIPS/HIDS and IOA/IOC capabilities to detect even concealed malware. Patterns are intercepted when a domain is blocked multiple times a day in a very short period of time, when a domain is blocked every day at a specific time, or when multiple domains are blocked in a very short amount of time.
Malware Patterns
• Infostealer strain: detects malicious activity from the same domain at the same time of day over the course of a month;
• APT strain: detects malicious activity from the same domain at the same time within each hour over the course of a day;
• Botnet strain: detects malicious activity from any domain at the same time of day over the course of a month;
• Attack blocked: detects malicious activity represented by at least 4 blocked attacks over the course of a minute.
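The following is an added example, not HEIMDAL's implementation, showing how the four patterns above could be matched over one host's blocked-request timestamps. Only the figure of 4 blocks per minute comes from the text; the recurrence count, the minute-level matching, the multi-domain tie-break for Botnet, and all names and sample events are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions (not product values): "same time" means same minute, a pattern
# needs 3 recurrences, and events are one host's blocks within one month.
MIN_REPEATS = 3
BURST_COUNT, BURST_WINDOW = 4, timedelta(minutes=1)  # figures from the page

def classify(events):
    """events: [(datetime, domain)] blocked requests; returns matched patterns."""
    events, found = sorted(events), set()
    times = [t for t, _ in events]
    # Attack blocked: 4 consecutive blocks spanning at most one minute.
    for i in range(len(times) - BURST_COUNT + 1):
        if times[i + BURST_COUNT - 1] - times[i] <= BURST_WINDOW:
            found.add("Attack blocked")
            break
    domain_days = defaultdict(set)   # (domain, HH:MM) -> dates seen
    domain_hours = defaultdict(set)  # (domain, date, minute) -> hours seen
    slot_days = defaultdict(set)     # HH:MM -> dates seen, any domain
    slot_domains = defaultdict(set)  # HH:MM -> domains seen
    for t, dom in events:
        slot = (t.hour, t.minute)
        domain_days[(dom, slot)].add(t.date())
        domain_hours[(dom, t.date(), t.minute)].add(t.hour)
        slot_days[slot].add(t.date())
        slot_domains[slot].add(dom)
    if any(len(d) >= MIN_REPEATS for d in domain_days.values()):
        found.add("Infostealer")
    if any(len(h) >= MIN_REPEATS for h in domain_hours.values()):
        found.add("APT")
    # Assumed tie-break: Botnet needs more than one domain in the time slot.
    if any(len(slot_days[s]) >= MIN_REPEATS and len(slot_domains[s]) > 1
           for s in slot_days):
        found.add("Botnet")
    return found

def at(day, hh, mm, ss=0):
    return datetime(2024, 3, day, hh, mm, ss)

# Constructed sample events per host (reserved .example domains).
SAMPLES = {
    "host-a": [(at(d, 2, 15), "c2.example") for d in (1, 2, 3)],
    "host-b": [(at(5, h, 7), "beacon.example") for h in (9, 10, 11)],
    "host-c": [(at(d, 3, 30), f"n{d}.example") for d in (1, 2, 3)],
    "host-d": [(at(7, 14, 0, s), "drop.example") for s in (0, 10, 20, 40)],
}
for host, ev in SAMPLES.items():
    print(host, sorted(classify(ev)))
```

Exact-minute matching is the simplest reading of "same time"; a tolerance window around the slot would be needed to catch beacons that add jitter.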
HEIMDAL Agent - VectorN Detection
In HEIMDAL Agent's DNS Security section, you can see the VectorN Detections, the Malware Pattern, and the Probability of Infection.
Pressing the See Details button takes you to the VectorN Detection view where you can see the following details: Probability of infection, the total Number of Detections, the Blocked Malware Pattern, Risk of infection, TTPC, Date, and the Action.
VectorN Detection view
The DNS Security - VectorN Detection view displays all the information collected by HEIMDAL Agent that is running on the endpoints in your organization. The collected information refers to the patterns identified within the DarkLayer Guard domain blocks. On the top, you see a statistic regarding the number of VectorN Detections.
The collected information is placed in the Standard.
- VectorN Endpoint
This view displays a table with the following details: Hostname, Malware Pattern, Probability of Infection, Count, TTPC, and Last Match. Selecting a detected pattern allows you to quarantine the intercepted process, upload it to the HEIMDAL Security storage for analysis, or suppress it (which means that the detection(s) will be dismissed for 30 days). The Suppress option can be used when a false positive pattern prevents you from elevating through the Privileged Access Management product because De-elevate and block elevation for users with risk or infections is enabled in the Group Policy. After resolving a VectorN Detection, you need to wait 24 hours for the hiding to propagate to the computer;
- VectorN Network
This view displays a table with the following details: Hostname, Malware Pattern, Probability of Infection, Count, and Last Match. The Suppress option can be used when a false positive pattern prevents you from elevating through the Privileged Access Management product because De-elevate and block elevation for users with risk or infections is enabled in the Group Policy. After resolving a VectorN Detection, you need to wait 24 hours for the hiding to propagate to the computer.
The Show Dismissed Detections option displays the hidden VectorN patterns. The Download CSV functionality allows you to generate and download a CSV report that includes all the information in Standard or Verbose mode corresponding to each view. The Filters functionality allows you to filter entries by Operating System.
VectorN Detection settings
The VectorN Detection engine detects patterns within the DarkLayer Guard domain blocks, so it requires the DarkLayer Guard - Endpoint module to be enabled. It identifies patterns of malicious domain requests and filters these accordingly.
VectorN Detection - turn ON/OFF the VectorN Detection engine (this requires the DarkLayer Guard module to be enabled as well);