Open Text Corporation
Detecting Nation-State-Level Red Team Attacks
Pages: 1
Time to read: 3 mins
Publication
Language: English
This document is a technical report detailing the detection of a nation-state-level Red Team attack using ArcSight Intelligence in conjunction with CrowdStrike Falcon endpoint detection and response. It outlines how ArcSight Intelligence applies user and entity behavioral analytics (UEBA) to large volumes of endpoint data, identifying risky behaviors and producing actionable leads for security teams. The report describes the attack lifecycle observed at a major hospitality company, where several attack characteristics were uncovered, including OWA profiling, remote exploits, reconnaissance, lateral movement, and password guessing. Specific tools and methods used by the attackers, such as Mimikatz and CrackMapExec, are documented, along with the anomalies detected at each stage of the attack. The report emphasizes that detecting such exercises is a measure of preparedness for real threats, and highlights the effectiveness of ArcSight Intelligence in providing high-quality security leads that strengthen incident response capabilities.