Tech Field Day

The Independent IT Influencer Event


ExtraHop Networks Presents at Security Field Day 2

Security Field Day 2

Eric Thomas Presents at Security Field Day 2

This presentation took place on June 20, 2019 at 15:00-17:00.

Presenters: Eric Thomas, Jeff Costlow, Rachel Pepple

ExtraHop Networks presented at Security Field Day 2, highlighting their platform’s evolution from application analytics to a full-spectrum security and analytics solution. The presentation included customer use cases, showcasing how ExtraHop supports cybersecurity, remote site visibility, and performance monitoring. The ExtraHop architecture, designed for massive scale, processes network traffic in motion, enabling real-time analytics and detection of anomalies.


Follow on Twitter using the following hashtags or usernames: #XFD2

ExtraHop Company Introduction and Customer Use Cases

This session starts with a brief overview of ExtraHop. Then, they’ll dive into real-world customer deployments, including Lawrence Livermore National Labs, Wood County Hospital, and more. They’ll cover a range of use cases, from pure cybersecurity to remote site visibility.

ExtraHop began as an application and network analytics company focused principally on performance monitoring, but over time, their platform’s value in cybersecurity became evident to users. By 2015, over half their customers were already using ExtraHop in security contexts, prompting a strategic enhancement of their offerings. In 2018, they launched RevealX, a product purpose-built for security users, which led to rapid customer adoption, skyrocketing revenue, and integration into the workflows of Fortune 500 and G2000 organizations. RevealX enabled seamless performance and threat analysis without deploying agents, capitalizing on network-based visibility to uncover security anomalies and support investigations.

Several compelling customer stories illustrated how ExtraHop is deployed in diverse environments. At Lawrence Livermore National Laboratory, ExtraHop supports both uptime reliability for demanding scientific research systems and the detection of security threats in a highly sensitive environment. Wood County Hospital used ExtraHop’s ransomware detection bundle during a product evaluation and, within a day, identified and mitigated a ransomware incident, even recovering encrypted files through ExtraHop-captured packet data. The Home Depot deployed ExtraHop across 2,200 branch locations to eliminate blind spots in localized application performance and remote transaction troubleshooting. By integrating RevealX with development pipelines and store-level applications, they achieved real-time detection and proactive adjustment of application availability, ensuring a smoother customer experience even at the point of sale.

Another deployment scenario involved visibility into outbound network traffic at a major financial services firm. ExtraHop revealed surprising data exfiltration patterns, such as a terabyte of information transferred by a vendor to the U.K. over a weekend, contradicting the customer’s belief that such transfers did not occur. This example highlighted the lack of egress visibility in many organizations and demonstrated how ExtraHop surfaces traffic patterns previously invisible to security operators. From enhancing performance uptime to providing actionable threat visibility and incident response capabilities, the presentation emphasized ExtraHop’s evolution into a full-spectrum security and analytics platform capable of aligning IT and security functions around shared data and insights.

Personnel: Eric Thomas, Rachel Pepple

Chalk Talk: The ExtraHop Architecture

The ExtraHop platform was built to deliver visibility, detection, and investigation at massive scale. We consume a copy of unstructured network traffic from across your entire environment – from the data center to the cloud to the remote site – using a tap or port mirror. The ExtraHop stream processor performs line-rate decryption, decoding, and full-stream reassembly for every transaction. The end result is structured wire data that can be analyzed, explored, and fully leveraged for investigation and remediation. It’s our wire data that keeps our machine learning focused, precise, and uniquely reliable.

In this session at Security Field Day 2, Deputy CISO Jeff Costlow explains the architectural foundation of ExtraHop’s network detection and response (NDR) platform, highlighting how it addresses the challenges of increasing network speed, sprawl, and the prevalence of encrypted traffic. ExtraHop’s design hinges on achieving real-time analytics by processing traffic in motion rather than relying on inefficient store-and-process models seen in traditional PCAP tools. By consuming raw packet data via taps or spans and avoiding reliance on NetFlow, the system extracts high-value metadata across over 4,800 metrics and 60+ L7 protocols, including HTTP and various database protocols. This metadata serves as a rich foundation for both security investigations and performance analytics, enabling operators to detect anomalies and rapidly respond across environments—whether on-premises or in cloud deployments.

A key strength of ExtraHop lies in its streamlined, unified workflow for investigation that integrates metrics, records, and packets under a single interface. It utilizes a custom event-based domain-specific language called Triggers for real-time scripting and flexible protocol support, empowering users to extract and act on specific application-level behaviors. ExtraHop can decrypt TLS traffic, including TLS 1.3 with perfect forward secrecy, through a patented method that forwards ephemeral session keys from servers in a secure, privacy-aware manner. The platform ensures customer privacy using deterministic encryption, selectively anonymizing data before it’s sent to the cloud while preserving utility for machine learning. This architecture not only adheres to privacy-by-design principles aligned with GDPR and HIPAA, but also provides effective machine learning outcomes by leveraging its expansive metric catalog in the cloud without compromising sensitive information.
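The privacy-preserving step described above, deterministic encryption of identifying fields before records leave the premises while equality is preserved for cloud-side analytics, can be illustrated with a keyed pseudonymization pass over wire-data records. This is an added example, not ExtraHop's code or its actual scheme; the record fields, the 401-counting analytic and the tenant key are constructed placeholders.

```python
import hmac
import hashlib
from collections import Counter

# Constructed sample wire-data records; field names are placeholders,
# not ExtraHop's actual record schema.
RECORDS = [
    {"client": "10.0.1.15", "user": "alice", "proto": "HTTP", "uri": "/login", "status": 401},
    {"client": "10.0.1.15", "user": "alice", "proto": "HTTP", "uri": "/login", "status": 401},
    {"client": "10.0.1.15", "user": "alice", "proto": "HTTP", "uri": "/login", "status": 200},
    {"client": "10.0.1.22", "user": "bob", "proto": "HTTP", "uri": "/index", "status": 200},
]

# Identifying fields that must not leave the premises in clear text.
SENSITIVE_FIELDS = ("client", "user")


def pseudonymize(value, key, field):
    """Deterministic keyed pseudonym: HMAC-SHA256 over field name and value.
    Same key + same value -> same token, so grouping and counting survive;
    the field name is mixed in so equal strings in different columns are
    unlinkable; without the key the token cannot be inverted."""
    mac = hmac.new(key, f"{field}\x00{value}".encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def anonymize_record(record, key):
    """Copy of the record with only sensitive fields replaced; protocol,
    URI and status stay in clear so cloud-side analytics still work."""
    out = dict(record)
    for field in SENSITIVE_FIELDS:
        if field in out:
            out[field] = pseudonymize(str(out[field]), key, field)
    return out


def failed_logins_per_client(records):
    """Toy cloud-side analytic: HTTP 401 count per client token."""
    return Counter(r["client"] for r in records if r["status"] == 401)


def utility_preserved(key):
    """True when the analytic yields the same per-client counts on raw and
    anonymized records (only the client labels differ)."""
    raw = failed_logins_per_client(RECORDS)
    anon = failed_logins_per_client([anonymize_record(r, key) for r in RECORDS])
    return sorted(raw.values()) == sorted(anon.values())
```

Because the mapping is deterministic, the cloud side can still see that the same token recurs, so frequency analysis on tokens remains possible; that equality leak is the trade-off this approach accepts in exchange for keeping per-host baselines and counts meaningful.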

Personnel: Jeff Costlow

ExtraHop Product Demo: Live Attack Scenario

In this session, Jeff will simulate a Red vs Blue exercise using Reveal(x) from ExtraHop to hunt a threat actor through the attack lifecycle. Based on over 20 years of experience as a coder, architect, and leader of multiple security domain teams, Jeff will showcase the Reveal(x) product by playing through a threat detection scenario using details of real-life exercises and attacks.

During the session, Jeff Costlow took viewers through a meticulously crafted live attack simulation designed by his threat research team. Wearing the metaphorical ‘red hat,’ he simulated a realistic external attack involving reconnaissance and exploitation of a web application server running vulnerable Drupal software. The attacker successfully gained remote code execution access by exploiting CVE-2018-7600 and uploaded a PHP web shell followed by deploying Metasploit’s Meterpreter agent. As the exercise progressed, he used tools such as Nmap for internal network discovery and a brute-force attack to gain access to Windows workstations. This ultimately led to domain privilege escalation with BloodHound and credential compromise via a simulated DC Sync.

Switching to the ‘blue hat,’ Jeff demonstrated how Reveal(x) detects and visualizes these malicious actions in real-time. The product’s capabilities included identifying the Drupal exploit, detecting reconnaissance behavior with its live activity “donut” maps, and alerting on lateral movement and tools like PowerShell and PsExec. Reveal(x) leveraged integrations with ticketing systems like ServiceNow, threat intel feeds to flag adversarial IPs, and provided deep drilldowns into packet captures for forensic purposes. Though not positioned for direct active defense (being out-of-band), the platform supports REST API calls to integrate with SOAR platforms such as Phantom or Demisto for automated mitigation actions. Additionally, Reveal(x) supports importing threat intelligence in formats like STIX and allows flexible deployment and visibility strategies across physical, virtual, and hybrid environments.

Toward the conclusion, Jeff emphasized the educational value of visually mapping out the full attack lifecycle—ending with a beachhead establishment, ransomware installation, coin mining (via XMRig), and data exfiltration. Reveal(x)’s tagging of each event by attack phase enabled security teams to follow the kill chain progression, although he noted they do not directly use the Lockheed Martin kill chain model. Responding to audience questions, Jeff and team highlighted the design priorities around user friendliness, adaptable deployment models across networks including cloud and containers, and support for extensibility through scripting and community bundles. This real-world red-blue simulation effectively illustrated how Reveal(x) can deliver advanced detection, investigation, and forensic capabilities to empower modern security teams.

Personnel: Jeff Costlow