This video is part of the appearance, “ExtraHop Networks Presents at Security Field Day 2”. It was recorded as part of Security Field Day 2 at 15:00-17:00 on June 20, 2019.
In this session, Jeff will simulate a Red vs Blue exercise using Reveal(x) from ExtraHop to hunt a threat actor through the attack lifecycle. Based on over 20 years of experience as a coder, architect, and leader of multiple security domain teams, Jeff will showcase the Reveal(x) product by playing through a threat detection scenario using details of real-life exercises and attacks.
During the session, Jeff Costlow took viewers through a meticulously crafted live attack simulation designed by his threat research team. Wearing the metaphorical ‘red hat,’ he simulated a realistic external attack involving reconnaissance and exploitation of a web application server running vulnerable Drupal software. The attacker gained remote code execution by exploiting CVE-2018-7600, uploaded a PHP web shell, and then deployed Metasploit’s Meterpreter agent. As the exercise progressed, he used tools such as Nmap for internal network discovery and a brute-force attack to gain access to Windows workstations. This ultimately led to domain privilege escalation with BloodHound and credential compromise via a simulated DCSync.
Switching to the ‘blue hat,’ Jeff demonstrated how Reveal(x) detects and visualizes these malicious actions in real time. The capabilities shown included identifying the Drupal exploit, detecting reconnaissance behavior with its live activity “donut” maps, and alerting on lateral movement and on tools like PowerShell and PsExec. Reveal(x) leveraged integrations with ticketing systems like ServiceNow and with threat intel feeds to flag adversarial IPs, and provided deep drilldowns into packet captures for forensic purposes. Though not positioned for direct active defense (it is deployed out-of-band), the platform supports REST API calls to integrate with SOAR platforms such as Phantom or Demisto for automated mitigation actions. Additionally, Reveal(x) supports importing threat intelligence in formats like STIX and allows flexible deployment and visibility strategies across physical, virtual, and hybrid environments.
Toward the conclusion, Jeff emphasized the educational value of visually mapping out the full attack lifecycle, ending with beachhead establishment, ransomware installation, coin mining (via XMRig), and data exfiltration. Reveal(x)’s tagging of each event by attack phase enabled security teams to follow the kill chain progression, although he noted that they do not directly use the Lockheed Martin kill chain model. Responding to audience questions, Jeff and his team highlighted the design priorities around user friendliness, adaptable deployment models across networks including cloud and containers, and support for extensibility through scripting and community bundles. This real-world red-blue simulation effectively illustrated how Reveal(x) can deliver advanced detection, investigation, and forensic capabilities to empower modern security teams.
Personnel: Jeff Costlow