
What We Know: Threat Intelligence for GRU-backed Cyber Attacks

This article was written by Ant Ducker, Chad Skipper, and Frederick Verduyckt.

It is anticipated that at least some upcoming cyber-attacks will be launched through GRU-backed Advanced Persistent Threat actors (APTs).

A good deal of threat intelligence is already available; the two examples below reference MITRE's tracking of APT28 (Fancy Bear) and Sandworm (BlackEnergy/ELECTRUM).

APT28 is a threat group that has been attributed to Russia’s General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.

Sandworm Team is a destructive threat group that has been attributed to Russia’s General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.

The NSX Distributed Firewall with Network Detection and Response provides excellent detection and mitigation capabilities, such as segmentation/micro-segmentation, signature- and behavior-based IDS/IPS, Network Sandboxing, Network Traffic Analysis, and Network Event Correlation. These capabilities help reduce the time Cyber Defense teams need for detecting and mitigating advanced threats.

What We Do Not Know: Anticipated Zero-Day / Supply Chain Attacks

It should be anticipated that significant planning and preparation have already been made. To this end, we should be prepared to react to emerging zero-day and supply chain attacks in the coming weeks. To minimize the impact, we should be extra vigilant in identifying post-exploitation network anomalies, both laterally (East-West) and at the ingress/egress (North-South) of our network. In addition, we should pay close attention to data ingress to our network: we might not be able to mitigate initial access/exploitation from unknown zero-day/supply chain attacks, but we should be prepared to detect and mitigate incoming post-exploitation tools and activities.

Capabilities such as Network Traffic Analysis, Network Sandboxing, and Network Event Correlation support Cyber Defense teams even when they are in a reactive state.

VMware’s approach to zero trust network security

Protecting the organization calls for securing east-west network traffic. With the rapid increase in clever, innovative attacks by agile adversaries, even the strongest perimeter defenses can be breached, allowing attackers to gain access to the data center and the wider multi-cloud environment. Once inside, they can carry out reconnaissance, elevate privileges, move laterally and potentially access, ransom or exfiltrate highly sensitive data. Securing east-west traffic is the only way to protect against such attacks. In the past, securing east-west traffic has been something of an elusive goal because of the cost and effort involved, while the enterprise security problem has only gotten worse as organizations move to more cloud-based applications and hybrid environments. Today the outlook is very different: thanks to VMware's ATP (Advanced Threat Prevention) package for the NSX Distributed Firewall, organizations can ensure constant vigilance over east-west traffic and finally enjoy comprehensive protection against malicious acts.

Signature Based IDS/IPS (Intrusion Detection and Prevention Systems)

Signature-based IDS/IPS matches traffic against patterns of known malicious activity; network and security operators refer to these patterns as signatures. The signatures are applied to network flows at the ingress/egress (North-South) and laterally (East-West) across our multi-cloud environment.

Behavioral IDS/IPS (Intrusion Detection and Prevention Systems)

Behavior-based IDS/IPS, by contrast, does not rely on already known signatures to protect your network. It monitors all the traffic that flows ingress/egress (North-South) and laterally (East-West) across our multi-cloud environment and is designed to detect behavior that is atypical or anomalous.
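The two detection styles above are easiest to compare side by side on the same traffic. The following Python is an added example written for this page, not NSX code: it runs a small signature matcher and a baseline-deviation detector over constructed flow records, labelling each alert North-South or East-West. The `Flow` record, the `10.0.0.0/8` internal range, the two signatures and all flows are assumptions constructed for the example.

```python
"""Signature-based versus behavior-based detection over constructed flow records."""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # constructed: the data-center address range


@dataclass(frozen=True)
class Flow:
    ts: int          # seconds since start of capture
    src: str
    dst: str
    dport: int
    nbytes: int      # bytes sent from src to dst
    payload: bytes   # first bytes of the application payload, if captured


def direction(dst: str) -> str:
    """East-West when the peer is inside our range, North-South otherwise."""
    return "East-West" if ipaddress.ip_address(dst) in INTERNAL else "North-South"


# Constructed signatures: fixed patterns for content a rule author has already seen.
SIGNATURES = {
    "SIG-001 example beacon marker": re.compile(rb"EXAMPLE-BEACON-[0-9A-F]{4}"),
    "SIG-002 HTTP Host on example blocklist": re.compile(rb"\r\nHost: bad\.example\r\n"),
}


def signature_alerts(flows):
    """Known-pattern matching: fires only on content an existing signature describes."""
    alerts = []
    for f in flows:
        for rule, pat in SIGNATURES.items():
            if pat.search(f.payload):
                alerts.append({"ts": f.ts, "src": f.src, "dst": f.dst,
                               "direction": direction(f.dst), "rule": rule})
    return alerts


def build_baseline(flows):
    """Per source: the (dst, port) pairs it normally talks to and its mean bytes per flow."""
    pairs, total, count = defaultdict(set), defaultdict(int), defaultdict(int)
    for f in flows:
        pairs[f.src].add((f.dst, f.dport))
        total[f.src] += f.nbytes
        count[f.src] += 1
    return {"pairs": dict(pairs), "mean_bytes": {s: total[s] / count[s] for s in count}}


def behavior_alerts(baseline, flows, new_pair_threshold=5, volume_factor=10):
    """Deviation from baseline: needs no signature, only a model of what is normal."""
    alerts, new_pairs, first_seen = [], defaultdict(set), {}
    for f in flows:
        if (f.dst, f.dport) not in baseline["pairs"].get(f.src, set()):
            new_pairs[f.src].add((f.dst, f.dport))
            first_seen.setdefault(f.src, f.ts)
        mean = baseline["mean_bytes"].get(f.src)
        if mean is not None and f.nbytes > volume_factor * mean:
            alerts.append({"ts": f.ts, "src": f.src, "dst": f.dst, "direction": direction(f.dst),
                           "rule": f"BEH volume {f.nbytes}B vs baseline mean {mean:.0f}B"})
    for src, pairs in new_pairs.items():
        if len(pairs) >= new_pair_threshold:  # one host fanning out to many new services
            dirs = {direction(d) for d, _ in pairs}
            alerts.append({"ts": first_seen[src], "src": src, "dst": "*",
                           "direction": dirs.pop() if len(dirs) == 1 else "mixed",
                           "rule": f"BEH {len(pairs)} previously unseen destination/port pairs"})
    return alerts


# Constructed learning window: two hosts with steady, unremarkable traffic.
BASELINE_FLOWS = (
    [Flow(t, "10.0.1.5", "10.0.2.10", 443, 1500 + (t % 3) * 10, b"") for t in range(0, 100, 10)]
    + [Flow(t, "10.0.1.6", "10.0.2.11", 3306, 800, b"") for t in range(0, 100, 10)]
)

# Constructed detection window: a fan-out to new internal services, a large egress
# transfer to a blocklisted host, and a payload carrying a signature marker.
WINDOW_FLOWS = [
    Flow(100, "10.0.1.5", "10.0.2.10", 443, 1500, b"GET / HTTP/1.1\r\nHost: app.internal\r\n\r\n"),
    Flow(101, "10.0.1.5", "10.0.2.20", 22, 200, b""),
    Flow(102, "10.0.1.5", "10.0.2.20", 445, 200, b""),
    Flow(103, "10.0.1.5", "10.0.2.20", 3389, 200, b""),
    Flow(104, "10.0.1.5", "10.0.2.21", 445, 200, b""),
    Flow(105, "10.0.1.5", "10.0.2.22", 445, 200, b""),
    Flow(106, "10.0.1.6", "203.0.113.9", 443, 50000, b"POST /u HTTP/1.1\r\nHost: bad.example\r\n\r\n"),
    Flow(107, "10.0.1.6", "10.0.2.11", 3306, 800, b""),
    Flow(108, "10.0.1.7", "203.0.113.9", 443, 300, b"EXAMPLE-BEACON-1A2B"),
]


def run_detection(baseline_flows=BASELINE_FLOWS, window=WINDOW_FLOWS):
    baseline = build_baseline(baseline_flows)
    return {"signature": signature_alerts(window), "behavior": behavior_alerts(baseline, window)}


if __name__ == "__main__":
    for kind, alerts in run_detection().items():
        for a in alerts:
            print(f"{kind:9} t={a['ts']:<4} {a['src']:>10} -> {a['dst']:<12} {a['direction']:11} {a['rule']}")
```

Note what each detector misses: the lateral fan-out from 10.0.1.5 carries no payload and trips no signature, while the beacon marker from 10.0.1.7 is a single small flow from a host with no baseline and is invisible to the behavioral rules. The two styles cover different gaps, which is why the page lists both.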

Object Extraction & Analysis

The patented NSX Sandbox deconstructs every behavior engineered into a file or URL to determine if it is malicious. NSX Sandbox sees all instructions that a program executes, all memory content and all operating system activity.

VMware Threat Analysis Unit

VMware’s TAU is focused on the next wave of attacks. Our job is to keep you safe by analyzing the ever-evolving tactics, techniques, and procedures (TTPs) of sophisticated actors and understanding how to prevent and detect their attacks. At our disposal are real-time big data, event stream processing, static and dynamic behavioral analytics, and machine learning.

VMware NSX Intelligence

NSX Intelligence automatically recommends firewall security policies based on the observed traffic patterns between applications, radically simplifying the process of operationalizing micro-segmentation and internal firewalling. NSX Intelligence continuously monitors every traffic flow and allows operators to overlay the policy against the flows, enabling them to easily demonstrate and maintain security policy compliance.
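The recommendation-and-overlay workflow just described can be illustrated with a small Python example. This is added example code, not NSX Intelligence's own implementation: it aggregates constructed flow observations by application group into allow rules with a closing default deny, sets aside rarely seen pairs for review rather than encoding them, and then overlays the resulting policy on the same flows to show which would be denied. The inventory tags, IP addresses, ports and counts are all constructed.

```python
"""Recommend group-to-group allow rules from observed flows, then overlay the policy on the flows."""
from collections import defaultdict

# Constructed inventory: workload IP -> application tier tag
INVENTORY = {
    "10.0.1.10": "web", "10.0.1.11": "web",
    "10.0.2.10": "app", "10.0.2.11": "app",
    "10.0.3.10": "db",
    "10.0.9.5": "jumphost",
}

# Constructed observed flows: (src, dst, proto, dport, number of connections seen)
OBSERVED = [
    ("10.0.1.10", "10.0.2.10", "tcp", 8443, 1200),
    ("10.0.1.11", "10.0.2.11", "tcp", 8443, 980),
    ("10.0.2.10", "10.0.3.10", "tcp", 5432, 3300),
    ("10.0.2.11", "10.0.3.10", "tcp", 5432, 2900),
    ("10.0.9.5", "10.0.1.10", "tcp", 22, 4),
    ("10.0.1.10", "10.0.3.10", "tcp", 5432, 1),  # one-off web -> db flow: review it, do not encode it
]


def recommend_policy(flows, inventory, min_count=2):
    """Aggregate flows by (src group, dst group, proto, port). Frequent pairs become allow
    rules, rare pairs go to a review list, and an explicit default deny closes the policy."""
    counts = defaultdict(int)
    for src, dst, proto, dport, n in flows:
        counts[(inventory.get(src, "unknown"), inventory.get(dst, "unknown"), proto, dport)] += n
    rules, review = [], []
    for (sg, dg, proto, port), n in sorted(counts.items()):
        rule = {"src": sg, "dst": dg, "proto": proto, "port": port, "action": "allow", "observed": n}
        (rules if n >= min_count else review).append(rule)
    rules.append({"src": "any", "dst": "any", "proto": "any", "port": "any",
                  "action": "deny", "observed": 0})
    return rules, review


def matches(rule, sg, dg, proto, dport):
    """A rule field matches when it is the wildcard "any" or equals the flow's value."""
    return all(r in ("any", v) for r, v in
               ((rule["src"], sg), (rule["dst"], dg), (rule["proto"], proto), (rule["port"], dport)))


def overlay(flows, rules, inventory):
    """First-match evaluation of every flow against the policy, so an operator can see
    which flows a policy would break before it is enforced."""
    report = []
    for src, dst, proto, dport, n in flows:
        sg, dg = inventory.get(src, "unknown"), inventory.get(dst, "unknown")
        hit = next(r for r in rules if matches(r, sg, dg, proto, dport))  # default deny always matches
        report.append({"flow": (src, dst, proto, dport), "group_pair": (sg, dg), "action": hit["action"]})
    return report


def summarize(flows=OBSERVED, inventory=INVENTORY):
    rules, review = recommend_policy(flows, inventory)
    report = overlay(flows, rules, inventory)
    return {"rules": rules, "review": review,
            "denied": [r["flow"] for r in report if r["action"] == "deny"]}


if __name__ == "__main__":
    result = summarize()
    for r in result["rules"]:
        print(f"{r['action']:5} {r['src']:>8} -> {r['dst']:<8} {r['proto']}/{r['port']}  seen={r['observed']}")
    print("review:", [(r["src"], r["dst"], r["port"]) for r in result["review"]])
    print("would be denied:", result["denied"])
```

The `min_count` threshold is the design decision worth attention: a single observed web-to-database connection is exactly the kind of flow that should be investigated rather than silently turned into an allow rule, and the overlay step shows the operator that the recommended policy would block it.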


Network Detection and Response (NDR) is an AI-based threat correlation and forensics engine within the NSX Distributed Firewall that helps network security and SOC teams efficiently detect malicious activity and block lateral movement of sophisticated threats.

NSX NDR is informed by the broadest set of threat signals from network sensors distributed across the network infrastructure and automatically correlates them into threat campaigns mapped to the MITRE ATT&CK Framework.

NDR provides intelligence-based mapping to MITRE ATT&CK for malicious and anomalous network encounters. This enables our automated correlation engine to identify behaviors that may be associated with known APT activity. It also lets us identify activities that are security relevant but may not be directly associated with known APT activity.
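To make the correlation step concrete, here is an added Python example (not NSX NDR code) that groups alerts from several sensors into per-host, time-bounded sessions, orders the ATT&CK tactics seen in each session, and promotes a session to a campaign once it spans more than one tactic. Alerts that are security relevant but carry no ATT&CK mapping, such as a pure volume anomaly, stay attached to the session as "unmapped" evidence rather than being dropped. The alerts, hosts and sensor names are constructed; the tactic names and technique IDs are MITRE ATT&CK Enterprise identifiers, and their assignment to each constructed alert is illustrative.

```python
"""Correlate per-sensor alerts into campaigns ordered by MITRE ATT&CK tactic."""
from collections import defaultdict

# Subset of ATT&CK tactics in kill-chain order, used to sequence a campaign.
TACTIC_ORDER = ["Initial Access", "Execution", "Discovery", "Lateral Movement",
                "Command and Control", "Exfiltration"]
RANK = {t: i for i, t in enumerate(TACTIC_ORDER)}

# Constructed alerts from different sensors. tactic None = security relevant but not
# mapped to any ATT&CK technique (for example, a traffic-volume anomaly).
ALERTS = [
    {"ts": 1000, "host": "10.0.1.5", "sensor": "ids", "tactic": "Discovery",
     "technique": "T1046", "desc": "port sweep of 10.0.2.0/24"},
    {"ts": 1300, "host": "10.0.1.5", "sensor": "nta", "tactic": "Lateral Movement",
     "technique": "T1021.002", "desc": "new SMB sessions to 3 hosts"},
    {"ts": 2100, "host": "10.0.1.5", "sensor": "nta", "tactic": None,
     "technique": None, "desc": "egress volume 30x baseline"},
    {"ts": 2150, "host": "10.0.1.5", "sensor": "ids", "tactic": "Exfiltration",
     "technique": "T1041", "desc": "large POST to rare external host"},
    {"ts": 1200, "host": "10.0.1.6", "sensor": "sandbox", "tactic": "Execution",
     "technique": "T1204.002", "desc": "downloaded document spawned a child process"},
    {"ts": 9000, "host": "10.0.1.9", "sensor": "nta", "tactic": None,
     "technique": None, "desc": "DNS query volume anomaly"},
]


def correlate(alerts, window=3600, min_tactics=2):
    """Group alerts per host into sessions where consecutive alerts are at most `window`
    seconds apart. A session spanning at least `min_tactics` distinct mapped tactics is a
    campaign; everything else is returned separately so it is still visible to analysts."""
    by_host = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["ts"]):
        by_host[a["host"]].append(a)

    campaigns, standalone = [], []
    for host, items in by_host.items():
        sessions, current = [], [items[0]]
        for a in items[1:]:
            if a["ts"] - current[-1]["ts"] <= window:
                current.append(a)
            else:                     # quiet gap: start a new session for this host
                sessions.append(current)
                current = [a]
        sessions.append(current)

        for s in sessions:
            tactics = sorted({a["tactic"] for a in s if a["tactic"]}, key=RANK.get)
            entry = {
                "host": host, "start": s[0]["ts"], "end": s[-1]["ts"],
                "tactics": tactics,
                "techniques": [a["technique"] for a in s if a["technique"]],
                "unmapped": [a["desc"] for a in s if a["tactic"] is None],
                "alerts": len(s),
            }
            (campaigns if len(tactics) >= min_tactics else standalone).append(entry)
    return campaigns, standalone


if __name__ == "__main__":
    campaigns, standalone = correlate(ALERTS)
    for c in campaigns:
        print(f"CAMPAIGN {c['host']} t={c['start']}..{c['end']} "
              f"{' -> '.join(c['tactics'])} {c['techniques']} unmapped={c['unmapped']}")
    for e in standalone:
        print(f"single   {e['host']} tactics={e['tactics']} unmapped={e['unmapped']}")
```

The `window` parameter is the main tuning knob: too short and a slow-moving intrusion is split into unrelated singles; too long and unrelated noise on a busy host is merged into one campaign. The output keeps the sandbox detonation on 10.0.1.6 and the DNS anomaly on 10.0.1.9 as standalone entries, so a low-and-slow actor who trips only one tactic per host is still surfaced rather than discarded.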

You too can take advantage of the authoritative context and high-fidelity prevention of advanced threats as part of VMware’s Zero Trust Architecture. VMware NSX NDR offers a unique opportunity to deploy a comprehensive security solution that provides the visibility and fine-grained enforcement necessary to address advanced and persistent threats.