RITA
Real Intelligence Threat Analytics
About RITA
Real Intelligence Threat Analytics (R-I-T-A) is an open-source framework for detecting command and control communication through network traffic analysis. The RITA framework ingests Zeek logs in TSV or JSON format, or PCAPs converted to Zeek logs for analysis.
There is often a massive disconnect between what attackers are doing and what we, as defenders, are doing to detect them. There is currently a huge push to develop better and better Indicators of Compromise (IOC) or better threat intelligence.
A newer development in information security is hunt teaming. This is where an organization has a team of individuals who actively go looking for evil on a network. This makes some significant assumptions on the part of the defenders. The first assumption is that security automation has failed somewhere. The second assumption is that the existing technologies will not be sufficient to find the bad guys.
But how can a team even begin approaching these issues? It requires a fundamental shift in how we approach detecting attacks.
Traditionally, this relies on a set of simple signatures designed to match known-bad traffic. Writing a signature that survives contact with a determined attacker, however, is very hard.
For example, one of Black Hills Information Security’s tools is called VSagent. It hides its Command and Control (C2) traffic in the “__VIEWSTATE” parameter, which is base64 encoded, so the C2 data looks like the ASP.NET view state that legitimate pages carry in the same parameter. Further, it beacons every 30 seconds.
Unfortunately, the ideas behind this backdoor can easily be modified to bypass any simple signature you throw at it.
How then, exactly, can we approach malware like this? It requires us to look not at individual TCP streams but at how a pair of hosts communicates over much larger timeframes: a check-in every 30 seconds is invisible in any single connection and obvious across an hour of them.
To help with this, we have released Real Intelligence Threat Analytics (RITA). We hope this is the beginning of a new framework for hunt teaming. There are several different frameworks for pentesting, such as Metasploit, SET, and Recon-ng. Our goal is the same kind of thing for hunt teaming: a framework that is effective, extensible, and lets people in the InfoSec community keep adding modules to it.
Primary Features
- Beacon Detection: Search for signs of beaconing behavior in and out of your network
- DNS Tunneling Detection: Identify signs of DNS-based covert channels
- Long Connection Detection: Easily see connections that have communicated for long periods of time
- Threat Intel Feed Checking: Query threat intel feeds to search for suspicious domains and hosts
- Connections Scored by Severity: Critical, High, Medium, Low
- Prevalence: Displays how many of your internal hosts are communicating with a particular external host
- First Seen: Displays when the external host was first seen on the network
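The VSagent discussion and the feature list above come down to one idea: score a pair of hosts by the shape of all their connections over a window, not by the content of any one of them. The Python below is added here as an illustration and is not RITA's own code. It reads a Zeek conn.log in TSV form (the JSON form is not handled), scores each internal-to-external host pair for beaconing by how regular its connection intervals are, flags long connections, and derives the prevalence and first-seen values from the same records. The internal subnets, the 10-connection minimum, the 3600-second long-connection threshold and the log lines themselves are assumptions constructed for the example; RITA's own thresholds and scoring differ and are configurable.

```python
"""Beacon, long-connection, prevalence and first-seen checks over a Zeek conn.log.

Added illustration of the analysis described on this page; it is not RITA's own
code, its thresholds are assumptions, and the log lines are constructed.
"""
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Assumption: RFC 1918 space is "internal"; every other address is external.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_conn_log(text: str):
    """Yield one dict per record of a Zeek TSV conn.log, mapping columns by its #fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            row = dict(zip(fields, line.split("\t")))
            yield {"ts": float(row["ts"]), "orig": row["id.orig_h"], "resp": row["id.resp_h"],
                   "duration": 0.0 if row["duration"] == "-" else float(row["duration"])}


def beacon_score(timestamps, min_conns=10):
    """How periodic a host pair's connections are: 1.0 = perfectly regular, 0.0 = no pattern.
    Median and MAD are used instead of mean and stddev so a few missed or extra check-ins
    do not hide a 30-second cadence. Pairs with too few connections are not scored."""
    if len(timestamps) < min_conns:
        return 0.0
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    med = statistics.median(gaps)
    if med <= 0:
        return 0.0
    mad = statistics.median([abs(g - med) for g in gaps])
    return max(0.0, 1.0 - mad / med)


def analyze(text, long_conn_secs=3600.0, min_conns=10):
    """Score every internal -> external host pair in the log (outbound is where C2 beacons live)."""
    pairs = defaultdict(list)      # (src, dst) -> connection start times
    longest = defaultdict(float)   # (src, dst) -> longest single connection, seconds
    talkers = defaultdict(set)     # dst -> internal hosts that contacted it
    first_seen = {}                # dst -> earliest timestamp seen
    internal_hosts = set()
    for r in parse_conn_log(text):
        if not is_internal(r["orig"]) or is_internal(r["resp"]):
            continue
        key = (r["orig"], r["resp"])
        internal_hosts.add(r["orig"])
        pairs[key].append(r["ts"])
        longest[key] = max(longest[key], r["duration"])
        talkers[r["resp"]].add(r["orig"])
        first_seen[r["resp"]] = min(first_seen.get(r["resp"], r["ts"]), r["ts"])
    results = []
    for (src, dst), ts in pairs.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        results.append({
            "src": src, "dst": dst, "conns": len(ts),
            "beacon_score": round(beacon_score(ts, min_conns), 3),
            "median_interval": statistics.median(gaps) if gaps else 0.0,
            "long_conn": longest[(src, dst)] >= long_conn_secs,
            # prevalence: share of the internal hosts seen in this log that reached dst
            "prevalence": len(talkers[dst]) / len(internal_hosts),
            "first_seen": datetime.fromtimestamp(first_seen[dst], timezone.utc)
                                  .strftime("%Y-%m-%d %H:%M:%SZ"),
        })
    return results


def build_sample_log() -> str:
    """Constructed conn.log: a 30-second beacon, irregular browsing, and one two-hour session."""
    base = 1719532800.0            # 2024-06-28 00:00:00 UTC
    cols = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto",
            "service", "duration", "orig_bytes", "resp_bytes", "conn_state"]
    rows = ["#fields\t" + "\t".join(cols)]

    def row(ts, orig, resp, duration):   # uid and byte counts are dummy values
        rows.append("\t".join([f"{ts:.6f}", "CHhAvVGS1DHFjwGM9", orig, "49152", resp, "443",
                               "tcp", "ssl", f"{duration:.3f}", "512", "1024", "SF"]))

    # 10.0.0.5 checks in with 203.0.113.10 every 30 s with slight jitter (VSagent's cadence)
    for i, j in enumerate([0.0, 0.4, -0.3, 0.2, -0.1, 0.5, -0.4, 0.1, 0.3, -0.2, 0.0, 0.2]):
        row(base + 30 * i + j, "10.0.0.5", "203.0.113.10", 0.8)
    # 10.0.0.6 and 10.0.0.7 browse 198.51.100.20 at human, irregular intervals
    for i, off in enumerate([0, 7, 95, 130, 131, 400, 410, 900, 1500, 1510, 3000, 3100]):
        row(base + off, "10.0.0.7" if i % 2 == 0 else "10.0.0.6", "198.51.100.20", 2.0)
    # 10.0.0.7 keeps a single session to 192.0.2.30 open for two hours
    row(base + 10, "10.0.0.7", "192.0.2.30", 7200.0)
    return "\n".join(rows) + "\n"


if __name__ == "__main__":
    for r in sorted(analyze(build_sample_log()), key=lambda r: -r["beacon_score"]):
        print(f'{r["src"]:>9} -> {r["dst"]:<14} conns={r["conns"]:<3} '
              f'beacon={r["beacon_score"]:.2f} interval={r["median_interval"]:.1f}s '
              f'long={str(r["long_conn"]):<5} prevalence={r["prevalence"]:.0%} '
              f'first_seen={r["first_seen"]}')
```

Run stand-alone it prints one line per host pair: the 10.0.0.5 check-ins score about 0.99 with a 30.2 s median interval, the two browsing hosts score 0 because they never reach the connection minimum and their gaps are irregular, and the two-hour session is flagged as a long connection. Nothing in any single beacon record distinguishes it from the browsing traffic; the cadence only appears once the records are grouped per host pair, which is the point the VSagent example makes.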
Latest Details
Friday, June 28, 2024
We’ve been looking forward to this day for a long time – RITA 5.0.0 is finally out!
RITA has been entirely restructured, with a complete overhaul of its underlying storage system and significant improvements in how it analyzes and displays data. Our developers have crafted an entirely new version of RITA, greatly enhancing its ease of use for effective network Threat Hunting.
What’s New
- RITA now uses a new database called ClickHouse. Its storage approach is significantly different from the previous MongoDB setup and is much better suited to the static records generated by a Zeek sensor. Importing an hour’s worth of data should be 2x-10x faster, and possibly even faster than that! This also means that RITA will be able to process data from even more heavily loaded networks than RITA v1 could handle.
- Where RITA versions 1-4 were command line tools that generated plaintext lines that you were responsible for parsing, RITA v5.0.0 has a much more usable text-based user interface.
- ClickHouse uses far less memory and processing time to accomplish its work.
- All threat types are displayed in one location, so no more filtering through 10 different RITA commands.
- IP, SNI, open, and DNS connections all appear together in the same results list
- Connections are scored as being in one of 4 threat severity buckets:
  - Critical
  - High
  - Medium
  - Low
- Each threat type can be tweaked to land in Low, Medium, or High depending on threat-specific thresholds
- Threat severity is modified based on new criteria:
  - MIME type/URI mismatch
  - Rare signature
  - Prevalence (percent of internal hosts communicating with the external host)
  - First Seen (date the external host was first seen on the network)
  - Missing Host header (HTTP connections without a Host header value)
  - [Threat Intel Only] Large amount of outgoing data
  - [C2 Over DNS Only] No direct connections
Pros and Cons of Upgrading
+ RITA will be much faster! This has the lovely side effect that RITA will be able to handle much more data.
+ RITA runs on far more Linux distributions. It has been tested on the most recent releases of:
  - CentOS Linux
  - Rocky Linux
  - Ubuntu Linux
+ While they’re not officially supported, you may find that RITA also runs on the most recent versions of ADHD, Alma, Debian, Fedora, Kali, Oracle, and Security Onion Linux distributions.
– This is a beta release. That means that there may still be bugs or things we hadn’t considered (especially in the install, since Linux distributions have lots of differences between them.) Please see below if you find an issue in the install.
– If you use RITA in any scripts (where you directly parse the output), these scripts are not likely to work with RITA v5.0.0 and higher.
Other Considerations
- RITA no longer includes Zeek in its installer. This isn’t really a downside – we still make Zeek available, just as part of a separate project at https://github.com/activecm/docker-zeek/ (see How to Install Zeek below).
- The steps the installer performs on the new RITA system are documented in an Ansible playbook named install_rita.yml. You can review this file in advance to see exactly what changes will be made. The ansible-playbook command also has a “check” mode that reports what it would change without actually changing anything; see the top of install_rita.yml for how to run it that way.
How to Download and Install It
You’ll want to install it on a system or virtual machine that does not currently have RITA, AC-Hunter, or AC-Hunter CE installed. Because the database is completely new, there’s no way to upgrade prior versions. You’re still welcome to leave the old system up for as long as you need to for data retention, but remember to send your Zeek logs over to RITA and stop sending them to the old system.
The package can be found at https://github.com/activecm/rita/releases. You’ll need to launch the installer from a Linux system, and from there you can push out RITA to any of the above Linux distributions.
In a command prompt (found under the “Terminal” application if you’ve installed a Desktop), run the following to install RITA on this system:
```bash
cd
wget https://github.com/activecm/rita/releases/download/v5.0.0-beta/rita-v5.0.0-beta.tar.gz
tar -xzvf rita-v5.0.0-beta.tar.gz
cd rita-v5.0.0-beta-installer
./install_rita.sh localhost
```
You’ll be asked for your user’s password a few times.
To install it on some other Linux system, run the following instead (the last argument is the hostname or IP address of the target system):
```bash
cd
wget https://github.com/activecm/rita/releases/download/v5.0.0-beta/rita-v5.0.0-beta.tar.gz
tar -xzvf rita-v5.0.0-beta.tar.gz
cd rita-v5.0.0-beta-installer
./install_rita.sh the_hostname_or_ip_of_the_other_system
```
Where to Get More Help With Using It
Our Threat Hunter Community discord server ( https://discord.gg/threathunter ) has a #rita channel where you can ask questions, make suggestions, or comment on this new release. Heck, we’d love to hear that you were able to get it going – please mention the specific Linux distribution and version so we can flag that as working.
If you come up with a bug or issue with it, please go to https://github.com/activecm/rita/issues . If your problem is already mentioned in an existing issue and you have more information, please add a comment to the existing issue. If there’s no existing issue, please press “New issue” and follow the steps.
If you feel like working on the code we encourage you to check our contribution guidelines. We’d be honored to work with you on making RITA even better!
What About AC-Hunter?
There’s a whole lot more coming next! Much of the work that went into RITA will be used in upcoming versions of AC-Hunter. Our development team has also been hard at work on the AC-Hunter User Interface for many months and it’s beginning to take shape. We’ll keep you posted as that gets close!
How to Install Zeek
Zeek used to be installed automatically when installing RITA; it is now part of the separate “docker-zeek” project. To install it, run the following commands on the target Linux system after installing RITA. The wget command is a single line; it fetches the zeek wrapper script from the project’s master branch into /usr/local/bin, so read that file before running it, as you would with any script pulled straight from a repository:
```bash
sudo wget -O /usr/local/bin/zeek https://raw.githubusercontent.com/activecm/docker-zeek/master/zeek
sudo chmod +x /usr/local/bin/zeek
zeek start
```
We encourage you to install docker-zeek on a physical system (see https://www.activecountermeasures.com/is-it-ok-to-capture-packets-in-a-virtual-machine/ for why), but RITA can be installed on a physical or virtual machine.
Finally, a Tip of the Hat…
…to our developers. They’ve done an amazing job taking our original Threat Hunting tool into a new generation – one that runs visibly faster with a much clearer and more straightforward user experience. We appreciate all the work they’ve put into it.
If you get value from using RITA and would like to go a step further with threat hunting automation, futuristic visualizations, data enrichment, and extended features, take a look at AC-Hunter.