Real Intelligence Threat Analytics
There is often a huge disconnect between what attackers are doing and what we as defenders are doing to detect them. Most of the current effort goes into developing better and better Indicators of Compromise (IOCs) and better threat intelligence.
A newer development in security is hunt teaming: an organization fields a team of people who actively go looking for evil on the network. This rests on two big assumptions on the part of the defenders. The first is that security automation has failed somewhere. The second is that the existing technologies will not be sufficient, on their own, to find the attackers.
But how can a team even begin to approach these issues? It requires a fundamental shift in how we approach detecting attacks.
Traditionally, detection relies on a set of simple signatures designed to spot evil. Writing a signature that holds up can be very hard, though. For example, one of the tools written by Black Hills Information Security is called VSagent. It hides its Command and Control (C2) traffic in the __VIEWSTATE parameter, base64 encoded just as a legitimate __VIEWSTATE value would be, so the request looks like ordinary web traffic. Further, it beacons every 30 seconds.
Unfortunately, the ideas behind this backdoor can easily be modified to bypass any simple signature you throw at it.
How then, exactly, can we approach malware like this? Rather than inspecting individual TCP streams, we have to look at the communication pattern over a much longer timeframe: a host that talks to the same destination on a fixed interval stands out over hours of traffic even when every single connection looks benign.
To help with this, we have released Real Intelligence Threat Analytics (RITA). We hope this is the beginning of a new framework for hunt teaming. There are a number of frameworks for pentesting, such as Metasploit, SET, and Recon-ng. The idea of a framework is that it is extensible: people can continuously add modules to it. That is our goal for RITA.
The framework ingests Bro/Zeek logs and currently supports the following major features:
- Beaconing Detection: Search for signs of beaconing behavior in and out of your network
- DNS Tunneling Detection: Search for signs of DNS based covert channels
- Blacklist Checking: Query blacklists to search for suspicious domains and hosts
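The beaconing idea above (look at the timing of connections across the whole capture, not at any single TCP stream) is simple enough to show end to end. The following is an added example written for this page; it is not RITA's code and RITA's own beacon scoring combines more features than this. It builds a constructed Zeek conn.log (a VSagent-style 30 second beacon with a little jitter, mixed with irregular browsing-like connections), parses it using the #fields header, and scores each (source, destination, port) pair by how tightly its inter-connection intervals cluster around their median. The sample records, hosts and thresholds are all made up for illustration.

```python
import statistics
from collections import defaultdict

# Column names of a default Zeek conn.log (the #fields header line names them;
# only the leading columns are used here). Sample data below is constructed.
ZEEK_FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
               "proto", "service", "duration", "orig_bytes", "resp_bytes",
               "conn_state"]


def build_sample_conn_log():
    """Constructed sample, not real traffic: 10.0.0.5 beacons to
    203.0.113.10:443 every 30 s with sub-second jitter; 10.0.0.7 talks to
    198.51.100.20:443 at irregular, human-looking gaps."""
    lines = ["#separator \\x09", "#fields\t" + "\t".join(ZEEK_FIELDS)]
    t0 = 1700000000.0
    jitter = [0.4, -0.3, 0.1, 0.6, -0.5, 0.2, 0.0, -0.2, 0.3, -0.4]
    for i in range(24):
        ts = t0 + 30 * i + jitter[i % len(jitter)]
        lines.append("\t".join([f"{ts:.6f}", f"CbeAc{i}", "10.0.0.5",
                                str(49000 + i), "203.0.113.10", "443", "tcp",
                                "ssl", "0.8", "210", "130", "SF"]))
    gaps = [3, 45, 2, 7, 120, 1, 33, 9, 260, 4, 18, 70, 2, 5, 190, 11, 1, 27,
            80, 6, 3, 150, 2]
    ts = t0
    for i, gap in enumerate(gaps):
        ts += gap
        lines.append("\t".join([f"{ts:.6f}", f"CweB{i}", "10.0.0.7",
                                str(51000 + i), "198.51.100.20", "443", "tcp",
                                "ssl", "1.2", "900", "15000", "SF"]))
    return "\n".join(lines)


def parse_conn_log(text):
    """Yield one dict per record, keyed by the names in the #fields header.
    Other #-prefixed lines (#separator, #types, #close ...) are skipped."""
    fields = ZEEK_FIELDS
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        yield dict(zip(fields, line.split("\t")))


def beacon_scores(records, min_connections=10):
    """Group connections by (src, dst, dst_port) over the whole log and score
    timing regularity: intervals between successive connections are measured,
    and regularity = 1 - MAD(intervals) / median(intervals), clamped to [0, 1].
    A fixed-interval beacon scores near 1; bursty human traffic scores low.
    Pairs with fewer than min_connections connections are skipped as noise."""
    by_pair = defaultdict(list)
    for r in records:
        key = (r["id.orig_h"], r["id.resp_h"], int(r["id.resp_p"]))
        by_pair[key].append(float(r["ts"]))
    results = []
    for (src, dst, port), times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        intervals = [b - a for a, b in zip(times, times[1:])]
        median = statistics.median(intervals)
        if median <= 0:
            continue
        mad = statistics.median(abs(i - median) for i in intervals)
        regularity = max(0.0, 1.0 - mad / median)
        results.append({"src": src, "dst": dst, "dst_port": port,
                        "connections": len(times),
                        "median_interval_s": median,
                        "regularity": regularity})
    return sorted(results, key=lambda r: r["regularity"], reverse=True)


def find_beacons(text, threshold=0.8, min_connections=10):
    """Return only the pairs whose timing regularity reaches the threshold."""
    return [r for r in beacon_scores(parse_conn_log(text), min_connections)
            if r["regularity"] >= threshold]


if __name__ == "__main__":
    for hit in find_beacons(build_sample_conn_log()):
        print(f'{hit["src"]} -> {hit["dst"]}:{hit["dst_port"]} '
              f'{hit["connections"]} conns, '
              f'median {hit["median_interval_s"]:.1f}s, '
              f'regularity {hit["regularity"]:.3f}')
```

Two practical notes. First, the threshold and the minimum connection count are the knobs an attacker plays against: adding random sleep between callbacks lowers the regularity score, and making the beacon rare keeps it under the connection floor, so a hunt team tunes both per network rather than trusting one default. Second, regularity alone is a lead, not a verdict; software update checks and monitoring agents beacon too, which is why a tool like RITA pairs this kind of scoring with the blacklist and DNS analyses listed above.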