This open source project, born from Black Hills Information Security, is now developed, funded and supported by Active Countermeasures.
The framework ingests Bro/Zeek Logs, and currently supports the following major features:
- Beaconing Detection: Search for signs of beaconing behavior in and out of your network
- DNS Tunneling Detection: Search for signs of DNS based covert channels
- Blacklist Checking: Query blacklists to search for suspicious domains and hosts
RITA on Security Weekly with John Strand
John Strand does a tech segment on Real Intelligence Threat Analytics (RITA), how it works, how you can get it up and running, how easy it is to get started, and what you can actually get out of the tool:
RITA – Finding Bad Things on your Network with John Strand
There is often a huge disconnect between what attackers are doing and what we as defenders are doing to detect them. There is currently a huge push to develop better and better Indicators of Compromise (IOC) or better threat intelligence.
If we sit back and think about these advancements in security, it becomes clear that we are still in the process of trying to build better and bigger blacklists. We are simply stuck believing we can somehow define evil away by building systems to find and neutralize it.
This will not work.
We continue to look for the easy button. We continue to seek out automation of our security infrastructure.
This will not work.
The reason these things will not work is that our defenses are static and accessible to all. All it takes is an adversary acquiring these technologies and figuring out how to bypass them before they sling a single packet at your network. This is one of the key reasons we worked so hard to develop better Active Defense approaches, but that will only go so far.
A newer development in security is Hunt Teaming. This is where an organization has a team of individuals who actively go looking for evil on a network. This takes some big assumptions on the part of the defenders. The first assumption is that security automation has failed somewhere. The second assumption is that the existing technologies will not be sufficient to find the bad guys.
But how can a team even begin approaching these issues? It requires a fundamental shift in how we approach detecting attacks.
Traditionally, this requires a set of simple signatures designed to detect evil. However, this can be very hard. For example, one of the tools by Black Hills Information Security is called VSagent. It hides its Command and Control (C2) traffic into __VIEWSTATE parameter which is base64 encoded. Further, it beacons every 30 seconds.
Unfortunately, the ideas of this backdoor can be easily modified to bypass any simple signature you throw at it.
How then, exactly, can we approach malware like this? It requires us to not look at individual TCP streams, but rather look at the communication as it relates to much larger timeframes.
To help with this, we have released Real Intelligence Threat Analysis (RITA). We hope this is the beginning of a new framework for hunt teaming. There are a number of different frameworks for Pentesting like Metasploit, SET, and Recon-ng. The idea of a framework is that it is extensible, and it allows people to continuously add additional modules to it. That is our goal.
- John Strand is the owner of Black Hills Information Security and the co-founder of Active Countermeasures.