Intro to RITA v5!
We are psyched to announce the release of version 5 of RITA, our open source threat hunting tool! RITA has been completely rewritten. We literally went back to the drawing board and asked, “If we could do it all over again, what would we change?” In this blog post I would like to walk you through some of the major changes we’ve made to RITA.
Install Process
The install process for RITA is slightly different than what it used to be. You will find it documented in the Quick Start section of the RITA GitHub page. In short, you:
- Download the install tarball and extract the contents
- Run the install script specifying where RITA and Zeek should be installed
- Select a network interface where Zeek should monitor traffic
You use the arrow keys to navigate between the different network interfaces, the space bar to select the interface(s) you want, and the enter key to save your selection. The install process takes care of everything else!
Docker, Docker Everywhere
In the past, we sometimes had issues where a major OS release would change some of the code we relied on just enough for things to break. This meant we were in a constant cycle of testing and tweaking just to keep things working. With this release of RITA, just about everything runs in a Docker container. This makes the code far more portable, so OS changes should be far less of an issue. We’ve even seen people get RITA running on a number of Linux flavors that are not officially supported.
Running everything in containers has changed some of the workflows. For example, in the past Zeek would get loaded directly on the host system. Since RITAv5 installs Zeek in a Docker container, what you actually interact with is a script we wrote called “zeek” which interconnects with the container running Zeek. Here’s an example of that Zeek script being used to create Zeek logs from a pcap.
Note that normally with Zeek running on the host I would simply run:
zeek -r lab1.pcap
and Zeek would generate its log files assuming everything is in reference to the local directory. With our Zeek wrapper script, the format is slightly different:
zeek readpcap <dir where pcap is located> <dir to store log files>
So there is just a little more typing but you get a bit more flexibility.
Backend Changes
We’ve swapped out the Mongo database for ClickHouse. This has provided a phenomenal increase in data processing speed. In our testing, we are seeing up to a 20X improvement in import and processing speeds.
Each hour RITA hunts the previous 24 hours’ worth of data for suspect command and control activity. This means that every hour RITA needs to absorb that hour’s worth of data, combine it with the previous 23 hours, and then look for suspicious traffic. Since this happens every hour, the process cannot take longer than an hour to complete or RITA starts falling behind. In the past RITA would max out on saturated Internet links carrying 5-8 Gbps of traffic. With the above database change, RITA should be able to scale closer to 100 Gbps.
Importing Zeek Logs into RITA
Just like “zeek” is actually a wrapper that interacts with a container running Zeek, RITA itself is configured exactly the same way. Here’s an example of Zeek logs being imported into RITA:
Note that the syntax is:
rita -l <path to Zeek logs> -d <descriptive name for dataset>
If you’ve used RITA in the past, you may notice that the data being reported during import is slightly different. We’ve tried to maintain the same level of debug information.
Once the data is imported, you can “list” what datasets are available:
BubbleTea Anyone?
While RITA still works happily over an SSH session, it has a new graphical interface built on CharmBracelet BubbleTea. Don’t let the name fool you, BubbleTea is sophisticated and feature rich when compared to ncurses and other ASCII graphical libraries folks have used in the past. The new UI also gave us the ability to tie together and streamline multiple workflows.
Improved Workflow
In previous versions of RITA, you needed to run multiple commands in order to see all of the potential command and control traffic. For example, you needed to use “rita show-beacons” to view IP based beacons, but then use “rita show-beacons-sni” to check for command and control through content delivery networks and then “rita show-long-connections” to check for long connection activity. This means you would have to jump around to multiple output streams in order to do a full hunt. With the new version of RITA, everything is listed through a single interface. No more jumping around.
Our goal was to optimize the threat hunt process as much as possible. While many tools try to keep you using them for as long as possible, we actually designed RITA with the opposite in mind. We wanted to expedite the process of showing you the data you need so you can move on to other job responsibilities. So you may find yourself spending less time using RITA, but that’s actually “a feature”.
New Features
Speaking of features, we’ve added some helpful metrics in order to better prioritize your workflow. For example, RITA now checks when any of your internal systems first started talking to the target system. Think of it this way: if one or more of your internal systems have been talking to a target host for 90+ days, you are probably going to realize that there is some sort of business need associated with the connectivity (checking time, checking for patches, etc.). If, however, that target system was seen for the first time over the last few hours, that’s probably worth investigating as it’s new connectivity.
Likewise, “Prevalence” looks at how much of your network is communicating with the target. As an example, imagine the target is a Windows patch server or a Network Time Protocol server. You would expect to see a large portion of your network talking to either of these two target systems. The large cohort means the target is probably going to be safe. But what if there is only one or two hosts on the network talking to a target? This makes the connectivity a bit more interesting and worthy of deeper investigation.
It’s worth noting that “First Seen” and “Prevalence” are only used with rolling datasets. The features are disabled if you are reading in pcaps. This is because the pcap is only going to represent a small snapshot in time and it’s uncertain how much of your network traffic is represented in the capture file. So these features are designed to improve accuracy when you are continuously monitoring your network.
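To make the “First Seen” and “Prevalence” ideas concrete, and to show how they sit on top of the hourly rolling window described under Backend Changes, here is a small Python illustration. This is an added example written for this post, not RITA’s own code: the Zeek-style records are constructed, the choice of RFC 1918 space as “internal”, the prevalence denominator (internal hosts seen in the current window), the decision to keep First Seen across all history rather than only the 24-hour window, and the triage thresholds are all assumptions made for the example. It also shows the pcap caveat: when the dataset is not rolling, both metrics come back empty.

```python
"""Rolling 24-hour dataset with First Seen and Prevalence metrics.

Constructed illustration of the ideas in the RITA v5 post; not RITA's code.
The records, the internal address ranges, the prevalence denominator and the
triage thresholds are assumptions made for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import ipaddress

# Assumption: RFC 1918 space is "internal". RITA's own config decides this.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def conn_line(ts: datetime, orig: str, resp: str) -> str:
    """Build one constructed conn.log-style line: ts, id.orig_h, id.resp_h."""
    return f"{ts.timestamp():.6f}\t{orig}\t{resp}"


def parse_conn(text: str):
    """Parse the minimal tab-separated subset above; '#' lines are Zeek headers."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, orig, resp = line.split("\t")[:3]
        rows.append((datetime.fromtimestamp(float(ts), tz=timezone.utc), orig, resp))
    return rows


class RollingDataset:
    """Hourly buckets; the hunt runs over the trailing `window_hours` of traffic.
    First Seen is tracked across all history so it survives bucket expiry
    (assumption: that is what lets a 90-day-old target stay 'old')."""

    def __init__(self, window_hours: int = 24):
        self.window = timedelta(hours=window_hours)
        self.buckets = {}      # hour_start -> list of (internal orig, external resp)
        self.first_seen = {}   # external target -> earliest timestamp ever observed

    def import_hour(self, hour_start: datetime, rows):
        """Absorb one hour of records, then expire buckets older than the window."""
        pairs = []
        for ts, orig, resp in rows:
            if is_internal(orig) and not is_internal(resp):
                pairs.append((orig, resp))
                if resp not in self.first_seen or ts < self.first_seen[resp]:
                    self.first_seen[resp] = ts
        self.buckets[hour_start] = pairs
        cutoff = hour_start - self.window
        for old in [h for h in self.buckets if h <= cutoff]:
            del self.buckets[old]

    def hunt(self, now: datetime, rolling: bool = True):
        """Per external target: number of internal hosts talking to it, Prevalence
        (that count over all internal hosts seen in the window) and First Seen
        (age in hours). Prevalence and First Seen are None for pcap imports."""
        talkers = defaultdict(set)
        internal_hosts = set()
        for pairs in self.buckets.values():
            for orig, resp in pairs:
                talkers[resp].add(orig)
                internal_hosts.add(orig)
        report = {}
        for target, hosts in talkers.items():
            entry = {"hosts": len(hosts), "prevalence": None, "first_seen_hours": None}
            if rolling:
                entry["prevalence"] = len(hosts) / len(internal_hosts)
                entry["first_seen_hours"] = (now - self.first_seen[target]).total_seconds() / 3600
            report[target] = entry
        return report


def worth_a_look(entry, new_within_hours: float = 24, few_hosts: int = 2) -> bool:
    """Assumed triage rule: new connectivity, or only one or two hosts involved."""
    if entry["first_seen_hours"] is None:
        return False   # pcap import: the metrics are not meaningful
    return entry["first_seen_hours"] < new_within_hours or entry["hosts"] <= few_hosts


def build_demo(rolling: bool = True):
    """Constructed scenario: a long-known 'patch server' the whole network uses,
    and a never-seen target reached by a single host in the last hour."""
    now = datetime(2024, 7, 1, tzinfo=timezone.utc)
    ds = RollingDataset()
    old = now - timedelta(days=90)
    old_rows = parse_conn("\n".join(
        conn_line(old + timedelta(minutes=i), f"10.0.0.{5 + i}", "203.0.113.10") for i in range(4)))
    ds.import_hour(old, old_rows)           # this bucket will expire below
    last = now - timedelta(hours=1)
    last_rows = parse_conn("\n".join(
        [conn_line(last + timedelta(minutes=i), f"10.0.0.{5 + i}", "203.0.113.10") for i in range(4)]
        + [conn_line(last + timedelta(minutes=10), "10.0.0.5", "198.51.100.7")]))
    ds.import_hour(last, last_rows)
    return ds.hunt(now, rolling=rolling)


if __name__ == "__main__":
    for target, entry in build_demo().items():
        print(target, entry, "<- look" if worth_a_look(entry) else "")
```

In the constructed run the patch server comes back with a prevalence of 1.0 and a First Seen of 2160 hours (90 days), so it is left alone, while the new target has a prevalence of 0.25, was first seen 50 minutes ago, and is flagged. Calling `build_demo(rolling=False)` models a pcap import: the host counts are still there but both metrics are `None`, matching the caveat above.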
If You Want to Learn More
If the new version of RITA sounds interesting, and you would like to learn more, we’ll be doing a Webcast on RITAv5 on July 30th, 2024. During the webcast you’ll be able to download a couple of example datasets and walk through the examples we are discussing.
If you miss the webcast, you can always catch the recording on our YouTube channel.
Chris has been a leader in the IT and security industry for over 20 years. He’s a published author of multiple security books and the primary author of the Cloud Security Alliance’s online training material. As a Fellow Instructor, Chris developed and delivered multiple courses for the SANS Institute. As an alumnus of Y-Combinator, Chris has assisted multiple startups, helping them to improve their product security through continuous development and to identify their product market fit.