RITA on Security Weekly with John Strand
Webcast: RITA with John 022717
There is often a huge disconnect between what attackers are doing and what we as defenders are doing to detect them. There is currently a huge push to develop better and better Indicators of Compromise (IOC) or better threat intelligence.
If we sit back and think about these advancements in security, it becomes clear that we are still in the process of trying to build better and bigger blacklists. We are simply stuck believing we can somehow define evil away by building systems to find and neutralize it.
This will not work.
We continue to look for the easy button. We continue to seek out automation of our security infrastructure.
This will not work.
These things will not work because our defenses are static and accessible to all. All it takes is an adversary acquiring these technologies and figuring out how to bypass them before they sling a single packet at your network. This is one of the key reasons we worked so hard to develop better Active Defense approaches, but that will only go so far.
A newer development in security is Hunt Teaming. This is where an organization has a team of individuals who actively go looking for evil on a network. This takes some big assumptions on the part of the defenders. The first assumption is that security automation has failed somewhere. The second assumption is that the existing technologies will not be sufficient to find the bad guys.
But how can a team even begin approaching these issues? It requires a fundamental shift in how we approach detecting attacks.
Traditionally, this requires a set of simple signatures designed to detect evil. However, this can be very hard. For example, one of the tools by BHIS is called VSagent. It hides its Command and Control (C2) traffic in the __VIEWSTATE parameter, which is base64 encoded. Further, it beacons every 30 seconds.
Unfortunately, the ideas behind this backdoor can easily be modified to bypass any simple signature you throw at it.
How then, exactly, can we approach malware like this? It requires us to look not at individual TCP streams, but at the communication over much larger timeframes.
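To make the idea of looking across larger timeframes concrete, here is an added example (not from the original post, and not RITA's own code) that scores each source/destination pair by how regular its connection intervals are, so a 30-second beacon stands out regardless of what its payload looks like. The record format, function names, thresholds and sample addresses are assumptions made for illustration.

```python
from collections import defaultdict
from statistics import median

def beacon_scores(records, min_conns=20):
    """records: iterable of (epoch_seconds, src_ip, dst_ip) from connection logs.
    Returns {(src, dst): (median_interval, score)}; score 1.0 = perfectly periodic."""
    times = defaultdict(list)
    for ts, src, dst in records:
        times[(src, dst)].append(ts)
    scores = {}
    for pair, stamps in times.items():
        if len(stamps) < min_conns:
            continue  # too few connections to judge periodicity
        stamps.sort()
        deltas = [b - a for a, b in zip(stamps, stamps[1:])]
        mid = median(deltas)
        if mid <= 0:
            continue
        # Median absolute deviation tolerates a few late or missed check-ins.
        mad = median(abs(d - mid) for d in deltas)
        scores[pair] = (mid, max(0.0, 1.0 - mad / mid))
    return scores

def find_beacons(records, threshold=0.9, min_conns=20):
    """Pairs whose timing is regular enough to deserve a hunter's attention."""
    scored = beacon_scores(records, min_conns)
    return sorted(pair for pair, (_, s) in scored.items() if s >= threshold)

def sample_records():
    """Constructed data: one host checking in about every 30 s, one browsing."""
    recs, t = [], 0
    for i in range(120):                 # roughly an hour of check-ins
        t += 30 + (i % 3 - 1)            # 29, 30 or 31 s: slight jitter
        recs.append((t, "10.0.0.5", "203.0.113.10"))
    t = 0
    gaps = [2, 1, 45, 3, 600, 7, 1, 90, 2, 300, 5, 1200,
            4, 60, 1, 15, 2, 240, 8, 30, 1, 500, 3, 20]
    for g in gaps:                       # bursty, human-driven traffic
        t += g
        recs.append((t, "10.0.0.7", "198.51.100.20"))
    return recs

if __name__ == "__main__":
    for pair, (interval, score) in sorted(beacon_scores(sample_records()).items()):
        print(pair, f"median interval {interval}s", f"score {score:.2f}")
    print("flagged:", find_beacons(sample_records()))
```

Because the score uses only timing, changing the encoding or the parameter that carries the C2 data does not affect it; an adversary has to give up the regular check-in itself to lower it.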
To help with this, we have released Real Intelligence Threat Analysis (RITA). We hope this is the beginning of a new framework for hunt teaming. There are a number of different frameworks for pentesting, like Metasploit, SET and Recon-ng. The idea of a framework is that it is extensible, and it allows people to continuously add additional modules to it. That is our goal.
Get it, it’s free.
John Strand is the owner of Black Hills Information Security and the co-founder of Active Countermeasures.