Threat Hunting Over the Network With Zeek and RITA
Network threat hunting with Zeek and/or RITA examines every network connection of every IP on the network. By using outgoing network traffic to identify anomalous, possibly malicious connections based on connection frequency, connection duration, cumulative connection duration, and the number of subdomains queried over DNS for a single domain, the network defender can identify command-and-control (C2) channels. This helps prioritize connections for further investigation and incident response.
What is Zeek?
Zeek is a passive, open-source (free) network traffic analyzer. https://docs.zeek.org/en/master/about.html
Zeek can capture network traffic directly and store the information in numerous log file types, which are smaller and more manageable than the pcap files normally handled by tshark or Wireshark. Zeek can also ingest pcap files captured with a packet sniffer such as tcpdump or Wireshark and generate the same set of Zeek log files from them. The full list of log file types generated by Zeek is documented at https://docs.zeek.org/en/master/script-reference/log-files.html
Zeek is application-aware and includes built-in analysis tools. One caveat to be aware of is that Zeek, by default, only logs connections when the connection closes. So, if you have a very long duration connection that does not close by the time you collect the Zeek logs, you will not be able to identify that connection without customizing your Zeek configuration.
What is RITA?
RITA, another free open-source tool, ingests Zeek logs and does the analysis heavy lifting for you. With a short one-line command, RITA can identify anomalous network connections commonly associated with C2. For example, rita show-beacons <database> will identify the repetitive and persistent connections typical of a ‘heartbeat’ connection to a C2 server. C2 over DNS can also be identified by looking for high volumes of subdomains for a particular fully qualified domain name (FQDN). One caveat is that RITA may only identify connections that are at least 2 minutes long. So if you are threat hunting using repetitive but short-duration connections as the criteria, it is more accurate to use Zeek directly.
RITA organizes the data better than Zeek alone and helps you identify persistent beaconing connections (C2) and long-duration connections at scale. RITA scores each candidate on a scale of 0 to 1, with 1.0 being a perfect beacon score. Any rating over 0.80 should be prioritized for further investigation. For example, one may want to add an NTP (Network Time Protocol) beacon, which is (usually) completely legitimate and benign, to a safelist and write a script to prevent that result from showing up the next time you threat hunt on the same network.
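As an added example (not code from the article, Zeek, or RITA), the script below builds a small constructed conn.log and dns.log in Zeek's TSV format and applies the checks described in the two paragraphs above: a beacon-regularity score from 0 to 1 with the 0.80 cutoff, a long-connection check, a safelist that drops a known NTP server, and a count of distinct subdomains per domain from dns.log. The sample hosts, the field subset, and the scoring rule (1 minus the standard deviation of the gaps between connections divided by their mean) are assumptions; RITA's own scoring weighs more terms and is not reproduced here. Unlike the two-minute minimum noted above for RITA, this version scores connections of any duration, as Zeek records them.

```python
import statistics
from collections import defaultdict

# Field subsets taken from the Zeek conn.log and dns.log documentation.
CONN_FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
               "proto", "service", "duration"]
DNS_FIELDS = ["ts", "uid", "id.orig_h", "id.resp_h", "query"]

def to_zeek_tsv(fields, rows):
    """Render rows as Zeek-style TSV: #separator/#fields header, '-' for unset values."""
    lines = ["#separator \\x09", "#fields\t" + "\t".join(fields)]
    for row in rows:
        lines.append("\t".join("-" if v is None else f"{v:.6f}" if isinstance(v, float)
                               else str(v) for v in row))
    return "\n".join(lines) + "\n"

def build_sample_conn_log():
    """Constructed conn.log (not a real capture): a jittery 60 s beacon, an NTP client,
    irregular browsing, and one three-hour connection. ts is epoch seconds as Zeek writes it."""
    t0, rows = 1_700_000_000.0, []
    for i in range(60):                         # 10.0.0.5 -> 203.0.113.10:443, ~60 s apart
        jitter = (i * 7) % 5 - 2                # -2..+2 s of jitter, as real beacons have
        rows.append((t0 + 60 * i + jitter, f"Cb{i}", "10.0.0.5", 51000 + i,
                     "203.0.113.10", 443, "tcp", "ssl", 0.4))
    for i in range(56):                         # 10.0.0.9 -> 192.0.2.1:123 every 64 s (NTP)
        rows.append((t0 + 64 * i, f"Cn{i}", "10.0.0.9", 123, "192.0.2.1", 123,
                     "udp", "ntp", 0.01))
    for i, off in enumerate([0, 5, 905, 935, 2935, 2942, 3342, 4542, 4550, 6000, 6030, 9000]):
        rows.append((t0 + off, f"Cw{i}", "10.0.0.7", 40000 + i, "198.51.100.20", 443,
                     "tcp", "ssl", 2.5))        # irregular web browsing
    rows.append((t0, "Cl0", "10.0.0.11", 52000, "203.0.113.50", 8443, "tcp", "ssl", 10800.0))
    return to_zeek_tsv(CONN_FIELDS, sorted(rows))

def parse_zeek_log(text):
    """Yield one dict per record, keyed by the names on the #fields header line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split("\t")))

def beacon_score(timestamps, min_connections=10):
    """Regularity of the gaps between consecutive connections, 0..1 (1.0 = identical gaps).
    Assumed rule: 1 - stdev/mean of the gaps, clipped at 0. Not RITA's algorithm."""
    if len(timestamps) < min_connections:
        return 0.0
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    mean = statistics.fmean(gaps)
    if mean <= 0:
        return 0.0
    return round(max(0.0, 1.0 - statistics.pstdev(gaps) / mean), 3)

def summarize_pairs(conn_text, safelist=frozenset()):
    """Per (orig_h, resp_h, resp_p): count, cumulative and longest duration, beacon score.
    safelist holds (resp_h, resp_p) pairs to skip, e.g. a known-good NTP server."""
    groups = defaultdict(list)
    for r in parse_zeek_log(conn_text):
        key = (r["id.orig_h"], r["id.resp_h"], int(r["id.resp_p"]))
        if key[1:] in safelist:
            continue
        dur = 0.0 if r["duration"] == "-" else float(r["duration"])   # '-' means unset
        groups[key].append((float(r["ts"]), dur))
    stats = {}
    for key, conns in groups.items():
        conns.sort()
        durs = [d for _, d in conns]
        stats[key] = {"count": len(conns), "total_duration": sum(durs), "max_duration": max(durs),
                      "beacon_score": beacon_score([t for t, _ in conns])}
    return stats

def find_candidates(stats, beacon_threshold=0.8, long_seconds=3600):
    """(beacon candidates, long-connection candidates), most suspicious first."""
    beacons = sorted((k for k, s in stats.items() if s["beacon_score"] >= beacon_threshold),
                     key=lambda k: -stats[k]["beacon_score"])
    longs = sorted((k for k, s in stats.items() if s["max_duration"] >= long_seconds),
                   key=lambda k: -stats[k]["max_duration"])
    return beacons, longs

def count_subdomains(dns_text, labels=2):
    """Distinct subdomains queried per registered domain (the last `labels` labels)."""
    seen = defaultdict(set)
    for r in parse_zeek_log(dns_text):
        q = r["query"].rstrip(".").lower()
        parts = q.split(".")
        if q != "-" and len(parts) > labels:
            seen[".".join(parts[-labels:])].add(q)
    return {d: len(s) for d, s in seen.items()}

def build_sample_dns_log():
    """Constructed dns.log: 40 unique subdomains of one domain plus three ordinary lookups."""
    t0 = 1_700_000_000.0
    rows = [(t0 + i, f"Cd{i}", "10.0.0.5", "10.0.0.2", f"{i:08x}.tunnel.example.com")
            for i in range(40)]
    rows += [(t0 + 100 + i, f"Ce{i}", "10.0.0.7", "10.0.0.2", q)
             for i, q in enumerate(["www.example.org", "mail.example.org", "cdn.example.net"])]
    return to_zeek_tsv(DNS_FIELDS, rows)
```

Call summarize_pairs(build_sample_conn_log(), safelist={("192.0.2.1", 123)}) and pass the result to find_candidates: the jittery 10.0.0.5 pair scores above 0.9 and the three-hour connection is reported as a long connection, while the NTP client scores a perfect 1.0 only when the safelist is empty, which is exactly the result the safelist is meant to suppress. count_subdomains(build_sample_dns_log()) returns 40 for example.com against 2 and 1 for the ordinary lookups. On real logs, replace the two build_sample_* functions with the contents of conn.log and dns.log.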
Other helpful open-source tools are Datamash, which runs statistical analysis such as average, minimum, maximum, summation, etc., and Ngrep, which pattern-matches on packets in a pcap file (note that ngrep is not used with Zeek log files, only with pcap files). Use -I to read a pcap file, -O to write one, and -q to stop ngrep from printing a ‘#’ for every non-matching packet.
Network threat hunting, if run regularly on all systems which connect to the network and run without assumptions of whether the connection is in a malicious or benign state, can proactively validate whether systems are secure.
Kudos to Chris Brenton and his team at Active Countermeasures for providing a free 1-day seminar on how to use Zeek and RITA as powerful tools for active network threat hunting.
According to Chris, “One of the biggest mistakes a threat hunter can make is to immediately move the affected system offline.” It is best practice to first identify the scope of the compromise, such as checking for lateral movement. Specifically, if a C2 connection is identified, check for any other systems with outbound connections to the same C2 server. I highly recommend taking their Cyber Hunting I course for specifics on how to use Zeek and RITA. More information about their free tools, their commercial offering, and more malware to analyze can be found at www.activecountermeasures.com.
The content in this article was created by someone outside of our organization as a “guest blog” submission. Although we have reviewed the article and found the content to be useful to the community, the opinions/beliefs of the author do not necessarily reflect the opinions/beliefs of Active Countermeasures.