Threat Hunting – Simplifying The Beacon Analysis Process
In part one of this two-part series, I described what is involved with performing a beacon analysis and why it is so important in catching the bad guys. In part two, I want to show you some open source and commercial tools that you can use to simplify the process of performing a network beacon analysis.
Beacon Analysis – Recap
In part one I described the process for performing a beacon analysis during a threat hunt. Just to recap, those steps are:
- Capture all traffic flowing through a choke point to the Internet. The best choice is usually the internal interface of your firewall.
- Capture and store enough traffic to record multiple instances of beacon activity. At a minimum, this is 12 hours of traffic. 24 hours is more ideal.
- Whitelist out any traffic that may contain beacons that you know are safe. For example, any UDP/123 traffic going to known NTP servers.
- Segregate the traffic into IP address pair combinations. For example, all traffic between 192.168.1.100 and 18.104.22.168 should go in one file, while all traffic between 192.168.1.100 and 22.214.171.124 should go in another. Note that we are not breaking out unique sessions. Each file needs to contain all traffic that was exchanged between the two identified IP addresses over the full-time interval of the capture.
- Identify the time delta between the first packet in each session established between these two systems. Organize these by transport and target port that was used.
- Identify the amount of data transferred in each session. Organize these by transport and target port that was used.
- Review the data for any obvious patterns.
While these steps are a challenge, we discussed that performing a beacon analysis is the only way to consistently identify malware calling home. However, there are tools that are designed to automate the above steps so that you can jump right into identifying which beacons may, in fact, be malicious.
Threat Hunting Beacons with RITA
Real Intelligence Threat Analytics, or RITA for short, is an open source tool that helps you identify compromised systems on your network calling home to C&C servers. It is designed to process Bro logs while running on Linux. It will even install Bro for you if it is not yet on the system. Once RITA collects 24-hours of Bro logs, it performs its analysis. You can read more about RITA here, or download it here
RITA performs an extensive list of security checks, but one of the most unique is a beacon analysis. RITA breaks out the analysis based on sets of IP addresses. All communications are scrutinized for repeating intervals and even attempts to skew the results. The output is shown in the first figure.
The most important column is the first one, which is labeled “Score”, as this gives a score from 0-1 on the likelihood of communications between the two systems being a beacon. If you look closely at the first line, you’ll see that the score is .999774 between IP addresses 192.168.88.2 and 126.96.36.199. This is almost a perfect 1.0 score, so this is clearly beacon behavior. In fact, you may remember these IP addresses from the first half of this blog, as we identified communications between these two systems as being dnscat2.
From a threat hunter’s perspective, this is an extremely helpful tool. I simply start at the top of the list and work my way down. All of the hard work has been done for me.
Threat Hunting Beacons With AI-Hunter
AI-Hunter is an inexpensive commercial solution for threat hunting your network. It’s based on RITA, and also has an extensive toolkit for identifying compromised systems on your network. Unlike RITA, it has a Web based GUI interface which helps to expedite the threat hunting process. An example is shown in the second figure.
This is the same beacon we have been analyzing throughout this blog. Note that along with the beacon score, we also see a breakdown of the beacon frequency over time (bottom graph) as well as a breakdown of the interval dispersion (top right graph). If we switch to view 2, we can get a similar breakdown based on session data size rather than timing.
AI-Hunter also includes a number of tools that help expedite the threat hunting process. For example, I get to see metadata on the destination IP address. If I click the IP address, I can see if this address is on any known blacklists. Clicking the filter icon will let me whitelist these sessions if I deem them to be safe. If I want to see if any of my other systems have communicated with this external address, I can enter the IP address in the search dialog box in the top left of the screen, just below the title “Results”.
Beacon analysis is a critical threat hunting function. In some situations, it may be the only option available to identify a compromised system. While performing a beacon analysis manually is a huge chore, there are both open source and commercial tools available to expedite the process.
Chris has been a leader in the IT and security industry for over 20 years. He’s a published author of multiple security books and the primary author of the Cloud Security Alliance’s online training material. As a Fellow Instructor, Chris developed and delivered multiple courses for the SANS Institute. As an alumni of Y-Combinator, Chris has assisted multiple startups, helping them to improve their product security through continuous development and identifying their product market fit.