Speaking at RSA Conference 2019, Black Hills Information Security owner John Strand discussed threat hunting and how this can be done on a small budget.
He admitted that identifying command and control (C&C) traffic is “very difficult”: malware has become stealthy and uses its C&C channel to hide, encryption is layered within encryption, and defenders still rely on the impossible task of writing signatures.
Strand said: “After a pen test we talked to a customer and went through the debrief report and we were excited as the company did everything ‘right’ and it was a hard engagement for my team, but as we went over the report with them we could see the blood draining from their faces as we told them they had a blind spot for C&C.”
Demonstrating that malware using a C&C channel typically transmits at consistent intervals and exhibits recognizable patterns, he said the best tactic is to look for clusters and patterns in connection timing, and also to cluster on data sizes.
Strand explained the use of the free tool RITA, named after Strand’s late mother who asked him to keep the tool free, which he said can do analysis of connections leaving your environment.
“When we started using RITA three years ago we ingested logs and realized the concept of time variables, as some technologies mark the beginning or end of a connection as the connection time,” he said. “One device logs a connection as the beginning and at about noon, it then switched to mark the end of the connection. Also with Bro/Zeek you’re getting logs and consistency is incredibly important.”
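To make the two points above concrete, the timing-and-size clustering Strand describes and the “time variable” trap of mixing connection-start and connection-end timestamps, here is an added Python example written for this article. It is not RITA's code and does not claim to reproduce RITA's algorithm; it uses the Zeek conn.log field names (ts, duration, id.orig_h, id.resp_h, id.resp_p, orig_bytes) on a constructed, made-up sample, and the coefficient-of-variation thresholds are assumptions chosen for illustration.

```python
"""Beacon-candidate scoring over Zeek-style conn records (constructed sample data)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed Zeek-style conn records: (ts, duration, orig_h, resp_h, resp_p, orig_bytes).
# 10.0.0.5 -> 203.0.113.10 connects every 300 s with near-identical request sizes
# (beacon-like); 10.0.0.7 -> 198.51.100.20 is irregular browsing; 10.0.0.9 has
# too few connections to judge. Every value here is made up for this example.
SAMPLE_CONN = [
    (1000.0,   0.5, "10.0.0.5", "203.0.113.10", 443, 512),
    (1300.0, 120.0, "10.0.0.5", "203.0.113.10", 443, 512),
    (1600.0,   0.4, "10.0.0.5", "203.0.113.10", 443, 520),
    (1900.0,  90.0, "10.0.0.5", "203.0.113.10", 443, 512),
    (2200.0,   0.6, "10.0.0.5", "203.0.113.10", 443, 508),
    (2500.0,  60.0, "10.0.0.5", "203.0.113.10", 443, 512),
    (1050.0,   2.0, "10.0.0.7", "198.51.100.20", 443, 1500),
    (1062.0,   0.3, "10.0.0.7", "198.51.100.20", 443, 230),
    (1900.0,   9.0, "10.0.0.7", "198.51.100.20", 443, 8700),
    (2105.0,   0.2, "10.0.0.7", "198.51.100.20", 443, 120),
    (2110.0,  35.0, "10.0.0.7", "198.51.100.20", 443, 44000),
    (2890.0,   1.1, "10.0.0.7", "198.51.100.20", 443, 960),
    (1500.0,   0.3, "10.0.0.9", "192.0.2.4", 80, 300),
    (2400.0,   0.3, "10.0.0.9", "192.0.2.4", 80, 300),
]


def coefficient_of_variation(values):
    """Population std-dev divided by mean; 0.0 means perfectly regular.
    Returns None when there is not enough data to say anything."""
    if len(values) < 2:
        return None
    m = mean(values)
    if m == 0:
        return 0.0
    return pstdev(values) / m


def beacon_scores(records, timestamp="start", min_count=4):
    """Group connections by (orig_h, resp_h, resp_p) and score each pair.

    Returns {pair: (interval_cv, size_cv, count)}. `timestamp` selects which
    moment counts as "the connection time": "start" uses ts, "end" uses
    ts + duration. Use one convention for every log source; mixing them, or
    letting a sensor switch conventions mid-day, smears otherwise regular
    intervals (the inconsistency Strand warns about).
    """
    if timestamp not in ("start", "end"):
        raise ValueError("timestamp must be 'start' or 'end'")
    by_pair = defaultdict(list)
    for ts, duration, orig_h, resp_h, resp_p, orig_bytes in records:
        t = ts + duration if timestamp == "end" else ts
        by_pair[(orig_h, resp_h, resp_p)].append((t, orig_bytes))

    scores = {}
    for pair, conns in by_pair.items():
        if len(conns) < min_count:
            continue  # too few samples to call anything a pattern
        conns.sort()
        times = [t for t, _ in conns]
        sizes = [b for _, b in conns]
        intervals = [b - a for a, b in zip(times, times[1:])]
        scores[pair] = (
            coefficient_of_variation(intervals),
            coefficient_of_variation(sizes),
            len(conns),
        )
    return scores


def flag_beacons(scores, interval_cv_max=0.2, size_cv_max=0.3):
    """Pairs whose timing AND size are both tightly clustered, most regular first.
    Thresholds are assumed values for this example, not tuned defaults."""
    hits = [
        (icv, pair)
        for pair, (icv, scv, _) in scores.items()
        if icv is not None and scv is not None
        and icv <= interval_cv_max and scv <= size_cv_max
    ]
    return [pair for _, pair in sorted(hits)]


if __name__ == "__main__":
    for convention in ("start", "end"):
        scores = beacon_scores(SAMPLE_CONN, timestamp=convention)
        print(f"--- timestamps taken at connection {convention} ---")
        for pair, (icv, scv, n) in sorted(scores.items()):
            print(f"{pair}: n={n} interval_cv={icv:.3f} size_cv={scv:.3f}")
        print("beacon candidates:", flag_beacons(scores))
```

Run as a script, the "start" pass flags only the 300-second pair, while the "end" pass, where the varying connection durations are folded into the timestamps, inflates that pair's interval variation past the threshold and flags nothing. That is the practical reason to pin every sensor to one timestamp convention before hunting for beacons, and why a hit like the security cameras mentioned later needs an analyst's judgement rather than an automatic verdict.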
In recommendations on what to do next, Strand advised blocking adverts, and regularly cleaning your network for data being transferred out.
Giving some examples of how RITA had been used, he said in one case it was discovered that security cameras were beaconing out data, and whether it was malicious or not is irrelevant.
He concluded by reiterating that detecting C&C is getting harder “but it doesn’t require you dropping $75,000 in a box or investing $1m in a threat hunting team in your environment,” as it can be done for free using available tools.