By Aman Diwakar
In Special Operations, there are multiple actors on either side of the battlefield, at any point in time, attempting to achieve tactical leverage over the enemy. This leverage comes in multiple forms, at different stages of combat and the entire process is referred to as the “Kill Chain”. The kill chain in special operations includes reconnaissance, weaponization, payload delivery, exploitation, establishment of communication from behind the enemy lines and ultimately completion of the mission and successful exfiltration. As an Intelligence Analyst in the military, I was intimately familiar with this process and how successful actions on target, in rapid, deliberate succession would mean victory for the unit best able to execute and defeat for the opposition forces.
This article will highlight how using security intelligence, you, the Network Operator can gain tactical leverage, interrupt the kill chain and successfully defend your area of responsibility against the threat actor or agressor. Your goal will be to remain eternally vigilant, it is the price we pay for security, whether in the cyber world, or physical.
In order to prepare to defend your network, you need to gather all the information and intelligence you possibly can because those aiming to exploit it will be very well prepared, most of the time, better prepared than you because it is they who will be choosing the time and place. Because compiling and discussing all the possible permutations of data points is outside of the scope of this article, we will speak of the two more important pieces of information that you will need to acquire. The first will be logging and activity data from the infrastructure, the second will be packet data from network taps at strategic chokepoints in the network. You will finally need to be able to take these two pieces of network intelligence and correlate them quickly and effectively being that this information will likely be unstructured and disparate.
The only commonality here will be the fact that when correctly and intelligently manipulated, this data will yield the information that is required to be able to make tactical decisions that will pave way for successful defense.
Once the above preparations are successfully executed, the majority of the time spent should be in identifying and monitoring the network for malicious activity. The determined adversary will first attempt to gain intelligence on the target, your role will be to take that opportunity to gather counterintelligence. This counterintelligence will be critical in identifying the specific threat from the sea of adversaries that your network faces on a daily basis, however, it is an extremely challenging objective as the advanced threat actor will be attempting to thwart counterintelligence activities. Information regarding the potential attacker can often be ascertained from coding in malware that can reference a language or country of origin, the attackers modus operandi (based on historical data) or ways in which commonly used tools are customized. Because the attacker is constantly seeking to avoid detection or mislead you, any one of the above mentioned telltale signs can easily be spoofed, thus it is best to take into account all possible activities holistically when attempting identification.
Security analytics tools that consume network telemetry data and deduce possible suspicious or malicious traffic are instrumental in the identification phase as well as in the containment of such activities on the network. In the rest of this article, we will be utilizing information attained from RSA’s Security Analytics to demonstrate the identification of malicious activity on the network that manifests itself in traffic that hides itself in benign HTTP or IRC traffic. This type of network evasion is generally referred to as covert channels as the attacker attempts to hide C2 (Command and Control) and data exfiltration traffic as well as subvert traditional security controls such as IPS/IDS Signature-based mechanisms and additionally, firewall filters. Security Analytics is designed to track and identify those threats on the network that are not identified in the wild using traditional detection methods because the attacker is exploiting an as-of-yet unidentified vulnerability in the infrastructures components.
There are two methods of searching for suspicious activity, both methods are checking for data leaks , potentially unauthorized file transfers as well as C2 activity. The first method searches for traffic to suspicious countries, files that were sent outside the US by systems that should not be engaging in this behavior, the second method searches file transfer and IRC communication traffic over non-standard port.
In the snapshot illustrated above, SA has identified potential data exfiltration acitivity by correlating different pieces of network data together such as IP-by-country and packet capture that confirms a data channel.
One common method of obfuscating a file transfer is by tunneling ftp traffic over non-standard ports. This method is commonly referred to as a covert-channel, however, it is not limited to just ftp traffic. Covert channel is a method by which packet data is transmitted through ports over which they would generally not travel as is common in many P2P applications. The concern with this type of traffic is that it is a common vector for C2 communications as C2 traffic is commonly sent over IRC.
As we follow a suspected file transfer, we’re able to simply click the suspicious activity and identify the destination country that the file was sent to, in this case, Uzbekistan. Off course, many organizations do business with Uzbekistan and it is totally plausible that this is legitimate traffic in those organizations, however, in this case, we did not and as such, tagged this as a suspicious activity. The screen below identifies the file transfer, including username/password, ports and the file name that was transmitted. This activity will now trigger and investigation and determination as to why this took place and if there is any need for further action.
The illustration below demonstrates an IRC based covert channel activity, the IRC traffic is attempting to hide in a non-standard port, upon inspection of which, it is discovered that the exchange has attempted to download and execute malicious code. This code could be the basis of a botnet C2 establishment or installation of other virus or malware. One might think that a hardened operation system along with good Antivirus protection would mitigate this type of an attack or activity, however, with remote command shell exploitation and zero day threats, these attacks commonly bypass antivirus and anti-malware filters and detection engines. Now the attacker can pivot to an escalation of privilege attack and get this host to either participate in malicious activity or simply is the destination system the hacker was attempting to infiltrate.
The last example below is a capture of another service, Gnutella, as it was being utilized to download a Flash installation from Macromedia/Adobe’s website. This is a perfect example of a P2P site that tunnels traffic over HTTP, but because the HTTP header information is suspicious (low header count), this traffic is flagged by SA for an administrator to further review. Here, Gnutella triggered a “get” HTTP command and we are able to dissect the event and reconstruct it per preceding screenshots and packet samples. The packet capture indicates that the session initiated to get an updated of Flash Player.
The figure above is a live packet capture event reconstruction as it indicates Gnutella traffic over port 80 during a “GET” http command execution from host fpdownload2.macromedia.com of Flash.
To summarize, C2 and malicious traffic evasion tactics are evolving, as malicious actors attempt to stay ahead of the malware research community. Malware is becoming more difficult to analyze as writers prevent execution of the malicious code in a sandbox if the code detects a human is not executing it via mouse or keyboard commands or if the process is not executing on a human interfacing system, i.e a user PC or server. Furthermore, such activity hides behind encrypted, covert channels to take it up another notch. The adversary will become more sophisticated and determined as the motivation for such actions continue to be either financial or political edge, placing you, on the front lines of a full-fledged cyber warfare.