Class 33: Learning Journal - VascoLucas01/cybersecurity-reading-notes GitHub Wiki

Introduction

[Date: 2023/07/03]

In this Class 33: Learning Journal, I am going to talk about the main ideas/concepts covered in the threat hunting with Zeek and RITA lecture.

After that, I am going to write a reflection based on the question posed at the end of this page.

Today I Learned

Hunting C2 Traffic

Communication Channels

Overt communication channels are approved means of communications on a corporate network.

  • Done or shown openly or plainly apparent

Covert communication channels are unapproved means of communication on a corporate network.

  • Using an encrypted chat program to circumvent security controls
  • Using a text file on the file server to chat without being monitored
  • C2 beacons

Beacons


Beaconing is when the malware communicates with the C2 server asking for instructions or to exfiltrate collected data on some predetermined asynchronous interval.

  • Key characteristics of a beacon: Timing; Packet size
  • Beware false positives
  • Proper beacon analysis is a difficult, tedious process
  • A beacon with many connections is a strobe

Long Connections

Long connections may only open and close infrequently compared to frequent beacons.

[Figure: Top: One long connection; Bottom: Six shorter connections]

DNS

DNS-based C2 is different from normal direct C2 communications, as it instead utilizes the DNS infrastructure.

Zeek

Zeek is an open-source network security monitoring tool.

  • Commonly associated with threat hunting
  • Developed in the 90s originally as Bro

Zeek can:

  • Perform live capture/sniffing like an IDS
  • Convert PCAPs to Zeek logs for analysis by RITA

We perform threat hunting by analyzing our environment at a deeper level using tools like Zeek, RITA, and Wireshark.

RITA

RITA stands for Real Intelligence Threat Analytics. RITA is an open source framework for network traffic analysis.

  • The framework ingests Bro/Zeek logs in TSV format, and currently supports the following major features:
      ◦ Beaconing Detection: Search for signs of beaconing behavior in and out of your network
      ◦ DNS Tunneling Detection: Search for signs of DNS-based covert channels
      ◦ Blacklist Checking: Query blacklists to search for suspicious domains and hosts
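To make the Beacons, Long Connections and DNS sections above concrete, here is an added example (my own code, not code from the wiki page, from Zeek or from RITA) that reads Zeek TSV logs and applies the three checks RITA's feature list describes. The beacon score is a simplified median/MAD regularity heuristic over the two characteristics listed in the notes (timing and packet size), not RITA's actual scoring; the DNS check counts distinct subdomains per domain using a fixed two-label suffix, which is a simplification of a real public-suffix lookup. All log lines, hosts and timestamps are constructed for the example.

```python
"""Hunting beacons, long connections and DNS fan-out in Zeek TSV logs.

Added example for these notes; it is not code from the wiki page, from Zeek
or from RITA. The beacon score is a simplified median/MAD regularity
heuristic over the two characteristics the notes list (timing, packet size),
not RITA's scoring. All log lines below are constructed for the example.
"""
from collections import defaultdict
from statistics import median

BASE_TS = 1688342400  # constructed epoch base for the sample logs

# Constructed Zeek conn.log excerpt in Zeek's TSV layout.
SAMPLE_CONN_LOG = "\n".join(
    ["#separator \\x09",
     "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto"
     "\tduration\torig_bytes\tresp_bytes"]
    # beacon-like: a connection every ~60 s with near-constant request size
    + [f"{BASE_TS + i * 60 + (i % 2)}\tC{i}\t10.0.0.5\t{40000 + i}\t203.0.113.7\t443"
       f"\ttcp\t0.30\t{512 + (i % 3) * 4}\t1400" for i in range(12)]
    # human-like browsing: irregular gaps and sizes
    + [f"{ts}\tH{i}\t10.0.0.9\t{41000 + i}\t198.51.100.3\t443\ttcp\t2.1\t{size}\t9000"
       for i, (ts, size) in enumerate([(BASE_TS + 5, 730), (BASE_TS + 31, 2200),
                                        (BASE_TS + 400, 150), (BASE_TS + 910, 980),
                                        (BASE_TS + 917, 3100), (BASE_TS + 2599, 410)])]
    # one connection held open for two hours
    + [f"{BASE_TS + 10}\tL0\t10.0.0.7\t42000\t192.0.2.10\t8443\ttcp\t7200.0\t88000\t91000"]
)

# Constructed Zeek dns.log excerpt (only the fields this example needs).
SAMPLE_DNS_LOG = "\n".join(
    ["#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tquery"]
    # many distinct machine-looking labels under one domain
    + [f"{BASE_TS + i}\tD{i}\t10.0.0.5\t5{i}000\t10.0.0.53\t53\tudp\t{i:04x}7a.tun.example.net"
       for i in range(8)]
    + [f"{BASE_TS + 100}\tD8\t10.0.0.9\t53111\t10.0.0.53\t53\tudp\twww.example.org",
       f"{BASE_TS + 101}\tD9\t10.0.0.9\t53112\t10.0.0.53\t53\tudp\tmail.example.org",
       f"{BASE_TS + 102}\tD10\t10.0.0.9\t53113\t10.0.0.53\t53\tudp\twww.example.org"]
)

_CASTS = {"ts": float, "duration": float, "orig_bytes": int, "resp_bytes": int}


def parse_zeek_tsv(text):
    """Parse a Zeek TSV log: '#fields' names the columns, other '#' lines are
    metadata, and '-' marks an unset value (treated as 0 for numeric fields)."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            rec = dict(zip(fields, line.split("\t")))
            for key, cast in _CASTS.items():
                if key in rec:
                    rec[key] = cast(rec[key]) if rec[key] != "-" else 0
            records.append(rec)
    return records


def dispersion_score(values):
    """1.0 means perfectly regular; approaches 0 as the spread (MAD relative
    to the median) grows. Robust to a few outliers, unlike plain variance."""
    if len(values) < 2:
        return 0.0
    med = median(values)
    if med == 0:
        return 0.0
    mad = median(abs(v - med) for v in values)
    return max(0.0, 1.0 - mad / med)


def beacon_candidates(records, min_connections=5):
    """Score each (source, destination) pair on interval and size regularity."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["id.orig_h"], r["id.resp_h"])].append(r)
    results = []
    for pair, conns in by_pair.items():
        if len(conns) < min_connections:  # too few connections to judge timing
            continue
        conns.sort(key=lambda r: r["ts"])
        intervals = [b["ts"] - a["ts"] for a, b in zip(conns, conns[1:])]
        sizes = [r["orig_bytes"] for r in conns]
        t_score, s_score = dispersion_score(intervals), dispersion_score(sizes)
        results.append({"pair": pair, "connections": len(conns),
                        "median_interval": median(intervals),
                        "timing_score": round(t_score, 3),
                        "size_score": round(s_score, 3),
                        "score": round((t_score + s_score) / 2, 3)})
    return sorted(results, key=lambda x: x["score"], reverse=True)


def long_connections(records, min_duration=3600.0):
    """Connections held open at least min_duration seconds (one hour by default)."""
    return [(r["id.orig_h"], r["id.resp_h"], r["duration"])
            for r in records if r["duration"] >= min_duration]


def dns_query_fanout(records, labels=2):
    """Count distinct names queried under each domain (last `labels` labels).
    An unusually high count for one domain is the DNS-tunneling signal."""
    seen = defaultdict(set)
    for r in records:
        query = r.get("query", "").rstrip(".").lower()
        parts = query.split(".")
        if len(parts) > labels:
            seen[".".join(parts[-labels:])].add(query)
    return {domain: len(names) for domain, names in seen.items()}


if __name__ == "__main__":
    conn = parse_zeek_tsv(SAMPLE_CONN_LOG)
    for c in beacon_candidates(conn):
        print("beacon candidate:", c)
    print("long connections:", long_connections(conn))
    print("dns fan-out:", dns_query_fanout(parse_zeek_tsv(SAMPLE_DNS_LOG)))
```

Run it as a script to see the ranked output: the 10.0.0.5 pair scores near 1.0 on both timing and size while the browsing pair scores low, the two-hour session is listed as a long connection, and example.net shows eight distinct names against two for example.org. On real Zeek output the same functions accept the text of `conn.log` and `dns.log` directly; the false-positive warning from the notes still applies, since software updaters and monitoring agents beacon just as regularly as malware, so every high score needs a human look.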