Detecting Malware Beacons with Zeek and RITA

Black Hills Information Security
14 Jan 2020, 07:51

Summary

TL;DR: In this video, John Strand introduces the concept of beaconing in network traffic analysis using the Active Defense Harbinger Distribution (ADHD) and its Real Intelligence Threat Analytics (Rita) tool. The video demonstrates how to identify beaconing activity by analyzing packet captures for consistent patterns in connection intervals and data sizes. Rita uses advanced algorithms like MAD (Medium Average Distribution of the Mean) to efficiently detect beaconing without the need for manual analysis. The video highlights the importance of understanding network traffic patterns to detect potential threats, particularly in cases of botnet activity, and encourages viewers to explore ADHD and Rita for network defense.

Takeaways

  • Rita is a free, open-source tool for detecting beaconing behavior in network traffic, integrated into ADHD (Active Defense Harbinger Distribution).
  • Beaconing refers to consistent, periodic communication patterns that may indicate malicious activity, such as command and control traffic.
  • ADHD simplifies the process of importing and analyzing packet captures (PCAP) with pre-configured tools, saving time for security analysts.
  • Rita uses Medium Average Distribution of the Mean (MAD) to detect beaconing, offering a different approach than K-means clustering (used in tools like Splunk).
  • A key characteristic of beaconing is a consistent interval between packets, similar to the regularity of a heartbeat.
  • Uniform packet sizes in a connection can indicate beaconing, as malicious activities often send repetitive packets.
  • Rita can detect jitter (slight variations in timing) and use it to spot consistency in packet intervals, further indicating beaconing.
  • High connection counts to suspicious IP addresses or at regular intervals could signal beaconing activity, especially in a backdoor situation.
  • Not all beaconing is malicious, but consistent patterns—like a high number of connections—should raise suspicion and warrant further investigation.
  • ADHD allows users to filter out benign traffic by importing a whitelist, making beacon detection more accurate by ignoring known good sources.

Q & A

  • What is the main purpose of this video?

    -The main purpose of the video is to explain beaconing using Rita in the Active Defense Harbinger Distribution (ADHD), specifically focusing on how to analyze packet captures for beaconing activity.

  • Why is ADHD being used instead of Security Onion for this tutorial?

    -ADHD is being used because it has step-by-step instructions for this specific task and already includes an imported packet capture, making it easier for viewers to follow along.

  • What is Rita, and how does it differ from AI Hunter?

    -Rita stands for Real Intelligence Threat Analytics and is a free tool that analyzes packet data. Unlike AI Hunter, which is a commercial GUI platform for enterprise environments, Rita focuses on raw data analysis with no additional interface or notifications.

  • How does Rita process packet capture data?

    -Rita processes the packet capture by first parsing it with Bro (the network analysis tool now called Zeek), then performing its analysis using an internal database and generating an HTML report with various output formats.

  • What algorithm does Rita use to analyze beaconing behavior, and why?

    -Rita uses the MAD (Medium Average Distribution of the Mean) algorithm to identify beaconing behavior. This algorithm is used because it effectively detects consistent intervals and data sizes, which are typical characteristics of beaconing.

  • What is meant by 'beaconing' in the context of this video?

    -Beaconing refers to the repetitive and consistent network connections that a device or malicious actor might make at fixed intervals, often used to signal a persistent connection or covert communication.

  • What are some indicators of beaconing behavior in a packet capture?

    -Indicators of beaconing include consistent intervals between packets, identical data sizes in sent and received packets, and a regular pattern in network connections. These behaviors suggest automated or non-human communication.

  • Why is it important to analyze beaconing activity in packet captures?

    -Analyzing beaconing activity helps detect unusual or suspicious network behavior, which could indicate malicious activity like backdoors, command-and-control communications, or unauthorized persistence on a network.

  • What role does jitter play in identifying beaconing patterns?

    -Jitter refers to variations in the timing of packets. In beaconing analysis, jitter can help identify patterns where the packet intervals are consistent within a certain range (e.g., 10 seconds ± 2 seconds), providing further clues about beaconing activity.

  • What action should be taken if high beaconing activity is detected in a network?

    -If high beaconing activity is detected, further investigation is required to determine whether it is benign or malicious. Investigating the source IPs and comparing them to known services can help distinguish between normal and suspicious activity.
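One way to compute the interval and size consistency the Q&A describes, as an added example that is not RITA's or ADHD's own code: it scores each source/destination pair from constructed Zeek-style conn.log rows using the median absolute deviation (the MAD statistic this example chooses) of the gaps between connections and of the bytes sent, skips whitelisted destinations, and ignores pairs with too few connections. The column layout, the sample addresses, the scoring formula and the thresholds are assumptions for illustration.

```python
import statistics
from collections import defaultdict

# Constructed sample in Zeek conn.log column order (ts, id.orig_h, id.resp_h, orig_bytes);
# not a real capture. 10.0.0.5 -> 203.0.113.9 beacons every ~10 s (+-2 s jitter) with a
# fixed 312-byte payload; 10.0.0.5 -> 198.51.100.20 is irregular, mixed-size browsing.
SAMPLE_CONN_LOG = """\
1000.0\t10.0.0.5\t203.0.113.9\t312
1009.0\t10.0.0.5\t203.0.113.9\t312
1020.5\t10.0.0.5\t203.0.113.9\t312
1030.0\t10.0.0.5\t203.0.113.9\t312
1038.5\t10.0.0.5\t203.0.113.9\t312
1050.0\t10.0.0.5\t203.0.113.9\t312
1001.0\t10.0.0.5\t198.51.100.20\t540
1002.3\t10.0.0.5\t198.51.100.20\t1880
1019.0\t10.0.0.5\t198.51.100.20\t76
1047.0\t10.0.0.5\t198.51.100.20\t4300
1048.2\t10.0.0.5\t198.51.100.20\t910
1090.0\t10.0.0.5\t198.51.100.20\t230
"""

def mad(values):
    """Median absolute deviation: the median distance of each value from the median."""
    med = statistics.median(values)
    return statistics.median(abs(v - med) for v in values)

def consistency(values):
    """1.0 when every value is identical, falling toward 0 as MAD approaches the median."""
    med = statistics.median(values)
    if med == 0:
        return 0.0
    return max(0.0, 1.0 - mad(values) / med)

def score_beacons(conn_log, whitelist=frozenset(), min_connections=5):
    """Return {(src, dst): score in [0, 1]} for pairs with enough connections, skipping whitelisted dsts."""
    flows = defaultdict(list)
    for line in conn_log.splitlines():
        ts, src, dst, size = line.split("\t")
        if dst in whitelist:          # known-good destinations never get scored
            continue
        flows[(src, dst)].append((float(ts), int(size)))
    scores = {}
    for pair, conns in flows.items():
        if len(conns) < min_connections:   # too few connections to call a rhythm
            continue
        conns.sort()                       # order by timestamp before taking gaps
        intervals = [b[0] - a[0] for a, b in zip(conns, conns[1:])]
        sizes = [size for _, size in conns]
        # Equal weight to timing regularity (jitter-tolerant) and payload uniformity.
        scores[pair] = round((consistency(intervals) + consistency(sizes)) / 2, 3)
    return scores

if __name__ == "__main__":
    for pair, score in sorted(score_beacons(SAMPLE_CONN_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{pair[0]} -> {pair[1]}: beacon score {score}")
```

The jittered 10-second flow with a fixed payload scores near 1.0 while the irregular flow scores near 0.1; as the video notes, a high score is a prompt to investigate the destination, not proof of compromise.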
