Beacon analysis is by far the most effective method of threat hunting your network. In fact, I would argue that if you are not checking your network for beacon activity, you have a huge gap in your defenses that attackers will happily leverage. In this two-part series, I'll describe what is involved with performing a beacon analysis, why it is so important in catching the bad guys, and show you some open source and commercial tools you can use to simplify the process.

## Understanding Phone Home or Call Home Malware

Malware-infected desktops, servers, and hardware can leverage a wide range of techniques to go undetected on the system. This is what makes host-based threat hunting so problematic. Unless you know for sure the system is compromised, it is easy to miss any minor telltale clues. However, the one thing all malware strains have in common is that they need to be able to communicate with their author in order to execute their marching orders.

In the past, malware authors used to connect directly to the systems that they compromised. Today, most systems sit behind a firewall, limiting the ability to access them from the Internet. So if an attacker can fool one of your employees into infecting their own system, the attacker can't count on having direct access to that system, because a firewall will most likely block the inbound connection. The bad news is, attackers have found a way around this problem. The solution is to use an intermediary server called a "Command and Control" (C&C) server. The basic setup is shown in the first figure.

When a system becomes infected, it generates an outbound connection across the Internet to the attacker's C&C server. Typically this connection will try to mimic normal traffic patterns by using HTTP, HTTPS or DNS. From a cursory view, the traffic will look like normal network activity. The intent of the connection is to inform the C&C server that a new compromised system has been activated and that the system is ready and waiting for marching orders. The process will then sleep for some period of time before repeating the check-in. When the attacker wishes to activate the compromised system, they simply queue up a command on the C&C server. The next time the compromised system checks in, the command is relayed to it and it executes whatever marching orders it has been given. These marching orders can be anything from stealing information off of the local system (data exfiltration) to attacking some identified host out on the Internet (DDoS attack).

Within the security industry, this behavior of calling home at regular intervals is referred to as "beaconing". While on the surface beaconing can appear similar to normal network traffic, there are some unique traits we can look for as part of a network threat hunt. These traits revolve around the timing of the communications and the packet size being used.

As shown in the above example, a beaconing system calls home at regular intervals. This could be as quick as every 8-10 seconds or as long as a few times a day. It really depends on how patient the attacker is and how long they feel they can avoid detection. If the attacker is concerned that their malware may be detected quickly, they may beacon more frequently in order to maximize system use prior to detection. There really is no specific time interval that all attackers use, which again contributes to the difficulty in detecting beacons. Most network activity is random in its timing.
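The two traits named above, regular timing and consistent packet size, are exactly what a first-pass beacon hunt can score. The following script is an added example and is not code from the original post or from any tool it mentions. It works over constructed connection records (timestamp, source, destination, port, bytes sent) in the shape a Zeek-style conn log would give you; the sample data, the IP addresses and the scoring thresholds are all assumptions chosen for illustration. For each (source, destination, port) pair it computes the inter-arrival times of the connections, measures how tightly they cluster around their median using the median absolute deviation (so one missed check-in does not wreck the score the way a standard deviation would), does the same for the payload sizes, and flags pairs that are both periodic and uniform in size.

```python
"""Toy beacon-timing hunt over connection records.

Added example, not code from the original post. The records below are
constructed, and the thresholds are illustrative assumptions.
"""
from collections import defaultdict
from statistics import median

# Constructed records: (epoch_seconds, src_ip, dst_ip, dst_port, bytes_sent).
# Host 10.0.0.5 "calls home" roughly every 60 s with a near-constant payload;
# host 10.0.0.7 makes irregular, variably sized connections like a normal client.
_BEACON_JITTER = [0.0, 0.4, -0.3, 0.2, -0.1, 0.5, -0.4, 0.1, 0.3, -0.2, 0.0, 0.2]
SAMPLE_CONNS = [
    (1_700_000_000 + 60 * i + j, "10.0.0.5", "203.0.113.9", 443, 512 + (i % 2) * 4)
    for i, j in enumerate(_BEACON_JITTER)
] + [
    (1_700_000_000 + t, "10.0.0.7", "198.51.100.20", 443, b)
    for t, b in [(3, 1200), (17, 8400), (95, 640), (102, 23100), (240, 980),
                 (251, 15500), (400, 770), (402, 3300), (590, 12000), (610, 450),
                 (700, 9900), (880, 2100)]
]


def group_connections(conns):
    """Bucket (timestamp, size) per (src, dst, port) tuple, sorted by time."""
    groups = defaultdict(list)
    for ts, src, dst, port, size in conns:
        groups[(src, dst, port)].append((ts, size))
    for key in groups:
        groups[key].sort()
    return groups


def _mad(values, centre):
    """Median absolute deviation: a robust spread measure that a few outliers
    (e.g. one missed check-in) do not dominate."""
    return median(abs(v - centre) for v in values)


def timing_profile(events):
    """Return (median_interval, interval_mad, size_mad) for sorted events.
    Inter-arrival times of a beacon cluster tightly around one value; human or
    application-driven traffic spreads widely."""
    times = [ts for ts, _ in events]
    sizes = [size for _, size in events]
    intervals = [b - a for a, b in zip(times, times[1:])]
    med_interval = median(intervals)
    return med_interval, _mad(intervals, med_interval), _mad(sizes, median(sizes))


def beacon_score(events):
    """Score in [0, 1]: 1 means perfectly periodic with constant size.
    Timing and size each score 1 - (MAD / median), floored at 0, then averaged."""
    med_interval, interval_mad, size_mad = timing_profile(events)
    med_size = median(size for _, size in events)
    timing = max(0.0, 1.0 - interval_mad / med_interval) if med_interval > 0 else 0.0
    size = max(0.0, 1.0 - size_mad / med_size) if med_size > 0 else 0.0
    return (timing + size) / 2


def hunt_beacons(conns, min_connections=8, threshold=0.9):
    """Return [(key, median_interval, score)] for pairs that look like beacons.
    min_connections skips pairs too small for a meaningful interval distribution;
    threshold is an illustrative assumption, not a value from the post."""
    findings = []
    for key, events in group_connections(conns).items():
        if len(events) < min_connections:
            continue
        score = beacon_score(events)
        if score >= threshold:
            findings.append((key, timing_profile(events)[0], round(score, 3)))
    return sorted(findings, key=lambda f: -f[2])


if __name__ == "__main__":
    for key, interval, score in hunt_beacons(SAMPLE_CONNS):
        print(f"{key[0]} -> {key[1]}:{key[2]}  every ~{interval:.0f}s  score={score}")
```

Run as a script it reports only the 10.0.0.5 to 203.0.113.9 pair, at roughly a 60 second interval, while the irregular client scores well below the threshold. The median-based measures are the important design choice: a hunt that used mean and standard deviation would be thrown off by a single long gap (a laptop that went to sleep), whereas the median interval and its MAD still describe the dominant period. In practice the same grouping and scoring would be fed from your real connection logs and the threshold tuned against known-good traffic such as update checks and monitoring agents, which are periodic for legitimate reasons.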