This webcast was originally published on January 14, 2020.
In this video, John Strand discusses the concept of beaconing using the tool Rita from the Active Defense Harbinger Distribution (ADHD). He explains how to use Rita to analyze packet captures for beaconing patterns, leveraging its capabilities to parse and analyze network data. The demonstration includes an overview of the HTML output generated by Rita and insights into identifying consistent network connections that characterize beaconing behavior.
- Rita, as a tool from Active Countermeasures, offers comprehensive network analysis for beaconing using existing packet capture data.
- The webinar emphasizes the practical application of Rita without the need for additional setup like parsing Bro logs, as these steps are pre-configured in ADHD.
- The use of philosophical concepts by Plato related to ‘true forms’ is creatively applied to explain the concept of ideal characteristics in network beacon analysis.
Transcript
John Strand
Hello and welcome. My name is John Strand. In this video, we’re going to be talking a little bit about beaconing, using Rita. Now, for this particular video, I’m not using the Security Onion.
Instead, I’m going to be using ADHD. If you want to find ADHD, just go to the activecountermeasures.com website, go to our projects. You’ll see Rita and Passer and a bunch of tools there.
And one of the tools is the Active Defense Harbinger Distribution. And that’s what I’m going to be using today. Now, we’re using ADHD for a couple of reasons. One, we have step-by-step instructions on how to use ADHD for this particular video.
And we have a PCAP that’s already been imported, so we can talk about beaconing, so you can actually follow along. Once you’re inside of ADHD, the first thing that you’re going to be doing is jumping into attribution and you go all the way down to Rita.
Now, Rita stands for Real Intelligence Threat Analytics. If you’re looking at what Rita is compared to something like AI-Hunter, our commercial tool, Rita is basically all of the logic, all of the math, all of the horsepower, all for free. Active Countermeasures’ AI-Hunter, Actual Intelligence Hunter, is actually the GUI, platform, notifications, all the stuff you would expect to see in an enterprise environment. Now within Rita, we’re going to follow these basic instructions.
And in fact, I’ve already run this. But to actually get Rita to work, you just cd into home, ADHD, tools, go into the enterprise lab, and then normally what you would do with a Bro log setup is you would actually go into Bro and you would then load in that data and let Bro parse it.
And then you would use Rita and you would do `rita import` and you would give it the path to the Bro logs and then a destination database. And then it’ll parse everything. And then you do `rita analyze`, and then it does its analytics and it’s ready to go.
You don’t have to do that inside of ADHD. That’s already been done for you. Also, in this particular video, I’ve already got the Mongo database started and I have the HTML report generated.
So I’m going to show you what that looks like. So this is the HTML output. It has a number of different output features. It can do text, you can do JSON, connect directly into Mongo.
I’m looking at the HTML because it lends itself better to videos like this one. So if we jump into versus agent, this is actually a packet capture for a specific timeframe that has been imported by Bro, and then Rita has analyzed it.
We have a number of things that we’re going to look at, and I’ll talk about these in separate videos. The first one I’m going to talk about is beacons. We’re going to talk a little bit about what it means to be a beacon for these things.
So here you can see that we have a source IP address of ten 234, 234 100, and a destination IP address of 138 197 100, 1774.
You can also see that there were 4,532 connections. Now, about those connections, what exactly does it mean to be a beacon? Well, whenever you’re looking at it from a mathematics perspective, you can use a number of algorithms, such as k-means clustering, to basically do some basic analysis.
As far as what is consistent about these connections, we actually don’t use k-means clustering. k-means is something that’s available in Splunk. It’s a fantastic utility, but it’s all about finding the right algorithm for the right problem.
In this scenario, Rita uses madmom, medium average distribution of the mean. What exactly does that mean? So, whenever you’re looking for a beacon, let’s get some philosophy here for a second.
I’ve got a chair. All right, here we have a chair. How do we know that’s a chair? Now, this goes back to kind of some earlier days of philosophy,
when you’re talking about Plato. I know this sounds weird. Trust me, it’s technical. Stick with me. And Plato basically said that everything that we have in the world is basically an imitation or a shadow of a true form.
So somewhere in the universe was a perfect chair, and every other chair was just a variation on that chair. Well, it turns out in computer science, whenever you’re doing things like k means clustering, using artificial intelligence and machine learning, you’re doing something very similar.
What you’re doing is you’re saying these are the characteristics of a perfect chair, or in this situation, a perfect beacon. So if we were going to say what a perfect beacon was, what were all the things we would say would make it perfect?
Well, interval. Interval is like a heartbeat. Some heartbeats are slow and some heartbeats are much faster. If there’s a consistency in these different connections, then you have a consistent heartbeat.
That may be one aspect of a beacon. Another thing you could look at would be data size. If all of the packets are the exact same size, of what’s being sent and what’s being received,
that could be a sign of that beaconing activity of saying, is there a command?
Voiceover
No. Is there a command? No. Is there a command? No. Is there a command?
John Strand
No. And we could look for those consistencies in those packets. We can even look for inconsistencies to find consistencies. Let me explain. So whenever you’re looking for inconsistencies to find consistencies, you may have jitter or dispersion in your packet connections.
So what that would mean is let’s imagine that we have a ten second interval with 20% jitter on either side. That means that all of your packets would be between a range of 8 seconds and 12 seconds, 2 seconds on either side of 10 seconds, and you would see a distribution where that would be 50% from ten to twelve and 50% from eight to ten.
We can actually look for that as well. Rita does all of this and it does it fairly quickly, and it does it for free across every single connection in a packet capture.
So that’s Rita when we’re talking about beacons. So ideally what you would do is you would sort this, you can export it to an Excel spreadsheet if you’d like. And you look at the score.
Now there’s a bunch of different systems that have high scores in here, but a couple of things that are interesting. First, you’re going to see a lot of Google and Microsoft data within these connections.
This particular system is a DigitalOcean IP address. So some basic research could tell us one of these is not like the other. The other thing is the sheer number of connections. A lot of these other ones, you have smaller numbers of connections going to known good IP addresses.
And in our evil backdoor, we have a high number of connections that is running at a very consistent interval. Now, does this mean that every single thing that beacons at a high connection interval is evil?
No, but it does mean that you want to look into it. It means it’s not human behavior. And yes, Rita does have the capability of actually importing a whitelist and then filtering those things out.
Once again, that’s why we do AI-Hunter. So that is our little video talking about beaconing. I hope you enjoyed it, and I hope you get a chance to play with Rita in the Active Defense Harbinger Distribution.
Now, once again, once you get into the Active Defense Harbinger Distribution, the user ID and password is ADHD and ADHD. You will go to attribution, you will drop down, and you’re going to see Rita, and once you open it up and follow the instructions, you would open up a packet capture and then select beacons and load the beacon data for that packet capture.
Thank you so much and I hope to see you in yet another video. This episode was brought to you by Black Hills Information Security, specializing in pen testing, red teaming, threat hunting, webcasts, open source tools, and blogs.
It was also brought to you by AI-Hunter from Active Countermeasures. The AI stands for Actual Intelligence. Need a threat hunting solution for the network? Check out AI-Hunter. It is also brought to you by Wild West Hackin’ Fest, currently offering conferences in San Diego and Deadwood, South Dakota.
To check out the schedule and the speaker lineup, check out wildwesthackinfest.com.
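The interval, data-size and jitter ideas John walks through above, as an added example that is not part of the webcast and is not Rita's own code: a toy scorer over constructed connection records (timestamp, bytes). Sample data, the `tolerance` parameter and the two-factor score are assumptions for illustration; it contrasts a 10-second heartbeat with ±20% jitter against irregular browsing.

```python
"""Toy beacon scoring over constructed connection records (not RITA's algorithm)."""
import random
from collections import Counter
from statistics import median

def make_beacon(n=40, interval=10.0, jitter=0.2, size=512, seed=7):
    """Constructed sample: a 10 s heartbeat with +/-20% jitter and a fixed payload."""
    rng, t, conns = random.Random(seed), 0.0, []
    for _ in range(n):
        t += interval * (1 + rng.uniform(-jitter, jitter))   # gap lands in [8 s, 12 s]
        conns.append((t, size))
    return conns

def make_human(n=40, seed=7):
    """Constructed sample: irregular browsing with variable timing and sizes."""
    rng, t, conns = random.Random(seed), 0.0, []
    for _ in range(n):
        t += rng.uniform(1, 300)
        conns.append((t, rng.randint(200, 60000)))
    return conns

def intervals(conns):
    """Gaps between consecutive connections to one source/destination pair."""
    ts = sorted(t for t, _ in conns)
    return [b - a for a, b in zip(ts, ts[1:])]

def interval_consistency(conns, tolerance=0.3):
    """Share of gaps within +/-tolerance of the median gap (the 'heartbeat')."""
    iv = intervals(conns)
    med = median(iv)
    lo, hi = med * (1 - tolerance), med * (1 + tolerance)
    return sum(lo <= i <= hi for i in iv) / len(iv)

def size_consistency(conns):
    """Share of connections carrying the most common byte count."""
    counts = Counter(size for _, size in conns)
    return counts.most_common(1)[0][1] / len(conns)

def jitter_band(conns):
    """Observed (min, max) gap plus the share of gaps below and above the median,
    i.e. the 8-12 s window and the 50/50 split described in the video."""
    iv = intervals(conns)
    med = median(iv)
    below = sum(i < med for i in iv) / len(iv)
    return min(iv), max(iv), below, 1 - below

def beacon_score(conns):
    """Assumed combination: average of interval and size consistency, 0..1."""
    return round((interval_consistency(conns) + size_consistency(conns)) / 2, 3)
```

A high score flags a pair for review, not as malicious; the whitelist step John mentions is where known-good destinations would be dropped before this scoring.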