Network Threat Hunting & AI Hunter Demo

Tales from the Network Threat Hunting Trenches & AI Hunter Demo

This webcast was originally published on February 28, 2018.

In this video, the speakers discuss various free tools and techniques for hunt teaming within organizations, focusing primarily on network-based approaches. They delve into the challenges of detecting command and control channels, especially when data is encrypted or obfuscated, and explore the use of artificial intelligence to enhance detection capabilities. The video emphasizes the importance of consistency in network traffic analysis to identify malicious activities, highlighting the use of interval, data size, and dispersion consistencies as key indicators.

  • AI Hunter is a visualization platform for network-based threat hunting, making it easier for junior analysts to identify and investigate potential threats.
  • The system utilizes network traffic and behavioral analysis instead of relying on signature-based detection, enabling it to detect encrypted or obfuscated malicious activities.
  • AI Hunter integrates with Bro and Rita, where Bro captures network traffic and Rita performs the data analysis, feeding into AI Hunter for visualization and further investigation.
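The interval, data-size and dispersion consistencies the summary refers to can be computed from the per-connection records Bro (now Zeek) writes to conn.log. The block below is an added example written for this page, not code from RITA or AI Hunter: it approximates the idea with two statistics per dimension, a median-absolute-deviation score (how tightly the values cluster around their median) and a Bowley quartile-skew score (how symmetric the spread is), and averages them into one beacon score per source/destination pair. The conn.log lines are constructed, the column subset and the 20-connection minimum are assumptions, and only the field names follow the real conn.log.

```python
"""Beacon scoring over Bro/Zeek conn.log-style records.

Added example (not RITA's code). Four sub-scores per (orig_h, resp_h)
pair, each in [0, 1], averaged into one beacon score:
  interval_mad  : 1 - MAD(intervals) / median(intervals)
  interval_skew : 1 - |Bowley skew(intervals)|
  size_mad      : same, over orig_bytes per connection (payload, not packets)
  size_skew     : same
"""
import random
import statistics
from collections import defaultdict

MIN_CONNECTIONS = 20  # assumption: pairs with fewer connections are not scored


def parse_conn_log(text):
    """Yield (ts, orig_h, resp_h, orig_bytes) from tab-separated lines.
    Assumes the column subset ts, id.orig_h, id.resp_h, orig_bytes as
    written by make_conn_log() below; '#'-prefixed header lines are skipped."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, orig_h, resp_h, orig_bytes = line.split("\t")
        yield float(ts), orig_h, resp_h, int(orig_bytes)


def _mad_score(values):
    """1 means every value equals the median; 0 means MAD >= median."""
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values)
    if med == 0:
        return 1.0 if mad == 0 else 0.0
    return max(0.0, 1.0 - mad / med)


def _skew_score(values):
    """Bowley quartile skew, folded so that a symmetric spread scores 1."""
    q1, med, q3 = statistics.quantiles(values, n=4)
    if q3 == q1:
        return 1.0  # no spread at all, e.g. a constant request size
    skew = (q1 + q3 - 2 * med) / (q3 - q1)  # always within [-1, 1]
    return 1.0 - abs(skew)


def beacon_scores(records):
    """Return {(orig_h, resp_h): {sub-scores, count, score}} for busy pairs."""
    by_pair = defaultdict(list)
    for ts, orig_h, resp_h, size in records:
        by_pair[(orig_h, resp_h)].append((ts, size))
    out = {}
    for pair, conns in by_pair.items():
        if len(conns) < MIN_CONNECTIONS:
            continue
        conns.sort()  # intervals only make sense in time order
        ts = [c[0] for c in conns]
        intervals = [b - a for a, b in zip(ts, ts[1:])]
        sizes = [c[1] for c in conns]
        parts = {
            "interval_mad": _mad_score(intervals),
            "interval_skew": _skew_score(intervals),
            "size_mad": _mad_score(sizes),
            "size_skew": _skew_score(sizes),
        }
        out[pair] = {**parts, "count": len(conns),
                     "score": sum(parts.values()) / len(parts)}
    return out


def make_conn_log(seed=1):
    """Constructed sample log: a 10 s beacon with +/-1 s jitter and a fixed
    322-byte request from 10.0.0.5, and a 'human' host 10.0.0.9 with
    exponential think time and varying request sizes, both to 203.0.113.7."""
    rng = random.Random(seed)
    lines = ["#fields\tts\tid.orig_h\tid.resp_h\torig_bytes"]
    t = 1519848000.0
    for _ in range(500):
        t += 10.0 + rng.uniform(-1.0, 1.0)
        lines.append(f"{t:.6f}\t10.0.0.5\t203.0.113.7\t322")
    t = 1519848000.0
    for _ in range(200):
        t += rng.expovariate(1 / 60.0)
        lines.append(f"{t:.6f}\t10.0.0.9\t203.0.113.7\t{rng.randint(200, 20000)}")
    return "\n".join(lines)


if __name__ == "__main__":
    scores = beacon_scores(parse_conn_log(make_conn_log()))
    for pair, s in sorted(scores.items(), key=lambda kv: -kv[1]["score"]):
        print(f"{pair[0]:>10} -> {pair[1]:<14} conns={s['count']:<4} "
              f"score={s['score']:.3f}  " +
              " ".join(f"{k}={s[k]:.2f}" for k in
                       ("interval_mad", "interval_skew", "size_mad", "size_skew")))
```

Run as a script, the jittered beacon pair scores close to 1 (the jitter only costs it a few hundredths on the interval MAD score, while the constant request size scores perfectly) and the human pair lands well below. Two design points match the discussion later on the page: the size dimension uses `orig_bytes`, the payload sent over the whole connection, not packet sizes; and the score is computed over every pair seen in the batch, which is why this kind of analysis is run on a day's worth of logs rather than per packet. RITA's own scoring differs in detail; only the idea is reproduced here.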

Transcript

John Strand

All right, so adventures in hunting. Paul will be joining us, we think, a little bit later, and we have Chris on as well. So we want to go through and talk about some free tools and techniques and some things to look for whenever you’re doing hunt teaming in your organization.

Now, this particular webcast is going to be very heavily focused on network-based hunt teaming. And I’ll explain why here in a little bit. We’ll have another webcast a little bit later talking about endpoint hunting, where we can talk about Kansa.

We can talk about the cool tools that are coming out of JPCERT and doing stacked analysis on user logins and logoffs to look for malicious accounts being used on multiple different accounts, multiple systems.

So that’s going to come a little bit later, but right now we want to focus on the network side of the house. Now, those of you that are new to these webcasts, you’ll notice we have a different logo.

We always have logos for, like, Security Weekly, blackhillsinfosec.com, and it used to be Offensive Countermeasures, and we decided to rename everything. And it’s now Active Countermeasures.

So be sure to check that if you want to check out that domain. We got some stuff there, but I’ll talk more about that later, because right now I want to focus on open source techniques and tools for doing threat hunting on the inside of an environment.

So, problem statement: detecting command and control is getting very, very, very hard in many organizations. When you’re looking at the backdoors that we use at Black Hills Information Security, we have things like Sneaky Creeper, we have VSAgent.

We use dnscat all the time. And we’re using these backdoors to easily bypass the network intrusion detection and intrusion prevention utilities that are available. And a lot of these command and control servers will do things like HTTP beaconing, that’s VSAgent, or social media, that would be gcat, another tool that we wrote.

And then DNS for dnscat. We also get some interesting protocols that are multi-homed, where the actual command and control server isn’t just one IP address out on the open Internet; it can actually be load balanced across multiple IP addresses.

And these protocols are QUIC for UDP and SCTP, which uses TCP for multi-homing and failover. Now, these protocols were created by big industry titans like YouTube, like Google, like Facebook, like Netflix, to handle higher data transfer between systems to their servers, instead of just having a single IP address with a single port connecting to a single port on your computer system.

They can now set it up where multiple servers are feeding data in unison into your computer system. Now that sounds great for those types of high bandwidth applications, but it gets really interesting when you’re trying to do stream reassembly on an intrusion detection system or intrusion prevention system looking for an attack signature.

Pen testing firms, as we said, use these tricks all the time. In fact, a lot of the tools I just discussed were written by Black Hills Information Security, and we released them to the public as proof of concepts. But we’re also seeing bad guys using these techniques on a very regular basis as well.

So we get into a fundamental problem. If an organization is trying to detect these types of backdoors on networks, how can they actually detect these backdoors if the data is encrypted, obfuscated or hidden?

Now we can use artificial intelligence. Now, I’m going to recover some of the things we’ve discussed in previous webcasts with Rita and basically walk through that again, and please don’t stop watching.

I know a lot of people, as soon as you mention artificial intelligence, they tend to freak out. But we’re going to show you what Rita is doing and how it uses artificial intelligence to detect bad guys or interesting command pairs in your network traffic.

So I want you to think of looking for consistencies within a network. We have interval consistencies, data size consistencies and dispersion consistencies, just as a couple of examples.

Now, whenever we’re trying to find these consistencies, which is weird because they’re actually inconsistent, the reason why I say that is a normal human being, whenever they’re actually clicking on links and they’re surfing the Internet, will click a link, wait a few minutes or seconds, then click another link.

It’s very inconsistent in their timing, the data size to websites and what they click, if they’re going to Yahoo will be different as well. And then when you’re looking at dispersion, you’re looking at a bell curve, and that bell curve will be skewed somewhat.

So we’re trying to identify these consistencies. We’re looking for automated command and control, or we’re just looking for any type of automated data that is in a network. So when we’re looking for things like interval, we’re looking for a very regular heartbeat interval.

So let’s imagine that all of these little dots here represent different connection intervals in an environment. And what we’re looking for is a very consistent heartbeat. We’re looking for a backdoor that’s once every half a second or 2 seconds or 10 seconds.

It doesn’t really matter what the timing is. It’s just that there’s a consistency to the timing, and the closer it gets clustered to the one, the more perfect it is, insofar as being a regular interval heartbeat.

We can look for these clustered patterns, and the algorithm that can be used for this is something called k-means clustering. And you can look this up on Wikipedia and you can get an idea of what the algorithm looks like. But you’re looking for these consistencies.

You’re looking for clusters to show up. So we have a lot of clusters that are close to a one or a perfect interval. We also have a cluster associated with data size. Now, what’s data size do?

If we have a consistent data size? And you’ll see this a little bit later in this video, a consistent data size means we could have a random interval or even dispersion. But if every time the backdoor connects outbound, it’s making the exact same connection, checking for commands, then the data size would be consistent.

So we were talking about being on an airplane, right? And sometimes you see kids behave poorly on airplanes. Sometimes you just see children behaving poorly in public. And one of the things you’ll see kids do is they’ll go, mom, mom, mom, trying to get their mother’s attention.

Mom is a very consistent data size. They’re asking it again and again. Now, after a while, kids get crafty and they start randomizing the interval. They’ll be like, mom, mom, mom, mom, mom.

Now, that interval has been randomized, that’s jitter. If we’re talking command and control, but the data size remains the same, we’re still looking at that mom showing up again and again and again.

So we can look at the server being communicated with the implant on the inside of your network, and it’s constantly checking to see if there’s any commands. And in doing so, there’ll be a consistent data size.

We can also check for dispersion. Now, when you’re looking at interval, if there’s jitter involved, like many backdoors today, like TrevorC2 or PowerShell Empire, they’ll introduce jitter.

I’ll say you’ll communicate every five or ten seconds, and by communicating every five to ten seconds, we’ll introduce a one-second interval on either side. So that means that the communication can happen at 5 seconds, 4 seconds, 6 seconds, or anywhere in between.

However, whenever bad guys use this type of dispersion algorithm when they create their backdoor, a lot of times they’ll use the built-in randomness libraries for whatever coding language they’re using.

So even though it does have jitter, it’ll have a very, very even dispersion as far as a bell curve as well. So I want to pause for a couple seconds. Do we have any questions that have popped up so far?

Sierra Ward

Someone just said, couldn’t it be pseudorandom?

John Strand

It absolutely could be. And that pseudorandom, anytime a human being creates randomness through an application, it’s hard to make it random. Yeah, it is. It is really hard. Now, there’s some tricks. I won’t get into that. That’s for a pen test webcast. But there are ways to get around that.

Sierra Ward

And I did put, sorry, I did put the k-means clustering link to Wikipedia in the chat.

John Strand

Fantastic. So we’ve got that. So you guys can look all of that up. Now let’s talk a little bit about the setup. All right. Now we’re going to talk about setting up Bro and Rita. And Rita stands for Real Intelligence Threat Analytics. And Rita does this. It does a number of other things, but the main thing of what it does is this: it looks for those consistencies and that clustering of consistent data pairs.

Now, you’re going to have the inside of your environment, which is on the right hand side of your screen, and you’re going to have all these systems communicating out to the Internet. Although I didn’t put the Internet, I just assumed that there was a bad guy system there.

But you have your firewall and the egress traffic. Now, all of this needs to be set up pre-NAT, pre-network address translation. And the reason why is we need to see the source IP address. We need to see the internal computer system that is communicating outbound.

As you can see, we have one system with a little sick face that’s communicating out to the bad guy’s computer. Now it’s going to go through Bro, and I’m going to talk about why we use Bro here in just a few moments.

And it’s going to be analyzed by Rita. Now, a quick note. When you’re doing this type of clustering, it’s not something that’s signature based. You’re not just watching the traffic, leaving your environment and looking for a specific signature.

You’re looking at all of the different network connections that happen over a period of time, let’s say a day. And you’re looking for consistencies within those communication pairs. This requires doing analytics and stacking, and basically doing review on all the connections.

That is a very tall order. So when Rita runs, it usually takes a full day, batches it, and then it takes six, seven, eight hours to process that data and then get you the report out, because there’s a lot of analytics that has to be done.

So we need that pre-NAT. We’ve got Bro, that feeds the data into Rita. Rita does the heavy lifting, and then you’re able to pull down the report. Now, why Bro? Well, this is kind of giving a little bit of history.

When we first started up with Rita, years and years and years ago, we were trying to use the ELK stack; we were trying to use Elasticsearch, Kibana and Logstash.

In doing that, we ran into a complete nightmare. When you’re trying to ingest logs from multiple different data sources, let’s say four or five different firewall vendors, the way that they handle time is inconsistent.

They will log the timestamp at the beginning of the connection, or the end of the connection, or the middle of the connection, or whenever the SIEM agent receives the data and loads it into the SIEM. That’s whenever it actually logs to the database the actual connection between an internal system and the outside.

And it’s very hard to try to correlate and fuse that across multiple different systems. And we had a lot of developers that were literally running regular expression filters to parse and filter the data, shove it into a database.

And our hope initially was we would get the top five vendors out of the way and then we wouldn’t have to redo that work. It didn’t work out that way. There were top five vendors, but even within different versions of those products, they would handle their logging and their timestamps inconsistently.

So that consistency that Bro gives us for timestamps, data size and everything is incredibly important when we’re talking about doing analytics with something like Rita. And also, we’re moving away from signature-based detection.

A lot of people call Bro an IDS, and I feel like that’s not really doing Bro justice. That’s trying to put it in the same category as Snort when it’s really not. What it really is, is a protocol parser.

It’s taking network connections, giving you statistics about these network connections: data size, how much data was transferred, what was the connection time, how long was the connection time, were there any files transferred, were there X.509 certificates?

What was the HTTP data, and so on. So it allows you to query your network traffic to get answers. Now, traditionally, you have to use Bro, and then you have to use a series of scripts to actually analyze the logs by hand.

And that can be somewhat problematic and difficult. So what we did with Rita is do a lot of that analysis for you. Also, there’s so many ways to obfuscate the actual payload.

So instead of actually trying to find a specific signature in payload, we’re looking at the behavior of the traffic. Now, Rita is, as I said, the heart, and Rita is free, and it’ll always be free.

There’s a number of reasons for that. I talked about it at DerbyCon, but Rita is doing the heavy mathematical analytics. And everything I’m going to talk about from here on out to the end of this webcast is all data that was filtered by Rita.

We have another front end that we can show it, but everything that I’m going to talk about is available here as well. So I want to take a couple of seconds and show you Rita. So this is the SANS 504 VM.

I’m actually cheating and using a lab from SANS 504 directly, just because I know it works, and it works every single time. So what we can do is we can load the data and show databases.

So this Rita instance that I have has two databases. It has dnscat and it has VSAgent. I’ll talk about why those two backdoors are interesting here in just a few moments. Now, if we want to view the data, we can actually show the data and view the database beacons for the database VSAgent, and it kicks it out in a comma-delimited file.

This is nice. And this is somewhat not nice. It’s nice because you can export it and then you can import it into Access. You can import it into Excel or any database where you can do analytics as well.

That’s a neat way of actually showing the data. However, what I’m going to show you guys today is I’m going to show you the HTML output. It’s the exact same data, but it’s actually in a browser.

So it’s a little bit easier for people to get familiar with what Rita is offering and how you can interact with it. So the same two data sets that we had from the command line are here.

If I select VSAgent, I can select beacons. Now, as I mentioned, VSAgent is a beaconing backdoor that uses cleartext HTTP. It’s actually base64 encoded in a ViewState parameter.

And here you can see our internal system, our 10.234.234.100 system, was communicating out to a DigitalOcean system, 138-197-1174, and it made 8636 connections and it almost had a perfect score.

Now, there’s other connections here. These are Microsoft and Google. And Rita does support whitelisting. You can use that in the configuration file. But one of the things that would jump out at you when you’re looking at a backdoor that’s beaconing out of your environment is the total number of connections.

A lot of the beacons that happen from Microsoft or Google, there’s a very short number of connections that leave the environment, checking for updates and things like that. Whereas you have many backdoors. The bad guy wants immediate gratification.

So it’s usually going to be in intervals less than 1 minute. We’re talking usually 10, 15, 20 seconds in most scenarios. This one actually does ten-second intervals.

So that is VSAgent in Rita. And we also have dnscat, and dnscat, if I jump right to the DNS data, it goes to the exploded view of DNS.

And you can see that we had 30,000 subdomains of nanobot ninjas. Now, what does that mean? Whenever you go to www.google.com, google.com is the domain and www is the subdomain.

Now, you wouldn’t expect a lot of subdomains for, like, nanobot ninjas or Google. You would expect a lot for .com. You would expect tons for .com. But for nanobot ninjas, that full domain to have 30,191 subdomains, that’s pretty much a dead giveaway that there’s a DNS backdoor.

The reason why is because every single time that DNS backdoor communicates outbound, it has to generate a new subdomain to create a full new recursive DNS lookup.

Basically resolve that IP address, and then the command and control is there inside the TXT record. So I just wanted to show you Rita and kind of what it does before I move on with the slides, because I just wanted to note that that’s the main tool that I used for analytics for the hunts that I’m going to discuss.

So just pause for a second. Do we have any more questions, or are we good to keep going?

Sierra Ward

Sierra, somebody just asked, how would you convince management to let you use Bro?

John Strand

How, would you convince management?

Sierra Ward

A lot of people had some good stuff, so I’ve just been sending that.

John Strand

Back to them. But, oh, very, very cool. So, trying to convince management to use Bro: it basically allows you to identify the things you don’t know. And a lot of how we started with AI Hunter and Active Countermeasures, it started with a premise that most of the security tools that exist today are really not detecting many of these backdoors that exist.

So we wanted to go hunting and find them. And a lot of that was manual, a ton of Python scripts. And we wrote Rita, and we wrote it in Go because it greatly sped up that process of doing the analytics. It was still very heavy lifting to do.

So the best way that you can answer that question is it allows you to go hunting for the things you do not know, things that your security appliances are missing. And trust me, they are missing. The other thing that you can do is this.

And this is kind of fun. If you can get approval, and this might be harder to get approval than getting approval for Bro: I talked about gcat. I talked about VSAgent. I talked about dnscat.

Set them up on a sample system on the inside of your network and run them. If your product doesn’t detect that, well, that’s all the more reason to get something like Rita and Bro in your environment. The final thing is cost.

Both of these are free. So this is just a couple of different reasons. All right, so let’s move on. So I mentioned VSAgent as a backdoor. And VSAgent does all of its communication in cleartext, cleartext HTTP, but it hides it in a ViewState parameter.

Now, ViewState is used by ASP.NET applications to actually track session information. It’s variable in length, and it’s also variable in data size, which makes it a perfect field for us to hide our command and control.

So this is actually command and control once every 10 seconds. And this eyJjb2 is actually the mom, mom, mom thing that I was talking about. You can see that it’s consistent.

Now, this is designed to be kind of a training wheels beaconing backdoor for many products to detect. Unfortunately, a lot of products don’t detect it by default.

Also, dnscat, I mentioned I wanted to show you what that looks like. You can see over here we have these 242246, a, 1, b strings. These are the subdomains.

And this is kind of highlighting. Usually with Bro, you’d have to go through and look through the logs. It would be very hard to find these types of consistencies in the logs to actually pull out and say that there was actual DNS data that was happening here as well.

All right, so let’s talk about some housekeeping. You’re getting ready to do hunting. You’ve got approval from management to get Bro and Rita in your environment. What’s the first thing you should do? Block ads. Please just block ads.

A ton of the hunt teams that I’ve done, I think Ethan’s on as well. But a lot of the hunt teams that I’ve worked on, we spend a tremendous amount of time filtering through ads, and there’s so, so many ads out there.

And when you’re looking at ads for Google Ads, Marketing 360, Taboola, OpenX, and there’s hundreds of others, they don’t have very simple domains that you can just simply whitelist. They’re usually these randomly generated domains that are long, and it looks very malware-ish.

So block the ads, because it gives you a much cleaner signal-to-noise ratio on the output, so you need to block them. And there’s a number of ways that you can do this. You can block them in your web proxy, on outbound, on your Forcepoint proxy, or Blue Coat or whatever it is you’re using.

You can actually go into that category and block ads. The other thing you could do is you could block it at the hosts. That works sometimes. And then there’s also products like Project Umbrella from Cisco, which is OpenDNS moved over underneath Cisco, where you can block them there.

And there’s a number of advantages to doing this. You’ll have less bandwidth leaving your environment. Hunt teaming is a lot easier. Ads oftentimes are the deliverer of malware, and like I said, it pollutes data, and it just makes for an absolute nightmare.

Now, it’s interesting, the whole thing is adventures in hunt teaming. We had one hunt teaming that we were working, before we actually got to the hunt team, we asked the customer to block ads in their environment, and the security team was like, that’s great.

Let’s block ads. So they blocked ads. Yay. Life is good. However, the marketing team, and that’s why Sierra’s laughing right now, the marketing team said, wait a minute, but our employees can’t see our ads.

We need them to see our ads. And they were, like, using Google Ads or something.

Sierra Ward

That’s why you shouldn’t use ads.

John Strand

That’s why you shouldn’t use ads. That’s why we don’t use ads. I think we tried that, and Sierra came to me. He was like, that’s a waste of money. Don’t do that. But this company, their ads were being blocked. So management made the command decision.

We’re going to allow ads from everywhere to show corporate spirit so we can view our ads. It was a total train wreck. But clearly, your life will be so, so much better whenever you actually do that.

All right, the next one I want to show you is round-robin malware beaconing. So I mentioned earlier that we have malware that can connect to multiple different IP addresses: QUIC, SCTP. And one giveaway is the data size.

If you remember, whenever I went back to Rita, I could show you the data size and also the dispersion. And Rita checks on data size, and it also checks on dispersion. Now, this was interesting, because we had one internal host on one of our hunt teams that was communicating to three.

Well, it was more than three. I just took three for the screenshots. But it was communicating to, I think it was like, ten different IP addresses in China and all kinds of weird places.

And these are real companies. These are real locations. Of course, it’s a real city in China. And what happened was we had one IP address that was actually connecting to ten different IP addresses out online, but the data size was consistent to every single one of them.

The dispersion was consistent to every single one of them. And the customer went and did some research. It turned out it was a security system. I’m not going to go into too much detail, but it was a security system that, for whatever reason, was beaconing back to China to a round-robin of different IP addresses.

So we had to sync that. We had to find the data size. The data size was consistent every single time. Now, that’s weird. You don’t see consistent data sizes to multiple IP addresses online.

So if you ever see an internal system making lots of connections of multiple external systems, and they all have the same attributes, that would be probably one of the things that you need to jump on immediately to try to figure out what’s going on.

The other one. Okay, this. To be honest, like I said, Ethan’s on this, too. Ethan worked this hunt with me. This one actually freaked me out. I’m trying to make it like the customer was one that freaked out.

I was freaking out, too. So we found a very strong beacon that was leaving an environment. I can’t remember, it was, like, five-minute intervals, and they had a large network, thousands of systems, that were connecting out to a DoD IP address on the Internet all the time.

Just beacon: data size was the same, dispersion was the same, interval was the same, lots and lots of IP addresses. Time to panic. I panicked a little bit. I absolutely did panic a little bit, for a couple of reasons.

One, when I’m doing recon, I like to interact with the system. That’s the command and control server. Like, check Shodan, maybe PunkSpider. Maybe spin up a DigitalOcean instance and port scan that system. I’ll try a number of things.

I won’t do that with a DoD IP address. I’m just like, that’s a big black box. I’m not going to touch that at all. I don’t want to have people in dark suits and sunglasses and little ear things show up on my front door.

So there was a lot of panicking. And was the NSA hacking them? Looking at what this customer did, we didn’t think the NSA was hacking them, but you never know, right?

And was it a Vault 7 or Shadow Brokers exploit? This is one of the theories. Hold on a second, love. Cough buttons.

Paul Asadoorian

Yeah, hey, this is Paul.

John Strand

Hey.

Paul Asadoorian

I hacked my way into the webcast. How’s it going?

John Strand

Doing very well. Thank you for joining us, sir. We got a quorum. We got Chris and Paul on. So you got kids in the background. I was warning people there might be screaming children in the background at your house.

Paul Asadoorian

I think I’ve successfully kicked them all out of the house. I think they’re at the neighbors’. And my wife actually went to the dump.

John Strand

So I had a vision of, like, your small children outside on your back deck, like, cold. Maybe daddy will let us back in again.

Paul Asadoorian

Yeah, it’s actually warm out, which is weird. Anyway, I’m glad I could be here. I had to find a Windows or a Mac computer in my house, which there was one Mac, so here we are.

John Strand

Used by your son to play video games, probably. So we’re still talking about open source hunt teaming stuff. We’ll start talking about the new stuff here in just a little bit. But, no, it’s super cool. We got Paul and Chris on.

Paul Asadoorian

Yeah, I have some notes on that, so I’m ready whenever you are.

John Strand

Awesome. So, yeah, there were a lot of questions between us and the customer. Was it possible that there was a Vault 7 or Shadow Brokers exploit that had a hard-coded IP address in it?

Now, if you remember, this was released publicly through WikiLeaks. So that was a possibility. But still, it makes no sense. If you talk to anybody that does cyber offensive operations for the Department of Defense or the intelligence community, they tend not to do attacks on random companies, infect every one of their computers, and have them beacon back to a DoD IP address. That’s just bad operational security for them. And so we started hunting down. We looked at the IP address, a bunch of people were looking at the IP address. DoD IP address, no question it’s a DoD IP address.

And then the customer calls me, and the customer’s laughing. Quote from one of their developers: wait, that IP address is odd. It’s the current version of our product X. So what it was is they messed up in the update feature.

We think it was the update feature, where the product was supposed to go to a server, give its version, and the server would give it an update if there was an update there. However, they messed up, and instead of going to an IP address and giving its product version, it actually tried to connect to its product version, which just so happened to be an IP address in the Department of Defense IP address space out online.

So not really malware per se. And there were a lot of people that were very happy that it wasn’t the DoD hacking them. But it also makes the whole entire, like, pucker factor go up, because you literally have thousands of systems talking to DoD on a regular basis.

It’s amazing that they didn’t get a call at some point. So I’ll pause again. Do we have any more questions?

Sierra Ward

Tim has a question. Yeah, he says, in one of the earlier slides you showed an example implementation of Bro and Rita on what would have presumably been an enterprise network. What would be your recommendation for implementing Rita and Bro in an AWS environment where you do not have a centralized point of egress, such as a firewall? In AWS you can use a NAT gateway, which gives you no access.

John Strand

In AWS, you can configure your network architecture so that whenever systems are leaving, it can actually go through a central IP address. You can actually do routing and switching and firewalls. You have that full networking capability, so all you would need to do is hang it off of a quote unquote virtual SPAN port in AWS to capture that traffic.

The other thing you could do is run Bro inline. I don’t really recommend that, because Bro, whenever it starts getting too flustered, it’ll start dropping packets. So you want to make sure it’s side-chained. So you absolutely can do sniffing in AWS.

So what you would do is Google “sniffing in AWS.” Then whatever server is getting that data that you’re sniffing from AWS egress, that’s the server that you’re going to install Rita and Bro on.

Sierra Ward

Okay.

John Strand

And that was my voice. All right, very cool.

Chris Brenton

Actually, I got one, too.

John Strand

Oh, this has got one too.

Chris Brenton

Not so much a question as an answer, because this was something that came up the other day that I had to clarify for somebody. So when you’re talking about data size consistency being odd,

what you’re talking about is the payload size, not the packet size. Packet size consistency actually happens a lot, especially when you look at SYN packets. You’re going to get the same-size SYN out of a system all the time.

So when you’re talking about that, it’s not packet size. It’s actually the payload data that’s embedded inside of it. That’s what you’re digging at.

John Strand

And that payload data absolutely could be spanned over, like, 5, 10, 50, 100 packets. Absolutely. But it’s for that full connection.

Chris Brenton

Which makes the analysis that much more challenging.

John Strand

Yeah, because now you’re not looking at a packet anymore, so. All right, very cool. All right, so let’s talk about the lesson. Sometimes beaconing data is not evil.

Sometimes it’s just a mistake. And, this is one of the things that was very odd to us once we started doing hunt teams. We did find malware, we did find evil in networks, but we also found a lot of weird things where the product was just syslogging data for no good reason.

Customer experience data, we don’t know what that was. It was encrypted, but you would have individual applications on desktops that would basically be syncing everything out to a centralized vendor, direct software updates.

Trying to get to the Internet, would be like scan data, trying to find a port that’s open and crawling to try and get out. There’s a lot of filtering and research when you first do this, but it does get easier over time.

And I tried to come up with some analogies to think through how you approach this. Right now. Hunt teaming is tactical. There are vendors out there that talk about automating Hunt team on the endpoints.

The vast majority of them that we encounter in pen tests really are not effective because you’re trying to watch absolutely every single endpoint. It becomes white noise. You’re trying to watch everything so you effectively see nothing at that point.

And then there’s a lot of IDS, IPS, firewalls that are trying to do this, but it’s also not that great because it’s very static. So when we’re looking at hunt teaming, we’re looking at it from a tactical perspective, like with vulnerability assessments.

We’ve been doing this for well over a decade and it still has some manual verification. It still has people going through checking to make sure this patch is missing or this misconfiguration is in place. It’s still a tactical activity for many, many organizations.

We’re trying and we’re getting better at trying to automate this. Still at the end of the day we’re still going through and validating it. So right now if we’re looking at hunt teaming, hunt teaming is not at the point where it’s completely automated and that shouldn’t surprise anybody right now for artificial intelligence, for endpoint security, it’s still not automated as much as they try to tell you it is.

It doesn’t work as well as some vendors would have you believe. Trying to watch this on the network is not automated even though the vendors will try to tell you that. So we’re trying to bring this down towards tactical.

So you go through, you find these oddities and then you remove these oddities and things get clear. So I mentioned before the show started about Chris. The first time I saw Chris was back in 2003 in Denver, Colorado.

Chris had this approach to log analysis and Paul and I have talked about this over the years and it’s hard to sell this idea to people for log analysis today for like your standard Windows event logs or Linux event logs or application event logs.

And his approach was you’d go through all of your event logs, find the event ID with the highest count, know what that is, and then create a filter that pushes that over to a file, and then go to the event ID with the next highest count, know what that is, push that over to a file, and you go through the process of refining what it is you’re looking at in your event logs, knowing what the event logs are.

And at the end of the day you get things where they’re very, very clean. And the only thing that shows up are the oddities, and that’s where you find a lot of the interesting bad guy stuff. So it’s kind of like that. You go through your vulnerabilities, you clean out your vulnerabilities, you go through the first time and you’re like, well, this person has an application that’s communicating outbound to Kuala Lumpur.

We don’t need that application, let’s get rid of it. This particular application is talking to DoD, let’s stop that. And you clean up your network, let’s clean up the ads. And you’re constantly cleaning and you’re constantly doing housekeeping and it gets faster and faster every single time that you do it.

So on the topic of blacklisting, let’s move on now with blacklist, it’s amazing to me how effective blacklists are still and how ineffective they are.

And I’ll talk about what I mean by ineffective blacklists and effective blacklists. It’s a great filtering point to start researching, but I’m going to show you in a little bit that it doesn’t always tell the entire story.

So there are multiple different sources of blacklist information online. You have Google’s blacklist, you have Malware Domain List, you have tons of these different services that are offering up blacklists of evil domains and evil IP addresses.

Now most of the time these vendors start feeding off of each other and they sync very, very quickly. So having a hit on a blacklist does not necessarily mean the connection is immediately evil.

There are many situations where you’ll have an IP address and there’s virtual hosting in play. Well, there’ll be 20, 30, 50 web services running off of this IP address, and only one of them may be evil and also old entries.

If an IP address ends up on a blacklist and it’s cleaned up, but many times that old entry will persist for an extended period of time. So simply because a connection is made to an IP address on a blacklist does not necessarily mean that that system is compromised.

So what are some things you should look for? Well, numerous hits. So if you have an IP blacklist hit and it’s just one of the different blacklists, let’s say there are 47 different blacklists online, and only one of them, like MyWOT, says that it’s a malicious IP address, I tend not to get that excited.

You’re still going to dig in, you’re still going to look and try to figure out what MyWOT or Malware Domain List say about that IP address, but you’re probably not going to get all that excited right off the bat.

So if you’re looking and there’s multiple blacklists that all say this IP address or this URL is evil, all of a sudden, now I’m a lot more interested. if you ever get to the point where every one of them are in agreement, you’ve just stumbled into the malware holy grail of an IP address that is so evil that everyone agrees that it is in fact evil.

So numerous hits is one more indicator that this is an IP address communication pair to a command and control server, or potential command and control server that I need to dig in a little bit more.

Next one, how much data is transferred? And this was one that the development team at Black Hills Information Security had to convince me on. So Hannah and Lisa and Joe and Ethan talked to me about this.

So you can’t just say how many blacklists something is on to say it’s evil. So in this scenario, we had two IP addresses that were making 31,833 connections, but the bytes transferred, that was very interesting.

See, you’re going to have internal hosts that connect to blacklisted addresses. That happens all the time, especially if you allow people to go to ads. Simply going to a website will load advertisements, and a good number of those advertisements are actually on blacklists.

So you’re going to see hits on the blacklist. And you shouldn’t panic too much if you have an IP address that’s connecting out to a blacklist. However, if that internal IP address is transferring megs and megs and megs of data, it’s most likely at that point it’s not an ad just loading.

You’re talking about a bad guy sending and receiving data, lots of connections being made that is abnormal. So if you see a handful of connections, let’s say four or five, between an internal system going out and there’s not a lot of data transferred, well, probably shouldn’t panic all that much.

I mean, you want to watch it, but probably nothing you’re going to care about all that much. But if you see lots of connections to a blacklist and you see a large amount of data, now it’s time to panic and start digging in.

A quick note on porn. I can’t really go too far because marketing is here. So we had a lot of hunt teams, and in almost every single one of them you’re going to have a user that’s trying to surf porn. They’re trying to go to Dailymotion, or they’re going to go to xHamster or some triple-x .net website.

Just so anything with us.

Sierra Ward

Give more websites, John, let’s not.

John Strand

Well, Dailymotion isn’t all evil. It’s not a porn site. But we actually could look at what they were trying to resolve in Dailymotion in the logs and Bro. And yeah, they were pretty much going for porn.

so you’re going to see a lot of that.

Sierra Ward

Jason says, it’s my experience that marketing is the worst.

John Strand

Marketing is the worst.

Sierra Ward

we’re going to bad things.

John Strand

No, not even close. Not even close.

Sierra Ward

Not here.

John Strand

Not here. No. No. So, yes, you’re going to see people that go to porn, have an HR policy in place on how to deal with this immediately. Firing employees or yelling at employees tends not to be that effective.

Try to be nice when you talk to your employees. And the reason why you want to be nice is because if you’re a complete troll and you’re angry and you yell at people, they’re going to stop coming to you with problems. They’re going to try to hide even deeper.

So, please, just a quick note on porn, and then we’ll move on. Here we go.

Sierra Ward

We have a couple questions.

John Strand

Yeah, some questions.

Sierra Ward

So Steve says, how fast can Bro collect data? How do you size the machine that Bro is running on, CPUs, RAM, et cetera, for a large number?

John Strand

That is a fantastic question. And the Bro website actually has full specs. Isn’t that right, Chris? I think our specs, what we spec out, are directly copied and pasted from the Bro website.

Is that. Is that right?

Chris Brenton

Yeah, that’s where we started and then built on from there.

John Strand

So they’ll tell you how many cores, how much CPU you should have. One of the things that I thought was interesting, Chris, is they don’t recommend an SSD drive. I do recommend SSD drives.

Especially whenever you’re acquiring the data, writing the data, and doing analytics on the data, an SSD drive is your friend. Cool. Another question.

Sierra Ward

Ricky says we are in the process of deploying a Bro monitor. Any recommendations or resources I can use to properly size my hardware for capturing and storing data?

John Strand

For capturing and storing the data, just more. It’s an easy answer. Just more. And once again, SSD. The Bro website has all kinds of specs. I think if Ethan could find that and send it to us in chat, we can get that out to people, or Chris.

But there is a website where they basically go through and they give you all the specs on how much memory you need to have. They do it in 100 megabit to gigabit connections. And then from there on out, they’re like, just keep adding CPU cores and more memory and more hard drive space.

Oh, go ahead.

Sierra Ward

Oh, no, go ahead.

John Strand

I was going to say, the other thing is, watch the, packet loss. do we have Ethan on? We should probably try to promote Ethan. so you need to watch the, packet loss.

So if Bro is getting, like, single digit percentage packet loss, life is still okay. Whenever it starts getting to 20% to 30% packet loss, that’s a good sign that your system is probably under-specced or it’s not actually configured properly.

Sierra Ward

ethan, if you have anything to say, I just promoted you into the.

John Strand

Staff, so now he can talk.

Sierra Ward

Here’s another question while he thinks about that. Can you bolt Rita onto Security Onion?

John Strand

Yes, actually, I think we actually have an install script that installs on Security Onion right now. That might be changing shortly, but yes, you could actually install it on Security Onion instead.

In that situation, what I’d recommend is stand up Security Onion on one system and then stand up Rita on a separate system and then rsync your Bro logs over to the Rita server.

That would be my recommendation for that configuration if you’re going to use Security Onion.

Sierra Ward

Okay, cool. and I think that, that, we just, ethan just put it in the chat, so I just replied all. So it’s in there. yeah, so I think we’re good.

You can go ahead.

John Strand

Fantastic. So we see a lot of situations where there’s websites that look like they’re relatively benign, right? Like this hospital website. This IP address right here from Confluence went back to this hospital, and yeah, it was totally weird whenever you actually went there.

I’ve tried to filter this stuff out, not because I’m trying to protect a customer, because there’s not customer data in here, but I don’t want people randomly going to these URL’s and getting compromised in the process. So if I left an IP address and you’re like, hi, got you.

I’m trying to do it for your own protection. Just be careful, playing with these websites. But yeah, you’ll see a lot of quote unquote legitimate domains that, are being used by bad guys.

spyware. Want to spend a couple of seconds talking about spyware where we’ve seen it, spyware is just weird. it’s not quite adware, it’s not quite malware. It’s usually tracking a user and also it tends to be really old.

We had this, reverse, revsci.net tracking cookie in one of our environments, that we were testing. And there was a lot of traffic going from an internal system out to this IP address.

And this particular tracking cookie, spyware was actually from 2007. Now why, when we talk about something from 2007, one of the things that I’ve noticed, and this is just a really good articulative example, is it’s not uncommon for organizations, especially nowadays to have systems in production, desktops, notebook computers that are over ten years old, it’s kind of shocking.

It was kind of shocking when I saw this, but it does happen quite a bit. So when you’re going through and you’re doing a hunt team, you’re going to see things. And this is the, DNS logs from the system.

You’re going to see things where very old tracking software and spyware is still being used in that environment. It’s still trying to connect out to the spyware server, so expect that as well.

But this also goes back to the overall category of block advertisements at, the edge of your network.

Chris Brenton

Also your biggest threat here, John, is C-levels. Because when you look at, I’ve run a number of ops teams at different companies, and the people that want to be the exceptions to new laptop updates are the C-levels, and they just want to image the old system, put it on the new one.

So the hardware might not be ten years old, but yeah, the OS still is.

John Strand

Yeah, they just keep all of their desktop icons and everything up to date with them. And Apple kind of enables that too, right? With Time Machine, you take your old Apple, bam, you.

Sierra Ward

Never move to another computer.

John Strand

And that’s kind of cool. But also it’s kind of sad because I like getting a new computer and it’s like, yay, a new computer. Oh, it’s just like my old one. And then they start wondering, why is it still running slow?

and they’re still shocked by that.

Sierra Ward

Josh says by C-levels you mean marketing.

John Strand

By C-levels you mean you’re just. Yeah, it’s not going to stop today. It’s just going to keep going. So compromised servers. I want to show you kind of what it looks like. I get into arguments sometimes when I say I do this, but whenever I’m doing a hunt team, if I have an IP address that is legitimately straight up weird, I will port scan that system, and I will always port scan from a disposable system online.

And I want to explain why. Whenever we’re doing hunt teams, a lot of times people ask questions, well, what is the server doing? Why are they serving this stuff up?

This looks like it’s a legitimate website. Is there malware on this website? So this is a server that had a web server that was running, and it just screams exploit. It had 443 open.

We got info wave radsec new net, NBX server. But the big port that jumped out at me was 2222, and that is a very well known backdoor port that I use in every SANS class I teach.

But you start seeing backdoor ports like that, or 4444, it’s usually an indication that there’s something sketchy and also its database is exposed to the open Internet. I don’t go any further than this.

I won’t actually try to exploit the server, I won’t try to access the backdoor port and I won’t try to take over the system because that’s kind of getting a bit weird. But it is interesting to me like how consistent a lot of these third party websites that get compromised look when they’re being used for command and control.

The reason why is, bad guys, we can go back to the DoD analogy. Let’s say you’re working in DoD. You don’t want to have your malware connect back to you at a DoD network.

No, that’s crazy. you would want to take over somebody else’s system and then have your malware connect back to that trusted computer system. And that’s ultimately what it looks like.

Now we can get into arguments about whether or not this is crossing any lines. but I wanted to bring it up for discussion purposes. The only thing I would say is, from my perspective, don’t try to make a connection or a port scan directly from your network.

When researching a potentially malicious IP address. Stand up a server someplace else, do what you got to do, and then kill that server and just eradicate it. Don’t keep that server up and running any longer than you absolutely have to.

Speaking of compromised systems, crypto mining is the new hotness. We’ve been talking about this on Enterprise Security Weekly and some of our webcasts so far. But you’re seeing a lot of websites.

I know The Pirate Bay was hosting Coinhive, and simply visiting their website loads JavaScript that does the crypto mining in your browser. So when we’re working with customers, it’s not uncommon for them to have like 93 instances of Chrome running on their system.

And that’s basically just spinning off multiple different crypto miners in their environment. So this was a situation where we had a server that had SSH that was open. It also had 8000 open and port 8080.

And if you connected to port 8080 on a URL list, it came back with the number of workers, their IP addresses and what power utilization they were.

So yes, we’re seeing this now. And what’s interesting is this doesn’t show up as malware in IDS/IPS systems yet. I don’t quite know why the signatures aren’t up to date.

I think it’s probably because it’s using HTTPs. Also, when you’re doing the hunt team and you start looking at the endpoint, a lot of hunters will look at the system and say, well, it’s just Chrome.

Chrome’s doing its thing and there’s no concern. It’s not like a brand new evil backdoor .exe that’s on the box. It’s merely just doing cryptocurrency. And there’s also been some interesting opinions on cryptocurrency.

It’s like, well, it’s not that bad. It’s much better than ransomware. So let’s just take our lumps and be happy that the bad guys are using Coinhive or they’re using some type of miner for Ethereum or Monero or Bitcoin in the browser instead of taking over our entire network.

That’s your call. That’s honestly, that’s your call how you want to look at that. But we’re seeing that traffic show up in a lot of our hunts as well. I want to give you some online resources that I like.

IPVoid and URLVoid are just a place that I go to constantly. Put in an IP address, it tells me how many blacklists it shows up on. It’s all linked, so I can click very quickly and easily and I can jump to other websites and get their reasonings for the reputation.

I mentioned virtual hosting. Excuse me. I can see what hosts are on that particular IP address, and I can see if any of them are known to be evil in this situation.

Not really for the URL’s. There’s one down below at 678, but it gives me a good overview on the system and the IP address that I’m looking for. This is the central repository, and then I’ll jump to other servers as the data comes up.

Up next, BGP ASN ranking. This is something that we’re going to be adding into Rita shortly. But all of the IP addresses that you go to, they go to a network neighborhood or ASN number, and you can find out which one of those ASNs are probably bad neighborhoods.

So the fine people at the Computer Incident Response Center Luxembourg, they have a fantastic breakdown of all the different IP addresses that are on blacklists, and then they cross reference those to ASNs, and it’ll tell you whether or not that is a bad neighborhood.

So that’s cool. So if you have an IP address that’s going somewhere that appears sketchy, but the IP address itself is not showing up on any blacklist. You can actually check that IP address, see what ASN it’s on, and then you can see if that ASN is known to be a bad neighborhood with malicious entries.

Also, Shodan. Shodan is so huge for doing hunt teams because they’re going through and they’re indexing service banners for web servers, FTP servers, servers.

And when you’re doing research, you want to be able to get as much information about a particular IP address without actually connecting to it. Earlier I ran Nmap, sure, but I only do that if it doesn’t show up in Shodan or someplace like PunkSpider.

So this allows you to query, what is that server doing? What are the services on that particular server? Is it possible it’s running like IIS version 6 and it could be a compromised server? A lot of that you can deduce by going to Shodan and pulling their cached information without actually touching the server directly.

Also, PunkSpider is back. PunkSpider is one of my favorite websites. They were basically scanning the entire Internet looking for vulnerabilities.

They were actually scanning for cross site scripting, SQL injection, command injection, blind SQL injection across the entire Internet. Now we can get into questions as to whether or not that’s legal. It was interesting, they actually got some DARPA funding.

They went offline for a period of time and then they came back. The new version of PunkSpider basically does the queries looking for vulnerabilities, but it also does port information and Nmap scripting, services, products.

And then you can also filter it down by countries as well. So great resource to see. Well, maybe there’s an easy to exploit SQL injection vulnerability on this one website that my users, or one of my users is connecting to regularly.

And you can look at it and say, aha. yes. When we looked at this particular server, there’s definitely a SQL injection vulnerability on it. We checked Shodan. There’s ports and services exposed that are exploitable.

Ran an Nmap scan and it looks like it’s running a backdoor port on it. So that allows you to tie together and put together a really nice picture for doing the hunt and figuring out exactly what’s going on.

So conclusions? Detecting command and control is getting harder and harder and harder. We released Rita to help detect these backdoors, and part of the reason why is because a lot of our backdoors and the techniques that we were using, honestly, they weren’t being detected in many organizations.

So whenever you’re doing a pen test, you don’t want to go to a customer and say, well, yep, sucks to be you. There’s no way to detect this. That’s just the wrong answer. You want to give people at least something that they can start doing analysis on, and Rita is free.

Also, we’ve got a patent on the frequency analysis, and Rita will always be free, and the patent will be part of Rita. We’re going to try to keep it in Rita as much as possible.

Excuse me. So we’re trying to keep that free and give it to the public because Paul and I. And Paul’s on. I probably just talked to him while he’s got food in his mouth. but Paul and I have been treated so well.

There he is. Paul and I have been treated so well by the community. It’s kind of our way of giving something back to the community that, people can always use. There’s, a lot of free resources online that you can use.

This is an hour. I just, we try to do 50 minutes of webcast. There’s a lot more that we could do with this as well. Ultimately, it requires a little bit of digging, and Rita was designed to try to cut through the noise of bro logs and make it a little bit easier and create a much smaller set for a junior analyst to start going through as well.

So this goes back to housekeeping. So, with that, I want to say thank you, and we’ll throw it over to questions before we turn over to the active countermeasures AI hunter side of the presentation.

So we got any questions?

Sierra Ward

well, we don’t have any questions now, so go ahead and enter those if you want to. a couple people brought up some good. There was a blog post, how to build a non attributable system by Bo.

John Strand

Yep, that was on our website. Did you share that out, too?

Chris Brenton

Yeah.

John Strand

Okay, cool.

Sierra Ward

Somebody shared the link for our blog post.

John Strand

I find it interesting. We’re, like, talking about hunt teaming, and they’re like, like, so, how exactly do I go about creating a perfectly non attributable system for doing my shenanigans online? so awesome.

Sierra Ward

Okay. Question for John from Jeff McJunkin.

John Strand

I like Jeff a lot.

Sierra Ward

Yes.

John Strand

Newly certified SANS instructor.

Sierra Ward

Nice. What happened to Johnstrand versus Johnstrand.com?

John Strand

John Strand versus John Strand.

Sierra Ward

Did John Strand sue you?

John Strand

No, John Strand, the real John Strand on Twitter did not sue me. I am. But the male model, John Strand.

Sierra Ward

does he have at John Strand?

John Strand

he does not. He does not.

Sierra Ward

Who owns that John Strand?

Paul Asadoorian

I thought. I thought Larry hacked John Strand versus John Strand and basically rigged the election.

John Strand

He did rig the election. So the male model won.

Sierra Ward

Well, that probably made the male model very happy because he hates that he.

John Strand

Yeah, I don’t think he likes me very much. And I wish him nothing but the best in his career for underwear modeling, which sometimes he’s not even wearing.

Paul Asadoorian

I had that example because every time someone says, hey, we should create, like, a poll or something for our listeners to interact with. And I’m always like, yeah, dude, someone’s going to hack it.

And they’re like, get out. I’m like, someone hacked John Strand versus John Strand. Just throwing that out there like, it’s never fair. When we ask people to vote, it becomes not about who people are voting for, but whoever can hack it and what they think.

John Strand

Some people just want to watch the world burn. And we’ve talked about it. I think one of the, like, years ago, you shared with me logs on the security weekly web server. And you’re like, here’s our logs. This is how many times we’re attacked today.

I guarantee you it’s terrible.

Sierra Ward

Watching ours is awful.

John Strand

you put on security Weekly and you see how many times it’s attacked, and then all of a sudden we’re like, here’s a poll for people to interact with. We’re hosed.

Sierra Ward

So Tim has a question. Is Rita modular? And if so, would it be worth writing a plugin for it to ingest VPC flow logs from AWS?

John Strand

If you want to. Absolutely. It’s all free. It’s out on GitHub. So if you want to add a module that does that, I think we would love that. You just put in a pull request and we’ll look into it.

But yes, all the code is available and it’s out there.

Sierra Ward

Okay, Justin, has a question. What’s the suggested reporting frequency for this? Assuming that we need to export data and then import data into this, would you recommend this to be a daily occurrence?

Chris Brenton

Weekly?

John Strand

I would recommend at this point, whenever we’re talking about hunt teaming, because it is something that is relatively new, that you do it once a month. And the reason why I come up with once a month is, whenever we do a hunt team, let’s say I spend a week going through the data and then I send it to the customer.

The customer usually takes about a week to two weeks to parse through that data, figure out what was going on, and then start shutting off those doors before they can start again. So that cycle is not quite, there and it takes longer when you start.

So I would recommend, let’s look at this as you do vulnerability assessments, once a month. Now, of course there’s going to be people like, what about continuous vulnerability assessment? Yes, that’s great. In an ideal world, you have time, but.

Yeah, but the vast majority of people just aren’t there and the products and the vendors aren’t there yet at all for vulnerability analysis. So let’s look at this as a tactical thing that you do once a month that requires a human being to interact with it.

And Paul is going to talk a little bit about artificial intelligence coupled with a human being. We use this narrative all the time, but that’s what we’re trying to do. We’re trying to create artificial intelligence tools and Rita to put this data in front of you as a human being so that you can do something brilliant with it.

Sierra Ward

I thought Rita was going to be discussed more. Maybe it was wrong. Is there other resources for Rita?

John Strand

Yes, we have tons of videos on Rita. If you go to our blog and just do a search on Rita, we probably have like 10 or 15, and we’ve.

Sierra Ward

Done some webcasts on.

John Strand

Yeah, we’ve done webcasts on them. So there’s lots and lots and lots of them. In fact, I could just do that right now.

Sierra Ward

How does Rita play with Azure?

John Strand

It can install anywhere where you can actually do a sniff or SPAN port. And I can throw that over to Chris real quick while I’m pulling up Black Hills InfoSec here. Real quick.

Sierra Ward

Chris is still on. Rachel said, oh, read AI. It’s happening soon.

John Strand

Yes, it is happening soon. It is happening soon.

Sierra Ward

Stay tuned if you can.

John Strand

It is happening.

Sierra Ward

Sorry, Chris, go ahead.

Chris Brenton

Oh, no, I was just going to say, I’ve actually never tried that on Azure. I know for a fact it works on Amazon, but never tried it on the Azure side.

John Strand

So I’m just going to our blog, which. This is horrible, Sierra. It’s getting to the point where if I’m trying, if I’m trying to figure something out, it’s like, how do I do? We did a blog post on it.

So if you go to our blog and you do a search on Rita, it’s a good kind of horrible. We have, let’s go hunting. How to hunt command and control using Bro IDS and Rita, webcast on Rita. And owe it to my mom, which is a bit different.

Merida, apparently that shows up there as well. But we have blogs and things associated with Rita. So please, please, please check that out. Paul and I have done DerbyCon talks on Rita as well.

So there’s lots of information on Rita, and we have the git repository, too.

Sierra Ward

Is Rita anything like Sqrrl?

John Strand

Is Rita anything like Sqrrl? Sqrrl actually does endpoint analysis, and it actually pulls a whole bunch of data into a centralized database, and you can query across the entire environment.

So, yes, on the network side, it’s doing that type of hunting, because I know Sqrrl does some beaconing analysis without.

Chris Brenton

Having no SQL commands.

John Strand

Yes, that’s a good point. You don’t have to know SQL to use Rita. We love squirrel. I think it’s a great product, but you do have to write SQL commands to query data out of it, and it makes things a little bit tougher.

Sierra Ward

Okay. There was can. Yeah, there’s some more Rita questions, but do you want to go into that or should we?

John Strand

Let’s do one more, and then we’re going to get started with the rest of it. We got to give people a little bit of pause break.

Sierra Ward

Okay, so the last one we’ll do: can Rita parse Suricata JSON EVE logs?

John Strand

So that’s a bit different with Suricata logs that are coming in. That’s kind of in the same vein as, like, an ELK stack. It does not parse those. The only thing it parses is Bro. And the reason why is we have to stick with one intrusion detection.

Well, a network flow analysis tool for the sake of consistency. But once again, it is an open source product, and if somebody wants to write a plugin for it, that would be awesome. We would absolutely love that.

But we don’t see Suricata being used on network analysis anywhere near as much as we do Bro.

Sierra Ward

Okay, so if you need to leave, that’s totally okay. We are recording this. So, I know that some of you only have an hour you can spend on our webcast. We are going to start our demo, though.

So if you are able to stay, that would be awesome. And we will go ahead with that.

John Strand

Very cool. All right. So once again, final disclaimer. We’re going to move into a product that is for sale. We like to separate those things out as much as possible. We just got done talking about free and open source things.

That’s Rita. Now we’re going to be talking about something that we’ve been working on for the better part of two years: Active Countermeasures, AI Hunter. And I have Paul on with me. Paul has been there from the beginning, when we first started talking about this a long, long, long time ago, and I convinced him to quit Tenable and start doing his own thing and come help us out.

And then Chris Brenton is also on. And Chris, because Paul and I are crazy in a thousand different directions, has really taken over and driven this thing and gotten it through.

And without Chris, it would not be here. But also on top of that, we have amazing developers. We have Ethan, we have Melissa, we have Joe, we have Lisa, we have Sam, we have Hannah. We have Ben Lebron.

I know I’m forgetting some people here, and I apologize profusely for that. But Lawrence would be in this category because he was there at the very beginning. So this has been a long, long time to get it to the point where we have a product that we can show you guys today.

Yes, it’s finally done. Now, Paul, you had a couple of things that you wanted to talk about. Do you want to talk about that now with AI Hunter, or do you want me just to do the demo and talk about it? Go ahead.

Paul Asadoorian

Well, I’d love to, because I’m so excited. So, earlier today, John and I were talking about the problem that we solve. And Chris, John and I have been having this kind of ongoing discussion in various capacities.

And I really think, well, first of all, I’m excited to get this in the hands of our tribe, so to speak, so that we can get feedback and really try to understand.

So what problems are we solving for you? What did you like? What didn’t you like? And I know Chris is very. And John are both very passionate about that as well. If I think about it seemingly as an outsider looking in, not staring over your shoulder every day as you do your work, I really think the problem is we rely on too many unreliable sources of security data.

Now, there’s a lot of other issues and problems that we talk about in our workplace, but I think it all hinges on this pedestal of we’re relying on way too many unreliable sources in order to make decisions in any given day.

And I think that when we rely on these unreliable sources, there’s, like, three other problems that it brings about. Like, we either don’t have the right skills to be able to use this data to make intelligent decisions.

We also run out of time, and we’re not able to parse through all of these different sources to get to the stuff that matters. And we run out of time. And then it’s the accuracy of that information that’s also problematic.

And I think that’s why John and I, and also Chris, created what we’ve created, because we’re frustrated with all of the different solutions. I mean, I tend to put them into buckets, such as logs, network data, threat intelligence, and endpoints.

And we all can get varying levels of information from all those sources. But if the three of us, John, Chris, myself, had to pick one, I think that source would be the network.

And if we had to look for something, I think it would be stuff that’s already been compromised. And if we have even just that one reliable source that we can make decisions on, it makes your job so much easier.

So let’s. John, Chris, I don’t know if you want to kind of chime in on any of those points.

John Strand

Chris, I’ll throw it over to you before I start doing the walkthrough.

Chris Brenton

Yeah. The biggest thing for me is it’s got to be easy enough for a junior analyst to do it. I’ve run a couple of shops, and inevitably what you run into is you have one, maybe two guru type folks that you can cut loose on a problem to really run it to ground.

But if they can’t document it and automate it and make it simple enough for a junior analyst to take it on, it isn’t going to happen on a regular basis. So, I mean, that was one of the things that really excited me about this the most, was that I looked at this as something that, wow, this is something you could give to the average security person.

Not a Paul, not a John, not somebody who lives and breathes this, but somebody who just does it as a job, and they’re going to actually be able to be effective at figuring out what’s going on.

John Strand

Yep. All right, guys, are we ready?

Chris Brenton

Let’s do it.

Paul Asadoorian

Let’s do it.

John Strand

So I want to go over a couple of different deployment options when we’re talking about how this integrates with Rita and Bro. As I said, Rita is the engine; it generates the database. AI Hunter is the visualization platform.

You can do it all on one system, or you can do Bro and Rita on one system and AI Hunter on another system. We have an install script, and I think, Sierra, the video of the install instructions is live.

Sierra Ward

Yes, it’s at the. I will get a link for you.

John Strand

Okay, very good. And I’m just going to say this: more memory is always a good idea. We’re doing large scale data analytics. Memory is your friend. So are CPU cores as well.

So all in one, you would install Bro, Rita, and AI Hunter. Now, for most organizations, I would not recommend this build. And the reason why is if you do it all in one, you start to get into some resource issues.

With Rita doing its analytics and AI Hunter trying to be the front end and shared, it can create issues. But this particular deployment works great if you’re a consultant. If you’re a consultant and you sniff data for 24 hours with Bro, and then you have Rita do the analytics, and then you use AI Hunter, that works great for you.

So if you’re a consultant, you’re traveling around and you’re just doing these one-offs, then this particular approach would work for you. The vast majority of the approaches will look like this. It’ll be pre network address translation.

We’re going to have Bro and Rita, which are free, and the install script will automatically install Bro and Rita for you on one system. And then it shovels the data once a day over to AI Hunter, which visualizes that data and makes it a lot easier for you to actually parse through it as well.

So I want to show you guys what it looks like right here. So this is a demo system that I’ve been playing with. So if I can move the GoToWebinar thing, which is currently in the way of me being able to access this, get it out of the way.

So we start out and we can click the little gears, and these are the data sets that are loaded now. Whenever Rita and Bro run, they’re going to kick off datasets with different, very unique names.

We have names that are very specific for us to do demonstrations. So the first one I want to do is VSAgent. I’ve got that selected, and I can go to beacons, and I want to show you what a beacon actually looks like on the wire, and how it’s pretty easy to identify a beacon that’s happening on a network.

So in this situation, the first thing that should draw your attention is at the bottom we have a whole bunch of connections that are happening over a 24-hour period. And on the bottom we have the time, and on the left hand side we have the connections.

That very flat histogram is a very strong indicator of a consistent heartbeat happening in an environment. I can also change the fidelity of it from hourly to 30 minutes to 15 minutes to five minutes, and it’ll basically show you that type of resolution.

The other thing is over here we have the intervals. All right, so ten-second intervals. We have almost 8000 connections that happen at a very consistent heartbeat or interval.

There were a few that were over here at 11 seconds. As we talked about, that cluster pattern isn’t always accurate. That’s why k-means clustering is so valuable, because it allows for a little bit of wiggle room.

Now the chart that’s in the middle is the timestamp interval. It shows you the dispersion, the skew, the duration and the data size. The closer it gets all the way around, the more perfect that beacon in terms of dispersion or skew or duration or data size actually is.

But we can also go a little bit further. Instead of just looking at it in timestamp interval, we can also flip it around and we can look at it in data size. Now we look at it in data size. The time still shows on the bottom and the connection count shows on the bottom.

But this upper right hand quadrant changes instead. It shows you what the number of bytes that were sent was. And you can see that we have a very consistent graph here: over 8000 connections that were made, and they all had the exact same data size.

So that is a very clean indication to find a beacon in your network. And VSAgent is a really good beacon for that. Now I also want to show, before I do, Chris, am I missing anything on beaconing with VSAgent before I move on to DNS?

Chris Brenton

So actually from a manager’s perspective, who wants to be able to, like, automate this with my team? You missed my number one, which is the IP address list on the left. That’s your action item list.

So start at the top, start working your way down.

John Strand

Oh, and that brings up another good point. So this one, without question, is malware. This guy right here, this 10.234.234.101, that’s still going to my DigitalOcean system.

We have one that’s going to Microsoft. Now Microsoft will look like a beacon from time to time. And let’s say you just want to filter out all Microsoft traffic, because updates can kind of look like beacons.

Well, you can just simply hit the plus and you can whitelist out that range, that CIDR range, or you can whitelist out the ASN and the organization as well. So remember I talked about filtering things out and kind of setting it up to the point where you can go through, and this gets faster and faster each time, but the first time is kind of house cleaning.

Yes, you can go through and filter out certain things that are whitelisted. So we’ll see a lot of, like, syslog traffic leaving an environment. One of the ones that we see every, every time are security appliances.

You’ll have, like, your email filter. Every single time your email filter is reviewing an email, it’s going to do a validation on an IP address. And that IP address may be evil.

It’s going to be checking for updates. So you’re going to want to be able to filter out those IP addresses on the inside of the network and possibly on the outside of the network. So yes, you have your action item list on the left hand side, and it makes it very easy to say, well, this is Microsoft and we want to whitelist this and I don’t want to see it anymore, because I want to focus on the systems that are actual bad guys, like this DigitalOcean VSAgent computer system.

Cool. Did I hit that right, Chris?

Chris Brenton

Yeah, you did. Just, there’s also the sort option for the list of IPs, but the biggest one is which IP addresses are most likely to be evil within my environment, which is the default sort option.

Just start at the top of the list, work your way down and start sorting.

John Strand

So we allow you to sort on the overall score, the dispersion. Remember I talked about that bell curve, right? And we also can sort on duration and interval and data size.

So all the things that we were talking about that you need to review, you can actually sort it and then relook at your IP addresses in completely different ways. And this gets into something that Paul talks about all the time.

Whenever we’re trying to look at artificial intelligence right now, everyone wants artificial intelligence to do their job for them. What we can do is we can couple artificial intelligence algorithms, do good data visualization, and couple that with a human being.

As Chris mentioned, a junior analyst can now look at this data. And to write a script that would be able to find beaconing, look at the data size, sort out all of the systems based on data size and beaconing out of Bro logs for a 24-hour period.

That’s someone that’s very, very advanced in their skill set. This is something you can put in front of an analyst and they can start using it right away. All right, so let’s move on to another data set.

dnscat is always one of our favorites. So load dnscat and dnscat. If I go to the DNS data, it’s the nanobot ninja example that I talked about earlier, that we have 30,000 subdomains associated with it.

Now the reason why tools like dnscat are really difficult to detect, I’m going to jump over to blacklisted here real quick, is they don’t use quote unquote known evil IP addresses.

So in this situation we have an IP address of 8.8.8.8. That’s Google’s DNS server, right? That’s not evil in most situations. Now we actually put it down as a blacklisted server because you shouldn’t have your internal workstations connecting to Google’s DNS server every day.

That really just shouldn’t happen. They should be going through the domain controller, through properly vetted DNS servers in order to get resolution for host names online.

And in this situation you can see that we have 1201 unique connections, and the number of bytes transferred is a lot. I don’t quite know what that number is, but it’s a lot of data that was transferred in this particular scenario.

So let me go back and I want to show you the last one. I got super excited when this happened. GCAT is a backdoor that we wrote at Black Hills Information Security that uses Google mail as its command and control server.

So in this data set, we let it run with a whole bunch of other servers, a whole bunch of other systems that were connecting out. Here we have Amazon. I haven’t filtered out the whitelist for, like, Amazon and Microsoft, but it did pick up GCAT as one of the top beaconers.

Now why is this cool and why should you care? Well, when GCAT was first written and eventually taken over by byt3bl33d3r, we discovered that almost every single security appliance on the face of the planet completely ignores anything that’s going to Google.

And that starts to make sense the more you think about it. Because if you’re trying to look for command and control, you’re looking for command line arguments. That means you’re watching Google for command line arguments. That means every time a systems administrator or security professional tries to google a command line argument, an alert is going to go off.

So it’s best just to ignore Google. If you start watching Gmail traffic going back and forth. Well, there’s a lot of email traffic in organizations over Gmail, and that’s going to incur a high penalty.

So most organizations just flat out ignore everything that’s going to Google. So we use a backdoor that does that. Now, I was really, really shocked, because we didn’t know how AI Hunter and Rita would do with Google backdoors for Gmail.

And lo and behold, it actually worked. So here we have a connection count. We have the number of seconds. It’s a very, very tight connection pattern. We have when these connections happened down here at the bottom.

But notice it’s not absolutely perfect. It’s close to perfect. It’s 98.79, but it’s not absolutely perfect. But it was high enough to be one of the systems, as Chris mentioned, on your action item list to look into.

But if we flip it to data size, the data size is very, very consistent with the number of bytes that are being sent to Google and the number of connections that were being made. So, as I mentioned, when we first created Rita and then we created AI Hunter, the goal was to create something that could detect the backdoors that we use all the time in our penetration tests, but do it in such a way that it’s not signature based in its detection, because, as Paul mentioned with the trust statement at the beginning of the problem, if we put too much trust into automation, we put too much trust into that single pane of glass.

Well, that’s chasing the magic unicorn we’ve been chasing for 20 years in this industry. It hasn’t happened. Where instead, we can come up with a product where a junior analyst can look at data and make a determination about what’s going on in an environment, whether it needs to be investigated further or not.

And we think that that’s a lot more powerful. So we’re taking that curve, the amount of knowledge that you need to have for, like, scripting data analytics databases, and we’re trying to make it so it’s visualized easily.

And a lot of the artificial intelligence using k-means clustering in Rita is already done. So we’re moving that junior analyst up the curve where they can start hunting effectively without having to go to a class that’s a week long, and then spend the next two, three months learning all the stuff in that class, and then spend the next year trying to get efficient at scripting.

That doesn’t mean that there’s not value in that. There’s a tremendous amount of value in that. But right now, we have a skill shortage in this industry, and we’re trying to find good people, and there’s only so many people that have those amazing skills to go around.

This allows the more junior analysts to be effective in their job as network based threat hunters. So I wanted to say once again, thank you so much for coming.

And if I go to Active Countermeasures, I want to walk through the website.

Chris Brenton

Can I just toss in one more thing, Joe? So one thing I do want to point out is that as you’re going through and you’re looking at these systems that could potentially be beaconing, not once are you mentioning source operating system.

In other words, when we’ve dealt with this in the past, you’re usually tied to, like, oh yeah, you can find it on Windows, but we don’t have an agent for the Mac, or we don’t have an agent for your hardware appliance or Linux or whatever.

One of the nice things about going to this at a network level is this could be a Cisco router that’s been compromised, that’s beaconing out, where there’s no software that would help you find it on the box itself.

But by looking at the network, these patterns stick out like a sore thumb.

John Strand

I love that analogy of not needing to have an agent. Right. Because there’s all these different plugins that, if you got your IoT device, well, we’ve got plugins for that. Well, the plugin doesn’t install on this particular IoT device or that operating system.

And as Paul mentioned at the beginning, the network doesn’t lie. Well, it can lie, but it’s not like we’re relying on it.

Chris Brenton

Yeah. My first thought was when Paul compromises your refrigerator, you’ll be able to catch it with this.

John Strand

Well, it sucks because he has the same refrigerator and I’ll be able to. That’s a whole. And what we have going on.

Sierra Ward

We have some questions.

John Strand

Yeah, we have some questions. Go ahead.

Sierra Ward

Okay, so Carrot says, where is the metadata pulling from for the destination IPs?

John Strand

So the metadata, it’s interesting. What the metadata does is we take the Bro logs, and the destination IP addresses are in those. But if we actually look at what Bro logs look like, let me go back to our presentation.

Bro logs look like this. Okay. So that is where the raw source is going to come from. This is a DNS log from Bro. And you can see that we have an internal IP address.

That’s basically doing resolution. We have 10.234.234.105 connecting out to 8.8.8.8. That’s Google’s DNS server, to do resolution for cat.nanobot.ninja.

So that’s where the actual raw data comes from. But then we filter that out through Rita. So it’ll actually do the counts, it’ll actually do the analytics, it’ll do the k-means clustering. And then we sync up the Rita raw output and the Bro logs to AI Hunter so we can actually query that data for you and have it up in the Mongo database with AI Hunter.

Sierra Ward

Cool. And Michael says, can AI Hunter be installed on a cloud system that will receive data from multiple other systems located on a customer platform?

John Strand

Yes, it can, absolutely. But this gets back into the sizing issue when you’re having more Rita instances show up, and what it’s going to look like is like this. So if you have multiple Rita instances feeding data into an AI Hunter instance, you’re actually going to see their data sets show up here as separate, discrete data sets.

So yes, you can actually have multiple Rita instances where you install the agent and drop it. That’s data upload. If you want to install the agent on multiple Rita instances, you can.

And then also the install script can handle that as well. So yes, you can do that, but make sure that your AI Hunter system actually has enough resources to handle those Rita servers.

Submitting. This is the old demo server. Sierra’s chewing my butt because it says offensive countermeasures. So I did the demo of how to install. Okay, so I did the demo this morning.

Sierra Ward

It’s not available right now. We had some problems with it, but we will remake it this afternoon and put it up.

John Strand

No, the video.

Sierra Ward

No, there were some problems with it.

John Strand

So anyway, I had problems with the video. I got to redo it all over again.

Sierra Ward

Yes, you do. Sorry.

John Strand

Oh, okay. Anyway, she’s moving right along.

Sierra Ward

Other questions? Sorry, filtering through them. Ian asks, will this be able to link with Security Onion Bro data?

John Strand

Yes, you can actually take the Bro data directly out of Security Onion, sync it over to Rita, it’ll do the analysis, and then feed it up to AI Hunter.

Sierra Ward

And Tim asks, can you see the contents of the packets in the UI?

John Strand

No, you can’t. And there’s a couple of reasons why we went away from that. If we actually got down into raw packet contents, the vast majority of times, whenever you’re looking at raw packet data and backdoors, it’s encrypted.

So there’s been less and less utility in that particular vein for a long time. And as Chris mentioned, we’re trying to get this in the hands of analysts that can actually use it, that wouldn’t even know what the packet data was.

So we’re looking at the behavioral analysis, not the raw packets, looking for signatures.

Sierra Ward

Someone clarified, the demo is there. It’s the installation.

John Strand

The installation video. I had to go check. I’m like, okay, my videos are still there. It’s just the one that I did this morning at 03:00 a.m. Yeah, okay.

Sierra Ward

It was 03:00 a.m. So, okay. Is there any reporting in AI Hunter right now?

John Strand

No. And that’s one of the things, as Paul mentioned at the beginning, we want people to tell us what you want next, and if you want reporting, yes. We had a lot of conversations about how we want that to go.

Chris had some good ideas about integrating with Slack. So you can basically give it a Slack channel that it can just dump the information directly into. So your SOC can actually work within Slack. So, if you have it, let us know what you want to do.

We’re a very small, very agile team. We’ll start moving whatever directions our customers ask us to do.

Sierra Ward

Okay, Garrett wanted some clarification. So, the destination IPs are coming from Bro, but where is the ASN and.

John Strand

CIDR range coming from? Oh, that’s a completely different. We’re actually downloading the ASN.

Sierra Ward

I didn’t ask it.

John Strand

Right. Yeah, that’s okay. So all that information is coming from the Internet. There’s a whole bunch of places online where you can download the ASNs and where they are currently. Like, MaxMind has it. There’s tons of places where you can get the published ASN network ranges and organizations that have that data.

So, yes, all that’s coming from, like, the ASN. I think that gets updated, like, two, three times a week, ASN responsibilities. So we’re downloading that, and then we’re cross referencing it with the data that we get from Bro, and all that’s happening in the background.

Sierra Ward

And David was clarifying. So if he has Bro and Rita, does he get all this functionality? But this is just a more technical aspect of that.

John Strand

Bro and Rita will get you this. So Bro and Rita will get you this back end and kind of this basic front end that we have here. This is Bro, this is Rita.

And this is the 504 VM that I showed you. This is what you get now. You can take that raw data and you can actually export it into an access database and you can do your own pivot views. With AI Hunter, this front end that we have, this is what we’re actually charging for.

The views and the quick ability to pull up beacons and analytics and stuff. So Rita itself, like I mentioned, will always be free. But AI Hunter with the front end, the graphics, the visualizations, this is what we’re actually charging for.

Sierra Ward

Okay. And okay, so then Michael has another question. Is the pricing per install, or can it be bought once and installed many times?

John Strand

Right now what it is is you can install it as many times as you want, so you can have multiple. And let me explain why we did it that way. Okay, so Rita, like, if you look at a lot of security appliance vendors that are out there, they send you a device, and if you want to do something, you got to install this device in a certain location.

And if you want to have multiple locations, you got to buy multiple devices. However, what we’re trying to do is more like the Snort/Sourcefire model. You have Rita as a core engine, and you can install that wherever you want it to go.

And AI Hunter is the nice visualization that really cuts down the amount of time that you have to spend on a hunt. So yes, Rita will be free, install it in lots of places and then link it up with AI Hunter, which you can deploy in the cloud or you can deploy locally.

Sierra Ward

And David says, are there any plans to make this something that can ingest other vendor IDS at this point?

John Strand

No, because I went down that road and I had multiple developers start up varying addictions to various alcoholic beverages. So it’s not an issue of just import Cisco; you got to import Cisco IOS, each point version, and then you got Cisco Firepower and all their versions.

And then we had issues with Palo Alto, where it started logging at the beginning of a session for half the day, and then it started logging the session time at the end of the session. It was an absolute nightmare.

I do know that Chris and Bill Stearns are currently looking at how we can actually hook into SIEMs and pull different NetFlow data from other vendors that is more consistent. But that’s a stepping stone, right?

Right now, this is a tactical tool that your team can use. And we’ve got it priced as such. If you honestly look at the price associated with this, it’s actually cheaper than the task you would spend on a lot of the other products that are out there right now.

Sierra Ward

So then there’s some questions about the pricing, so I guess we’ll go into those.

John Strand

Yep.

Sierra Ward

Duran says, is the support and subscription add on an annual subscription, or is it a one time purchase?

John Strand

The support and subscription is an annual subscription. So you got the one time fee of 4999. And then as we come up with updates and people are like, yes, I want to have reporting, great, that’s now added. I want to have additional features added into it.

As we start releasing each individual release, that support subscription gets you access to all of those updates for a year, for 1999. Then on top of it, next year, if we keep on coming up with, like, new versions, this is what you will pay for ongoing maintenance per year.

Sierra Ward

And Tony has the question, are there any license issues for data size processed per day?

John Strand

No, we tried to go down that path, and Paul may want to speak to this. He also may not want to speak to this, because this is something that we were wrestling with. A lot of vendors right now will say, okay, this is all in the cloud.

If you have 19 gigs of data, we’re going to charge you a bazillion dollars for the product. No, that was kind of a rough model to go down, because of tracking and analytics, looking into people’s data sets, pulling all that telemetry back in, it started making us feel really, really uncomfortable.

Now when you start increasing the data, the most important thing is make sure that your server can actually support it as well. And it’s already hard enough for people to get hardware and things in place in their environment.

We didn’t want to add in some kind of weird data pricing tier on top of it as well.

Chris Brenton

Can I actually stress that one too, a little bit? So another part of this too for me is we’re not looking to splash this out there, cash out, buy a boat and be done.

So we’re not looking to price gouge customers as much as we can. One of the things that we’ve kind of talked about a lot is we have some ideas that we think are going to make people’s lives much easier in security.

We want to execute on those. Sometimes it takes a little bit of money to make sure you can maintain a proper development team and a support team in order to be able to get that stuff done. So when you start looking at the pricing, we want to be able to grow this, we want to be able to do cool things with it.

We’re not looking to empty everybody’s wallet with stuff like charging extra for, I want to have three Rita systems instead of just one.

We’re not going to charge for that. We’re just not going down that road.

Sierra Ward

Well, Tim M. asks, does AI Hunter preserve the state of the Bro logs for manual analysis?

John Strand

It’s actually loaded up into the Mongo database. So it is there, and it’s not destructive. So if you want to go back to Rita and go to the system that has the Bro logs, the Bro logs are still there.

Sierra Ward

There’s been a lot of comments from people that say, like, this is a totally reasonable price, and they think that maybe this is a typo because this seems too good to be true. That’s right, guys.

John Strand

Yeah, we fought over the price for quite a while, and as Chris mentioned, look, we’ve got a lot we want to do. And Paul will talk to this, too. We got a lot of places we want to go. There’s a bunch more things like, look, Chris shut me down at some point.

I have a lot more things that I wanted to do.

Sierra Ward

Can’t do all the things.

John Strand

Can’t do all the things. And we had to start somewhere. And this is basically going to get it towards inexpensive enough for teams to start using it, get value out of it. And then we can start funding, moving forward with adding in additional features.

Because right now, we’ve been funding this for two years now, and we need to get some funding coming in, and then we can start doing those cool things and start with a reasonable price for people to work with and keep adding in awesome features.

Chris Brenton

And also, if you’re in security and you’re good at programming, we may be looking to ramp up soon.

Sierra Ward

You’re going to get like 50 resumes.

John Strand

Yep. Yep. Right now, which is fine.

Chris Brenton

Chris at activecloud countermeasures.com. Go for it.

Sierra Ward

Okay, so a couple more questions. David says, do you provide assistance with installing Rita and Bro as well, if needed?

John Strand

Yeah. The user guide actually walks you through step by step, exactly what you should do. And soon we’ll have a video. I think I just found out what the problem was, but we’ll have a video up that does full walkthroughs.

It’s literally downloading, unzipping a file, and then running an installer. It’s a pretty easy process, all told. But yes, if somebody has any problems, if they can’t get it with the video or they can’t get it with the instructions,

Shoot us an email. I think it’s supportivecountermeasures.com and we can assist.

Sierra Ward

Are there any trial demo versions so that we can play with it?

John Strand

Right now all the demos are the videos that we have right here. And also the way that we have it set up is you can basically download it and run it. We aren’t trying to tie it to any type of licensing keys or anything at all at the moment.

So the best thing that I could say is Rita is free. As far as the backend stuff and all the stuff that we’re doing there, it is absolutely free. And you can use that if you want to.

Otherwise, we have the demo videos, the walkthrough videos, the install instructions will be up by the close of business today. So we’ve got a lot of places for people to get information.

Sierra Ward

Matthew says things move slow and we might run out of time on this discount code. Are there any plans for an ongoing educational institution discount?

John Strand

Now, with this discount code, I think we’re planning on having it up for a month. Right. So if you need it longer than that, I would say just contact us out of band and we can definitely work something out.

We’re not a big company that’s been running this stuff for years and we’re like, yes, absolutely, we’ve got discount codes for GSA ratings and all this stuff. But if you need it and you’re an educational institution, nonprofit, just shoot us an email and we’ll work something out.

Sierra Ward

So David says, so you basically have to get enterprise to accept Bro and Rita in order to use AI Hunter.

John Strand

Well, Bro and Rita are free.

Sierra Ward

But what if you have pushback from getting that approved?

John Strand

If you have pushback for getting that approved for those two, then basically you can bundle it on top of it, whenever people buy security appliances. Let’s say an organization says we don’t allow Linux, but then you get a security appliance and it’s running Linux underneath.

It’s like, well, that’s okay. So if you’re trying to get approval, just basically say, hey, this is what’s running underneath the hood for AI Hunter, and work it that way instead. It all depends on how you need to sell it to management.

You show them a really glossy front end like this, and you’re like, yes, this does beaconing, it does all of these things. This makes them feel warm and fuzzy, whereas maybe Bro, and showing the command lines and things like this, makes them feel uncomfortable.

So whatever it takes to actually get there. But more often than not, whenever people find that there’s things running underneath the hood, like tcpdump or Bro or Rita, they don’t really care what’s in the sausage or how it’s made.

They want to have something that’s actually functional at the end of the day.

Chris Brenton

Well, usually the pushback has to do with support. The biggest concern with open source is usually I can’t call somebody and get some help. Whereas if Bro or Rita is not working, we’re going to help you, because that means AI Hunter is not working either.

John Strand

Yes, that’s a good point.

Sierra Ward

And Tony does ask what kind of support is available for the enterprise environment.

John Strand

For the enterprise environment, basically ongoing updates, number one. And then number two, if you guys have any issues, shoot us an email and we’ll help you out.

Sierra Ward

We are real people, guys, not like bots.

John Strand

You also will get the developers. That’s another thing. We don’t have a help desk team of people that barely got out of college and just got started with a computer. You send in a question, it’s going to come directly to the development team.

Chris Brenton

David, email support for now, but we’ll ramp that up pretty quickly.

John Strand

Yep.

Sierra Ward

Yeah, and we’re here. David says the control panel looks like a starship Enterprise. Managers will think you’re playing games and it will feel like you’re playing games.

John Strand

Well, and from that, the front end, whenever I was using just Rita, it is so pretty. Lisa and Joe did a fantastic job. Whenever I first started doing hunt teams with Rita and doing the analytics and kicking it out into, like, CSV, it would take me about a week to process through an entire hunt team for an environment.

With AI Hunter, I’ve been doing hunt teams on this front end for the past few months, and it drops it down to like a day, to half a day, for me to go through all of the interesting things, and that’s huge for me.

It makes us more effective in what we do and it also gets us to the more interesting stuff in the environment a lot faster.

Sierra Ward

Normal people would take it down for a month too. Okay, well, I think that we’re out of time. I hope we answered all of your questions. If we didn’t, you can email me sierrahs co and I will make sure that I forward that to whoever.

But thank you guys for attending and staying on for the demo, and hopefully you will try it out because it’s pretty awesome.

John Strand

Thank you so much, everybody. You have a great, great day.

Paul Asadoorian

Thanks, everyone.