This post is the tenth and last of a multi-part series called Advanced Methods to Detect Advanced Cyber Attacks. The series explores advanced investigative analytic searches that analyze network traffic and enable incident responders and security analysts to think and react as fast as the attackers targeting their organization’s network.
In this final post, we’ll see a security solution capable of separating normal well-formed traffic from abnormal attacker traffic by looking at network data only. And we’ll see why that is useful.
Joe: Hey Bob, 10.217.145.233 is sending a lot of traffic on port 80.
Bob: So…web traffic. Why did that catch your eye?
Joe: According to our asset inventory that’s a back-up database server.
Bob: Oh. Maybe an admin console?
Joe: Maybe, but that wouldn’t generate this volume of traffic. Let’s take a peek at what’s being sent.
Bob: Ok I’ll run a traffic summary for that host.
Joe: Check that out. It’s not recognized as a valid service. It’s not HTTP or TLS — it’s unknown. Grab the packet capture for the most recent session.
Bob: Can do boss, one second.
Joe: See there — there are no HTTP headers. It’s either raw data or a strange unrecognized service. Contact the owner of that host and let’s run this down. This might quickly turn into an incident.
Just because traffic is on a well-known network port (e.g. port 80) doesn’t mean it’s the traffic type reserved for that port (e.g. HTTP). After attackers have gained access to a network by, for example, exploiting a software vulnerability or using stolen credentials, they frequently hide their activities by transferring raw data or using custom services on common open ports within a network.
In the example above, data was flooding out of a back-up database server over a network port reserved for web traffic, which in most cases would be abnormal activity. The attacker took advantage of the fact that for common services to function in an enterprise environment certain ports (80, 443, 53, etc.) must be allowed to pass through firewalls, which leaves open communication channels that malicious actors can abuse.
A common abuse technique is to first establish a foothold and then start interactive sessions from within the network and exfiltrate data out. Firewalls and other security controls typically allow traffic initiated by enterprise-controlled hosts and deny odd-looking requests initiated by external hosts. So following a breach of a back-up database server, for example, an attacker can start exfiltrating sensitive data across a port reserved for web traffic without anyone immediately noticing.
Because of this attack vector, a valuable tool in an analyst’s arsenal is the ability to look for abnormal traffic that isn’t recognized as any common service (HTTP, TLS, DNS, etc.), and then be able to review the headers of the traffic and the full packet capture. A quick traffic inspection by Joe and Bob above revealed that this outbound traffic on port 80 was not in fact web traffic, but either raw data or a custom service, such as a malware-specific communication protocol. By having the ability to spot these anomalies and quickly contain the incident, security analysts can greatly reduce the impact that attackers can have after a successful initial network security breach.
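The port/protocol mismatch check described above, as an added illustration that is not part of the original post or of the Novetta product: a small classifier that looks at the first bytes a client sent on a well-known port and labels the session HTTP, TLS or unknown, then reports hosts whose port-80 traffic is mostly unrecognized. The session records and payloads are constructed for the example; only the 10.217.145.233 address comes from the dialogue above.

```python
import re
from collections import defaultdict

# Well-formed HTTP request line: METHOD SP target SP HTTP/1.x CRLF
_REQ_LINE = re.compile(rb"^[A-Z]{3,7} \S+ HTTP/1\.[01]\r\n")

def classify_payload(data: bytes) -> str:
    """Classify the first bytes a client sent as 'http', 'tls' or 'unknown'."""
    # HTTP: request line plus a header block terminated by a blank line.
    if _REQ_LINE.match(data) and b"\r\n\r\n" in data:
        return "http"
    # TLS: handshake record (0x16), version 3.x, first message ClientHello (0x01).
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls"
    return "unknown"

def unknown_share(sessions, port=80):
    """Per source host, the share of bytes on `port` not recognised as a service."""
    unknown = defaultdict(int)
    total = defaultdict(int)
    for src, dst_port, payload in sessions:
        if dst_port != port:
            continue
        total[src] += len(payload)
        if classify_payload(payload) == "unknown":
            unknown[src] += len(payload)
    return {src: unknown[src] / total[src] for src in total}

def flag_hosts(sessions, port=80, threshold=0.5):
    """Hosts whose traffic on a well-known port is mostly not the expected protocol."""
    shares = unknown_share(sessions, port)
    return sorted(h for h, share in shares.items() if share >= threshold)

# Constructed sample sessions: (source host, destination port, first client bytes).
SAMPLE_SESSIONS = [
    ("10.217.145.10", 80, b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    ("10.217.145.10", 80, b"POST /login HTTP/1.1\r\nHost: intranet\r\nContent-Length: 8\r\n\r\nuser=bob"),
    ("10.217.145.10", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 50),
    # Backup DB server pushing raw bytes over port 80: no request line, no headers.
    ("10.217.145.233", 80, b"\x50\x4b\x03\x04" + bytes(range(256)) * 4),
    ("10.217.145.233", 80, b"GET /health HTTP/1.1\r\nHost: db-backup\r\n\r\n"),
]

if __name__ == "__main__":
    for src, port, payload in SAMPLE_SESSIONS:
        print(f"{src}:{port} -> {classify_payload(payload)}")
    print("hosts to review:", flag_hosts(SAMPLE_SESSIONS))
```

A real deployment would feed this from flow or packet-capture data; the threshold and byte-count weighting are choices, not a standard.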
Thanks for reading this final blog post in the advanced analytics series. If you missed any of the earlier posts, an index can be found on the series introduction page here.
Happy hunting! For more information, visit Novetta Cyber Analytics or watch 3 Hours vs 3 Days: Incident Response with Novetta Cyber Analytics.