This post is the first in a multi-part series called Advanced Methods to Detect Advanced Cyber Attacks. The series explores advanced investigative analytic searches that analyze network traffic and enable incident responders and security analysts to think and react as fast as the attackers targeting their organization’s network.
Today’s focus is on discovering beaconing behavior originating from a network. In the world of malware, beaconing is the practice of sending short and regular communications from an infected host to an attacker-controlled host to communicate that the infected host malware is alive, functioning, and ready for instructions. Beacons often originate from infected internal enterprise hosts (e.g. bots or zombies) and are sent to command and control (C2 or C&C) servers outside the enterprise network. This “phone home” communication strategy allows botnet administrators to automatically track, manage, and control hundreds of thousands of infected hosts.
Why is it useful to look for beaconing when one could just look for the malware itself? Well malware is not always so easy to find. Sophisticated malware is increasingly able to evade anti-virus, anti-malware, and endpoint protection software because the malware authors know how those scanners function. They can design around them and even check for the presence of these defense mechanisms before they start to perform any noisy activities or write any files on an infected host. So checking for malware on the machine is not enough — one must also look for network-related indications of malware infections.
Beaconing is one of the first network-related indications of a botnet or a peer-to-peer malware infection. Typically after malware gets a foothold on a host it quickly determines the host environment and calls out to its C2 infrastructure. The C2 infrastructure then determines what else should be transferred to and installed on that infected host. In some cases, it is a banking trojan that will steal bank account login credentials, and in other cases, it installs a distributed denial of service client that will help the botnet administrators launch large-scale attacks on targets.
The beaconing behavior search is particularly useful when applied to traffic types that by necessity are allowed by enterprise firewalls, such as HTTP (port 80), HTTPS (port 443), and DNS (port 53). If organizations want web browsing to function for employees then these communication channels must be open, and attackers take advantage of this by tunneling their beaconing through these service types. By applying the analytic to historic web and DNS traffic data an analyst can uncover slow beaconing behavior hidden within the network noise and spot malware infections before they can do any real damage.
An analytical search that detects beaconing must minimally take into account the following characteristics of a malware beacon:
- Beacon interval – is the malware beaconing every minute, hour, day, week?
- Observed beaconing frequency – within the interval how many beacons are broadcast?
- Persistence – what percentage of the time does the beacon fail to transmit or intentionally not transmit to be less predictable?
The search must also filter out common programs and network traffic that look like beacons but are actually innocent – these include some types of DNS traffic, regular software updates, and anti-virus definition updates. Analysts can exclude or whitelist these once in a pre-configured analytic search to eliminate false positives.
When analysts are able to spot beaconing behavior before the infected host can download additional tools, expose sensitive data, or launch attacks on other organizations, they can minimize the damage the malware is able to inflict. Once identified, they can quarantine the infected host, examine the malware, clean the machine, and add new firewall rules and signatures to automatically protect the organization from this newly-identified threat.
In Novetta Cyber Analytics, the Beacon analytic is one of many powerful searches that can reveal malicious behavior. As we move through the entire series we’ll cover more powerful analytics that detect and summarize network activity for analysts.