This post is the second in a multi-part series called Advanced Methods to Detect Advanced Cyber Attacks. The series explores advanced investigative analytic searches that analyze network traffic and enable incident responders and security analysts to think and react as fast as the attackers targeting their organization’s network.
Joe: Hey Bob, were you in Belarus this morning?
Bob: Um…nope. Are you feeling ok?
Joe: So you didn’t, maybe, remote into the CRM server from a machine in Minsk?
Bob: Definitely not.
Joe: Maybe you forgot?
Joe: Ok then we have a problem.
While it is possible for an organization’s infrastructure to be managed from halfway across the world, in most current enterprise environments servers and workstations are serviced by administrators who can physically get to machines if required. They will connect to machines securely via console or remote desktop from their workstations for convenience, but will be able to go to the server room, data center, or user location if there is a hardware failure or serious networking issue to resolve.
What would it mean, then, if a security team found admin-like traffic between a local machine and a remote location many miles away? Theoretically it could mean an administrator is traveling, but that’s not very common and they would very likely go through a proper channel like a VPN first anyway. So the presence of this type of traffic is suspicious and usually worthy of immediate investigation.
To identify this category of traffic in near real time, one must combine what’s happening on the network (the admin traffic) with relevant external contextual information (physical locations of hosts). An analytic search like Distant Admin does this by finding network sessions between two endpoints where the following conditions are true:
- The service/application being used is administrative in nature, such as Remote Desktop Protocol (RDP) or Secure Shell (SSH).
- The endpoints are geographically far apart.
The analytic fuses network traffic metadata and IP-geolocation data to create intelligence that analysts can use to start investigations.
In Novetta Cyber Analytics, the Distant Admin analytic is typically configured in the following manner:
- Distance between hosts: >= 3000 miles (configurable)
- Total bytes transferred: >= 4KB (so we can focus on meaningful sessions, also configurable)
- Client and Server service: One of RDP, SSH, VNC, telnet, etc.
- Protocol: TCP (to remove any lingering UDP traffic related to DNS, NTP, etc.)
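The two conditions and the four configuration values above are enough to implement the analytic. The following is an added example, not Novetta Cyber Analytics code: a minimal Distant Admin search in Python over constructed session metadata. The session records, the geolocation table and the port-to-service mapping are all assumptions for this example; a real deployment would read flow metadata from its collector and query a GeoIP database, and would assign the organization's own site coordinates to internal RFC 1918 addresses, which have no public geolocation.

```python
from math import radians, sin, cos, asin, sqrt

# Administrative services named in the post, keyed by the usual server port
# (assumed mapping; a real collector would label the application directly).
ADMIN_SERVICES = {3389: "RDP", 22: "SSH", 5900: "VNC", 23: "telnet"}

# Default thresholds from the post.
MIN_DISTANCE_MILES = 3000
MIN_BYTES = 4 * 1024
EARTH_RADIUS_MILES = 3958.8

# Constructed geolocation table: IP -> (latitude, longitude, country code).
# Internal addresses are assigned the site's coordinates by hand (assumption).
GEO_TABLE = {
    "10.0.0.5":     (38.9072, -77.0369, "US"),  # internal CRM server, Washington DC
    "10.0.0.23":    (38.9072, -77.0369, "US"),  # internal admin workstation
    "203.0.113.7":  (53.9006,  27.5590, "BY"),  # external client, Minsk
    "198.51.100.9": (39.9526, -75.1652, "US"),  # external client, Philadelphia
}

# Constructed session metadata in the shape a flow collector would export.
SESSIONS = [
    {"src_ip": "203.0.113.7",  "dst_ip": "10.0.0.5", "dst_port": 3389, "proto": "TCP", "bytes": 183_400},
    {"src_ip": "10.0.0.23",    "dst_ip": "10.0.0.5", "dst_port": 3389, "proto": "TCP", "bytes": 52_000},
    {"src_ip": "198.51.100.9", "dst_ip": "10.0.0.5", "dst_port": 22,   "proto": "TCP", "bytes": 9_000},
    {"src_ip": "203.0.113.7",  "dst_ip": "10.0.0.5", "dst_port": 53,   "proto": "UDP", "bytes": 300},
    {"src_ip": "203.0.113.7",  "dst_ip": "10.0.0.5", "dst_port": 22,   "proto": "TCP", "bytes": 1_200},
]


def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in statute miles."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * asin(sqrt(a))


def distant_admin(sessions, geo=GEO_TABLE, min_miles=MIN_DISTANCE_MILES, min_bytes=MIN_BYTES):
    """Return (hits, unscored): sessions meeting every Distant Admin condition,
    and admin sessions that could not be scored because an endpoint has no
    geolocation (those deserve their own review rather than silent dropping)."""
    hits, unscored = [], []
    for s in sessions:
        if s["proto"] != "TCP":                 # drop lingering UDP (DNS, NTP, ...)
            continue
        service = ADMIN_SERVICES.get(s["dst_port"])
        if service is None:                     # not an administrative service
            continue
        if s["bytes"] < min_bytes:              # too small to be a meaningful session
            continue
        src, dst = geo.get(s["src_ip"]), geo.get(s["dst_ip"])
        if src is None or dst is None:          # no location: distance cannot be measured
            unscored.append(s)
            continue
        miles = haversine_miles(src[0], src[1], dst[0], dst[1])
        if miles < min_miles:
            continue
        hits.append({
            "service": service,
            "client_ip": s["src_ip"], "client_country": src[2],
            "client_lat": src[0], "client_lon": src[1],
            "server_ip": s["dst_ip"], "server_country": dst[2],
            "distance_miles": round(miles),
            "bytes": s["bytes"],
        })
    return hits, unscored


if __name__ == "__main__":
    found, skipped = distant_admin(SESSIONS)
    for h in found:
        print(f"{h['service']} from {h['client_ip']} ({h['client_country']}, "
              f"{h['client_lat']},{h['client_lon']}) to {h['server_ip']}: "
              f"{h['distance_miles']} miles, {h['bytes']} bytes")
    print(f"{len(skipped)} admin session(s) lacked geolocation")
```

Of the five constructed sessions only the first matches: the local RDP session fails the distance test, the Philadelphia SSH session is about 120 miles away, the UDP record is dropped by the protocol filter, and the 1.2 KB SSH session falls under the byte threshold. The hit carries the country and coordinates of the external client so an analyst has the context the post describes without a second lookup. Sessions whose endpoints have no geolocation are returned separately rather than discarded, since an unresolvable external address is itself worth a look.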
This search is very effective at highlighting traffic that doesn’t belong, and since it searches session metadata rather than raw packet capture, it can cover potentially billions of sessions in a short amount of time. Once a match is found, an incident responder or intrusion analyst can see what happened, to which internal host, from which external host in which country (with latitude and longitude details), and so quickly assemble the full picture and take action.
False positives for this analytic search are rare but possible. An admin connecting to a server to check something during a vacation can trigger these conditions, so some initial assessment and internal communication is necessary before a matching event is deemed an incident.
Stay tuned for more powerful searches that can reveal malicious behavior as we move through this entire advanced analytics series.
Read the next post in this series: HTTP(s) Exfiltration.
Visit the Series Intro to see a complete list of the analytics covered.