This post is the fifth of a multi-part series called Advanced Methods to Detect Advanced Cyber Attacks. The series explores advanced investigative analytic searches that analyze network traffic and enable incident responders and security analysts to think and react as fast as the attackers targeting their organization’s network. In today’s installment we cover the detection of covert communication channels created in breached networks by advanced attackers.
Network intrusions happen – there’s no way around it. If an organization is connected to the internet and has users that read email, view websites, and like to click on things (who doesn’t?), eventually an attacker will figure out a way to gain unauthorized access to one of its machines. Once the attacker has a solid, persistent foothold in the environment, they commonly set up hidden communication channels back to their supporting attack infrastructure. A network defender can’t prevent this without closing off all communication with the internet. So how can we instead understand how this communication is accomplished and detect the behavior before the attacker can cause damage?
In order to hide within the normal innocent chatter of an enterprise network, attackers set up backdoors and hidden access paths that give them direct access to compromised machines from remote systems. A popular technique is to tunnel communication through a common service port, such as port 80 (HTTP) or 53 (DNS), because these ports have to be allowed by firewalls and other network security devices for business-critical functions. The traffic that the attacker sends across these ports, however, is not HTTP or DNS traffic, but usually raw or encoded text. So in these cases the attacker is “abusing” the network protocol because ports 80 and 53 are reserved for HTTP and DNS, respectively, but the attacker is ignoring established internet communication standards.
Another, more advanced example of this abusive network behavior is custom encryption that does not adhere to the RC4-based SSL protocols; an example is reverse shell traffic encrypted with a custom RC4 scheme. A reverse shell is created when the victim machine (the server side of the shell in this case) opens a command prompt connection out to the attacking machine (the client). It is called a reverse shell because the normal direction is usually the opposite – the client would normally create a connection to the server. This is effective because firewalls typically focus on blocking incoming traffic and allow all outbound traffic. If an attacker manages to compromise a machine and start an encrypted reverse shell, especially on a common port (port 443 for SSL-encrypted web traffic), this activity often goes unnoticed. Now that we understand the common methods, how does a network defender look for this protocol abuse?
By monitoring network traffic and actively searching for this mismatch of protocol and port it is possible to quickly highlight protocol abuse. The analytical search needs a few critical pieces to be effective:
- An awareness of internet standards for protocol and port relationships – it must have a reference table of known common ports and their expected traffic types.
- A ground truth source of network traffic that starts from the as-observed packet capture of what actually went across the enterprise’s copper or fiber Ethernet.
- The ability to search through network traffic metadata extracted from the network traffic instead of having to comb through mountains of raw packet capture.
- The speed to query billions of indexed metadata database records to look for matching sessions that are guilty of protocol abuse.
This type of search is very effective at cutting through the noise and highlighting communications that should not exist in a normal enterprise network. And since it works at the metadata level without the need for heavy deep packet inspection, it is effective on even the largest networks in the world. When a network defender finds evidence of protocol abuse, the system can provide the as-observed network traffic for review and forensic analysis, supporting the wider investigation and incident response workflow.
As with other analytical searches, a few potential false positive scenarios need to be filtered out in advance. Benign types of activity such as plain HTTP over the HTTPS port 443 and streaming video protocols over web ports 80, 8080, and 443 can be whitelisted. So that’s how to find attackers abusing network protocols within an enterprise. Stay tuned for more powerful searches that can reveal malicious behavior as we move through this entire advanced analytics series.
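The search sketched above (a reference table of expected protocols per port, a lightweight classification of each session, and a whitelist for the benign mismatches just mentioned) can be written in a few dozen lines. The following Python is an added example, not code from the original post or from any product; the session records, IP addresses (RFC 5737 documentation ranges) and payload bytes are constructed for the demo, and the classifier rules (HTTP request line, TLS record header, DNS query header walk) are minimal heuristics of my own rather than a full protocol parser.

```python
"""Flag port/protocol mismatches ("protocol abuse") in session metadata.

Added example: constructed sessions and minimal classifier heuristics (assumptions).
"""
from dataclasses import dataclass

# Reference table of expected application protocols per well-known port.
# Assumption: a small subset of common assignments, enough for the demo.
EXPECTED_PROTOCOLS = {
    53: {"dns"},
    80: {"http"},
    443: {"tls"},
    8080: {"http"},
}

# (port, observed protocol) pairs treated as benign noise, per the post's
# false-positive discussion. Streaming-video protocols on web ports would be
# added here in the same way once the classifier can label them.
WHITELIST = {
    (443, "http"),
}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")


@dataclass
class Session:
    src: str
    dst: str
    dst_port: int
    first_bytes: bytes  # first client-to-server bytes, extracted from the capture


def looks_like_dns_query(b: bytes) -> bool:
    """Check a 12-byte DNS header (QR=0, one question) and walk the question name."""
    if len(b) < 17:
        return False
    flags = int.from_bytes(b[2:4], "big")
    qd, an, ns = (int.from_bytes(b[i:i + 2], "big") for i in (4, 6, 8))
    if flags & 0x8000 or qd != 1 or an != 0 or ns != 0:
        return False
    i = 12
    while True:  # labels are length-prefixed, max 63 bytes, terminated by 0x00
        if i >= len(b):
            return False
        length = b[i]
        if length == 0:
            i += 1
            break
        if length > 63:
            return False
        i += 1 + length
    if i + 4 > len(b):
        return False
    qclass = int.from_bytes(b[i + 2:i + 4], "big")
    return qclass in (1, 255)  # IN or ANY


def classify(first_bytes: bytes) -> str:
    """Label the session from its opening bytes; anything unrecognised is 'unknown'."""
    if first_bytes.startswith(HTTP_METHODS):
        return "http"
    # TLS record: content type 0x16 (handshake), version 0x03 0x00..0x04
    if len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03 \
            and first_bytes[2] <= 0x04:
        return "tls"
    if looks_like_dns_query(first_bytes):
        return "dns"
    return "unknown"


def find_protocol_abuse(sessions, expected=EXPECTED_PROTOCOLS, whitelist=WHITELIST):
    """Return the sessions whose observed protocol does not match the port's expectation."""
    hits = []
    for s in sessions:
        if s.dst_port not in expected:
            continue  # no reference entry for this port, nothing to compare against
        observed = classify(s.first_bytes)
        if observed in expected[s.dst_port] or (s.dst_port, observed) in whitelist:
            continue
        hits.append({"src": s.src, "dst": s.dst, "port": s.dst_port,
                     "observed": observed, "expected": sorted(expected[s.dst_port])})
    return hits


# Constructed sample sessions (not real traffic).
DNS_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
             b"\x07example\x03com\x00\x00\x01\x00\x01")
SAMPLE_SESSIONS = [
    Session("10.0.0.5", "192.0.2.10", 80, b"GET / HTTP/1.1\r\nHost: x\r\n"),   # normal web
    Session("10.0.0.5", "203.0.113.7", 80, b"aGVsbG8gd29ybGQ=\n"),             # encoded text on 80
    Session("10.0.0.9", "192.0.2.20", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00"),  # TLS ClientHello
    Session("10.0.0.9", "203.0.113.8", 443, b"\x9f\x1c\x44\x02\xe7\x31\x8a"),  # custom cipher on 443
    Session("10.0.0.12", "192.0.2.53", 53, DNS_QUERY),                         # normal DNS
    Session("10.0.0.12", "203.0.113.9", 53, b"cmd:whoami\n"),                  # raw text on 53
    Session("10.0.0.3", "192.0.2.30", 443, b"GET /x HTTP/1.1\r\n"),             # whitelisted
]

if __name__ == "__main__":
    for hit in find_protocol_abuse(SAMPLE_SESSIONS):
        print(hit)
```

Running the block lists the three constructed sessions that carry non-HTTP text on port 80, non-TLS bytes on port 443 and raw text on port 53, while the plain-HTTP-on-443 session is suppressed by the whitelist; in production the `first_bytes` field would come from the indexed metadata store rather than from inline constants.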
Read the next post in this series: RDP Keyboard Layout.