Real Intelligence Threat Analysis
More About RITA
There is often a huge disconnect between what attackers are doing and what we as defenders are doing to detect them. There is currently a huge push to develop better and better Indicators of Compromise (IOC) or better threat intelligence.
If we sit back and think about these advancements in security, it becomes clear that we are still in the process of trying to build better and bigger blacklists. We are simply stuck believing we can somehow define evil away by building systems to find and neutralize it.
This will not work.
We continue to look for the easy button. We continue to seek out automation of our security infrastructure.
This will not work.
The reason these things will not work is because our defenses are static and accessible to all. All it takes is an adversary acquiring these technologies and figuring out how to bypass them before they sling a single packet at your network. This is one of the key reasons we worked so hard to develop better Active Defense approaches, but that will only go so far.
A newer development in security is Hunt Teaming. This is where an organization has a team of individuals who actively go looking for evil on a network. This takes some big assumptions on the part of the defenders. The first assumption is that security automation has failed somewhere. The second assumption is that the existing technologies will not be sufficient to find the bad guys.
But how can a team even begin approaching these issues? It requires a fundamental shift in how we approach detecting attacks.
Traditionally, this requires a set of simple signatures designed to detect evil. However, this can be very hard. For example, one of the tools by BHIS is called VSagent. It hides its Command and Control (C2) traffic in the __VIEWSTATE parameter, which is base64 encoded. Further, it beacons every 30 seconds.
Unfortunately, the ideas of this backdoor can be easily modified to bypass any simple signature you throw at it.
How then, exactly, can we approach malware like this? It requires us to not look at individual TCP streams, but rather look at the communication as it relates to much larger timeframes.
To help with this, we have released Real Intelligence Threat Analysis (RITA). We hope this is the beginning of a new framework for hunt teaming. There are a number of different frameworks for Pentesting like Metasploit, SET and Recon-ng. The idea of a framework is that it is extensible, and it allows people to continuously add additional modules to it. That is our goal.
Get it, it’s free.
The password for the ht user account is !templinpw!.
It is in OVA format so it should be pretty portable to other VM environments.
Let’s take a few moments and walk through the current modules in RITA.
First, to start RITA we just need to fire up the run.py script in the /home/ht/Documents/RITA directory.
Then, open a browser and surf to http://127.0.0.1:5000.
Next, we are going to enter an example customer. This is the example customer where the example data is stored on this VM:
Let’s first talk about the Beaconing module:
The Beaconing module will use Discrete Fast Fourier Transform (DFFT) to move the connections leaving your network from the time domain to a frequency domain.
When we think about events, we tend to think of events as a series in time. When we look at things in terms of first, second and third….
However, we can also look at time in terms of frequency. For example, if connections occur at regular intervals, they will show up very clearly as a peak in the DFFT output.
For example, when we run this module it will create graphs showing likely beaconing behavior.
The above graph shows a two second beacon. This means there is a detectable frequency of two second intervals between two hosts. This type of signature analysis is very difficult on standard security devices like IDS and IPS.
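To make the time-domain to frequency-domain idea concrete, here is an added example (not RITA's own code) that bins constructed connection start times into one-second buckets, runs a plain DFT over them, and reports the period of the strongest non-DC peak. The sample data, the 64 second window and the 0.5 strength threshold are all assumptions chosen for illustration; the strength score compares the peak to the DC term (the total connection count), so a pure beacon scores 1.0.

```python
import cmath

def bin_connections(timestamps, window_seconds, bin_seconds=1):
    """Time domain: count connection starts per bin across the window."""
    n_bins = int(window_seconds // bin_seconds)
    counts = [0] * n_bins
    for t in timestamps:
        idx = int(t // bin_seconds)
        if 0 <= idx < n_bins:
            counts[idx] += 1
    return counts

def dft_magnitudes(series):
    """Frequency domain: naive DFT, |X_k| for k = 0 .. N/2 (O(N^2), fine for small N)."""
    n = len(series)
    return [abs(sum(x * cmath.exp(-2j * cmath.pi * k * i / n)
                    for i, x in enumerate(series)))
            for k in range(n // 2 + 1)]

def dominant_period(series, bin_seconds=1):
    """Return (period_seconds, strength) for the strongest non-DC frequency.
    A regular beacon is an impulse train, so its harmonics (2f, 3f, ...) are as
    tall as the fundamental; we take the lowest k that is within 1% of the peak
    so the reported period is the true interval, not a fraction of it."""
    mags = dft_magnitudes(series)
    peak = max(mags[1:])
    k = next(i for i in range(1, len(mags)) if mags[i] >= 0.99 * peak)
    freq_hz = k / (len(series) * bin_seconds)
    return 1.0 / freq_hz, peak / (mags[0] or 1.0)

def looks_like_beacon(timestamps, window_seconds, min_strength=0.5):
    """Flag a host pair whose connection timing is dominated by one frequency."""
    period, strength = dominant_period(bin_connections(timestamps, window_seconds))
    return strength >= min_strength, period, strength

# Constructed sample: one host beaconing every 2 s for 64 s, mixed with six
# unrelated connections to the same destination at irregular times.
BEACON_TIMES = [2.0 * i + 0.1 for i in range(32)]
NOISE_TIMES = [3.5, 7.2, 12.9, 25.1, 40.3, 50.7]
SAMPLE = sorted(BEACON_TIMES + NOISE_TIMES)

if __name__ == "__main__":
    flagged, period, strength = looks_like_beacon(SAMPLE, 64)
    print(f"beacon={flagged} period={period:.1f}s strength={strength:.2f}")
    # A 4 s beacon: the fundamental (k=16) is chosen over its harmonic (k=32).
    print(dominant_period(bin_connections([4.0 * i + 0.1 for i in range(16)], 64)))
```

The constructed noise lands on three odd and three even bins, so it does not inflate the 2 s peak; real traffic needs a longer window and a threshold tuned against your own baseline.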
But, we can go further. We can also look for systems connecting to blacklisted IP addresses, potential scanning behavior, long duration connections (good for data exfiltration), and accounts that have multiple concurrent logons to multiple systems.
The beautiful thing about RITA is that the data can be exported to the desktop and can also be visualized via Kibana.
For example, if you run the concurrent module…
It will run the module and load the data into Kibana for visualization.
To see the results, select the results tab at the top:
Please select the Last 15 minutes icon in the upper left corner.
Now, select Last 5 years:
Now, in the middle box, type “result_type=”.
It will show you some autocomplete options. Select result_type=concurrent.
This will show the systems with multiple concurrent connections:
As you can see above, the targetUserName of Fire_Phreak is logged on to multiple systems at the same time.
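The concurrent module's finding above, an account logged on to several systems at once, comes down to finding overlapping logon sessions for the same targetUserName on different hosts. The following is an added example (not RITA's module) over a constructed set of logon events; the host, start and end field names and the timestamps are assumptions, and it deliberately does not flag a reconnect to the same host or two sessions that merely touch end-to-start.

```python
from collections import defaultdict
from datetime import datetime

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def concurrent_logons(events):
    """Return {user: [(host_a, host_b, overlap_start, overlap_end), ...]} for every
    pair of sessions by the same targetUserName on different hosts that overlap."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["targetUserName"]].append((parse(e["start"]), parse(e["end"]), e["host"]))
    findings = {}
    for user, sessions in by_user.items():
        sessions.sort()  # by start time, so the inner loop can stop early
        hits = []
        for i, (s1, e1, h1) in enumerate(sessions):
            for s2, e2, h2 in sessions[i + 1:]:
                if s2 >= e1:
                    break  # later sessions start even later: no overlap possible
                if h1 != h2:  # same-host overlap is a reconnect, not concurrency
                    hits.append((h1, h2, max(s1, s2), min(e1, e2)))
        if hits:
            findings[user] = hits
    return findings

# Constructed sample events (field names other than targetUserName are assumed).
EVENTS = [
    {"targetUserName": "Fire_Phreak", "host": "WS01", "start": "2016-05-01 09:00:00", "end": "2016-05-01 11:00:00"},
    {"targetUserName": "Fire_Phreak", "host": "WS07", "start": "2016-05-01 09:30:00", "end": "2016-05-01 10:15:00"},
    {"targetUserName": "Fire_Phreak", "host": "FS02", "start": "2016-05-01 12:00:00", "end": "2016-05-01 12:30:00"},
    {"targetUserName": "jdoe", "host": "WS03", "start": "2016-05-01 08:00:00", "end": "2016-05-01 09:00:00"},
    {"targetUserName": "jdoe", "host": "WS03", "start": "2016-05-01 08:30:00", "end": "2016-05-01 09:00:00"},
    {"targetUserName": "jdoe", "host": "WS04", "start": "2016-05-01 09:00:00", "end": "2016-05-01 10:00:00"},
]

if __name__ == "__main__":
    for user, hits in concurrent_logons(EVENTS).items():
        for h1, h2, start, end in hits:
            print(f"{user}: {h1} and {h2} concurrently from {start} to {end}")
```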
That should give you a first start with the RITA VM.
In the next installment, we will cover how to get your data loaded into it. We will also cover important topics such as how to change the screen resolution.
John Strand is the owner of BHIS. The RITA project is named after John’s mother, Rita Strand.
In memory of Rita Strand 1953-2016