Chris Haley - Understanding attackers' use of covert communications

Posted on 13-Apr-2017


© Vectra Networks | www.vectranetworks.com

The Use of Covert Communications in Modern Cyber Attacks

@vectra_networks

Chris Haley, Security Consultant, chaley@vectranetworks.com

Hidden Communications

Fundamental aspect of targeted attacks
• "Low and slow" doesn't exist without hidden comms
• Command and Control
• Exfiltration

Many ways to hide
• Attacker controls both ends of the connection
• Any application, protocol, or encryption is available

A closer look at the phases of an active cyber attack (phase diagram)

Targeted Threats: Initial Infection, Custom C&C & RAT, Internal Recon, Lateral Movement, Acquire Data, Exfiltrate Data, Custom C&C

Opportunistic Threats: Initial Infection, Standard C&C, Botnet Monetization

Focus on hidden communications (same phase diagram as the previous slide)

Targeted attackers don't reuse C&C servers … typically
• Use of Domain Generation Algorithms (DGA)
• Protocols: DNS, IRC, HTTP, HTTPS
• Dropbox, Google Drive, Gmail
• Reuse = Getting Caught

Requirements for detecting covert communications

Look at behavior, not appearance
• IP address, URL, protocol can change
• Fundamental behavior will not

Direct access to traffic
• To find what others miss, you must have access to the real evidence, not summaries

Expect obfuscation
• Hiding is the name of the game

Types of machine learning

Unsupervised Learning
• Software analyzes local traffic to learn "normal" behaviors
• Reveals anomalies that can only be learned in the target network
• Requires time to learn

Supervised Learning
• Analyze a massive set of samples to find the behaviors common to all
• Finds inherent behavior to provide detections with a long shelf-life
• Fast, no local learning required

Hiding within encryption

Threat hiding within encrypted traffic

More traffic is encrypted by default
• Standard for cloud applications
• Doubled last year in North America*

Decryption more difficult
• Serious performance trade-offs
• Increase in certificate pinning makes decryption less reliable

Simple hiding place for attackers
• Owns both sides of the connection
• Standard SSL or custom scheme

*Source: Sandvine Internet Phenomena Report

Poll Question #1: Do you decrypt your network traffic for security inspection today?
A. Yes, all traffic is decrypted
B. Some traffic is selectively decrypted by policy
C. No traffic is decrypted
D. I do not today but am planning to in the future


Summary of Vectra

While the individual man is an insoluble puzzle, in the aggregate he becomes a mathematical certainty

- Sherlock Holmes

Behavioral traffic analysis can find threats without decryption

Data science models applied directly to traffic reveal the underlying behavior
• Communication cadence
• Which side is in control of the conversation?
• Human or automated?

Learn the distinctive patterns of malicious traffic
• Command-and-control instructions
• External remote access
• Malware update, tunnels, anonymizers, etc.

Hidden Tunnels

Hidden tunnels

What are hidden tunnels?
• Techniques used by attackers to hide their malicious communications within commonly allowed traffic and protocols
• Commonly seen in HTTP, HTTPS, DNS
• Example: Data or control messages embedded in optional fields of a packet

Types of hidden tunnels

Hidden messages embedded across many sessions
• E.g. data embedded within the DNS text field
• Difficult for signatures to detect as the placement can constantly move
• Requires intelligence about the larger pattern of communication

Full tunnels over HTTP
• E.g. Meterpreter tunnel over HTTPS
• Hard to detect as visibility may be constricted
• Requires in-depth knowledge of protocol behavior
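The two DNS patterns the deck mentions (DGA-generated C&C domains on the earlier slide, and data spread across many DNS queries here) both show up in plain per-client and per-domain statistics over a query log, which is the "larger pattern of communication" a signature cannot see. The Python below is an added example, not code from the talk or from Vectra: the sample log is constructed, the registered domain is approximated as the last two labels (a real deployment would use the public suffix list), and the entropy, length and NXDOMAIN-ratio thresholds are illustrative assumptions.

```python
"""Added example: score a DNS query log for DGA-style C&C lookups and for
data tunnelled through DNS labels. Not Vectra code; sample log and
thresholds are constructed assumptions."""
import math
from collections import Counter, defaultdict

# Constructed sample log: (client_ip, query_name, record_type, response_code)
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com", "A", "NOERROR"),
    ("10.0.0.5", "mail.example.com", "A", "NOERROR"),
    ("10.0.0.5", "cdn.example.com", "A", "NOERROR"),
    # DGA-like client: random-looking second-level labels, mostly unresolvable
    ("10.0.0.7", "xk3qpv9wz2lt.com", "A", "NXDOMAIN"),
    ("10.0.0.7", "r8dj1mqzv0ab.net", "A", "NXDOMAIN"),
    ("10.0.0.7", "t2wq9xlz7pbm.org", "A", "NXDOMAIN"),
    ("10.0.0.7", "mb6vqzx1pk3d.com", "A", "NOERROR"),
    # tunnel-like client: long encoded labels under one parent, TXT lookups
    ("10.0.0.9", "3a7f9c0d1e2b4c5d6e7f8091a2b3c4d5e6f7.t.tunnel-example.net", "TXT", "NOERROR"),
    ("10.0.0.9", "8b1c2d3e4f5061728394a5b6c7d8e9f0a1b2.t.tunnel-example.net", "TXT", "NOERROR"),
    ("10.0.0.9", "c0ffee0123456789abcdef0123456789abcd.t.tunnel-example.net", "TXT", "NOERROR"),
    ("10.0.0.9", "deadbeef0011223344556677889900aabbcc.t.tunnel-example.net", "TXT", "NOERROR"),
]


def shannon_entropy(text):
    """Bits per character; random-looking labels score near log2(alphabet size)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def split_name(qname):
    """Return (subdomain_prefix, registered_domain).

    Assumption: the registered domain is the last two labels. A real
    deployment would consult the public suffix list (e.g. 'co.uk')."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def dga_suspects(queries, min_entropy=3.0, min_len=10, min_hits=3, min_nx_ratio=0.5):
    """Clients that repeatedly look up high-entropy registered domains and get
    NXDOMAIN for most of their queries: a DGA walking its candidate list until
    it reaches the one domain the attacker actually registered. The NXDOMAIN
    ratio matters: one random-looking domain that resolves is what a CDN or
    tracking domain looks like too, and is not evidence on its own."""
    hits, total, nxdomain = Counter(), Counter(), Counter()
    for client, qname, _qtype, rcode in queries:
        total[client] += 1
        if rcode == "NXDOMAIN":
            nxdomain[client] += 1
        second_level = split_name(qname)[1].split(".")[0]
        if len(second_level) >= min_len and shannon_entropy(second_level) >= min_entropy:
            hits[client] += 1
    return {c for c in hits
            if hits[c] >= min_hits and nxdomain[c] / total[c] >= min_nx_ratio}


def tunnel_suspects(queries, min_prefix_len=30, min_unique=3):
    """(client, registered_domain) pairs whose lookups carry long subdomain
    prefixes that never repeat: each query is a fresh chunk of encoded data,
    which is exactly why the 'placement' keeps moving from a signature's
    point of view."""
    prefixes = defaultdict(set)
    for client, qname, _qtype, _rcode in queries:
        prefix, parent = split_name(qname)
        if prefix:
            prefixes[(client, parent)].add(prefix)
    flagged = {}
    for key, seen in prefixes.items():
        avg_len = sum(len(p) for p in seen) / len(seen)
        if len(seen) >= min_unique and avg_len >= min_prefix_len:
            flagged[key] = {"unique_prefixes": len(seen), "avg_prefix_len": avg_len}
    return flagged


if __name__ == "__main__":
    print("DGA suspects:", dga_suspects(SAMPLE_QUERIES))
    for (client, domain), stats in tunnel_suspects(SAMPLE_QUERIES).items():
        print(f"tunnel suspect: {client} -> {domain} {stats}")
```

Run as a script it reports 10.0.0.7 as the DGA client and the (10.0.0.9, tunnel-example.net) pair as the tunnel. Note that the tunnel client's parent domain also scores as high-entropy, but it always resolves, so the NXDOMAIN ratio keeps it out of the DGA set; combining the two signals is what keeps the false-positive rate tolerable on real logs.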

Recent Vectra study of hidden tunnels
• Large-scale analysis of enterprise and government networks
• Data science detects hidden tunnels in HTTP, HTTPS, and DNS without decryption
• Attackers prefer the use of HTTPS

Hiding within allowed applications

Hiding within allowed applications
• Recently observed malware using Gmail as an automated C&C
• Used Microsoft COM to send Python commands directly through Internet Explorer
• Drafts automatically synced to the cloud, so C&C without mail ever being sent

Focus on what threats do, not what they are called

Trying to name all bad things only ensures that you are always behind
• Near-infinite supply of repackaged malware, IP addresses, and URLs

Vectra uses machine learning to expose the true purpose and effect of traffic

Malicious behaviors are similar across platforms
• Does it really matter if that port scanner is on a laptop or an iPhone?

It's what it does, not what it is

Command and control via Gmail
• Trusted application, trusted URL, trusted IP, allowed behavior
• No email ever sent

Communication behavior still looks like traditional botnet pulling behavior
• Unique pattern of call and response
• Bot completes a task and asks for next instructions

Poll Question #2: Of the allowed applications in your network, which ones do you think pose the greatest risk of a cyber attack?
A. Consumer cloud-based applications – Facebook, webmail, Dropbox, etc.
B. Enterprise cloud-based applications – file shares, CRM tools
C. On-premise applications and data stores
D. IT and admin tools

External Remote Access

External remote access
• Critical component of targeted attacks and breaches
• Shift from pure malware to human control and intelligence
• Can leverage malware or approved tools
  • RATs – Remote Access Tools
  • Administrative tools – RDP, VNC, TeamViewer

External remote access case study: GlassRAT
• Undetected for over 3 years
• Discovered by RSA Security
• Used a cert of a valid software company in China
• No AV coverage initially
• Rare overlaps with C&C servers used in nation-state attacks

Source: https://blogs.rsa.com/wp-content/uploads/2015/11/GlassRAT-final.pdf

External remote access case study: GlassRAT
• Highly successful at avoiding signatures
• Behavior still looked exactly like a RAT: similar to Netcat connected to a command shell over TCP
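The behavioural signals the deck keeps returning to (communication cadence, which side is in control, human or automated, the Gmail bot's call-and-response, and GlassRAT's "netcat connected to a shell" shape) can all be computed from one summary of a conversation, with no decryption and no knowledge of the application. The Python below is an added example and is not Vectra's model or code: the exchange records are constructed, and the coefficient-of-variation threshold and the "beacon" / "remote-access" labels are illustrative assumptions.

```python
"""Added example: label a conversation by cadence regularity, who speaks
first, and byte balance, rather than by IP, port or signature. Not Vectra
code; the records and thresholds are constructed assumptions."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed exchange records, one per request/response round trip:
# (time_s, internal_host, external_peer, who_spoke_first, bytes_from_internal, bytes_from_external)
SAMPLE_EXCHANGES = [
    # automated beacon: inside host checks in roughly every 60 s with a tiny message
    (0,   "10.0.0.7", "203.0.113.10", "internal", 180, 320),
    (60,  "10.0.0.7", "203.0.113.10", "internal", 180, 310),
    (121, "10.0.0.7", "203.0.113.10", "internal", 180, 330),
    (180, "10.0.0.7", "203.0.113.10", "internal", 180, 300),
    (240, "10.0.0.7", "203.0.113.10", "internal", 180, 320),
    (301, "10.0.0.7", "203.0.113.10", "internal", 180, 310),
    # external remote access: outside party sends short commands at a human pace,
    # inside host answers with much larger output (the netcat-to-shell shape)
    (0,   "10.0.0.9", "198.51.100.20", "external", 4200, 38),
    (7,   "10.0.0.9", "198.51.100.20", "external", 3100, 45),
    (45,  "10.0.0.9", "198.51.100.20", "external", 9800, 22),
    (52,  "10.0.0.9", "198.51.100.20", "external", 2700, 60),
    (130, "10.0.0.9", "198.51.100.20", "external", 5500, 31),
    (133, "10.0.0.9", "198.51.100.20", "external", 1200, 19),
    # ordinary browsing: inside host asks at irregular times and downloads a lot
    (0,   "10.0.0.5", "93.184.216.34", "internal", 600, 41000),
    (3,   "10.0.0.5", "93.184.216.34", "internal", 550, 12000),
    (4,   "10.0.0.5", "93.184.216.34", "internal", 610, 98000),
    (40,  "10.0.0.5", "93.184.216.34", "internal", 590, 7500),
    (41,  "10.0.0.5", "93.184.216.34", "internal", 600, 64000),
    (95,  "10.0.0.5", "93.184.216.34", "internal", 580, 22000),
]


def summarize(exchanges):
    """Per (internal, external) pair: cadence regularity as the coefficient
    of variation of the gaps between exchanges, who initiates, and byte balance."""
    groups = defaultdict(list)
    for rec in exchanges:
        groups[(rec[1], rec[2])].append(rec)
    summaries = {}
    for pair, recs in groups.items():
        recs.sort(key=lambda r: r[0])
        gaps = [b[0] - a[0] for a, b in zip(recs, recs[1:])]
        cv = pstdev(gaps) / mean(gaps) if len(gaps) >= 2 and mean(gaps) > 0 else float("inf")
        summaries[pair] = {
            "exchanges": len(recs),
            "cadence_cv": cv,
            "external_first_ratio": sum(r[3] == "external" for r in recs) / len(recs),
            "bytes_internal": sum(r[4] for r in recs),
            "bytes_external": sum(r[5] for r in recs),
        }
    return summaries


def classify(s, max_beacon_cv=0.15, min_exchanges=5):
    """A machine polls on a clock (low CV of the gaps); a human types at
    irregular intervals (high CV). Who speaks first and who sends the bulk of
    the bytes says which side is in control of the conversation."""
    if (s["exchanges"] >= min_exchanges and s["cadence_cv"] <= max_beacon_cv
            and s["external_first_ratio"] < 0.5):
        return "beacon"          # inside host polls on a schedule: the C&C pull pattern
    if s["external_first_ratio"] >= 0.5 and s["bytes_internal"] > s["bytes_external"]:
        return "remote-access"   # outside party drives, inside host answers: RAT / shell shape
    return "unremarkable"


def classify_all(exchanges):
    """Label every (internal, external) pair in the records."""
    return {pair: classify(s) for pair, s in summarize(exchanges).items()}


if __name__ == "__main__":
    for pair, label in classify_all(SAMPLE_EXCHANGES).items():
        print(pair, "->", label)
```

The same three features separate the Gmail-drafts bot from a person reading webmail: the bot's exchanges are small, clock-regular and initiated from inside, while the application, URL and IP are identical in both cases. On real traffic the thresholds must be learned per network, which is the "requires time to learn" cost of the unsupervised approach the deck describes.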

Anonymization

TOR and Peer-to-Peer
• Obscures the true source or destination of traffic
• Encrypted by default
• Heavily customized by attackers
  • Open-source TOR modified to create TOR-like networks that don't use known exit nodes
  • P2P heavily used by malware to resist takedown attempts

Finding staged communications

Identify when traffic is bounced through internal hosts
• Often used for exfiltration staging
• Routing command-and-control through an unsecured device
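The exfiltration-staging case above has a recognisable shape in flow records: an internal host receives data from several internal peers and later sends a comparable volume to an external address. The Python below is an added example, not Vectra code or its detection logic; the flow records are constructed, the enterprise range is assumed to be 10.0.0.0/8, and the byte, peer-count and ratio thresholds are illustrative assumptions. It covers the staging pattern only; the C&C-relay case on the same slide would need matching on small bidirectional exchanges instead.

```python
"""Added example: find an internal host that collects data from other
internal hosts and then forwards a comparable volume out of the network.
Not Vectra code; flows, address range and thresholds are assumptions."""
import ipaddress
from collections import defaultdict

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumption: the enterprise range

# Constructed flow records: (time_s, src_ip, dst_ip, bytes)
SAMPLE_FLOWS = [
    # three workstations push data to 10.0.0.50, which later sends it all out
    (0,    "10.0.0.21", "10.0.0.50", 3_000_000),
    (300,  "10.0.0.22", "10.0.0.50", 4_000_000),
    (600,  "10.0.0.23", "10.0.0.50", 2_000_000),
    (3600, "10.0.0.50", "198.51.100.77", 8_500_000),
    # file server: lots of internal inbound, only a small update check outbound
    (0,    "10.0.0.5",  "10.0.0.10", 20_000_000),
    (100,  "10.0.0.6",  "10.0.0.10", 15_000_000),
    (200,  "10.0.0.10", "93.184.216.34", 300_000),
    # backup host: large outbound, but nothing staged to it from internal peers
    (50,   "10.0.0.30", "203.0.113.5", 50_000_000),
]


def is_internal(ip):
    """True when the address is inside the assumed enterprise range."""
    return ipaddress.ip_address(ip) in INTERNAL_NET


def find_staging_hosts(flows, min_bytes=1_000_000, min_peers=2, ratio_tol=0.5):
    """Flag internal hosts where inbound bytes from at least min_peers
    internal sources are followed by outbound bytes to external peers of a
    similar size (outbound/inbound within ratio_tol of 1)."""
    inbound = defaultdict(int)    # host -> bytes received from internal peers
    peers = defaultdict(set)      # host -> distinct internal senders
    outbound = defaultdict(int)   # host -> bytes sent to external peers
    first_in, first_out = {}, {}
    for t, src, dst, size in sorted(flows, key=lambda f: f[0]):
        src_int, dst_int = is_internal(src), is_internal(dst)
        if src_int and dst_int:
            inbound[dst] += size
            peers[dst].add(src)
            first_in.setdefault(dst, t)
        elif src_int and not dst_int:
            outbound[src] += size
            first_out.setdefault(src, t)
    flagged = {}
    for host in inbound:
        if len(peers[host]) < min_peers or inbound[host] < min_bytes:
            continue
        if host not in first_out or outbound[host] < min_bytes:
            continue
        ratio = outbound[host] / inbound[host]
        # staging: collect first, then push a similar volume out
        if abs(1 - ratio) <= ratio_tol and first_in[host] < first_out[host]:
            flagged[host] = {"internal_peers": len(peers[host]),
                             "bytes_in": inbound[host],
                             "bytes_out": outbound[host],
                             "out_in_ratio": round(ratio, 3)}
    return flagged


if __name__ == "__main__":
    for host, stats in find_staging_hosts(SAMPLE_FLOWS).items():
        print(f"staging host {host}: {stats}")
```

The ordering check (internal inbound before external outbound) and the volume ratio are what separate a staging host from a file server that also fetches updates, or from a backup host that sends a lot out but never collected anything from peers; compression and encryption before exfiltration shrink the ratio, which is why the tolerance is wide.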

IoT Devices

Difficult to secure
• Typically easy to exploit
• Very infrequent updates
• Can't support an end-point agent

Valuable to attackers
• Vectra ThreatLabs recently turned a D-Link webcam into a functioning backdoor

Summary
• Hidden communications are the underlying enabler of modern attacks
• Control over both ends of a conversation gives attackers a variety of options for hiding
• Signatures are unsuited for finding these issues
• By focusing on the packet-level behavior, new detection models can reveal the malicious actions within trusted or opaque traffic.

Command & Control · Botnet Activity · Reconnaissance · Lateral Movement · Exfiltration
