chris haley - understanding attackers' use of covert communications


Upload: centralohioissa

Post on 13-Apr-2017


TRANSCRIPT

Page 1: Chris Haley - Understanding Attackers' Use of Covert Communications

© Vectra Networks | www.vectranetworks.com

The Use of Covert Communications in Modern Cyber Attacks

@vectra_networks

CHRIS HALEY

SECURITY CONSULTANT, [email protected]

Page 2: Hidden Communications

Fundamental aspect of targeted attacks
• “Low and slow” doesn’t exist without hidden comms
• Command and Control
• Exfiltration

Many ways to hide
• Attacker controls both ends of the connection
• Any application, protocol, or encryption is available

Page 3: A closer look at the phases of an active cyber attack

[Diagram: attack phases for Targeted Threats versus Opportunistic Threats. Labels: Initial Infection, Standard C&C, Custom C&C & RAT, Custom C&C, Internal Recon, Lateral Movement, Acquire Data, Exfiltrate Data, Botnet Monetization]

Page 4: Focus on hidden communications

[Diagram: the attack-phase diagram repeated under the title “Focus on hidden communications”. Labels: Initial Infection, Standard C&C, Custom C&C & RAT, Custom C&C, Internal Recon, Lateral Movement, Acquire Data, Exfiltrate Data, Botnet Monetization]

Page 5:

Targeted attackers don’t reuse C&C servers … typically

Use of Domain Generation Algorithms (DGA)

Protocols: DNS, IRC, HTTP, HTTPS

Dropbox, Google Drive, Gmail

Reuse = Getting Caught

Page 6: Requirements for detecting covert communications

Look at behavior, not appearance
• IP address, URL, protocol can change
• Fundamental behavior will not

Direct access to traffic
• To find what others miss, you must have access to the real evidence, not summaries

Expect obfuscation
• Hiding is the name of the game

Page 7: Types of machine learning

Unsupervised Learning
• Software analyzes local traffic to learn “normal” behaviors
• Reveals anomalies that can only be learned in the target network
• Requires time to learn

Supervised Learning
• Analyze massive set of samples to find the behaviors common to all
• Finds inherent behavior to provide detections with a long shelf-life
• Fast, no local learning required

Page 8: Hiding within encryption

Page 9: Threat hiding within encrypted traffic

More traffic is encrypted by default
• Standard for cloud applications
• Doubled last year in North America*

Decryption more difficult
• Serious performance trade-offs
• Increase in certificate pinning makes decryption less reliable

Simple hiding place for attackers
• Owns both sides of the connection
• Standard SSL or custom scheme

*Source: Sandvine Internet Phenomena Report

Page 10: Poll Question #1

Do you decrypt your network traffic for security inspection today?

A. Yes, all traffic is decrypted
B. Some traffic is selectively decrypted by policy
C. No traffic is decrypted
D. I do not today but am planning to in the future

Page 11: Summary of Vectra

While the individual man is an insoluble puzzle, in the aggregate he becomes a mathematical certainty

- Sherlock Holmes

Page 12: Behavioral traffic analysis can find threats without decryption

Data science models applied directly to traffic reveal the underlying behavior
• Communication cadence
• Which side is in control of the conversation?
• Human or automated?

Learn the distinctive patterns of malicious traffic
• Command-and-control instructions
• External remote access
• Malware update, tunnels, anonymizers, etc.

Page 13: Hidden Tunnels

Page 14: Hidden tunnels

What are hidden tunnels?
• Techniques used by attackers to hide their malicious communications within commonly allowed traffic and protocols
• Commonly seen in HTTP, HTTPS, DNS
• Example: Data or control messages embedded in optional fields of a packet

Page 15: Types of hidden tunnels

Hidden messages embedded across many sessions
• E.g. data embedded within DNS text field
• Difficult for signatures to detect as placement can constantly move
• Requires intelligence about the larger pattern of communication

Full tunnels over HTTP
• E.g. Meterpreter tunnel over HTTPS
• Hard to detect as visibility may be constricted
• Requires in-depth knowledge of protocol behavior
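The "messages embedded across many sessions" point above is easiest to see in code: no single DNS query is suspicious, only the aggregate is. This is an added example, not Vectra's code or the deck's; the log format, the domain names and the thresholds are constructed for the illustration.

```python
"""Data embedded across many DNS queries: added example, not Vectra's code.
One tunnel query looks like any other lookup; the signal is in the aggregate:
many distinct, high-entropy subdomain labels under one parent domain from one
client. Log format, domain names and thresholds are constructed here."""
import math
from collections import Counter, defaultdict

# Constructed sample log, one query per line: "timestamp client qtype qname"
SAMPLE_LOG = """\
1491100000 10.0.0.5 A www.example.com
1491100001 10.0.0.5 TXT 7a4e1c9b0d.f3a8.tunnel-example.net
1491100002 10.0.0.5 TXT 9c2d77e0ab.f3a8.tunnel-example.net
1491100003 10.0.0.5 TXT 0b5f38d1ce.f3a8.tunnel-example.net
1491100004 10.0.0.5 TXT e6a91b4c2f.f3a8.tunnel-example.net
1491100005 10.0.0.5 TXT 3d8c0a7e51.f3a8.tunnel-example.net
1491100006 10.0.0.9 A mail.example.com
1491100007 10.0.0.9 A cdn.example.com
"""

def shannon_entropy(s):
    """Bits per character; random-looking hex or base32 labels score high."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def parent_domain(qname, labels=2):
    """Crude registered-domain guess (last two labels); real code would use the public suffix list."""
    return ".".join(qname.lower().rstrip(".").split(".")[-labels:])

def aggregate(log_text):
    groups = defaultdict(set)          # (client, parent) -> distinct subdomain prefixes
    for line in log_text.splitlines():
        _, client, _, qname = line.split()
        parent = parent_domain(qname)
        prefix = qname[: -len(parent) - 1]   # strip ".parent"; empty for a bare domain
        if prefix:
            groups[(client, parent)].add(prefix)
    return groups

def suspicious_domains(log_text, min_unique=5, min_entropy=3.0):
    """Flag (client, parent) pairs whose many distinct prefixes look like encoded data."""
    flagged = []
    for (client, parent), prefixes in aggregate(log_text).items():
        if len(prefixes) < min_unique:
            continue
        avg = sum(shannon_entropy(p.replace(".", "")) for p in prefixes) / len(prefixes)
        if avg >= min_entropy:
            flagged.append((client, parent, len(prefixes), round(avg, 2)))
    return flagged
```

Because the judgement is made per (client, parent domain) rather than per packet, moving the payload between labels or record types from one query to the next does not change the verdict.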

Page 16: Recent Vectra study of hidden tunnels

Large-scale analysis of enterprise and government networks

Data science detects hidden tunnels in HTTP, HTTPS, and DNS without decryption

Attackers prefer the use of HTTPS

Page 17: Hiding within allowed applications

Page 18: Hiding within allowed applications

Recently observed malware using Gmail as an automated C&C

Used Microsoft COM to send Python commands directly through Internet Explorer

Drafts automatically synced to cloud, so C&C without mail ever being sent

Page 19: Focus on what threats do, not what they are called

Trying to name all bad things only ensures that you are always behind
• Near-infinite supply of repackaged malware, IP addresses, and URLs

Vectra uses machine learning to expose the true purpose and effect of traffic

Malicious behaviors are similar across platforms
• Does it really matter if that port scanner is on a laptop or an iPhone?

Page 20: It’s what it does, not what it is

Command and control via Gmail
• Trusted application, trusted URL, trusted IP, allowed behavior
• No email ever sent

Communication behavior still looks like traditional botnet pulling behavior
• Unique pattern of call and response
• Bot completes a task and asks for next instructions
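Page 12 names the features (communication cadence, which side controls the conversation, human versus automated) and this slide says why they matter: the Gmail channel is trusted, yet the pull pattern survives. The following added example (not Vectra's or the deck's code) measures those three features over constructed per-session records; the session data and thresholds are assumptions for the illustration.

```python
"""Cadence and control-direction check: added example, not Vectra's code.
Per-session records between one internal host and one external peer. Regular
inter-session gaps, sessions the internal host opens, and a larger reply than
request on nearly every session is the "finish a task, ask for the next
instruction" pull pattern the slides describe. Data and thresholds are
constructed assumptions for this example."""
from statistics import mean, pstdev

# Constructed sessions: (start_seconds, bytes_from_internal_host, bytes_from_external_peer)
BEACON_SESSIONS = [
    (0, 310, 1450), (300, 305, 1490), (601, 312, 1460), (899, 308, 1510),
    (1200, 310, 1470), (1502, 306, 1440), (1800, 311, 1480),
]
HUMAN_SESSIONS = [  # interactive browsing: bursty timing, widely varying sizes
    (0, 12000, 95000), (47, 800, 2100), (52, 15000, 310000), (410, 600, 1800),
    (1200, 9000, 70000), (1215, 500, 1200), (3100, 20000, 650000),
]

def cadence_cv(sessions):
    """Coefficient of variation of inter-session gaps: 0 means perfectly periodic."""
    starts = sorted(t for t, _, _ in sessions)
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    if len(gaps) < 2 or mean(gaps) == 0:
        return None
    return pstdev(gaps) / mean(gaps)

def external_control_fraction(sessions):
    """Share of sessions where the external peer sent more than the internal
    host did: the outside party is the one dispensing the instructions."""
    return sum(1 for _, up, down in sessions if down > up) / len(sessions)

def request_size_cv(sessions):
    """Variation in what the internal host sends; scripted check-ins are near constant."""
    ups = [up for _, up, _ in sessions]
    return pstdev(ups) / mean(ups)

def classify(sessions, max_cadence_cv=0.1, min_control=0.8, max_request_cv=0.1):
    """Label a host/peer pair as beacon-like (automated pull) or irregular (likely human)."""
    cv = cadence_cv(sessions)
    if cv is None:
        return "insufficient-data"
    if (cv <= max_cadence_cv and external_control_fraction(sessions) >= min_control
            and request_size_cv(sessions) <= max_request_cv):
        return "beacon-like"
    return "irregular"
```

None of the three measures needs the payload, so the verdict is the same whether the sessions go to a custom C&C server or to a webmail drafts folder over TLS.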

Page 21:

Page 22: Poll Question #2

Of the allowed applications in your network, which ones do you think pose the greatest risk of a cyber attack?

A. Consumer cloud-based applications – Facebook, webmail, Dropbox, etc.
B. Enterprise cloud-based applications – file shares, CRM tools.
C. On-premise applications and data stores.
D. IT and admin tools.

Page 23: External Remote Access

Page 24: External Remote Access

Critical component of targeted attacks and breaches

Shift from pure malware to human control and intelligence

Can leverage malware or approved tools
• RATs – Remote Access Tools
• Administrative tools – RDP, VNC, TeamViewer

Page 25: External remote access case study: GlassRAT

Undetected for over 3 years
• Discovered by RSA Security
• Used a cert of a valid software company in China
• No AV coverage initially
• Rare overlaps with C&C servers used in nation-state attacks

Source: https://blogs.rsa.com/wp-content/uploads/2015/11/GlassRAT-final.pdf

Page 26: External remote access case study: GlassRAT

Highly successful at avoiding signatures

Behavior still looked exactly like a RAT
• Similar to Netcat connected to a command shell over TCP

Page 27: Anonymization

Page 28: TOR and Peer-to-Peer

Obscures the true source or destination of traffic

Encrypted by default

Heavily customized by attackers
• Open-source TOR modified to create TOR-like networks that don’t use known exit nodes
• P2P heavily used by malware to resist takedown attempts

Page 29: Finding staged communications

Identify when traffic is bounced through internal hosts
• Often used for exfiltration staging
• Routing command-and-control through an unsecured device
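One concrete way to spot the bounce described above is to pair, per internal host, an inbound session with an overlapping outbound session of nearly the same volume. This is an added example, not Vectra's code or the deck's; the flow records, the internal address ranges and the thresholds are constructed assumptions.

```python
"""Staged (relayed) traffic through an internal host: added example, not
Vectra's code. An internal host that carries an inbound session from one peer
and, overlapping in time, an outbound session to a different peer with nearly
the same byte volume is acting as a bounce point: the exfiltration-staging or
C&C-through-an-unsecured-device pattern. Flows and thresholds are constructed."""

INTERNAL_PREFIXES = ("10.", "192.168.")   # assumed internal ranges for the example

def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIXES)

# Constructed flows: (start_s, end_s, src_ip, dst_ip, bytes_src_to_dst)
FLOWS = [
    (100, 160, "10.0.0.7", "10.0.0.20", 48_000_000),       # file server -> staging host
    (110, 170, "10.0.0.20", "198.51.100.9", 47_900_000),   # staging host -> outside
    (500, 505, "203.0.113.5", "10.0.0.50", 4_000),         # outside -> unmanaged device
    (501, 506, "10.0.0.50", "10.0.0.31", 3_900),           # device -> workstation (C&C bounce)
    (200, 205, "10.0.0.31", "10.0.0.40", 2_000),           # unrelated: does not overlap
    (300, 301, "10.0.0.40", "203.0.113.5", 800),
]

def find_relays(flows, min_bytes=1_000, ratio=0.9):
    """Return (relay_host, upstream_peer, downstream_peer, bytes_in, bytes_out)
    for each inbound/outbound pair that overlaps in time with similar volume."""
    relays = []
    for s1, e1, src1, dst1, b1 in flows:
        if not is_internal(dst1):
            continue                       # the relay must be an internal host
        for s2, e2, src2, dst2, b2 in flows:
            if src2 != dst1 or dst2 == src1:
                continue                   # must leave the same host, not bounce straight back
            overlaps = s1 <= e2 and s2 <= e1
            similar = min(b1, b2) >= ratio * max(b1, b2)
            if overlaps and similar and b1 >= min_bytes:
                relays.append((dst1, src1, dst2, b1, b2))
    return relays
```

The same pairing catches both directions on the slide: a large internal-to-external staging hop and a small external-to-internal C&C hop through a device that has no agent.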

Page 30: IoT Devices

Difficult to secure
• Typically easy to exploit
• Very infrequent updates
• Can’t support an end-point agent

Valuable to attackers
• Vectra ThreatLabs recently turned a DLink webcam into a functioning backdoor

Page 31: Summary

• Hidden communications are the underlying enabler of modern attacks
• Control over both ends of a conversation gives attackers a variety of options for hiding
• Signatures are unsuited for finding these issues
• By focusing on the packet-level behavior, new detection models can reveal the malicious actions within trusted or opaque traffic

Detection categories: Command & Control, Botnet Activity, Reconnaissance, Lateral Movement, Exfiltration

Page 32: