Chris Haley - Understanding Attackers' Use of Covert Communications

© Vectra Networks | www.vectranetworks.com
The Use of Covert Communications in
Modern Cyber Attacks
@vectra_networks
CHRIS HALEY
SECURITY CONSULTANT
CHALEY@VECTRANETWORKS.COM

© Vectra Networks | www.vectranetworks.com 2
Fundamental aspect of targeted attacks
• “Low and slow” doesn’t exist without hidden coms
• Command and Control
• Exfiltration
Many ways to hide
• Attacker controls both ends of connection
• Any application, protocol, encryption is available
Hidden Communications

Targeted Threats
Opportunistic Threats
A closer look at the phases of an active cyber attack
3
Internal
Recon
Lateral
Movement
Acquire
Data
Botnet
Monetization
Standard C&C
Exfiltrate
Data
Custom C&C
& RAT
Custom C&C
Initial
Infection

Focus on hidden communications
4
Internal
Recon
Lateral
Movement
Acquire
Data
Botnet
Monetization
Standard C&C
Exfiltrate
Data
Custom C&C
& RAT
Custom C&C
Initial
Infection

Targeted attackers don’t reuse C&C servers … typically
5
Use of Domain
Generation
Algorithms (DGA)
Protocols: DNS, IRC,
HTTP, HTTPS
Dropbox, Google
Drive, Gmail
Reuse = Getting
Caught

Requirements for detecting covert communications
6
Look at behavior, not appearance
• IP address, URL, protocol can change
• Fundamental behavior will not
Direct access to traffic
• To find what others miss, you must have
access to the real evidence, not summaries
Expect obfuscation
• Hiding is the name of the game

Types of machine learning
Software analyzes local traffic to
learn “normal” behaviors
Reveals anomalies that can only
be learned in the target network
Requires time to learn
Analyze massive set of samples to
find the behaviors common to all
Finds inherent behavior to provide
detections with a long shelf-life
Fast, no local learning required
Supervised Learning Unsupervised Learning

Hiding within encryption

Threat hiding within encrypted traffic
9
More traffic is encrypted by default
• Standard for cloud applications
• Doubled last year in North America*
Decryption more difficult
• Serious performance trade-offs
• Increase in certificate pinning makes
decryption less reliable
Simple hiding place for attackers
• Owns both sides of the connection
• Standard SSL or custom scheme
*Source: Sandvine Internet Phenomena Report

Poll Question #1
Do you decrypt your network traffic for
security inspection today?
A. Yes, all traffic is decrypted
B. Some traffic is selectively decrypted by policy
C. No traffic is decrypted
D. I do not today but am planning to in the future

Summary of Vectra
While the individual man is
an insoluble puzzle, in the
aggregate he becomes a
mathematical certainty
- Sherlock Holmes

Behavioral traffic analysis can find threats without decryption
12
Data science models applied directly to
traffic reveals the underlying behavior
• Communication cadence
• Which side is in control of the
conversation?
• Human or automated? Learn the distinctive
patterns of malicious traffic
• Command-and-control
instructions
• External remote access
• Malware update, tunnels,
anonymizers, etc.

Hidden Tunnels

Hidden tunnels
What are hidden tunnels?
• Techniques used by attackers to
hide their malicious
communications within commonly
allowed traffic and protocols
• Commonly seen in HTTP, HTTPS,
DNS
• Example: Data or control
messages embedded in optional
fields of a packet

Types of hidden tunnels
Hidden messages embedded across many
sessions
• E.g. data embedded within DNS text field
• Difficult for signatures to detect as placement can
constantly move
• Requires intelligence to the larger pattern of
communication
Full tunnels over HTTP
• e.g. Meterpreter tunnel over HTTPS
• Hard to detect as visibility may be constricted
• Requires in depth knowledge of protocol behavior

Recent Vectra study of hidden tunnels
Large-scale analysis of
enterprise and government
networks
Data science detects
hidden tunnels in HTTP,
HTTPS, and DNS without
decryption
Attackers prefer the use of
HTTPS
16

Hiding within allowed applications

Hiding within allowed applications
18
Recently observed malware
using Gmail as an
automated C&C
Used Microsoft COM to
send Python commands
directly through Internet
Explorer
Drafts automatically synced
to cloud, so C&C without
mail ever being sent

Focus on what threats do, not what they are called
Trying to name all bad things only ensures
that you are always behind
• Near infinite supply of repackaged malware, IP
addresses, and URLs
Vectra uses machine learning to expose the
true purpose and effect of traffic
Malicious behaviors are similar across
platforms
• Does it really matter if that port scanner is on
laptop or iPhone?

It’s what it does, not what it is
Command and control via Gmail
• Trusted application, trusted URL, trusted IP,
allowed behavior
• No email ever sent
Communication behavior still looks like
traditional botnet pulling behavior
• Unique pattern of call and response
• Bot completes a task and asks for next
instructions

Poll Question #2
Of the allowed applications in your
network, which ones do think pose
the greatest risk of a cyber attack?
A. Consumer cloud-based applications –
Facebook, webmail, dropbox, etc.
B. Enterprise cloud-based applications – File
shares, CRM tools.
C. On premise applications and data stores.
D. IT and Admin tools.

External Remote Access

External Remote Access
24
Critical component of targeted
attacks and breaches
Shift from pure malware to human
control and intelligence
Can leverage malware or
approved tools
• RATs – Remote Access Tools
• Administrative tools – RDP, VNC,
TeamViewer

External remote access case study: GlassRAT
25
Undetected for over 3 years
• Discovered by RSA Security
• Used a cert of a valid software
company in China
• No AV coverage initially
• Rare overlaps with C&C
servers used in nation-state
attacks
Source: https://blogs.rsa.com/wp-content/uploads/2015/11/GlassRAT-final.pdf

External remote access case study: GlassRAT
26
Highly successful at avoid
signatures
Behavior still looked exactly
like a RAT
• Similar to Netcat connected to
a command shell over TCP

Anonymization

TOR and Peer-to-Peer
28
Obscures the true source or
destination of traffic
Encrypted by default
Heavily customized by attackers
• Open-source TOR modified to create
TOR-like networks that don’t use
known exit nodes
• P2P heavily used by malware to resist
takedown attempts

Finding staged communications
29
Identify when traffic is bounced through internal hosts
• Often used for exfiltration staging
• Routing command-and-control through an unsecured device

IoT Devices
30
Difficult to secure
• Typically easy to exploit
• Very infrequent updates
• Can’t support an end-point agent
Valuable to attackers
• Vectra ThreatLabs recently turned a
DLink webcam into a functioning
backdoor

Summary
31
Hidden communications are the underlying
enabler of modern attacks
Control over both ends of a conversation gives
attackers a variety of options for hiding
Signatures are unsuited for finding these issues
By focusing on the packet-level behavior, new
detection models can reveal the malicious actions
within trusted or opaque traffic.
Command & Control
Botnet Activity
Reconnaissance
Lateral Movement
Exfiltration

Chris Haley - Understanding Attackers' Use of Covert Communications

More Related Content

What's hot (20)

Similar to Chris Haley - Understanding Attackers' Use of Covert Communications (20)

More from centralohioissa (20)

Recently uploaded (20)

Chris Haley - Understanding Attackers' Use of Covert Communications