Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics //

Security Monitoring

6/15/2013
12:04 AM
50%
50%

Researcher To Open-Source Tools For Finding Odd Authentication Behavior

Rather than watching for communications between infected systems and command-and-control servers, companies can detect stealthy malware when it attempts to spread

A number of security firms detect malware by monitoring outbound connections and looking for traffic going to known bad areas of the Internet. Other intrusion detection systems look for code designed to exploit known vulnerabilities.

Click here for more of Dark Reading's Black Hat articles.

Yet companies can also monitor internal traffic for strange patterns that do not resemble normal user behavior. Breachbox, a set of tools for detecting pass-the-hash and other authentication attacks, does just that, says Eric Fiterman, founder and developer of cybersecurity startup Spotkick, who plans to release the tools at the Black Hat Briefings in Las Vegas later this summer.

The tools, which he has used in his own consulting engagements, do not mine data from log files -- which could be changed by attackers -- but instead capture network traffic and monitor it for strange user-authentication behavior.

"It is built to mine information based on raw captures and look for patterns that indicate that an adversary has acquired a privileged account and is using that to maneuver his way around the network," Fiterman says.

Pass-the-hash is an attack technique first suggested in 1997, where an attacker can pass a security token or a password hash to a variety of internal systems to gain access to those systems. While the attack is more than 15 years old, it can still be fairly effective in most environments. In a Black Hat 2012 presentation, two penetration testers from Northrup Grumman showed that many of the techniques for passing the hash still work (PDF).

Using Breachbox, companies can set up a server and feed it packet captures from the network to run after-the-fact analyses. Or the server can listen to network traffic in real time -- either inline or out-of-band -- to look for anomalous authentication activity. The system looks for machines from which a user attempts to log into another machine under a different username, or multiple login attempts at a range of servers.

"In most cases, authentication looks a certain way," Fiterman says. "It is predictable: You log in in the morning and then go to different network resources. Breachbox looks for things that are out of the ordinary."

It is a technique used by larger security firms as well. Well-known startup Crowdstrike, which plans to unveil more details of its services next week, has a similar capability, says Dmitri Alperovitch, the firm's chief technology officer. When attackers attempt to spread inside a company's network, they will typically use brute-force guessing, key-logging, as well as pass-the-hash attacks to infect more systems.

[Because malware increasingly uses a variety of domain techniques to foil takedown efforts and make their command-and-control servers harder to locate, DNS traffic becomes a good indicator of compromise. See Got Malware? Three Signs Revealed In DNS Traffic.]

"It's important to detect lateral movement, so we have the ability to look for attack as they attempt to propagate," says Alperovitch.

Fiterman hopes that by outsourcing the techniques and technologies, other researchers and consultants will experiment and find better use for the tools. Like many other data analysis tools, Breachbox is not a technology that can be quickly deployed and then forgotten, he says.

"The thing about Breachbox and solutions like it is that they require smart people to install them, run them, and manage them," he said. "This is not something that you can fire and forget."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment:   It's a PEN test of our cloud security.
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7245
PUBLISHED: 2020-01-23
Incorrect username validation in the registration processes of CTFd through 2.2.2 allows a remote attacker to take over an arbitrary account after initiating a password reset. This is related to register() and reset_password() in auth.py. To exploit the vulnerability, one must register with a userna...
CVE-2019-14885
PUBLISHED: 2020-01-23
A flaw was found in the JBoss EAP Vault system in all versions before 7.2.6.GA. Confidential information of the system property's security attribute value is revealed in the JBoss EAP log file when executing a JBoss CLI 'reload' command. This flaw can lead to the exposure of confidential information...
CVE-2019-17570
PUBLISHED: 2020-01-23
An untrusted deserialization was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of Apache XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target a XML-RPC client causing it to execute arbitrary code. Apache XML-RPC is no longer maintained and this issue...
CVE-2020-6007
PUBLISHED: 2020-01-23
Philips Hue Bridge model 2.X prior to and including version 1935144020 contains a Heap-based Buffer Overflow when handling a long ZCL string during the commissioning phase, resulting in a remote code execution.
CVE-2012-4606
PUBLISHED: 2020-01-23
Citrix XenServer 4.1, 6.0, 5.6 SP2, 5.6 Feature Pack 1, 5.6 Common Criteria, 5.6, 5.5, 5.0, and 5.0 Update 3 contains a Local Privilege Escalation Vulnerability which could allow local users with access to a guest operating system to gain elevated privileges.