Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics //

Security Monitoring

6/15/2013
12:04 AM
50%
50%

Researcher To Open-Source Tools For Finding Odd Authentication Behavior

Rather than watching for communications between infected systems and command-and-control servers, companies can detect stealthy malware when it attempts to spread

A number of security firms detect malware by monitoring outbound connections and looking for traffic going to known bad areas of the Internet. Other intrusion detection systems look for code designed to exploit known vulnerabilities.

Click here for more of Dark Reading's Black Hat articles.

Yet companies can also monitor internal traffic for strange patterns that do not resemble normal user behavior. Breachbox, a set of tools for detecting pass-the-hash and other authentication attacks, does just that, says Eric Fiterman, founder and developer of cybersecurity startup Spotkick, who plans to release the tools at the Black Hat Briefings in Las Vegas later this summer.

The tools, which he has used in his own consulting engagements, do not mine data from log files -- which could be changed by attackers -- but instead capture network traffic and monitor it for strange user-authentication behavior.

"It is built to mine information based on raw captures and look for patterns that indicate that an adversary has acquired a privileged account and is using that to maneuver his way around the network," Fiterman says.

Pass-the-hash is an attack technique first suggested in 1997, where an attacker can pass a security token or a password hash to a variety of internal systems to gain access to those systems. While the attack is more than 15 years old, it can still be fairly effective in most environments. In a Black Hat 2012 presentation, two penetration testers from Northrup Grumman showed that many of the techniques for passing the hash still work (PDF).

Using Breachbox, companies can set up a server and feed it packet captures from the network to run after-the-fact analyses. Or the server can listen to network traffic in real time -- either inline or out-of-band -- to look for anomalous authentication activity. The system looks for machines from which a user attempts to log into another machine under a different username, or multiple login attempts at a range of servers.

"In most cases, authentication looks a certain way," Fiterman says. "It is predictable: You log in in the morning and then go to different network resources. Breachbox looks for things that are out of the ordinary."

It is a technique used by larger security firms as well. Well-known startup Crowdstrike, which plans to unveil more details of its services next week, has a similar capability, says Dmitri Alperovitch, the firm's chief technology officer. When attackers attempt to spread inside a company's network, they will typically use brute-force guessing, key-logging, as well as pass-the-hash attacks to infect more systems.

[Because malware increasingly uses a variety of domain techniques to foil takedown efforts and make their command-and-control servers harder to locate, DNS traffic becomes a good indicator of compromise. See Got Malware? Three Signs Revealed In DNS Traffic.]

"It's important to detect lateral movement, so we have the ability to look for attack as they attempt to propagate," says Alperovitch.

Fiterman hopes that by outsourcing the techniques and technologies, other researchers and consultants will experiment and find better use for the tools. Like many other data analysis tools, Breachbox is not a technology that can be quickly deployed and then forgotten, he says.

"The thing about Breachbox and solutions like it is that they require smart people to install them, run them, and manage them," he said. "This is not something that you can fire and forget."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
NSA Appoints Rob Joyce as Cyber Director
Dark Reading Staff 1/15/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Hunny, I looked every where for the dorritos. 
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-8567
PUBLISHED: 2021-01-21
Kubernetes Secrets Store CSI Driver Vault Plugin prior to v0.0.6, Azure Plugin prior to v0.0.10, and GCP Plugin prior to v0.2.0 allow an attacker who can create specially-crafted SecretProviderClass objects to write to arbitrary file paths on the host filesystem, including /var/lib/kubelet/pods.
CVE-2020-8568
PUBLISHED: 2021-01-21
Kubernetes Secrets Store CSI Driver versions v0.0.15 and v0.0.16 allow an attacker who can modify a SecretProviderClassPodStatus/Status resource the ability to write content to the host filesystem and sync file contents to Kubernetes Secrets. This includes paths under var/lib/kubelet/pods that conta...
CVE-2020-8569
PUBLISHED: 2021-01-21
Kubernetes CSI snapshot-controller prior to v2.1.3 and v3.0.2 could panic when processing a VolumeSnapshot custom resource when: - The VolumeSnapshot referenced a non-existing PersistentVolumeClaim and the VolumeSnapshot did not reference any VolumeSnapshotClass. - The snapshot-controller crashes, ...
CVE-2020-8570
PUBLISHED: 2021-01-21
Kubernetes Java client libraries in version 10.0.0 and versions prior to 9.0.1 allow writes to paths outside of the current directory when copying multiple files from a remote pod which sends a maliciously crafted archive. This can potentially overwrite any files on the system of the process executi...
CVE-2020-8554
PUBLISHED: 2021-01-21
Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typicall...