Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics //

Security Monitoring

6/15/2013
12:04 AM
50%
50%

Researcher To Open-Source Tools For Finding Odd Authentication Behavior

Rather than watching for communications between infected systems and command-and-control servers, companies can detect stealthy malware when it attempts to spread

A number of security firms detect malware by monitoring outbound connections and looking for traffic going to known bad areas of the Internet. Other intrusion detection systems look for code designed to exploit known vulnerabilities.

Click here for more of Dark Reading's Black Hat articles.

Yet companies can also monitor internal traffic for strange patterns that do not resemble normal user behavior. Breachbox, a set of tools for detecting pass-the-hash and other authentication attacks, does just that, says Eric Fiterman, founder and developer of cybersecurity startup Spotkick, who plans to release the tools at the Black Hat Briefings in Las Vegas later this summer.

The tools, which he has used in his own consulting engagements, do not mine data from log files -- which could be changed by attackers -- but instead capture network traffic and monitor it for strange user-authentication behavior.

"It is built to mine information based on raw captures and look for patterns that indicate that an adversary has acquired a privileged account and is using that to maneuver his way around the network," Fiterman says.

Pass-the-hash is an attack technique first suggested in 1997, where an attacker can pass a security token or a password hash to a variety of internal systems to gain access to those systems. While the attack is more than 15 years old, it can still be fairly effective in most environments. In a Black Hat 2012 presentation, two penetration testers from Northrup Grumman showed that many of the techniques for passing the hash still work (PDF).

Using Breachbox, companies can set up a server and feed it packet captures from the network to run after-the-fact analyses. Or the server can listen to network traffic in real time -- either inline or out-of-band -- to look for anomalous authentication activity. The system looks for machines from which a user attempts to log into another machine under a different username, or multiple login attempts at a range of servers.

"In most cases, authentication looks a certain way," Fiterman says. "It is predictable: You log in in the morning and then go to different network resources. Breachbox looks for things that are out of the ordinary."

It is a technique used by larger security firms as well. Well-known startup Crowdstrike, which plans to unveil more details of its services next week, has a similar capability, says Dmitri Alperovitch, the firm's chief technology officer. When attackers attempt to spread inside a company's network, they will typically use brute-force guessing, key-logging, as well as pass-the-hash attacks to infect more systems.

[Because malware increasingly uses a variety of domain techniques to foil takedown efforts and make their command-and-control servers harder to locate, DNS traffic becomes a good indicator of compromise. See Got Malware? Three Signs Revealed In DNS Traffic.]

"It's important to detect lateral movement, so we have the ability to look for attack as they attempt to propagate," says Alperovitch.

Fiterman hopes that by outsourcing the techniques and technologies, other researchers and consultants will experiment and find better use for the tools. Like many other data analysis tools, Breachbox is not a technology that can be quickly deployed and then forgotten, he says.

"The thing about Breachbox and solutions like it is that they require smart people to install them, run them, and manage them," he said. "This is not something that you can fire and forget."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
AI Is Everywhere, but Don't Ignore the Basics
Howie Xu, Vice President of AI and Machine Learning at Zscaler,  9/10/2019
Fed Kaspersky Ban Made Permanent by New Rules
Dark Reading Staff 9/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16319
PUBLISHED: 2019-09-15
In Wireshark 3.0.0 to 3.0.3 and 2.6.0 to 2.6.10, the Gryphon dissector could go into an infinite loop. This was addressed in plugins/epan/gryphon/packet-gryphon.c by checking for a message length of zero.
CVE-2019-16320
PUBLISHED: 2019-09-15
Cobham Sea Tel v170 224521 through v194 225444 devices allow attackers to obtain potentially sensitive information, such as a vessel's latitude and longitude, via the public SNMP community.
CVE-2019-16321
PUBLISHED: 2019-09-15
ScadaBR 1.0CE, and 1.1.x through 1.1.0-RC, has XSS via a request for a nonexistent resource, as demonstrated by the dwr/test/ PATH_INFO.
CVE-2019-16317
PUBLISHED: 2019-09-14
In Pimcore before 5.7.1, an attacker with limited privileges can trigger execution of a .phar file via a phar:// URL in a filename parameter, because PHAR uploads are not blocked and are reachable within the phar://../../../../../../../../var/www/html/web/var/assets/ directory, a different vulnerabi...
CVE-2019-16318
PUBLISHED: 2019-09-14
In Pimcore before 5.7.1, an attacker with limited privileges can bypass file-extension restrictions via a 256-character filename, as demonstrated by the failure of automatic renaming of .php to .php.txt for long filenames, a different vulnerability than CVE-2019-10867 and CVE-2019-16317.