Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics //

Security Monitoring

6/15/2013
12:04 AM
50%
50%

Researcher To Open-Source Tools For Finding Odd Authentication Behavior

Rather than watching for communications between infected systems and command-and-control servers, companies can detect stealthy malware when it attempts to spread

A number of security firms detect malware by monitoring outbound connections and looking for traffic going to known bad areas of the Internet. Other intrusion detection systems look for code designed to exploit known vulnerabilities.

Click here for more of Dark Reading's Black Hat articles.

Yet companies can also monitor internal traffic for strange patterns that do not resemble normal user behavior. Breachbox, a set of tools for detecting pass-the-hash and other authentication attacks, does just that, says Eric Fiterman, founder and developer of cybersecurity startup Spotkick, who plans to release the tools at the Black Hat Briefings in Las Vegas later this summer.

The tools, which he has used in his own consulting engagements, do not mine data from log files -- which could be changed by attackers -- but instead capture network traffic and monitor it for strange user-authentication behavior.

"It is built to mine information based on raw captures and look for patterns that indicate that an adversary has acquired a privileged account and is using that to maneuver his way around the network," Fiterman says.

Pass-the-hash is an attack technique first suggested in 1997, where an attacker can pass a security token or a password hash to a variety of internal systems to gain access to those systems. While the attack is more than 15 years old, it can still be fairly effective in most environments. In a Black Hat 2012 presentation, two penetration testers from Northrup Grumman showed that many of the techniques for passing the hash still work (PDF).

Using Breachbox, companies can set up a server and feed it packet captures from the network to run after-the-fact analyses. Or the server can listen to network traffic in real time -- either inline or out-of-band -- to look for anomalous authentication activity. The system looks for machines from which a user attempts to log into another machine under a different username, or multiple login attempts at a range of servers.

"In most cases, authentication looks a certain way," Fiterman says. "It is predictable: You log in in the morning and then go to different network resources. Breachbox looks for things that are out of the ordinary."

It is a technique used by larger security firms as well. Well-known startup Crowdstrike, which plans to unveil more details of its services next week, has a similar capability, says Dmitri Alperovitch, the firm's chief technology officer. When attackers attempt to spread inside a company's network, they will typically use brute-force guessing, key-logging, as well as pass-the-hash attacks to infect more systems.

[Because malware increasingly uses a variety of domain techniques to foil takedown efforts and make their command-and-control servers harder to locate, DNS traffic becomes a good indicator of compromise. See Got Malware? Three Signs Revealed In DNS Traffic.]

"It's important to detect lateral movement, so we have the ability to look for attack as they attempt to propagate," says Alperovitch.

Fiterman hopes that by outsourcing the techniques and technologies, other researchers and consultants will experiment and find better use for the tools. Like many other data analysis tools, Breachbox is not a technology that can be quickly deployed and then forgotten, he says.

"The thing about Breachbox and solutions like it is that they require smart people to install them, run them, and manage them," he said. "This is not something that you can fire and forget."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Google's new See No Evil policy......
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-31664
PUBLISHED: 2021-06-18
RIOT-OS 2021.01 before commit 44741ff99f7a71df45420635b238b9c22093647a contains a buffer overflow which could allow attackers to obtain sensitive information.
CVE-2021-33185
PUBLISHED: 2021-06-18
SerenityOS contains a buffer overflow in the set_range test in TestBitmap which could allow attackers to obtain sensitive information.
CVE-2021-33186
PUBLISHED: 2021-06-18
SerenityOS in test-crypto.cpp contains a stack buffer overflow which could allow attackers to obtain sensitive information.
CVE-2021-31272
PUBLISHED: 2021-06-18
SerenityOS before commit 3844e8569689dd476064a0759d704bc64fb3ca2c contains a directory traversal vulnerability in tar/unzip that may lead to command execution or privilege escalation.
CVE-2021-31660
PUBLISHED: 2021-06-18
RIOT-OS 2021.01 before commit 85da504d2dc30188b89f44c3276fc5a25b31251f contains a buffer overflow which could allow attackers to obtain sensitive information.