The so-called Hone tool is a host-based sensor that automatically pinpoints which application or process an infected machine is using to communicate with an external network. So it could help determine the specific app used between a bot and its command-and-control, or between an infected machine and the attacker trying to siphon information or intellectual property.
PNNL, which was the victim of consecutive targeted attacks last summer, is test-running Hone along with its homegrown visualization technology. The open-source Hone code is available to the public, and its creator, Glenn Fink, hopes the community will in turn share any extensions to the tool in the public domain as well. It's currently available for Linux, and the lab is also working on Windows 7 and Mac OS X versions.
When a user unknowingly picks up spyware and is unaware of the background communication from his now-infected machine to the attacker, Hone would detect the traffic and isolate it to, say, the type of browser. "Hone can find this new process talking to the network. And even if it only talks to the network once a month, you still have a record of it," Fink says.
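The capability described above, process-to-connection attribution plus a record of which processes have been seen talking to the network, can be approximated in user space on Linux. The following is an added example, not code from the article or from the Hone project: Hone is a kernel-resident sensor, whereas this script only parses the `/proc/net/tcp` table format and joins it to a socket-inode-to-process map. The sample table, inode map, process names and baseline are constructed for illustration; the `live_inode_map()` function shows how the same map would be built on a real host (and needs root to see other users' processes, which is exactly the gap a kernel sensor closes).

```python
from __future__ import annotations
# Added example (not the article's or Hone's code): userspace approximation of
# attributing TCP sockets to the owning process and flagging processes that
# have not previously been recorded talking to the network.
import os
import socket
import struct
from dataclasses import dataclass

TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}


@dataclass(frozen=True)
class Flow:
    pid: int          # -1 when no readable process owns the socket inode
    comm: str
    laddr: str
    lport: int
    raddr: str
    rport: int
    state: str


def decode_addr(hexaddr: str) -> tuple[str, int]:
    """/proc/net/tcp prints the IPv4 address as a native-endian hex word; on
    little-endian hosts (x86, ARM) the bytes therefore appear reversed."""
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text: str) -> list[tuple[str, int, str, int, str, int]]:
    """Parse the /proc/net/tcp table into (laddr, lport, raddr, rport, state, inode) rows."""
    rows = []
    for line in text.splitlines()[1:]:          # first line is the column header
        parts = line.split()
        if len(parts) < 10:
            continue
        laddr, lport = decode_addr(parts[1])
        raddr, rport = decode_addr(parts[2])
        state = TCP_STATES.get(parts[3], parts[3])
        rows.append((laddr, lport, raddr, rport, state, int(parts[9])))
    return rows


def live_inode_map() -> dict[int, tuple[int, str]]:
    """Walk /proc/<pid>/fd on a live Linux host to map socket inodes to (pid, comm).
    Processes this user may not inspect are skipped, so the map is incomplete
    without root; a kernel-resident sensor does not have that blind spot."""
    mapping: dict[int, tuple[int, str]] = {}
    for pid in (p for p in os.listdir("/proc") if p.isdigit()):
        try:
            with open(f"/proc/{pid}/comm") as fh:
                comm = fh.read().strip()
            for fd in os.listdir(f"/proc/{pid}/fd"):
                target = os.readlink(f"/proc/{pid}/fd/{fd}")   # e.g. "socket:[10002]"
                if target.startswith("socket:["):
                    mapping[int(target[8:-1])] = (int(pid), comm)
        except OSError:
            continue
    return mapping


def attribute(rows, inode_to_proc) -> list[Flow]:
    """Join each socket row to its owning process; unknown inodes get pid -1."""
    flows = []
    for laddr, lport, raddr, rport, state, inode in rows:
        pid, comm = inode_to_proc.get(inode, (-1, "?"))
        flows.append(Flow(pid, comm, laddr, lport, raddr, rport, state))
    return flows


def new_network_processes(flows: list[Flow], baseline: set[str]) -> set[str]:
    """Names of processes holding a non-listening connection that are absent from
    the baseline of processes previously recorded talking to the network."""
    return {f.comm for f in flows if f.state != "LISTEN" and f.comm not in baseline}


# Constructed sample data: documentation-range addresses, made-up inodes, pids and names.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   1: 0500000A:C738 057100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 10002 1 0000000000000000 20 4 30 10 -1
   2: 0500000A:C73A 146433C6:115C 01 00000000:00000000 00:00000000 00000000  1000        0 10003 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_INODE_TO_PROC = {10001: (700, "sshd"), 10002: (2200, "firefox"), 10003: (3100, "updater")}
SAMPLE_BASELINE = {"sshd", "firefox"}       # processes previously recorded on the network


def sample_report() -> tuple[list[Flow], set[str]]:
    """Run the attribution over the constructed sample and return (flows, new process names)."""
    flows = attribute(parse_proc_net_tcp(SAMPLE_PROC_NET_TCP), SAMPLE_INODE_TO_PROC)
    return flows, new_network_processes(flows, SAMPLE_BASELINE)


if __name__ == "__main__":
    flows, fresh = sample_report()
    for f in flows:
        print(f"{f.comm}[{f.pid}] {f.laddr}:{f.lport} -> {f.raddr}:{f.rport} {f.state}")
    print("not in baseline:", sorted(fresh))
```

On the constructed sample the script attributes the three sockets to `sshd`, `firefox` and `updater`, and reports `updater` as the only process not in the baseline. Polling `/proc` this way misses short-lived connections between two scans, which is the kind of once-a-month, in-and-out traffic the article says a kernel-level sensor records regardless.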
Today, correlating unusual communication patterns between internal computers and hosts outside the network can be a laborious process, and it's often difficult to discern which application is communicating. Malicious apps duck in and out, too, so they are difficult to track.
Fink, who first developed the tool as a graduate student at Virginia Tech University, says Hone is akin to a scalpel, while existing tools of that kind are akin to a chainsaw. "It provides a new source of data," he says, and could let an organization under attack ultimately control traffic on a packet-by-packet basis. It would drill down to the application process and identify whether it was Internet Explorer or iTunes that was being used by the attacker, for example, he says.
Such a tool just might have come in handy for PNNL on the Friday of last year's July Fourth weekend, when the lab discovered it had been hit by a sophisticated targeted attack. The attackers used a combination of a Web server vulnerability and a payload that delivered a zero-day Adobe Flash exploit. PNNL, a research and development facility operated under contract to the Department of Energy, had to temporarily shut down most of its internal network services, including email, SharePoint, its wireless LAN, voicemail, and Internet access, as well as block internal traffic while investigating and mitigating the attack. The lab said no classified or sensitive information was taken.
In an interview with Dark Reading in the aftermath of the attack, Jerry Johnson, chief information officer for PNNL, said the attackers at first infiltrated some of PNNL's public-facing Web servers that contained publicly available information. The attackers exploited a bug in the server, and then rigged it with a malicious payload that planted an Adobe Flash zero-day exploit on victims' machines. A second-wave attack originating from another laboratory was more serious: The attackers were able to gain privileged credentials to gain access to a more sensitive side of PNNL's network.
If available at the time, Hone could have been useful as a way to spot malicious app behavior or malicious apps. "This tool probably would have helped in that situation," PNNL's Fink notes.
The catch with Hone is that it must be built into the OS kernel, something that could deter its wider adoption, notes Richard Bejtlich, chief security officer with Mandiant. "I don't see that happening for many organizations," he says.
Mandiant's Bejtlich notes that there are similar capabilities already in the OS, such as Windows Event Tracing.
But PNNL's Fink says these built-in functions, such as Windows Event Tracing and DTrace in Linux and Mac OS X, are much cruder and less efficient for gathering this type of intelligence. They could be used in a basic manner to trace activities back to system calls, but these tools require more software to be written around them to do what Hone does, he says.
The tool is available for download here. Fink and his team are hoping developers will clone and improve on its features.