
Risk

4/17/2012
06:23 PM

DOE Lab Releases Open-Source Attack Intelligence Tool

Pacific Northwest National Laboratory offers up, and continues to build out, a tool that drills down into the processes and apps employed by the bad guys

The U.S. Department of Energy's Pacific Northwest National Laboratory (PNNL) is offering an open-source version of a homegrown tool that gathers an additional layer of intelligence during an attack.

The so-called Hone tool is basically a host-based sensor that automatically pinpoints which applications or processes on an infected machine are communicating with an external network, and over which connections they are doing so. So it could help determine the specific app used between a bot and its command-and-control server, or between an infected machine and the attacker trying to siphon off information or intellectual property.

PNNL, which was the victim of consecutive targeted attacks last summer, is test-running Hone along with its homegrown visualization technology. The open-source Hone code is available to the public, and its creator, Glenn Fink, hopes the community will share any extensions to the tool in the public domain as well. It's currently available for Linux, and the lab is also working on Windows 7 and Mac OS X versions.

When a user unknowingly picks up spyware and is unaware of the background communication from his now-infected machine to the attacker, Hone would detect the traffic and isolate it to, say, the type of browser. "Hone can find this new process talking to the network. And even if it only talks to the network once a month, you still have a record of it," Fink says.

Today, correlating unusual communication patterns between internal computers and hosts outside the network can be a laborious process, and it's often difficult to discern which application is communicating. Malicious apps duck in and out, too, so it's difficult to track them.

Fink, who first developed the tool as a graduate student at Virginia Tech University, says Hone is akin to a scalpel, while existing tools of that kind are akin to a chainsaw. "It provides a new source of data," he says, and could let an organization under attack ultimately control traffic on a packet-by-packet basis. It would drill down to the application process and identify whether it was Internet Explorer or iTunes that was being used by the attacker, for example, he says.

Such a tool just might have come in handy for PNNL on the Friday of last year's July Fourth weekend, when the lab discovered it had been hit by a sophisticated targeted attack. The attackers used a combination of a Web server vulnerability and a payload that delivered a zero-day Adobe Flash exploit. PNNL, a research and development facility operated under contract to the Department of Energy, had to temporarily shut down most of its internal network services, including email, SharePoint, its wireless LAN, voicemail, and Internet access, as well as block internal traffic while investigating and mitigating the attack. The lab said no classified or sensitive information was taken.

In an interview with Dark Reading in the aftermath of the attack, Jerry Johnson, chief information officer for PNNL, said the attackers at first infiltrated some of PNNL's public-facing Web servers that contained publicly available information. The attackers exploited a bug in the server, and then rigged it with a malicious payload that planted an Adobe Flash zero-day exploit on victims' machines. A second-wave attack originating from another laboratory was more serious: The attackers were able to obtain privileged credentials and gain access to a more sensitive side of PNNL's network.

If available at the time, Hone could have been useful as a way to spot malicious app behavior or malicious apps. "This tool probably would have helped in that situation," PNNL's Fink notes.

The catch with Hone is that it must be built into the OS kernel, something that could deter its wider adoption, notes Richard Bejtlich, chief security officer with Mandiant. "I don't see that happening for many organizations," he says.

Mandiant's Bejtlich notes that there are similar capabilities already in the OS, such as Windows Event Tracing.

But PNNL's Fink says these built-in functions, such as Windows Event Tracing and DTrace in Linux and Mac OS X, are much cruder and less efficient for gathering this type of intelligence. They could be used in a basic manner to trace activities back to system calls, but these tools require more software to be written around them to do what Hone does, he says.
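The core of what the article describes, both the host sensor that ties a process to the network connection it is using and Fink's remark that the OS's built-in facilities need extra software written around them, can be illustrated with the userland approach on Linux: the kernel already publishes every TCP socket with its inode in /proc/net/tcp, and every process's open file descriptors in /proc/<pid>/fd, so joining the two attributes each connection to its owning process. The script below is an added example written for this page, not Hone's code or anything from PNNL; the /proc/net/tcp rows, inode-to-PID map and process names it ships with are constructed sample data, and the live-scan helper assumes a Linux procfs layout (and root, to read other users' fd tables). It also shows the gap a kernel-resident sensor closes: a socket whose owner has already exited cannot be attributed from a snapshot.

```python
import os
import re
import socket
import struct
from dataclasses import dataclass

# /proc/<pid>/fd/<n> is a symlink that reads "socket:[<inode>]" for sockets
SOCKET_LINK_RE = re.compile(r"^socket:\[(\d+)\]$")

# Codes used in the 'st' column of /proc/net/tcp
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}


@dataclass(frozen=True)
class Connection:
    local: str
    remote: str
    state: str
    inode: int


def _decode_addr(hexaddr: str) -> str:
    """Decode the 'AABBCCDD:PPPP' form used by /proc/net/tcp. The kernel prints
    the IPv4 address as the host-order hex of its in-memory uint32, so on the
    little-endian hosts assumed here 0100007F is 127.0.0.1."""
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return f"{ip}:{int(port_hex, 16)}"


def parse_proc_net_tcp(text: str) -> list:
    """Parse /proc/net/tcp: skip the header row, keep addresses, state, inode."""
    conns = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 10:
            continue
        conns.append(Connection(
            local=_decode_addr(fields[1]),
            remote=_decode_addr(fields[2]),
            state=TCP_STATES.get(fields[3], fields[3]),
            inode=int(fields[9]),
        ))
    return conns


def scan_process_sockets(proc_root: str = "/proc"):
    """Walk /proc/<pid>/fd and map each socket inode to its owning PID and
    command name (live use only; needs root to see other users' processes)."""
    inode_to_pid, pid_to_comm = {}, {}
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            with open(f"{proc_root}/{pid}/comm") as f:
                pid_to_comm[pid] = f.read().strip()
            for fd in os.listdir(f"{proc_root}/{pid}/fd"):
                m = SOCKET_LINK_RE.match(os.readlink(f"{proc_root}/{pid}/fd/{fd}"))
                if m:
                    inode_to_pid[int(m.group(1))] = pid
        except OSError:
            continue  # process exited mid-scan, or permission denied
    return inode_to_pid, pid_to_comm


def attribute_connections(proc_net_tcp_text, inode_to_pid, pid_to_comm):
    """Join every socket to the process holding it. A socket whose inode is in
    no fd table is reported with pid=None: its owner is gone or hidden, which
    is the short-lived traffic a kernel-level sensor would still record."""
    report = []
    for c in parse_proc_net_tcp(proc_net_tcp_text):
        pid = inode_to_pid.get(c.inode)
        report.append({
            "pid": pid,
            "comm": pid_to_comm.get(pid) if pid is not None else None,
            "local": c.local, "remote": c.remote, "state": c.state,
        })
    return report


# Constructed sample data, not captured from a real host.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 21001 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:B41A 057100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 21002 1 0000000000000000 20 4 30 10 -1
   2: 0F02000A:B41B 0501A8C0:1F90 01 00000000:00000000 00:00000000 00000000  1000        0 21003 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_INODE_TO_PID = {21001: 412, 21002: 2211}   # inode 21003 has no owner
SAMPLE_PID_TO_COMM = {412: "cupsd", 2211: "firefox"}


def demo():
    """Correlate the constructed sample; live use would pass
    open('/proc/net/tcp').read() and *scan_process_sockets() instead."""
    return attribute_connections(SAMPLE_PROC_NET_TCP, SAMPLE_INODE_TO_PID, SAMPLE_PID_TO_COMM)


if __name__ == "__main__":
    for row in demo():
        owner = f"{row['comm']}[{row['pid']}]" if row["pid"] else "<no owning process>"
        print(f"{owner:22} {row['local']:>18} -> {row['remote']:<18} {row['state']}")
```

Run as a script it prints one line per socket with its owner; the third sample row, an established connection to 192.168.1.5:8080 with no process behind it, is the case that makes a snapshot-based approach weaker than a sensor hooked into the kernel's socket lifecycle.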

The tool is available for download here. Fink and his team are hoping developers will clone and improve on its features.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
CiscoJones (User Rank: Apprentice), 4/18/2012 11:41:32 AM
re: DOE Lab Releases Open-Source Attack Intelligence Tool
The link to download the software needs to be:
https://github.com/HoneProject
jerry5 (User Rank: Apprentice), 4/18/2012 11:14:02 AM
re: DOE Lab Releases Open-Source Attack Intelligence Tool
Protip: https://github.com/HoneProject...

Maybe the author of this article should confirm working D/L links.
"404 ERROR"
#FAIL
felixonline (User Rank: Strategist), 4/18/2012 2:53:00 AM
re: DOE Lab Releases Open-Source Attack Intelligence Tool
The link https://github.com/HoneProject... is broken!!