DOE Lab Releases Open-Source Attack Intelligence Tool

Pacific Northwest National Laboratory offers up, and continues to build out, a tool that drills down into the processes and apps employed by the bad guys

The U.S. Department of Energy's Pacific Northwest National Laboratory (PNNL) is offering an open-source version of a homegrown tool that gathers an additional layer of intelligence during an attack.

The so-called Hone tool is basically a host-based sensor that automatically pinpoints which application or process on an infected machine is communicating with an external network. So it could help determine the specific app used between a bot and its command-and-control, or between an infected machine and the attacker trying to siphon information or intellectual property.

PNNL, which was the victim of consecutive targeted attacks last summer, is test-running Hone along with its homegrown visualization technology. The open-source Hone code is available to the public, and its creator, Glenn Fink, hopes the community will share any extensions to the tool in the public domain as well. It's currently available for Linux, and the lab is also working on Windows 7 and Mac OS X versions.

When a user unknowingly picks up spyware and is unaware of the background communication from his now-infected machine to the attacker, Hone would detect the traffic and isolate it to, say, the type of browser. "Hone can find this new process talking to the network. And even if it only talks to the network once a month, you still have a record of it," Fink says.

Today, correlating unusual communications trends between computers inside the network and hosts outside it can be a laborious process, and it's often difficult to discern which application is communicating. Malicious apps duck in and out, too, so it's difficult to track them.
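The correlation the article describes, tying a network connection back to the process that owns it and keeping a record of it even when the process only talks occasionally, can be illustrated on Linux with user-space data alone. The following is an added example, not PNNL's Hone code: it joins the kernel's /proc/net/tcp socket table with the socket:[inode] links under /proc/<pid>/fd, using constructed samples of both (the process names, pids, addresses and inodes are made up) so it runs offline. The "external" classification is a simple assumption here (anything outside private, loopback and link-local space); a real deployment would read the live /proc files instead of the embedded strings.

```python
"""Attribute TCP connections to owning processes by joining /proc/net/tcp with
/proc/<pid>/fd socket links. Added example, not PNNL's Hone code; all input
below is constructed."""
import ipaddress
import re
import socket
import struct

# Constructed /proc/net/tcp: a loopback listener, an unrecognised binary
# talking to an external host, and a browser talking to an internal server.
# The kernel prints IPv4 addresses as a host-byte-order u32 in hex, so
# 0100007F is 127.0.0.1 on x86 and 22D8B85D is 93.184.216.34.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:E1C6 22D8B85D:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 23456 1 0000000000000000 20 4 30 10 -1
   2: 0F02000A:E1C7 0102000A:0050 01 00000000:00000000 00:00000000 00000000  1000        0 34567 1 0000000000000000 20 4 30 10 -1
"""

# Constructed readlink results for /proc/<pid>/fd/*; a live sensor would
# call os.readlink on each entry. Non-socket links are ignored.
SAMPLE_FD_LINKS = """\
/proc/4242/fd/3 -> socket:[12345]
/proc/5150/fd/7 -> socket:[23456]
/proc/3301/fd/42 -> socket:[34567]
/proc/3301/fd/43 -> /home/user/.cache/mozilla/firefox/places.sqlite
"""

# Constructed pid -> command name map (from /proc/<pid>/comm on a live host).
SAMPLE_COMM = {4242: "python3", 5150: "updater.bin", 3301: "firefox"}

TCP_STATES = {"01": "ESTABLISHED", "0A": "LISTEN"}
FD_SOCKET_RE = re.compile(r"^/proc/(\d+)/fd/\d+ -> socket:\[(\d+)\]$")


def hex_to_endpoint(field):
    """Decode 'AABBCCDD:PPPP' from /proc/net/tcp into ('a.b.c.d', port)."""
    addr_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Return one dict per socket row: local, remote, state code, inode."""
    rows = []
    for line in text.splitlines()[1:]:  # skip the column header
        parts = line.split()
        if len(parts) < 10:
            continue
        rows.append({"local": hex_to_endpoint(parts[1]),
                     "remote": hex_to_endpoint(parts[2]),
                     "state": parts[3], "inode": int(parts[9])})
    return rows


def parse_fd_links(text):
    """Map socket inode -> pid from readlink output of /proc/<pid>/fd/*."""
    owners = {}
    for line in text.splitlines():
        m = FD_SOCKET_RE.match(line.strip())
        if m:
            owners[int(m.group(2))] = int(m.group(1))
    return owners


def is_external(ip):
    """Assumed policy: anything outside private/loopback/link-local space."""
    a = ipaddress.ip_address(ip)
    return not (a.is_private or a.is_loopback or a.is_link_local or a.is_unspecified)


def attribute_connections(net_tcp_text, fd_text, comm):
    """Join each socket to its owning process and flag outbound external peers."""
    owners = parse_fd_links(fd_text)
    result = []
    for row in parse_proc_net_tcp(net_tcp_text):
        pid = owners.get(row["inode"])
        result.append({
            "pid": pid,
            "process": comm.get(pid, "<unknown>") if pid is not None else "<unowned>",
            "local": row["local"], "remote": row["remote"],
            "state": TCP_STATES.get(row["state"], row["state"]),
            # Listening sockets have no peer; only established external peers count.
            "external": row["state"] != "0A" and is_external(row["remote"][0]),
        })
    return result


class ConnectionLedger:
    """First/last-seen per (process, remote), so a rare beacon is still on record.
    Timestamps are ISO-8601 strings so they compare lexically."""

    def __init__(self):
        self.entries = {}

    def observe(self, attributed, when):
        for c in attributed:
            if not c["external"]:
                continue
            key = (c["process"], c["remote"])
            e = self.entries.setdefault(key, {"first_seen": when, "last_seen": when, "count": 0})
            e["last_seen"] = when
            e["count"] += 1

    def first_seen_after(self, when):
        """(process, remote) pairs whose first external contact is newer than `when`."""
        return sorted(k for k, e in self.entries.items() if e["first_seen"] > when)
```

Run against the constructed input, attribute_connections reports the loopback listener as python3, the internal web connection as firefox, and the only external peer as updater.bin on 93.184.216.34:443; feeding successive snapshots into ConnectionLedger keeps a first-seen date for that pair even if it reappears only once a month. Polling /proc like this can miss a connection that opens and closes between snapshots, which is the gap a kernel-resident sensor like Hone is meant to close.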

Fink, who first developed the tool as a graduate student at Virginia Tech University, says Hone is akin to a scalpel, while existing tools of this kind are akin to a chainsaw. "It provides a new source of data," he says, and could let an organization under attack ultimately control traffic on a packet-by-packet basis. It would drill down to the application process and identify whether it was Internet Explorer or iTunes that was being used by the attacker, for example, he says.

Such a tool just might have come in handy for PNNL on the Friday of last year's July Fourth weekend, when the lab discovered it had been hit by a sophisticated targeted attack. The attackers used a combination of a Web server vulnerability and a payload that delivered a zero-day Adobe Flash exploit. PNNL, a research and development facility operated under contract to the Department of Energy, had to temporarily shut down most of its internal network services, including email, SharePoint, its wireless LAN, voicemail, and Internet access, as well as block internal traffic while investigating and mitigating the attack. The lab said no classified or sensitive information was taken.

In an interview with Dark Reading in the aftermath of the attack, Jerry Johnson, chief information officer for PNNL, said the attackers at first infiltrated some of PNNL's public-facing Web servers that contained publicly available information. The attackers exploited a bug in the server, and then rigged it with a malicious payload that planted an Adobe Flash zero-day exploit on victims' machines. A second-wave attack originating from another laboratory was more serious: The attackers were able to gain privileged credentials to gain access to a more sensitive side of PNNL's network.

If available at the time, Hone could have been useful as a way to spot malicious app behavior or malicious apps. "This tool probably would have helped in that situation," PNNL's Fink notes.

The catch with Hone is that it must be built into the OS kernel, something that could deter its wider adoption, notes Richard Bejtlich, chief security officer with Mandiant. "I don't see that happening for many organizations," he says.

Mandiant's Bejtlich notes that there are similar capabilities already in the OS, such as Windows Event Tracing.

But PNNL's Fink says these built-in functions, such as Windows Event Tracing and DTrace in Linux and Mac OS X, are much cruder and more inefficient for gathering this type of intelligence. They could be used in a basic manner to trace activities back to system calls, but these tools require more software to be written around them to do what Hone does, he says.

The tool is available for download here. Fink and his team are hoping developers will clone and improve on its features.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

User Rank: Apprentice
4/18/2012 | 11:41:32 AM
re: DOE Lab Releases Open-Source Attack Intelligence Tool
The link to download the software needs to be:

User Rank: Apprentice
4/18/2012 | 11:14:02 AM
re: DOE Lab Releases Open-Source Attack Intelligence Tool
Protip: https://github.com/HoneProject...

Maybe the author of this article should confirm working D/L links.
"404 ERROR"

User Rank: Strategist
4/18/2012 | 2:53:00 AM
re: DOE Lab Releases Open-Source Attack Intelligence Tool
The link https://github.com/HoneProject... is broken !!