4/17/2012
06:23 PM
DOE Lab Releases Open-Source Attack Intelligence Tool

Pacific Northwest National Laboratory offers up, continues to build out a tool that drills down into the processes and apps employed by the bad guys

The U.S. Department of Energy's Pacific Northwest National Laboratory (PNNL) is offering an open-source version of a homegrown tool that gathers an additional layer of intelligence during an attack.

The so-called Hone tool is basically a host-based sensor that automatically pinpoints which applications or processes on an infected machine are communicating with an external network. So it could help determine the specific app used between a bot and its command-and-control, or between an infected machine and the attacker trying to siphon information or intellectual property.

PNNL, which was the victim of consecutive targeted attacks last summer, is test-running Hone along with its homegrown visualization technology. The open-source Hone code is available to the public, and its creator, Glenn Fink, hopes the community will then share any extensions to the tool in the public domain as well. It's currently available for Linux, and the lab is also working on Windows 7 and Mac OS X versions.

When a user unknowingly picks up spyware and is unaware of the background communication from his now-infected machine to the attacker, Hone would detect the traffic and isolate it to, say, the type of browser. "Hone can find this new process talking to the network. And even if it only talks to the network once a month, you still have a record of it," Fink says.

Today, correlating unusual communications trends between computers and outside the network can be a laborious process, and it's often difficult to discern which application is communicating. Malicious apps duck in and out, too, so it's difficult to track them.
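As an added illustration of the kind of correlation Hone automates (this is not code from the article or from the Hone project), the following Python script joins the Linux /proc/net/tcp socket table to the socket inodes each process holds open under /proc/<pid>/fd, so every connection is tagged with its owning process. The /proc/net/tcp rows and the inode-to-process map embedded below are constructed so the script runs offline; on a real Linux host it reads the live tables instead. It is a user-space polling approximation: unlike a kernel-resident sensor it misses connections that open and close between scans and cannot name the owner of a socket whose process has already exited, which is exactly the gap the article describes.

```python
"""Attribute live TCP connections to the processes that own them.

Added example, not Hone's own code. Hone does this in the kernel; this script
approximates the idea from user space on Linux by joining /proc/net/tcp (one
row per socket, including its inode) against the socket inodes found under
/proc/<pid>/fd. Constructed sample data is embedded so it runs offline.
"""
import ipaddress
import os
import socket
import struct

# Kernel TCP state codes as printed in the 'st' column of /proc/net/tcp.
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}


def _decode_addr(field):
    """'0100007F:0050' -> ('127.0.0.1', 80). IPv4 is stored little-endian."""
    addr_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Yield (local, remote, state_code, inode) for each socket row."""
    for line in text.splitlines():
        parts = line.split()
        # Data rows start with a row number such as '0:'; the header does not.
        if len(parts) < 10 or not parts[0].endswith(":"):
            continue
        yield _decode_addr(parts[1]), _decode_addr(parts[2]), parts[3], int(parts[9])


def socket_inode_owners(proc_root="/proc"):
    """Map socket inode -> (pid, comm) by reading every /proc/<pid>/fd link.

    Other users' fd tables need root; unreadable or already-exited processes
    are skipped rather than aborting the scan.
    """
    owners = {}
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if target.startswith("socket:["):
                inode = int(target[len("socket:["):-1])
                try:
                    with open(os.path.join(proc_root, pid, "comm")) as f:
                        comm = f.read().strip()
                except OSError:
                    comm = "?"
                owners[inode] = (int(pid), comm)
    return owners


def attribute_connections(tcp_text, owners):
    """Join each socket row to its owner; rows with no owner are flagged.

    Inode 0 (e.g. a TIME_WAIT socket whose process is gone) or an inode no live
    process holds cannot be attributed from user space after the fact.
    """
    records = []
    for (lip, lport), (rip, rport), state, inode in parse_proc_net_tcp(tcp_text):
        pid, comm = owners.get(inode, (None, "<unattributed>"))
        records.append({
            "pid": pid,
            "comm": comm,
            "local": f"{lip}:{lport}",
            "remote": f"{rip}:{rport}",
            "state": TCP_STATES.get(state, state),
            # Peers outside private/loopback/reserved space are the ones an
            # analyst wants tied to an application first.
            "external": ipaddress.ip_address(rip).is_global,
        })
    return records


# Constructed sample: an sshd listener, a browser session to a public address,
# and a TIME_WAIT socket with inode 0 that nothing owns any more.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0A00000A:C3B2 22D8B85D:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1
   2: 0A00000A:C3B3 22D8B85D:01BB 06 00000000:00000000 03:00000A2B 00000000     0        0 0 3 0000000000000000
"""
SAMPLE_OWNERS = {12345: (812, "sshd"), 67890: (4021, "firefox")}


if __name__ == "__main__":
    if os.path.exists("/proc/net/tcp"):
        with open("/proc/net/tcp") as f:
            rows = attribute_connections(f.read(), socket_inode_owners())
    else:
        rows = attribute_connections(SAMPLE_TCP, SAMPLE_OWNERS)
    for r in rows:
        if r["external"] or r["pid"] is None:
            print(f'{r["comm"]:>16} pid={r["pid"]} {r["local"]} -> {r["remote"]} {r["state"]}')
```

Run as root on a Linux host to see every process's sockets; as an ordinary user only your own processes are attributable and everything else shows up as unattributed. Polling this way once a minute would never see the once-a-month connection Fink mentions unless the scan happened to coincide with it, which is why Hone hooks the kernel rather than sampling the socket table.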

Fink, who first developed the tool as a graduate student at Virginia Tech University, says Hone is akin to a scalpel, while existing tools of this kind are akin to a chainsaw. "It provides a new source of data," he says, and could let an organization under attack ultimately control traffic on a packet-by-packet basis. It would drill down to the application process and identify whether it was Internet Explorer or iTunes that was being used by the attacker, for example, he says.

Such a tool just might have come in handy for PNNL on the Friday of last year's July Fourth weekend, when the lab discovered it had been hit by a sophisticated targeted attack. The attackers used a combination of a Web server vulnerability and a payload that delivered a zero-day Adobe Flash exploit. PNNL, a research and development facility operated under contract to the Department of Energy, had to temporarily shut down most of its internal network services, including email, SharePoint, its wireless LAN, voicemail, and Internet access, as well as block internal traffic while investigating and mitigating the attack. The lab said no classified or sensitive information was taken.

In an interview with Dark Reading in the aftermath of the attack, Jerry Johnson, chief information officer for PNNL, said the attackers at first infiltrated some of PNNL's public-facing Web servers that contained publicly available information. The attackers exploited a bug in the server, and then rigged it with a malicious payload that planted an Adobe Flash zero-day exploit on victims' machines. A second-wave attack originating from another laboratory was more serious: The attackers were able to gain privileged credentials to gain access to a more sensitive side of PNNL's network.

If available at the time, Hone could have been useful as a way to spot malicious app behavior or malicious apps. "This tool probably would have helped in that situation," PNNL's Fink notes.

The catch with Hone is that it must be built into the OS kernel, something that could deter its wider adoption, notes Richard Bejtlich, chief security officer with Mandiant. "I don't see that happening for many organizations," he says.

Mandiant's Bejtlich notes that there are similar capabilities already in the OS, such as Windows Event Tracing.

But PNNL's Fink says these built-in functions, such as Windows Event Tracing and DTrace in Linux and Mac OS X, are much cruder and less efficient for gathering this type of intelligence. They could be used in a basic manner to trace activities back to system calls, but these tools require more software to be written around them to do what Hone does, he says.

The tool is available for download here. Fink and his team are hoping developers will clone and improve on its features.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
CiscoJones, User Rank: Apprentice
4/18/2012 | 11:41:32 AM
re: DOE Lab Releases Open-Source Attack Intelligence Tool
The link to download the software needs to be:
https://github.com/HoneProject
jerry5, User Rank: Apprentice
4/18/2012 | 11:14:02 AM
re: DOE Lab Releases Open-Source Attack Intelligence Tool
Protip: https://github.com/HoneProject...

Maybe the author of this article should confirm working D/L links.
"404 ERROR"
#FAIL
felixonline, User Rank: Strategist
4/18/2012 | 2:53:00 AM
re: DOE Lab Releases Open-Source Attack Intelligence Tool
The link https://github.com/HoneProject... is broken!!