ThetaRay Case Study: Fixed Time Series – Beaconing Host Detection


CASE STUDY

Fixed Time Series – Beaconing Host Detection (Confidential)

Table of Contents

• Executive Summary

• Fixed Time Series – Beaconing Host Detection

• Case Study Overview

• Anomaly Detection

• Anomaly Analysis

• Security Event Information

• Forensic Security Investigation

• Conclusion


Executive Summary

This Case Study presents an example of a fixed time series anomaly, detected by ThetaRay’s Hyper-dimensional big data analytics platform. Once confirmed by the customer, ThetaRay was able to provide details about the anomaly, showing how it detected an unknown malware infection that was not identified by any other security solution or product.

Time series type anomalies are a repetitive deviation from the baseline activity of data coming from a network or a complex infrastructure; they are measured in set time intervals. This type of anomalous activity is detected by ThetaRay’s machine learning algorithmic core, which exposed not only an initial malware infection but, more importantly, the post-mutation malicious code at the earliest signs of infiltration of a customer’s infrastructure. ThetaRay was thus able to alert the customer well before any damage could occur.

Details about this detection story are provided herein, describing ThetaRay’s findings on a set of compromised hosts that were part of a leading defense contractor’s network. The threat was identified by monitoring vast data sets of internet activities via a single recording device placed at an important intersection on the customer’s network. It is important to note that while both inbound and outbound traffic were monitored, ThetaRay operated in non-intrusive mode, and had no access to any internal data resources.

The description of the time series and the nature of the attack includes the following:

• Description of the anomaly detection process;

• In-depth analysis of the detected anomalies;

• Showing how anomalies are clearly linked with security events;

• The forensic security investigation and conclusions;

• Recommendations and mitigation instructions for the identified threat.

This case study is just one example of the type of threats that ThetaRay’s innovative solutions can identify. The scope of these capabilities goes far beyond the standard rules-based and signature-based detection methods used by the current generation of anti-APT vendors.

This case study shows how ThetaRay uses superior big data analytics to provide cybersecurity specialists with a higher level of awareness of network activities, and how that translates into an enhanced level of protection.


Case Study Overview

ThetaRay was engaged by a leading defense contractor to evaluate the computer network used by its employees during two weeks in Q3 2013. The network had 950 users, for which the customer tasked ThetaRay with monitoring the inbound and outbound Internet traffic only. The monitoring was accomplished by placing a single network analyzer (i.e., a sniffer) at the perimeter of the network. ThetaRay was not privy to any internal network communications or information from other resources.

During the evaluation period, over 400 million packets were analyzed, representing 300 GB of network traffic. It is important to emphasize that with ThetaRay’s non-intrusive, unknown threat detection technology, no changes were made to the customer’s existing network topology, nor were any software applications or clients installed. ThetaRay’s platform operates on the raw data as is.

In the following sections of this case study, we describe the unknown attack that was detected by ThetaRay’s threat detection platform and then explain the findings in detail. We show the characteristics of the fixed time series anomaly and expose the malicious activities behind it. Lastly, we present the findings and the recommendations in a Customer Action Report and close with a review of the specific attack that was uncovered.

Anomaly Detection

One of the ways to point out anomalous activities in endless amounts of data is to use analytics for uncovering time series generators. The most common generators of time series are beaconing hosts.

A ‘beacon’ is traffic that leaves and/or enters the network at regular intervals, also known as a heartbeat. In various real-world scenarios, beacons can be used for purposes such as obtaining new orders from a C&C server or malware downloading updates. Beacons can therefore be part of malicious activities.

Within the context of malicious attacks, the specific functionality of a beaconing host depends on the goal of the attacker and on the stage the attack is at. A beacon can use any network protocol and attempt to communicate with a single remote host, or reach out to multiple hosts.

In Figure 1 shown below, the activity of a beacon is evident in the network’s DNS traffic. Examining the graph, the DNS traffic appears in blue, and the red blocks represent the beacons as they appear regularly in what is defined as a fixed time series.

In this case study, we refer to a DNS conversation as all the DNS traffic between two IP addresses via two ports. Looking at the traffic graph, it is evident that as the cumulative DNS traffic volume increases, the regularity and the consistency of the anomalies become more defined.

Fixed Time Series – Beaconing Host Detection

Figure 1: Fixed Time Series Anomalies in Bulk of DNS Traffic (each red block represents two pairs of anomalous DNS conversations; the blocks are approx. 35 sec apart)


Anomaly Analysis

In Figure 1 each red block represents a single item in the series, which is comprised of two pairs of DNS conversations, for a total of four conversations. In addition to the regularity of the timing already discussed, these anomalies had the following characteristics:

• Each conversation has the same two remote destination IP addresses;

• The number of client and server packets is similar (typically 225 packets each);

• The number of client and server bytes is similar (typically 3 bytes each);

• Duration of the conversation.

The anomalous activity comes in the shape of a pair of DNS conversations, followed by another anomalous pair of DNS conversations that take place two seconds later. Then, about 35 seconds later, a similar pair of anomalies with comparable features is repeated. The red blocks in Figure 1 represent the two conversations, and the line between them is the duration of approximately 35 seconds. This is where the time series anomaly is expressed very clearly.

In Figure 2, each red chevron represents one red line, or one pair of DNS conversations, separated by two seconds.

Due to network latency, the 35-second timing is approximate, which in turn makes the gap between the conversation pairs appear uneven when zooming in on the graph. In reality, each tall red line represents one pair of anomalous conversations that take place at a two-second interval.

Figure 2: Beaconing Host DNS Traffic Detected as a Time Series Anomaly (pairs approx. 35 sec apart)

At this stage of the analysis, it is important to clarify that the fixed time series has been merely identified by ThetaRay’s proprietary algorithms as a suspicious event. It has not yet been verified that each anomaly is part of an attack involving malicious beacons, and they are still classified as potentially benign.

Drilling down and looking at the network’s traffic from another angle, the same fixed time series event is once again evident. The pair of red lines corresponds to the red blocks in Figure 1.


We can depict the anomalies as follows:

Figure 3: Sequential Depiction of the Anomaly’s Flow (DNS queries to 202.101.103.55 and 202.101.103.54, followed two seconds later by a DNS query to 202.101.103.55, repeated at two-second intervals)

Figure 4: Anomalous DNS Conversations Within the Overall DNS Traffic

Figure 5: Anomalous DNS Conversations

Each pair of queries in Figure 3 is an anomaly, and the series of repeated anomalies at set intervals of two seconds, and then 35 seconds, translates into a security event once aggregated.

Up to this point, the anomalies were presented in graphic formats. The next step is to examine the actual data that triggered them.

In the image shown in Figure 4, the anomalous DNS conversations are highlighted in green and red, within the continuous flow of overall DNS network traffic.

Using a similar representation, each individual DNS conversation is shown below in a corresponding color (Figure 5).

Figure 4, shown below, presents a snippet of the organization’s DNS network traffic in chronological order. Successive rows marked in green and red represent pairs of DNS conversations with repeating destination IP addresses: 202.101.103.55 and 202.101.103.54, respectively.

Note that the anomalous DNS conversations are highlighted within the continuous flow of DNS network traffic.


Figure 7: Customer Action Report

Key Parameter – Description

Event Name: Potential botnet activity on the network

Event Description:

• A robot's behavior was detected on outbound DNS traffic.

• The DNS requests consist of an A query record, requesting to resolve the IP address of cn.pool.ntp.org (NTP service).

• The requested host provides clock synchronization with local time in China.

Threat Severity:

• High

• Outbound traffic was observed; potential data exfiltration.

Anomaly Type: Fixed time series in DNS traffic

Anomaly Score: 95%

Remote IP Addresses Involved: 202.101.103.55 and 202.101.103.54

Recommended Actions:

• Inspect the LAN DNS traffic directed to the above IP addresses in order to identify compromised hosts.

• Disconnect the compromised hosts from the network until the threat is eliminated.

Remarks: The reported DNS servers and the NTP service provider are legitimate and could have been used in legitimate activity.

A snippet of eight successive items in the anomalous time series, with all other DNS traffic filtered out, appears below in Figure 6.

Taking a closer look at the screen capture, the relative time column (Rel. Start) shows a fixed time interval between the items and the performed operations. Each green and red pair is separated by approximately two seconds, and each pair of two conversations is separated by approximately 35 seconds.

Figure 6: DNS Traffic Generated by Beacons, Forming Fixed Time Series Anomaly (approx. 2 sec within a pair, approx. 35 sec between pairs)

To summarize, both a graphic representation and vast traffic data show a clearly anomalous fixed time series event.

The event was identified as a beacon that has two set destinations, consistently communicating with IP addresses 202.101.103.55 and 202.101.103.54.

Aggregating the anomalies points to a security event affecting the customer’s network.

Information about the event was supplied to the customer’s security team in the form of a Customer Action Report, tabulated in Figure 7.
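The two-level pattern described above (conversations about two seconds apart forming one series item, items repeating roughly every 35 seconds, and a single host beaconing to two remote addresses) can be turned into detection logic over DNS conversation records. The following is an added example written for this page, not ThetaRay’s code; the client addresses 10.0.0.17 and 10.0.0.42, the internal resolver 10.0.0.1 and the thresholds are constructed assumptions, while the two remote addresses are the ones reported in the case study.

```python
from collections import defaultdict
from statistics import mean, pstdev

INTRA_ITEM_GAP = 5.0   # conversations closer than this belong to one series item
MIN_ITEMS = 4          # fewer repetitions are not enough to call it a series
MAX_JITTER = 0.10      # allowed pstdev/mean of the item interval (network latency)


def build_sample():
    """Constructed DNS conversation records: (start_seconds, client_ip, remote_ip).

    Hypothetical host 10.0.0.17 talks to the two resolvers named in the case
    study in pairs 2 s apart, repeating every ~35 s with latency jitter;
    hypothetical host 10.0.0.42 makes irregular lookups as background noise.
    """
    rows, t = [], 10.0
    for i in range(6):
        for dst, off in (("202.101.103.55", 0.0), ("202.101.103.54", 0.1)):
            rows.append((t + off, "10.0.0.17", dst))
            rows.append((t + 2.0 + off, "10.0.0.17", dst))
        t += 35.3 if i % 2 else 34.8
    for t2 in (3.0, 17.5, 44.0, 51.2, 98.9, 130.4, 133.0, 170.7):
        rows.append((t2, "10.0.0.42", "10.0.0.1"))
    return sorted(rows)


def group_items(starts, intra_gap=INTRA_ITEM_GAP):
    """Cluster sorted start times into series items (bursts of conversations)."""
    items = []
    for s in starts:
        if items and s - items[-1][-1] <= intra_gap:
            items[-1].append(s)
        else:
            items.append([s])
    return items


def find_beacons(rows):
    """Return {(client, remote): summary} for pairs showing a fixed-interval series."""
    by_pair = defaultdict(list)
    for start, src, dst in rows:
        by_pair[(src, dst)].append(start)
    hits = {}
    for pair, starts in by_pair.items():
        items = group_items(sorted(starts))
        if len(items) < MIN_ITEMS or len({len(i) for i in items}) != 1:
            continue  # too few repetitions, or items of inconsistent shape
        gaps = [b[0] - a[0] for a, b in zip(items, items[1:])]
        period = mean(gaps)
        if pstdev(gaps) / period > MAX_JITTER:
            continue  # interval drifts too much to be a fixed time series
        hits[pair] = {
            "period": round(period, 1),                                  # ~35 s
            "intra_span": round(mean(i[-1] - i[0] for i in items), 1),  # ~2 s
            "items": len(items),
            "per_item": len(items[0]),
        }
    return hits


def aggregate_by_host(hits):
    """Fold per-destination beacons into one event per client host (Figure 7 style)."""
    hosts = defaultdict(list)
    for src, dst in hits:
        hosts[src].append(dst)
    return {src: sorted(dsts) for src, dsts in hosts.items()}
```

Running `aggregate_by_host(find_beacons(build_sample()))` on the constructed sample yields one host to inspect with both remote addresses, while the irregular background lookups are not flagged.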

Security Event Information

The following Customer Action Report presents information about the detected anomalous activity in an actionable format to enable the company’s IT security specialists to investigate the two IP addresses and discern whether the attack has caused any damage. The team could then take pointed action to eliminate the threat.

The forensic information provided by ThetaRay includes the timestamp of the detection, source and destination IP addresses, detection method, scope, and potential damage caused by the detected anomalies.

In addition to the Customer Action Report, the corresponding network capture file(s) are provided to the customer’s security team in pcap format.

Forensic Security Investigation

The anomalous DNS traffic that was detected by ThetaRay as a time series event was found to have been generated by compromised hosts that were abused by malicious actors as a result of an unknown attack.

A preliminary investigation conducted by ThetaRay found that the organization’s network was compromised by malware with botnet characteristics, controlled remotely from a China-based location. The location was determined by examining the DNS requests shown below (see Figure 8), which consist of a query to resolve the IP address of cn.pool.ntp.org in order to synchronize the clock with the local time in China.

Further investigation conducted by the organization’s own IT security department uncovered six infected hosts on their LAN, compromised by information-stealing malware of Chinese origin. These hosts functioned as bots in a large-scale botnet. All the bots were controlled by the same operator located in China.

Note that while the customer’s network was protected by solutions such as a NGFW, next-generation threat prevention, and a popular SIEM tool, those were unable to detect this unknown attack or the fact that six hosts had already been compromised and were acting as bots.

Figure 8: Anomalous DNS Packet Details (as Captured Using Wireshark Network Analyzer)

Conclusion

This case study describes a fixed time series anomaly detected in DNS traffic that revealed an unknown threat which had already penetrated a defense contractor’s computer network. The anomalies were picked up by analyzing big data sets, even though ThetaRay only had access to network data from the perimeter of the network.

While each individual anomaly could have been considered benign on its own, when multiple instances were analyzed and aggregated to one unit, suspicious patterns were easily and automatically discerned. It was only possible to discover the patterns via ThetaRay’s Hyper-dimensional Big Data threat detection solution™, enabling the customer to see the big picture leveraging the organization’s big data.

After implementing ThetaRay’s Hyper-dimensional big data analytics platform, and providing the customers with supporting forensics, six compromised hosts were identified as communicating with a Chinese botnet.

The client’s standard rule-based next-generation firewall (NGFW) and next-generation advanced threat prevention solutions neither detected the original attack nor flagged the six hosts being exploited as zombie bots. When relying on traditional enterprise-grade anti-malware solutions, detection of an unknown pattern is very often missed entirely, leaving the network exposed to ongoing malicious activity. It is only ThetaRay’s proprietary algorithms and threat detection platform that can identify such unprecedented patterns and make sense of them from within large volumes of big data.

The nature of cyber-attacks has evolved and a new security paradigm is required to enable organizations to simultaneously see all anomalies across multiple operations, systems and protocols. This enables the identification of hidden signs of unknown threats in minutes rather than months, protecting networks and infrastructure against sophisticated APT attacks. ThetaRay’s solutions are able to detect and counter today’s unknown threats, as clearly demonstrated in this case study.

The ThetaRay advantages detailed in this document are:

• Automatic, unsupervised detection of unknown threats;

• Minimal footprint to monitor multiple data sources;

• No disruption to the network users’ experience;

• No big data know-how or threshold setting is required;

• Near real-time analysis of multi-dimensional big data sets;

• Detailed actionable reports that enable IT security teams to pinpoint the attack source, identify any damage caused, and mitigate or remedy the threat.

After receiving ThetaRay’s findings and recommendations, the defense contractor recognized that the time series anomaly revealed a serious breach of their sensitive network and took action to eliminate the threat. Additional steps were required in order to mitigate potential damage that had already occurred while this attack went undetected before ThetaRay’s intervention.


ThetaRay, 24 Hebron Road, Jerusalem, 9354212, Israel | Tel: +972-2-640-9763 | [email protected] | www.thetaray.com

About ThetaRay

ThetaRay is a leading provider of unknown threat detection solutions to critical infrastructure, financial institutions and organizations using Industrial Internet. The company’s core technology is based on state of the art machine learning algorithms which power its proprietary Hyper-Dimensional Big Data Analytics™. Nowadays, highly customized, sophisticated cyber-attacks easily circumvent traditional security, with adversaries being able to breach, lurk, and operate surreptitiously inside compromised networks for months and years before they are exposed due to impact.

ThetaRay’s patented, award-winning threat detection platform automatically uncovers unknown cyber and operational issues within minutes, allowing customers to take action and avert disaster before any damage occurs. Organizations tasked with securing highly heterogeneous environments that include ICS/SCADA devices, IoT and multiple other data sources, leverage ThetaRay’s unmatched detection and low false positive rates as a see-all power that enables them to unify detection and defeat the unknown.

To learn more about how you can begin uncovering unknown threats and start protecting your critical infrastructure, contact ThetaRay today: www.thetaray.com | @ThetarayTeam | LinkedIn | Facebook | Pinterest