Improving Threat-hunting Efficiency with the Multi-homed Attribute

July 9, 2019
Hsin Chen
Data Scientist

In a previous blog, we spoke about the importance of security enrichments in your network metadata. They serve as the foundation on which threat hunters and analysts test and query hypotheses during an investigation. Our data science team will continue to share examples of the work we do to surface these enrichments.

Today’s example will focus on the multi-homed attribute that you can find in Cognito Stream, Cognito Recall and the underlying engines in Cognito Detect. This attribute empowers security teams with an extra level of efficiency as they determine whether an identified command-and-control or exfiltration channel might be malicious.

If you observe network traffic today, it is possible that a domain will resolve to multiple IP addresses. This is likely indicative of an external host that is part of a larger infrastructure. An attacker's command-and-control (C&C) channel, unless it leverages obfuscation techniques, is unlikely to use such a large infrastructure, because best-practice operations security (OPSEC) dictates that attacker infrastructure should be siloed.

A siloed architecture not only creates a smaller footprint but also makes it difficult for an investigator to correlate separate attacks and determine intent. A larger attack infrastructure goes against the need to silo operations and makes it harder and more expensive for attackers to achieve their goals. Knowing whether traffic is going to an IP address delivered through a larger infrastructure can be helpful when investigating various external connections for command-and-control activity.

An investigator or threat hunter can use this attribute to remove traffic going to these IP addresses and domains from their investigative surface area, reducing false positives and improving the efficiency of security operations center (SOC) processes. The rationale for removing this traffic is that advanced attackers will operate with best OPSEC practices, while lower-level attackers will avoid the cost and complexity of a larger infrastructure.

While it is represented as a single attribute in your underlying metadata, the algorithm that generates it is quite powerful. It is a dynamic model that constantly listens to DNS traffic and extracts A records and CNAMEs. The model recursively resolves each CNAME and A record and then counts the IP addresses associated with each domain. Because DNS mappings are transitory, the model is constantly learning and forgetting, ensuring the most up-to-date determination. A Boolean attribute called HostMultihomed is associated with the effective destination addresses and is present in the iSession, HTTP and TLS metadata streams in both Cognito Stream and Cognito Recall.
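To illustrate the approach described above, here is a small Python model written for this article; it is not Vectra's code, and the 600-second forget window, the two-address threshold and the DNS answers it ingests are all constructed assumptions. It follows CNAME chains recursively to their A records, counts distinct IP addresses per domain, and drops observations older than the window so the determination reflects current DNS state.

```python
from collections import defaultdict
from typing import Dict, Set

# Constructed sample DNS answers: (timestamp in seconds, name, record type, value).
SAMPLE_RECORDS = [
    (0,   "cdn.example.com",      "CNAME", "edge.example-cdn.net"),
    (0,   "edge.example-cdn.net", "A",     "203.0.113.10"),
    (5,   "edge.example-cdn.net", "A",     "203.0.113.11"),
    (10,  "edge.example-cdn.net", "A",     "203.0.113.12"),
    (20,  "c2.example.org",       "A",     "198.51.100.7"),
    (900, "c2.example.org",       "A",     "198.51.100.7"),
]


class MultihomedModel:
    """Learns A/CNAME mappings from DNS answers and forgets stale ones (assumed design)."""

    def __init__(self, forget_after: int = 600, threshold: int = 2):
        self.forget_after = forget_after          # assumption: seconds before an answer is forgotten
        self.threshold = threshold                # assumption: distinct IPs needed to be multi-homed
        self.cnames: Dict[str, Dict[str, int]] = defaultdict(dict)     # name -> {alias target: last seen}
        self.a_records: Dict[str, Dict[str, int]] = defaultdict(dict)  # name -> {ip: last seen}

    def observe(self, ts: int, name: str, rtype: str, value: str) -> None:
        table = self.cnames if rtype == "CNAME" else self.a_records if rtype == "A" else None
        if table is not None:
            table[name][value] = ts               # relearn: refresh the last-seen time

    def _forget(self, now: int) -> None:
        for table in (self.cnames, self.a_records):
            for name in list(table):
                table[name] = {v: t for v, t in table[name].items() if now - t <= self.forget_after}
                if not table[name]:
                    del table[name]

    def _collect(self, name: str, seen: Set[str]) -> Set[str]:
        if name in seen:                          # guard against CNAME loops
            return set()
        seen.add(name)
        ips = set(self.a_records.get(name, {}))
        for target in self.cnames.get(name, {}):  # recurse through the CNAME chain
            ips |= self._collect(target, seen)
        return ips

    def resolve_ips(self, name: str, now: int) -> Set[str]:
        self._forget(now)
        return self._collect(name, set())

    def is_multihomed(self, name: str, now: int) -> bool:
        return len(self.resolve_ips(name, now)) >= self.threshold


def build_model(records=SAMPLE_RECORDS) -> MultihomedModel:
    model = MultihomedModel()
    for record in records:
        model.observe(*record)
    return model
```

Querying `build_model().is_multihomed("cdn.example.com", 30)` flags the CDN-fronted name, while the single-address `c2.example.org` stays unflagged; querying again at a much later time shows the stale CDN answers being forgotten.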

For more information, please contact your local Vectra representative. If you’re a Vectra customer and require guidance with the multi-homed attribute in your deployment, please reach out to your customer success manager.