Not All Data is Created the Same

May 21, 2019
Vectra AI Security Research team
Not All Data is Created the Same

Vectra customers and security researchers respond to some of the world’s most consequential threats. And they tell us there’s a consistent set of questions they must answer when investigating any given attack scenario. Starting with an alert from Cognito Detect, another security tool, or their intuition, analysts will form a hypothesis as to what is occurring.

Investigating data to look for beacons

They will then test their hypothesis by investigating the data to determine if they are looking in the right place or thinking in the right direction. Having access to the right data and insights can make all the difference in the investigation, both in terms of outcome and in the speed of achieving the outcome.

Consider the following scenario. Your team has learned about a banking trojan that uses a fake Google Chrome update to gain a command-and-control (C&C) foothold on the target system.

After an initial compromise via spear fishing or drive-by download, the exploited host downloads the full payload in the guise of a Chrome update before establishing the C&C channel and allow for further reconnaissance and lateral movement deeper into the network.

In this case, the implant calls back periodically to the attacker’s C&C infrastructure, which we would observe as beaconing behavior. Beaconing can be a weak indicator of potential malicious activity serving as the foundation for a C&C channel, or the call-back to fetch malware.

However, most commonly, beaconing is part and parcel of innocuous behaviors, such as your Smart TV or teleconferencing device reaching back to its home hub. Stock tickers and sports score updates are also notorious for beaconing.

How do you discover and identify the potentially malicious communication?

And if you find that communication is malicious, how do you respond?

This is precisely why Vectra uses AI engines to extract security insights that are embedded into our metadata before it is directly consumed by our customers or fed into our detection models. For instance, in the above threat hunting/investigation example, I want to be able to answer questions like:

  • Are there instances of beaconing observed in my network?
  • What external destinations are being beaconed to?
  • Which hosts are potentially infected, not just the IP address?
  • Does the beaconing cadence demonstrate unusual request/response frequency?
  • Is the payload size something I would normally see?
  • Does the beacon have a rare or unusual JA3 hash?
  • Is the traffic going to unusual external destination?
  • What is the privilege level of the hosts that are beaconing?
  • Are beaconing sessions obfuscated within a single, long connection?
  • Does the connection use unusual services and protocols?

Uncovering malware beaconing thanks to Cognito

The first step is to make sure that the attributes necessary to answer these questions are readily available to the security analyst.

Earlier this year we released Cognito Stream, which directly populates data lakes and security information event management (SIEMs) with Zeek-formatted network metadata that is enriched with these security insights.

Vectra customers use this security-enriched network metadata to leverage their existing custom tooling or analyze it with organization-specific models, such as policy and threat detection use cases.

Below is an example of the unique metadata attributes that are available as enriched metadata in Cognito Stream.

This is just the start. We have a full team of security researchers and data scientists who are on a mission to continuously increase the value of the network metadata in Cognito Stream through enrichments.

In future blogs, we’ll share details about other enrichments like JA3 popularity of clients and servers, web clusters, and domain popularity.