Suspicious HTTP

Signs of Suspicious HTTP Requests

  • Software on an internal host is initiating one or more HTTP requests that form a pattern typically observed in the command and control communications of recent malware samples.
  • The suspicious pattern may be the result of any combination of the following: (a) an incorrect or malformed User-Agent, (b) the absence, presence and order of a variety of HTTP headers, (c) the presence and regularity of beaconing in the requests and (d) connections to geographies that have a higher likelihood of hosting command and control servers.
  • Beaconing is the key driver of the threat score: the presence of all four factors places the threat score at the top of the range, combinations with fewer factors score successively lower, and combinations that do not include beaconing sit at the very low end of the range.
  • A suspicious User-Agent and suspicious HTTP headers contribute strongly to the certainty score, while geography and beaconing contribute weakly. Suspicious HTTP communication to multiple domains further increases the certainty score.
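The scoring described above, worked through as an added example (this is illustrative code written for this page, not Vectra's own scoring logic). It checks one internal host's outbound requests for the four factors, weights beaconing heavily in the threat score and User-Agent/header anomalies heavily in the certainty score, and adds a bonus when more than one domain looks suspicious. The weights, the beaconing threshold, the reference browser header order, the RISKY_GEOS list (the placeholder code ZZ) and the sample requests are all assumptions constructed for the example:

```python
"""Score one internal host's outbound HTTP against the four detection factors:
suspicious User-Agent, header set/order, beaconing and destination geography.

Added example for this page, not Vectra's scoring code. Weights, thresholds,
the reference header order and the risky-geo list are assumptions chosen for
illustration; SAMPLE_REQUESTS are constructed.
"""
import re
import statistics
from dataclasses import dataclass


@dataclass
class HttpRequest:
    ts: float       # request time, seconds since epoch
    host: str       # Host header / destination domain
    country: str    # ISO country code of the destination (assumed resolved by GeoIP already)
    headers: list   # (name, value) pairs in wire order


# Assumed reference order for a plain browser GET; real browsers vary by version.
BROWSER_ORDER = ["Host", "Connection", "User-Agent", "Accept", "Accept-Encoding", "Accept-Language"]
RISKY_GEOS = {"ZZ"}  # placeholder (ZZ is a user-assigned ISO code); fill from your own policy
# Beaconing dominates threat; UA and headers dominate certainty, as the page states.
THREAT_WEIGHTS = {"beaconing": 70, "user_agent": 10, "headers": 10, "geo": 10}
CERTAINTY_WEIGHTS = {"user_agent": 35, "headers": 35, "beaconing": 10, "geo": 10}
MULTI_DOMAIN_BONUS = 10  # per additional suspicious domain (assumption)


def suspicious_user_agent(ua):
    """Missing, non-printable, unbalanced, or not opening with a product/version token."""
    if not ua or not ua.strip():
        return True
    if ua.count("(") != ua.count(")"):
        return True
    if not re.match(r"^[A-Za-z][\w.\-]*/[\w.\-]+", ua):
        return True
    return any(not 0x20 <= ord(c) <= 0x7E for c in ua)


def suspicious_headers(headers):
    """Required headers absent, or the known ones appear in a non-browser order."""
    names = [n for n, _ in headers]
    if "Host" not in names or "Accept" not in names:
        return True
    seen = [n for n in names if n in BROWSER_ORDER]
    return seen != [n for n in BROWSER_ORDER if n in seen]


def beaconing(timestamps, min_samples=5, max_cv=0.2):
    """Regular intervals: enough samples and a low coefficient of variation of the gaps."""
    if len(timestamps) < min_samples:
        return False
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    return mean > 0 and statistics.pstdev(gaps) / mean <= max_cv


def domain_factors(reqs):
    """Evaluate the four factors over every request to one domain."""
    return {
        "user_agent": any(suspicious_user_agent(dict(r.headers).get("User-Agent")) for r in reqs),
        "headers": any(suspicious_headers(r.headers) for r in reqs),
        "beaconing": beaconing([r.ts for r in reqs]),
        "geo": any(r.country in RISKY_GEOS for r in reqs),
    }


def score_host(requests):
    """Return (threat, certainty, per-domain factors) for all requests from one host."""
    by_domain = {}
    for r in requests:
        by_domain.setdefault(r.host, []).append(r)
    per_domain = {d: domain_factors(rs) for d, rs in by_domain.items()}
    threat = certainty = 0
    for factors in per_domain.values():
        threat = max(threat, sum(w for f, w in THREAT_WEIGHTS.items() if factors[f]))
        certainty = max(certainty, sum(w for f, w in CERTAINTY_WEIGHTS.items() if factors[f]))
    suspicious = sum(1 for f in per_domain.values() if any(f.values()))
    if suspicious > 1:
        certainty = min(100, certainty + MULTI_DOMAIN_BONUS * (suspicious - 1))
    return threat, certainty, per_domain


BAD_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1"   # unbalanced parenthesis
GOOD_UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0"
SAMPLE_REQUESTS = (  # constructed: a 5-minute beacon, ordinary browsing, one odd UA elsewhere
    [HttpRequest(t, "update-check.example", "ZZ",
                 [("User-Agent", BAD_UA), ("Host", "update-check.example"), ("Accept", "*/*")])
     for t in (0, 301, 598, 902, 1199, 1500)]
    + [HttpRequest(t, "www.example.org", "US",
                   [("Host", "www.example.org"), ("Connection", "keep-alive"),
                    ("User-Agent", GOOD_UA), ("Accept", "text/html"), ("Accept-Encoding", "gzip")])
       for t in (40, 3500)]
    + [HttpRequest(t, "cdn-metrics.example", "US",
                   [("Host", "cdn-metrics.example"), ("User-Agent", "x"), ("Accept", "*/*")])
       for t in (100, 2000)]
)

if __name__ == "__main__":
    print(score_host(SAMPLE_REQUESTS))
```

On the constructed sample, the beaconing domain shows all four factors (threat 100, certainty 90), the second suspicious domain adds the multi-domain bonus to certainty, and the browsing domain scores nothing; a domain with a bad User-Agent, odd headers and risky geography but no beaconing lands at threat 30, the low end the text describes.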

Why Attackers Use HTTP Requests

  • Malware installed on the host may be communicating back to its command and control server(s)
  • Adware or spyware installed on the host may be communicating to its command and control server(s) or may be leaking data acquired on the host
  • Software installed on the host is emitting HTTP requests that share two or more patterns with recent known malware samples: (a) malformed User-Agent, (b) unusual collection of HTTP headers, (c) communicating in an automated pattern and (d) communicating to out-of-the-ordinary geographies

Business Impact of Suspicious HTTP Requests

  • An infected host can attack other organizations (e.g., spam, DoS, ad clicks), harming your organization's reputation, potentially causing your IP addresses to be blacklisted and degrading the performance of business-critical applications.
  • The host can also be instructed to spread further into your network and ultimately exfiltrate data from it.
  • The software that infected the host can create nuisances and affect user productivity.

How to Investigate Suspicious HTTP Requests

  1. Look up the domain and IP address to which the communication is being sent via reputation services to see if this is known malware; such lookups are supported directly within the UI. A clean reputation result does not clear the destination, since newly registered command and control domains often have no reputation yet.
  2. Search for the domain + “virus” via a search engine; this is effective for finding references to known adware or spyware.
  3. Download the supplied PCAP and look at the HTTP payload being sent to see if any data is being leaked in clear text or whether the identity of the program is visible.
  4. If there is no known reason why the user of the system would communicate with the geography in question, ask the end-user for a possible reason for the communication.
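Step 3, worked as an added example (illustrative code written for this page, not a Vectra tool): a standard-library parser that pulls HTTP requests out of a classic pcap (Ethernet/IPv4/TCP, little-endian, microsecond timestamps; pcapng and IPv6 are deliberately not handled) and reports, per request, what names the program (the User-Agent) and which cleartext query or form fields look like host or user identity. The capture is constructed inside the block by build_sample_pcap(), and the IDENTITY_KEYS list is an assumption:

```python
"""Extract HTTP requests from a pcap and flag cleartext identity leaks and
program identity, as an analyst would when reviewing the supplied PCAP.

Added example for this page, not Vectra's tooling. Classic pcap only
(Ethernet/IPv4/TCP, little-endian magic); the sample capture is constructed
and the set of identity-like field names is an assumption.
"""
import re
import struct
from urllib.parse import parse_qsl, urlsplit

# Query/body keys that commonly carry host or user identity (assumed list).
IDENTITY_KEYS = {"uid", "id", "user", "username", "hostname", "host", "mac", "os", "av"}


def build_sample_pcap(payloads):
    """Return pcap bytes carrying each payload as one TCP segment from 10.0.0.5 to port 80."""
    pcap = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    eth = bytes(6) + bytes(6) + b"\x08\x00"
    for i, payload in enumerate(payloads):
        tcp = struct.pack("!HHIIBBHHH", 40000 + i, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0,
                         64, 6, 0, bytes([10, 0, 0, 5]), bytes([203, 0, 113, 7]))
        frame = eth + ip + tcp + payload
        pcap += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return pcap


def parse_http_request(payload):
    """Split one request into method, target, ordered headers and body."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return {"method": method, "target": target, "version": version, "headers": headers, "body": body}


def http_requests_from_pcap(pcap):
    """Return parsed HTTP requests found in TCP payloads of an Ethernet/IPv4 pcap."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian classic pcap is handled here")
    linktype, = struct.unpack_from("<I", pcap, 20)
    if linktype != 1:
        raise ValueError("only the Ethernet link type is handled here")
    off, requests = 24, []
    while off + 16 <= len(pcap):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4 over Ethernet, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        tcp = 14 + ihl
        payload = frame[tcp + (frame[tcp + 12] >> 4) * 4:]
        if not re.match(rb"^(GET|POST|PUT|HEAD|DELETE) \S+ HTTP/1\.[01]\r\n", payload):
            continue  # not the start of an HTTP request (reassembly is out of scope)
        req = parse_http_request(payload)
        req.update(ts=ts_sec + ts_usec / 1e6, src=src, dst=dst)
        requests.append(req)
    return requests


def find_leaks(req):
    """Report program identity and cleartext identity-like fields in one request."""
    hdrs = {n.lower(): v for n, v in req["headers"]}
    fields = dict(parse_qsl(urlsplit(req["target"]).query, keep_blank_values=True))
    if hdrs.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        fields.update(parse_qsl(req["body"].decode("latin-1"), keep_blank_values=True))
    return {
        "host": hdrs.get("host"),
        "program_identity": hdrs.get("user-agent"),
        "cleartext_fields": {k: v for k, v in fields.items() if k.lower() in IDENTITY_KEYS},
    }


SAMPLE_PAYLOADS = [  # constructed, not from a real capture
    b"POST /api/check HTTP/1.1\r\nUser-Agent: SyncAgent/1.2\r\nHost: update-check.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 60\r\n\r\n"
    b"uid=WIN-ABC123&user=jdoe&os=Windows+10&mac=00-11-22-33-44-55",
    b"GET /index.html HTTP/1.1\r\nHost: www.example.org\r\n"
    b"User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0\r\nAccept: text/html\r\n\r\n",
]

if __name__ == "__main__":
    for req in http_requests_from_pcap(build_sample_pcap(SAMPLE_PAYLOADS)):
        print(req["src"], "->", req["dst"], req["method"], req["target"], find_leaks(req))
```

Point http_requests_from_pcap() at the bytes of a downloaded capture instead of the constructed one to use it on real traffic; a request that spans several segments will need TCP reassembly first, which this example omits.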
