Researcher To Open-Source Tools For Finding Odd Authentication Behavior

Rather than watching for communications between infected systems and command-and-control servers, companies can detect stealthy malware when it attempts to spread

3 Min Read
Dark Reading logo in a gray background | Dark Reading

A number of security firms detect malware by monitoring outbound connections and looking for traffic going to known bad areas of the Internet. Other intrusion detection systems look for code designed to exploit known vulnerabilities.

Yet companies can also monitor internal traffic for strange patterns that do not resemble normal user behavior. Breachbox, a set of tools for detecting pass-the-hash and other authentication attacks, does just that, says Eric Fiterman, founder and developer of cybersecurity startup Spotkick, who plans to release the tools at the Black Hat Briefings in Las Vegas later this summer.

The tools, which he has used in his own consulting engagements, do not mine data from log files -- which could be changed by attackers -- but instead capture network traffic and monitor it for strange user-authentication behavior.

"It is built to mine information based on raw captures and look for patterns that indicate that an adversary has acquired a privileged account and is using that to maneuver his way around the network," Fiterman says.

Pass-the-hash is an attack technique first suggested in 1997, where an attacker can pass a security token or a password hash to a variety of internal systems to gain access to those systems. While the attack is more than 15 years old, it can still be fairly effective in most environments. In a Black Hat 2012 presentation, two penetration testers from Northrup Grumman showed that many of the techniques for passing the hash still work (PDF).

Using Breachbox, companies can set up a server and feed it packet captures from the network to run after-the-fact analyses. Or the server can listen to network traffic in real time -- either inline or out-of-band -- to look for anomalous authentication activity. The system looks for machines from which a user attempts to log into another machine under a different username, or multiple login attempts at a range of servers.

"In most cases, authentication looks a certain way," Fiterman says. "It is predictable: You log in in the morning and then go to different network resources. Breachbox looks for things that are out of the ordinary."

It is a technique used by larger security firms as well. Well-known startup Crowdstrike, which plans to unveil more details of its services next week, has a similar capability, says Dmitri Alperovitch, the firm's chief technology officer. When attackers attempt to spread inside a company's network, they will typically use brute-force guessing, key-logging, as well as pass-the-hash attacks to infect more systems.

[Because malware increasingly uses a variety of domain techniques to foil takedown efforts and make their command-and-control servers harder to locate, DNS traffic becomes a good indicator of compromise. See Got Malware? Three Signs Revealed In DNS Traffic.]

"It's important to detect lateral movement, so we have the ability to look for attack as they attempt to propagate," says Alperovitch.

Fiterman hopes that by outsourcing the techniques and technologies, other researchers and consultants will experiment and find better use for the tools. Like many other data analysis tools, Breachbox is not a technology that can be quickly deployed and then forgotten, he says.

"The thing about Breachbox and solutions like it is that they require smart people to install them, run them, and manage them," he said. "This is not something that you can fire and forget."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Read more about:

Black Hat News

About the Author

Robert Lemos, Contributing Writer

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights