Today's security teams need help in analyzing network traffic to find threats. More and more attackers are using encrypted traffic. Previously defenders would rely on DNS lookups to identify the type of traffic that an encrypted session contained, but with domain fronting and DNS over HTTPS (DoH) defenders are losing their visibility. Project Duma is about helping analysts uncover threats in encrypted traffic by attempting to classify both normal and suspicious use of encrypted protocols.
The hypothesis behind Project Duma is that although encryption hides the actual data en route, it doesn't hide the application behavior. The application state machine can be profiled by looking at which endpoint sends how much data and how quickly. For example, if the connection is a long one carrying a large amount of data at a near-constant throughput rate (like 1-3 Mbps), it is likely to be a streaming media connection. This technique could have many applications in profiling TLS traffic and unknown protocols. The project begins with a focus on identifying interactive SSH sessions and reverse shells.
The Secure Shell (SSH)
The Secure Shell protocol was developed in 1995 to provide a secure login connection to remote machines. The protocol was intended to replace protocols like Telnet and FTP that don't encrypt their traffic and send their authentication in the clear. The protocol became an IETF standard (RFC 4251) and is widely used for managing servers and transferring files.
Attackers want to use SSH because it provides them Command Line Interface (CLI) access to remote machines. If the attacker can further exploit the remote host to gain additional privileges or connect to additional hosts in the victim network they can use the encrypted network traffic to hide their exploits. Because SSH is so widely deployed for managing servers and remote connections attackers can abuse it while minimizing the amount of malware they have to install in the environment. Such a technique is called Living off the LAN and helps the attackers avoid detection.
Most security teams try to stop attackers by blocking inbound SSH traffic at their firewalls. But outbound SSH traffic is often allowed because developers want to SSH to their cloud instances or because the corporation needs to either send or receive files using the SFTP protocol. Astute security organizations will carefully limit what machines can use SSH to communicate to other machines outside their environment. However, with the increasing popularity of cloud services and SFTP to transfer files it is becoming difficult to police all those connections. This is especially true in the financial sector where we see an abundance of SFTP transfers and data sharing.
Project Duma looks beyond encryption to profile how the SSH protocol is being used. The protocol could be used to transfer files, as in the case of SFTP. It could be used to remotely administer machines automatically through scripts or other tools. It could be used interactively to control machines. Or it could be used as a reverse tunnel: the SSH connection is initiated from inside the corporate network, but it reaches out to an attacker who is actually sending commands to the machine that initiated the connection. Detecting these reverse shells is the ultimate target of the project.
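The profiling idea described above (which endpoint sends how much, how large each record is, and how it is paced) can be sketched in a few dozen lines. The following is an added illustration, not Project Duma's code: it reduces a flow to per-direction size and timing features and applies hand-written rules to separate the four SSH usage modes listed above plus the streaming case from the introduction. The byte thresholds (`SMALL`, `LARGE`), the typing-pace threshold (`HUMAN_GAP`), the rate bands and the sample flows are all constructed assumptions chosen to make the heuristics readable, not values measured on real traffic. The rule it illustrates for reverse shells is the directional one: in a normal interactive session the connection initiator is the side sending human-paced keystroke-sized records, while in a reverse shell the keystrokes arrive from the side that accepted the connection.

```python
"""Behavioural profiling of an encrypted flow from sizes, timing and direction only.
Added example with constructed sample flows; thresholds are assumptions, not measurements."""
from dataclasses import dataclass
from statistics import mean, median, pstdev

SMALL = 64        # assumed upper bound (bytes) for an encrypted keystroke/echo record
LARGE = 1000      # assumed lower bound (bytes) for a full-size data segment
HUMAN_GAP = 0.05  # assumed minimum median gap (s) between human-typed records


@dataclass(frozen=True)
class Packet:
    t: float           # seconds since the first packet of the flow
    from_client: bool  # True if sent by the side that opened the connection
    payload: int       # application-layer bytes carried (0 for bare ACKs)


@dataclass
class Side:
    count: int          # data packets sent by this side
    total: int          # bytes sent by this side
    small_ratio: float  # share of data packets at or below SMALL
    large_ratio: float  # share of data packets at or above LARGE
    median_gap: float   # median seconds between consecutive data packets


def _side(pkts):
    data = [p for p in pkts if p.payload > 0]
    if not data:
        return Side(0, 0, 0.0, 0.0, float("inf"))
    gaps = [b.t - a.t for a, b in zip(data, data[1:])]
    return Side(len(data), sum(p.payload for p in data),
                sum(p.payload <= SMALL for p in data) / len(data),
                sum(p.payload >= LARGE for p in data) / len(data),
                median(gaps) if gaps else float("inf"))


@dataclass
class Profile:
    duration: float
    client: Side
    server: Side
    throughput_bps: float
    rate_cv: float  # coefficient of variation of per-second byte counts


def profile(packets):
    pkts = sorted(packets, key=lambda p: p.t)
    client = _side([p for p in pkts if p.from_client])
    server = _side([p for p in pkts if not p.from_client])
    t0, duration = pkts[0].t, pkts[-1].t - pkts[0].t
    throughput = 8 * (client.total + server.total) / duration if duration > 0 else 0.0
    buckets = [0] * (int(duration) + 1)  # bytes seen in each whole second
    for p in pkts:
        buckets[int(p.t - t0)] += p.payload
    avg = mean(buckets)
    cv = pstdev(buckets) / avg if len(buckets) > 1 and avg > 0 else 0.0
    return Profile(duration, client, server, throughput, cv)


def classify(pr):
    heavy, who = ((pr.client, "client") if pr.client.total >= pr.server.total
                  else (pr.server, "server"))
    # Rule 1: one side pushes full-size segments -> transfer or stream.
    if heavy.large_ratio >= 0.8 and heavy.count >= 10:
        if pr.duration >= 30 and 0.5e6 <= pr.throughput_bps <= 5e6 and pr.rate_cv < 0.25:
            return f"streaming media: long, near-constant moderate rate from {who}"
        return f"bulk transfer: {who} sends full-size segments (SFTP/SCP-like)"
    # Rule 2: exactly one side sends almost only keystroke-sized records.
    typists = [n for n, s in (("client", pr.client), ("server", pr.server))
               if s.count >= 10 and s.small_ratio >= 0.9]
    if len(typists) == 1:
        side = pr.client if typists[0] == "client" else pr.server
        if side.median_gap < HUMAN_GAP:
            return f"automated: machine-paced small commands from {typists[0]}"
        if typists[0] == "client":
            return "interactive: client-driven session"
        return "interactive: server-driven session (reverse shell pattern)"
    return "unclassified"


# --- constructed sample flows (not captures) ---------------------------------
def interactive(keys_from_client=True, n_keys=30):
    pkts, t = [], 0.0
    for i in range(n_keys):
        t += 0.25
        pkts.append(Packet(t, keys_from_client, 36))              # keystroke
        pkts.append(Packet(t + 0.02, not keys_from_client, 36))   # echo
        if (i + 1) % 10 == 0:                                     # Enter -> command output
            for j, size in enumerate((900, 900, 400)):
                pkts.append(Packet(t + 0.05 + 0.001 * j, not keys_from_client, size))
    return pkts


def sftp_upload(n_segments=3000):
    return ([Packet(i * 0.0002, True, 1448) for i in range(n_segments)]
            + [Packet(i * 0.02, False, 60) for i in range(30)])  # small status replies


def streaming(seconds=120, rate_bps=2e6, seg=1400):
    gap = seg * 8 / rate_bps
    return ([Packet(i * gap, False, seg) for i in range(int(seconds / gap))]
            + [Packet(i * 10.0, True, 100) for i in range(3)])   # sparse client control msgs


def scripted(n_cmds=50):
    return [p for i in range(n_cmds)
            for p in (Packet(i * 0.005, True, 40), Packet(i * 0.005 + 0.002, False, 500))]


if __name__ == "__main__":
    for name, flow in (("interactive", interactive(True)), ("reverse", interactive(False)),
                       ("sftp", sftp_upload()), ("stream", streaming()), ("script", scripted())):
        print(f"{name:12s} -> {classify(profile(flow))}")
```

The rules are deliberately coarse; in practice the same features would feed the statistical or machine-learning classifier the post describes, and the thresholds would be learned from representative data rather than fixed by hand. What the example shows is that none of the features depend on decrypting anything: direction, record size and inter-arrival time are all visible to a passive observer of an SSH or TLS flow.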
Project Duma is currently in development and is showing some promising results. However, we are developing based on open-source flow data sets. These resources are typically published by universities for research and therefore don't accurately represent our customer base. Since the machine learning and data science approaches used in this project benefit from highly representative data, we are looking for development partners who could contribute data sets for testing. If you or someone you know may be interested in partnering with us on this project, please reach out and let us know by leaving your comments below.