How to Detect Botnet Beaconing That is Blocked By Your Firewall

Discussion created by RSA Admin

on Sep 4, 2012
Latest reply on Oct 25, 2013 by RSA Admin

Like • Show 1 Like1
Comment • 25

NetWitness NextGen can actually detect compromised endpoints on your network by detecting connection attempts to known Command and Control servers- connection attempts that are being blocked by your firewall or smart proxy. Also, if known C&C hosts get blackholed, those bots out there will still try to communicate, and we can see these. Here's how you do it.

Step 1: Deploy Zero Payload Rule. Create a rule on the decoders to identify packets that have zero payload. The rule should be called "Zero Payload" with the contents of the rule simply being "payload=0" Deselect the option to stop rule processing and set the rule to alert into the Alert field. Packets such as this are typically SYN connections.
Step 2: Create an Informer Chart. Create a chart in Informer that looks for instances of this rule firing to all destination IP addresses that are listed in our 3rd party Threat Feed lists. The rule for this chart should look for
ip.dst WHERE alert='zero payload' && org.dst exists && org.dst != '$goodorgs' && threat.source exists && threat.source!='netwitness'
and turn that rule into a chart. Track the top 15 items.
Step 3: Create your white list of known good destination organizations. As you begin investigating the results of this chart and rule you will invariably find known IP destinations that are trusted. Like Google, a host in a common CDN, etc. Add these destination organizations to this whitelist referenced in the rule of Step 2.

When deployed in the field, I typically see several connection attempts to known bad destinations. And since it is a chart, you will begin to see the timed pattern of the traffic as well. What this usually represents is a compromised source IP address that is attempting to connect to a blocked or blackholed destination, or you have orphaned malware that is trying to call home. Those sources should be pulled from the network for re-imaging or similar internal IR process.

Outcomes

25 Replies

RSA Admin Sep 7, 2012 12:46 PM
The below dashboard in Informer shows all botnet activity in an organization. Click the image to see the full size. The stacked charts on the left show the Zero payload activity going to three distinct meta elements: the destination IP, the destination organization and the destination country. Taken together, an analyst can instantly understand all of the meta surrounding the zero payload packets attempting to go outside of the organization.

Notice the distinct orange beaconing pattern to 41.168.5.140? According to a simple Google Search, this activity is associated with a malicious PDF trojan. The link takes you to Wepawet's analysis of the malware. We didn't see the initial infection, but it is clear the source IP is compromised and needs remediation.

The right hand stack of charts shows our botnet parsers detecting payload of qakbot activity to a known bad destination. With both stacks of charts on the dashboard, an analyst has instant, realtime access to his enterprise's botnet activity, regardless of the payload.
Like • Show 0 Likes0
Actions
- RSA Admin @ RSA Admin on Apr 18, 2013 11:54 AM
  Hi,
  
  I had a question in regards to this rule/chart.
  
  I followed what you said above, but I cannot get this to work.
  I am getting no results on the Dashboard.
  
  There were a few things I was not sure of along the way, so maybe that's the issue.
  I added an App rule in the Decoder(I'm assuming it was an App rule) as stated above.
  I did not call it Zero Payload tho, as we already had a rule created with that name when PS came in here to set things up.
  Instead I have called it Botnet Beacon and have made the change in your query line as well to that name:
  ip.dst WHERE alert='botnet Beacon' && org.dst exists && org.dst != '$goodorgs' && threat.source exists && threat.source!='netwitness'
  
  I added this to the rule and chart in Informer as well.
  
  I was unsure where to do the whitelist so I added it to the List Library.
  Maybe that's my issue?
  I am also getting this error below when I look Define Dashboards.
  I see the rule but am not sure why I am getting this.
  I am still new to this so I am sure I missed something somewhere.
  
  Any help would be appreciated.
  
  Thank you.
  Like • Show 0 Likes0
  Actions
  - Rui Ataide @ RSA Admin on Apr 18, 2013 12:09 PM
    You need to remove "ip.dst WHERE" from both your Where: clause statements. Making them only:
    
    alert='botnet Beacon' && org.dst exists && org.dst != '$goodorgs' && threat.source exists && threat.source!='netwitness'
    
    Hope that helps!
    
    Regards,
    
    Rui
    Like • Show 0 Likes0
    Actions
    - RSA Admin @ Rui Ataide on Apr 18, 2013 12:17 PM
      Hi Rui,
      
      I just tried it but it still shows no results.
      Plus I am still getting that error when I look Define Dashboards.
      
      thanks
      Like • Show 0 Likes0
      Actions
      - Rui Ataide @ RSA Admin on Apr 18, 2013 12:31 PM
        Ah! Yes, just noticed that your list name is different on the definition of the list and the rule, they need to be the same.
        
        Also it seems like you have domain names instead of organization names, look on investigator for the "Destination Organization" value or use a simple report with
        
        Select: org.dst
        Where: org.dst exists
        
        If you get the top 10 or so organizations you should see the most common for your environment.
        
        Apologies, I didn't look through it all in detail once I noticed the previous issue.
        
        Hope that helps!
        
        Rui
        Like • Show 0 Likes0
        Actions
        RSA Admin @ Rui Ataide on Apr 18, 2013 12:43 PM
        Also, watch your capitalization. Your Informer rule is looking for 'botnet Beacon'. Should just be 'botnet beacon'
        
        Also, wait until you start getting results before you filter things out in your whitelist.
        Like • Show 0 Likes0
        Actions
        RSA Admin @ RSA Admin on Apr 18, 2013 12:44 PM
        Oh, and those lists are only good for up to 100 meta elements. You probably won't have to filter more than a dozen "good orgs"
        Like • Show 0 Likes0
        Actions
RSA Admin Apr 18, 2013 1:47 PM
Rui, Fielder,

It looks like my list wont work with this, if the limit is 100.
The list I am using is the same list we use with the firewall and that list has 1700+ names on it.
If this 100 is the limit, then I will have to save this for when I have time to get it down to 100 names.

Thanks guys.. really appreciate your guidance with everything.
Like • Show 0 Likes0
Actions
- RSA Admin @ RSA Admin on Apr 18, 2013 1:50 PM
  Org.dst is different than alias.host. Leave your list empty for now and put in org.dst based on results of your analysis based on results. I guarantee you won't ever need to exceed 100 orgs.
  Like • Show 0 Likes0
  Actions
  - Rui Ataide @ RSA Admin on Apr 18, 2013 1:58 PM
    As Fielder said, even if you could that list wouldn't work, there's no payload on these sessions so there will be no information about those domains.
    
    You really need to rely on the org.dst or domain.dst keys as these are based out of GeoIP information.
    
    Hope that helps!
    Like • Show 0 Likes0
    Actions
RSA Admin Apr 18, 2013 4:17 PM
OK I think you guys lost me somewhere.

I removed the names on that list. I still have the list in informer, but this is the only thing in it:

//List of acceptable download sources
//If listed name matches org.dst, filter from charting

The rule now looks like this:
alert='botnet beacon' && org.dst exists && org.dst != '$goodorgs' && threat.source exists && threat.source!='netwitness'
I am still getting the error when I look at Define Dashboards and when I look at my normal Dashboard view, it still says no results.

.
Like • Show 0 Likes0
Actions
- RSA Admin @ RSA Admin on Apr 18, 2013 4:25 PM
  It looks right. Do you get results when you test the rule? Did you turn it into a chart and activate it?
  Like • Show 0 Likes0
  Actions
  - RSA Admin @ RSA Admin on Apr 18, 2013 4:45 PM
    i get no results when i test the rule.
    i get no results when i test the chart.
    i still get this msg when i look at Define Dashboard.
    Like • Show 0 Likes0
    Actions
    - RSA Admin @ RSA Admin on Apr 18, 2013 4:54 PM
      So step it back and make sure your rule is working first defining the botnet beacon rule. Do you see the rule fire in the alert meta in Investigator? If not, move that rule to the top of your decoder rule order. Wait a while to see if it fires.
      
      When it does, and I'm certain it will, test your informer rule to get results without the where clause except for alert='botnet beacon.' With Informer you will have to wait until the top of the hour rollover to see results in the test rule.
      
      By the way, I went up to the rules you had posted and you have some interesting stuff about redkit and IE8 exploits. Do those rules work? If so, feel free to post those in a thread on here!
      Like • Show 0 Likes0
      Actions
      - RSA Admin @ RSA Admin on Apr 18, 2013 4:56 PM
        Also, I think your dashboard chart is referencing a rule no longer there. Delete that dashboard item and recreate it and it should get rid of that error.
        Like • Show 0 Likes0
        Actions
        RSA Admin @ RSA Admin on Apr 18, 2013 5:09 PM
        actually i have deleted it from the dashboard several times.
        im checking those other things now but i do see it in the Alerts bucket in investigator.
        
        to be honest i have so much on my plate with netwitness i cannot confirm if those other 2 rules you asked about work or not.
        i think those were set up by PS when they were here.
        i am the only one doing NetWitness so when i get a chance i will take a look and see if they work or i can post them for everyone to play with.
        and being new to this whole forensics field makes it all the more fun...(sarcasm)... actually i love learning this stuff. it is a lot of fun playing detective.
        
        i will have to continue this tomorrow and post updates.
        
        thanks so much guys.
        Like • Show 0 Likes0
        Actions
        RSA Admin @ RSA Admin on Apr 18, 2013 5:05 PM
        My bad. The chart is referencing a rule that has been changed or deleted. Delete that chart and recreate it from your rule. If you are seeing the alert in investigator, copy and paste that into your informer rule to be sure of spelling and run the test. You should see results.
        Like • Show 0 Likes0
        Actions
        RSA Admin @ RSA Admin on Apr 19, 2013 11:57 AM
        I think I am going to have to give up on this one.
        I have deleted everything and started from scratch, but still get no results when I test the chart.
        We do have a Decoder App rule that's the same as the one you posted in the article called zero payload, so we will just use that one I guess.
        I was curious to see if we would get different results with this rule.
        
        Thanks for all the help.
        Like • Show 0 Likes0
        Actions
        Rui Ataide @ RSA Admin on Apr 19, 2013 12:04 PM
        If you have the "Zero Payload" rule already I would try with that just to be sure. It might a simple typo that we are missing somewhere or something like that.
        
        It won't hurt to try if you have the time.
        Like • Show 0 Likes0
        Actions
        RSA Admin @ Rui Ataide on Apr 19, 2013 12:09 PM
        Hi Rui,
        
        That Zero Payload does work but I am not sure what the difference between these 2 would be, which is what I was curious about.
        This is the rule for it:
        
        Select org.dst
        Where alert='zero_payload'
        Like • Show 0 Likes0
        Actions
        Rui Ataide @ RSA Admin on Apr 19, 2013 12:16 PM
        Probably the " " versus the "_" or maybe the location of the rule in the list, the rules are evaluated sequentially and there are some rules that will cause the evaluation to stop. Namely, filter and truncate rules normally tend to stop the evaluation.
        
        Have a look at that and see if that helps.
        Like • Show 0 Likes0
        Actions
        RSA Admin @ Rui Ataide on Apr 19, 2013 12:38 PM
        i created the rule again on the decoder and placed it above the other zero payload rule, again calling it botnet beacon.
        i then created the rule again in informer, but when i test it i get nothing.
        Like • Show 0 Likes0
        Actions
        Rui Ataide @ RSA Admin on Apr 19, 2013 12:49 PM
        Can you see it in investigator, if you create a custom drill with it? Remember the cache.time.window setting can affect your results. Also for Informer in some cases the results only run from the top of the previous hour backwards so that could be causing your issues.
        
        If you can post screen shots of the rule in Administrator, the custom drill in Investigator and Informer content that might help. Feel free to e-mail me directly if you prefer.
        
        Thank you,
        
        Rui
        Like • Show 0 Likes0
        Actions
        RSA Admin @ Rui Ataide on Apr 19, 2013 12:59 PM
        i will send you the screenshots offline in a few minutes.
        
        thanks rui
        Like • Show 0 Likes0
        Actions
RSA Admin Oct 25, 2013 9:26 PM
As an additional comment on this rule/chart, I'd like to suugest you push the majority of the processing down to the decoder and make the informer/Reporter query much simpler.
First rule:
zero payload
      payload='0'
           (set to alert to 'risk.info')

Ssecond Rule:
    zero payload to threat sources
        risk.info='zero payload' && threat.source exists && threat.source!='netwitness' && org.dst exists
           (set rule to alert to 'alert')

Informer/Reporter Rule
     Select: ip,dst
     Where: alert='zero payload to threat sources' && org.dst != '$Good Org Dests'

Create Chart from rule

This puts most of the rule load down on the decoder during capture, and you are only querying the system looking for one primary key value and the list of orgs. If the list of orgs gets too long, make a feed out of it.
Like • Show 0 Likes0
Actions

How to Detect Botnet Beaconing That is Blocked By Your Firewall

Outcomes

Related Content

Recommended Content

Select	org.dst
Where	alert='zero_payload'