A cornerstone of security operations is detecting malicious traffic, which is the process of identifying and analyzing activity within a computer network that intends to compromise its security. Encountering malicious activity is a certainty. Left unchecked, it can result in data theft and the distribution of malware. Detecting malicious traffic can provide early warning and allow for proactive steps to stop an attack.
Cybercrime-as-a-service, which is the term for goods and services that threat actors sell to other threat actors, has fueled the growth of internet crime. These services can include malware installation, spam, phishing, information-stealing malware, account checkers and ransomware-as-a-service (RaaS). All of these goods and services require infrastructure in place to support it. Tracking adversaries in this space, their infrastructure and the characteristics of their offerings can allow for the flagging of likely malicious traffic.
Picking up on malicious traffic before something worse takes place can avert a serious incident. Ransomware attacks, for example, don’t strike like lightning. There are separate, distinct actions involving malicious traffic that occur in a chain prior to the deployment of the file-encrypting malware component. For example, an infection by the Black Basta ransomware (suspected to be one of the successors of the Conti ransomware) could start with an initial infection of malware loaders such as Bokbot aka IcedID, DarkGate or Pikabot. The distribution of those loaders often starts with spam emails with download links leading to malicious URLs. If clicked, those URLs deploy the loaders and initiate infection chains. All of that malicious traffic offers opportunities for defense.
The question that security operations personnel often have to answer is whether a particular type of traffic is benign or malicious. Malicious traffic has telltale patterns that can be observed. Identifying these indicators of compromise (IoCs) within a network can highlight threats. Organizations use various methods in tandem to process and investigate novel indicators in order to stop emerging threats. Examples of commonly used methods to operationalize threat intelligence include:
Network detection and response (NDR): NDR continuously monitors network traffic for IoCs and suspicious behavior. It uses machine learning to model the tactics, techniques and procedures (TTPs) of threat actors so that fresh attacks can be identified with speed and mitigated effectively. They can also synchronize with other cybersecurity tools to speed up security investigations.
Endpoint detection and response: EDR is endpoint security software combining real-time continuous monitoring and the collection of endpoint and log data. It often includes rules-based automated response and analysis capabilities based on threat intelligence data pushed to an endpoint. It also aims to detect and investigate suspicious activity on hosts and endpoints.
Security information and event management (SIEM): A SIEM collects logs from numerous sources including endpoints, servers and services. The SIEM’s purpose is to organize and allow for the analysis and presentation of threat data. The SIEM also surfaces abnormalities, allowing analysts to take the appropriate action to limit risk.
How Can Malicious Traffic Detection be Improved?
Part of the challenge in detecting malicious traffic is that it’s ever-changing and ephemeral. Threat actors often change infrastructure to avoid IP address and URL blocking. Organizations must constantly update their IoCs in order to protect their organizations against both known and emerging threats. Cyber threat intelligence (CTI) can provide information regarding known and suspected threat actors and their infrastructure so that the malicious traffic can be blocked.
Intel 471’s approach is to track the activity of threat actors, their infrastructure, malware families and malware campaigns in real time via Malware Intelligence. It is powered by our patented Malware Emulation and Tracking System (METS). METS provides ongoing surveillance of malware activity at the command and control (C2) level, delivering near real-time insights and deep context in support of numerous cybersecurity and intelligence use cases. Intel 471 provides a regular stream of deep technical reporting, signatures (Yara/IDS), malicious infrastructure and IoCs associated with the top ransomware and stealer, banking and loader malware.
Intel 471’s Adversary Intelligence provides coverage over malicious infrastructure services, also known as bulletproof hosters. Bulletproof hosting (BPH) is a service provided by cybercriminals to cybercriminals and offers access to autonomous system numbers (ASNs) or other networks that have a low likelihood of responding to abuse or law enforcement requests. A BPH service may be used by actors to send spam that distributes malware, to host phishing pages and more. This tracking results in regular reporting of malicious IP addresses, netblocks/prefixes, ASNs, domains and other indicators. Oftentimes this infrastructure, which is controlled and operated by malicious actors, can be detected before it has been leased out for malicious purposes, providing a means of getting ahead before cyberattacks and campaigns are launched.
This high-fidelity, up-to-the-minute data can then be channeled into defensive activities. The types of IoCs our Malware Intelligence module collects include hashes, IP addresses and URLs. The lifetime of indicators is very short, so the timeliness is important. These IoCs can be ingested into threat intelligence platforms (TIPs), for example, and then SIEMs, firewalls and intrusion detection systems (IDSs). Subsequent defensive actions might include creating a firewall blocking rule or performing a retroactive threat hunt in SIEM logs. The following are more examples of how this threat intelligence can be operationalized.
Scenario #1: Intel 471 learns of a new change in a prominent BPH provider. Because of the long-term observance of threat actors associated with BPH, Intel 471 assesses with high confidence that IP addresses falling within the range of the BPH service can be confidently blocked, as no legitimate activity would originate from there.
Scenario #2: Botnet malware is dependent on C2 servers run by threat actors. Foothold or initial-stage malware such as loaders often infect a computer and then wait for further instructions, such as to download other types of malware (often referred to as a secondary payload) to the machine. The communication between malware and a C2 is a strong indication of malicious activity. This outbound communication can be blocked by a firewall immediately and the security operations team can investigate the endpoint.
Scenario #3: A well-known threat actor advertises a socket secure internet protocol (SOCKS5)/hypertext transfer protocol secure (HTTPS) proxy service on a cybercrime forum. The offering consists of a pool of thousands of IP addresses located in Asia and South America that the threat actor says can be used for brute-forcing accounts and for checking tools. A brute-force attack is when various username and password combinations are entered in an attempt to take over an account. The term checker is usually used for a tool or service that verifies data, such as the validity of an account. CTI collected from the threat actor indicates some of the networks and IP ranges where attacks may originate from, allowing for closer monitoring of that traffic for malicious activity.
Scenario #4: An employee of a targeted company receives a spam email with a download link. The link, which is hosted at a known BPH entity, leads to a malicious Excel document that then downloads the Zloader malware. Zloader subsequently downloads an information stealer from another known malicious IP, which then harvests credentials from the infected device. Eventually, those harvested credentials are then used to deploy ransomware. By proactively blocking the IPs that were included in the spam email and also led to the malicious Excel document, this ransomware attack could have been avoided.
Scenario #5: In order to evade blocking, one type of botnet is capable of updating the locations of the C2s that the malware communicates with on the fly. But these updated servers are not sent to all infected machines, rather only certain bots upon request. Our malware emulation captures in real time these additional controllers the very same moment actors release them to the selected bots, allowing for the blocking of C2s that are attempting to avoid detection.
For more insight into tracking and stopping malicious traffic, please contact Intel 471.
