In this post I share 9 links to resources related to Network Beacon detection.
Network beacons are continuous, automated communications between two hosts. Network beacon detection focuses on identifying this automated traffic, with the primary goal of detecting malware infections or adversary activity that has been missed by other controls.
Beacon detection is a useful building-block analytic with many different use cases:
- Threat Hunting and Malware command and control (C2) detection - aid in detecting malware missed by anti-virus products.
- Detection of automated third party traffic - detection of ongoing automated traffic to third parties may reveal unknown or emerging business relationships.
- Identify automated web application dependencies (within an enterprise or external to an enterprise).

The nine links:

- Identifying beaconing malware using Elastic [code] by Apoorva Joshi, Thomas Veasey, and Craig Chamberlain - uses the statistical techniques of coefficient of variation (COV), relative variance (RV), and autocorrelation; implemented as Elastic Painless scripts.
- Enterprise Scale Threat Hunting: C2 Beacon Detection with Unsupervised ML and KQL — [Part 1] [Part 2] [code] by Mehmet Ergene
- Detecting network beacons via KQL using simple spread stats functions by Alex Teixeira
- Detect Network beaconing via Intra-Request time delta patterns in Azure Sentinel [code] by Ashwin Patil
- RITA (Real Intelligence Threat Analytics) beacon analyzer - uses a simple statistical approach based on 6 measures: connection time delta skew, connection dispersion, connection counts over time, data size skew, data size dispersion, and data size smallness score.
- How to detect beaconing traffic with Splunk? by Alex Teixeira
- Detect Beaconing with Flare, Elastic Stack, and Intrusion Detection Systems [code] by Austin Taylor
- BAYWATCH: Robust Beaconing Detection to Identify Infected Hosts in Large-Scale Enterprise Networks - uses an FFT- and periodogram-based technique for identifying automated traffic.
- Malware Beaconing Detection by Mining Large-scale DNS Logs for Targeted Attack Identification
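To make the interval statistics behind several of these links concrete, here is an added example (my own code, not taken from the Elastic, RITA or any other linked project). It groups connections by source/destination pair, computes the inter-arrival time deltas, and scores each pair with the coefficient of variation (COV) named in the Elastic post plus a median-absolute-deviation dispersion measure standing in for RITA's connection dispersion. The connection log, the thresholds, and the minimum sample count are constructed assumptions for this example; on real data the thresholds need tuning against a baseline of known-good automated traffic.

```python
import statistics
from collections import defaultdict

# Constructed sample connection log: (src, dst, epoch seconds).
# 10.0.0.5 -> 203.0.113.10 connects roughly every 60 s with a few seconds
# of jitter (beacon-like); 10.0.0.7 -> 198.51.100.20 is bursty, human-driven.
SAMPLE_CONNECTIONS = (
    [("10.0.0.5", "203.0.113.10", t)
     for t in (0, 61, 119, 181, 240, 301, 359, 420, 481, 539)]
    + [("10.0.0.7", "198.51.100.20", t)
       for t in (0, 5, 7, 140, 141, 600, 602, 603, 1500, 1900)]
)

MIN_CONNECTIONS = 6        # assumption: fewer samples give unstable statistics
COV_THRESHOLD = 0.2        # assumption: tuned for the constructed data
DISPERSION_THRESHOLD = 0.2 # assumption: tuned for the constructed data


def inter_arrival_deltas(timestamps):
    """Time deltas between consecutive connections of one src/dst pair."""
    ts = sorted(timestamps)
    return [b - a for a, b in zip(ts, ts[1:])]


def coefficient_of_variation(values):
    """Population standard deviation divided by the mean (COV).
    Near 0 means the intervals are almost identical, i.e. a fixed timer."""
    mean = statistics.fmean(values)
    return statistics.pstdev(values) / mean if mean else float("inf")


def relative_dispersion(values):
    """Median absolute deviation divided by the median.
    Stand-in for RITA's connection dispersion measure (assumption); MAD is
    robust to a few outliers such as a host that was briefly offline."""
    median = statistics.median(values)
    mad = statistics.median(abs(v - median) for v in values)
    return mad / median if median else float("inf")


def score_pair(timestamps):
    """Score one src/dst pair; returns the metrics and a beacon verdict."""
    if len(timestamps) < 3:
        return {"connections": len(timestamps), "median_delta": None,
                "cov": None, "dispersion": None, "beacon": False}
    deltas = inter_arrival_deltas(timestamps)
    cov = coefficient_of_variation(deltas)
    disp = relative_dispersion(deltas)
    return {
        "connections": len(timestamps),
        "median_delta": statistics.median(deltas),
        "cov": cov,
        "dispersion": disp,
        "beacon": (len(timestamps) >= MIN_CONNECTIONS
                   and cov < COV_THRESHOLD and disp < DISPERSION_THRESHOLD),
    }


def score_connections(connections):
    """Group (src, dst, ts) records by pair and score every pair."""
    by_pair = defaultdict(list)
    for src, dst, ts in connections:
        by_pair[(src, dst)].append(ts)
    return {pair: score_pair(ts) for pair, ts in by_pair.items()}


if __name__ == "__main__":
    for (src, dst), m in score_connections(SAMPLE_CONNECTIONS).items():
        print(f"{src} -> {dst}: n={m['connections']} "
              f"median={m['median_delta']}s cov={m['cov']:.3f} "
              f"disp={m['dispersion']:.3f} beacon={m['beacon']}")
```

The beaconing pair scores a COV of about 0.03 and a dispersion of about 0.02, while the human-driven pair scores a COV above 1 and a dispersion near 0.8, so only the first is flagged. The same two statistics are what the Elastic and RITA approaches compute over much larger windows; the remaining measures on the page (autocorrelation, data-size skew, FFT periodograms) address the case where an adversary adds heavy jitter to defeat simple interval statistics.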
The “short links” format was inspired by O’Reilly’s Four Short Links series.