In this post I share 9 links to resources related to Network Beacon detection.

Network beacons are continuous automated communications between 2 hosts. Network beacon detection focuses on identifying this automated traffic with the primary goal of aiding in detecting malware infections or adversary activity that have been missed by other controls.

Beacon detection is a useful building block analytic with many different usecases.

• Threat Hunting and Malware command and control (C2) detection - aid in detecting malware missed by anti-virus products.
• Detection of automated third party traffic - detection of ongoing automated traffic to third parties may reveal unknown or emerging business relationships.
• Identify automated web application dependencies (within an enterprise or external to an enterprise)

Links:

• Identifying beaconing malware using Elastic [code] by Apoorva Joshi, Thomas Veasey, and Craig Chamberlain - uses statistical techniques of coefficient of variation (COV), relative variance (RV), and autocorrelation; implemented as Elastic Painless scripts.
• Enterprise Scale Threat Hunting: C2 Beacon Detection with Unsupervised ML and KQL — [Part 1] [Part 2] [code] by Mehmet Ergene
• Detecting network beacons via KQL using simple spread stats functions by Alex Teixeira
• Detect Network beaconing via Intra-Request time delta patterns in Azure Sentinel [code] by Ashwin Patil
• RITA (Real Intelligence Threat Analytics) beacon analyzer - uses simple statistical approach based on 6 measures: connection time delta skew, connection dispersion, connection counts over time, data size skew, data size dispersion, and data size smallness score.
• How to detect beaconing traffic with Splunk? by Alex Teixeira
• Detect Beaconing with Flare, Elastic Stack, and Intrusion Detection Systems [code] by Austin Taylor
• BAYWATCH: Robust Beaconing Detection to Identify Infected Hosts in Large-Scale Enterprise Networks - uses FFT and periodogram based technique for identifying automated traffic.
• Malware Beaconing Detection by Mining Large-scale DNS Logs for Targeted Attack Identification

–Jason
@jason_trost

The “short links” format was inspired by O’Reilly’s Four Short Links series.

In this short blog, I share 3 papers and 7 tools that focus on detecting cyber squatting domains (including typosquating, homograph, combosquatting, etc.).

• Detection of Cybersquatted Domains (Master’s Thesis) by Patrick Frischknecht
• Hiding in plain sight: A longitudinal study of combosquatting abuse
• Seven months’ worth of mistakes: A longitudinal study of typosquatting abuse

Tools for generating cybersquatting domains (for use in detection)

• https://github.com/elceef/dnstwist
• https://github.com/atenreiro/opensquat
• http://www.morningstarsecurity.com/research/urlcrazy
• https://github.com/phar/eyephish
• https://github.com/SquatPhish/2-Distributed-Crawler
• https://github.com/SquatPhish/3-Phish-Page-Detection
• https://github.com/SquatPhish/4-Evasion-Obfuscation-Analysis

Lots of other tools/libraries now exist if you need an implementation in a different language. See these github tags for lots more tools: typosquatting, homoglyph, and homograph-attack.

–Jason
@jason_trost

The “short links” format was inspired by O’Reilly’s Four Short Links series.

In this short blog, I share four papers that focus on detecting malicious lateral movement (a.k.a. pivoting, a.k.a. island hopping).

Papers:

• Latte: Large-Scale Lateral Movement Detection
• Detection and Threat Prioritization of Pivoting Attacks in Large Networks
• Towards an Efficient Detection of Pivoting Activity
• A Machine Learning Approach for RDP-based Lateral Movement Detection

Lastly, if you’re interested in discovering more interesting papers like these, use the method I outlined here.

–Jason
@jason_trost

The “short links” format was inspired by O’Reilly’s Four Short Links series.

In this short blog, I share seven papers that focus on detecting Dictionary Domain Generation Algorithm (DGA) domains, A.K.A. Word-based DGAs. Dictionary DGAs are algorithms seen in various malware families (suppobox, matsnu, gozi, rovnix, etc.) that are used to periodically generate a large number of domain names that use pseudo-randomly concatenated words from a dictionary. These domains may appear legitimate at first glance and are often able to evade blacklisting as well as traditional DGA detections based on entropy or counts of consonants vs vowels. Below are a small sample of rovnix domains from Unit42’s blogpost.

• kingwhichtotallyadminis[.]biz
• thareplunjudiciary[.]net
• townsunalienable[.]net
• taxeslawsmockhigh[.]net
• transientperfidythe[.]biz
• inhabitantslaindourmock[.]cn
• thworldthesuffer[.]biz

Papers:

• Real-Time Detection of Dictionary DGA Network Traffic using Deep Learning
• A Word Graph Approach for Dictionary Detection and Extraction in DGA Domain Names
• Dictionary Extraction and Detection of Algorithmically Generated Domain Names in Passive DNS Traffic
• Inline Detection of Domain Generation Algorithms with Context-Sensitive Word Embeddings
• An Evaluation of DGA Classifiers
• A Novel Detection Method for Word-Based DGA
• A Word-Level Analytical Approach for Identifying Malicious Domain Names Caused by Dictionary-Based DGA Malware

In a previous post, I also shared details on several models that are capable of effectively detecting dictionary DGA domains as well. Please see Auxiliary Loss Optimization for Hypothesis Augmentation for DGA Domain Detection.

Lastly, if you’re interested in discovering more interesting papers like these, use the method I outlined here.

–Jason
@jason_trost

The “short links” format was inspired by O’Reilly’s Four Short Links series.

A short listing of cyber security data science research papers I’ve discovered recently. Each of them uses machine learning or enables ML (i.e. providing training data or enabling creation of training data) to solve various security usecases, and many provide open source code as well.

• BODMAS: An Open Dataset for Learning based Temporal Analysis of PE Malware. [data]. Other malware related training data can be found here.
• Compromised or Attacker-Owned: A Large Scale Classification and Study of Hosting Domains of Malicious URLs. [code] referenced in paper, but not live as of 4/24/2021.
• DeepHunter: A Graph Neural Network Based Approach for Robust Cyber Threat Hunting. This uses an open source EDR tool named BLUESPAWN that I had not heard of before.
• DeepReflect: Discovering Malicious Functionality through Binary Reconstruction. [code]
• Explanation-Guided Backdoor Poisoning Attacks Against Malware Classifiers. [code]
• EXTRACTOR: Extracting Attack Behavior from Threat Reports. [code]
• On Generating and Labeling Network Traffic with Realistic, Self-Propagating Malware.
• Stratosphere: Finding Vulnerable Cloud Storage Buckets. [code]

If you’re interested in discovering more interesting papers like these, use the method I outlined here.

–Jason
@jason_trost

The “short links” format was inspired by O’Reilly’s Four Short Links series.