In this two article series, I am going to explain how to spot anomalous activity in proxies and DNS queries coming out of your network. Additionally, I am also explaining how to recognize suspicious threat infrastructure, what elements you need to pay attention to, how this infrastructure behaves, what are the challenges for the defender and I will also present a solution worth considering when hunting down this infrastructure in an enterprise environment.
To start hunting threat infrastructure we are going to look at the activity generated by your proxies and DNS. In a previous post, I explained some hunting techniques to use when investigating DNS logs. The richness of proxy logs allow you to hunt for different sort of activities such as drive by downloads looking at the fields ‘Referrer’ and ‘URI’ , malware looking at the ‘User Agent’ field or ‘Host’ and some other activities like data exfiltration. There are different suspicious activities and you can find some of them in the following link associated to their log fields.
I will focus in the URI field and Referrer mainly because these 2 fields point the user to a resource in internet that may be suspicious or will compromise your network. URLs are the value of this field and we will discuss them in this post. These URLs are the link between your organization and the threat infrastructure of the attacker, which he leverages to compromise and control your network.
There are some interesting components of an attack that I will describe very briefly such as drive by downloads, malware delivery networks, fast flux networks and dynamic DNS.
All these components are currently the link between you and your attacker. A simple visit to a URL can redirect you to another URL and serve you an exploit through the landing page. An image is worth hundred words.
As an example for Exploit Kit detection – a good practice is to search for http code 302 and 200, which indicate that a url redirection and a landing page was loaded. Do not forget this is normal activity however it may not be depending on the value of your url and the analysis results you obtain from it. This url is primarily the tip of the iceberg and the first hit against the malware delivery network
Once the compromise has happened the malware will phone home to receive commands, extend the foothold and perform any sort of activity coded in the malware. This last step in which malware is served or is calling home through the malware delivery network, is the most important to understand for a defender. Modern botnets and malware use what is called fast-flux techniques, Dynamic DNS and DGAs to evade eradication and add confusion to the defender.
The main idea behind a fast flux network is to map multiple IP addresses to the same DNS name, so the domain name resolves very quickly, usually in minutes, to different IPs.
These IPs do not host the backend server, they only proxy the query and they send it to a backend server. This provides the attacker a big grade of resilience, cloaking and savings since they do not need to duplicate the backend of the malware delivery network.
Is a legitimate technology that allows businesses to host resources sitting on constantly changing IP addresses. An example would be an individual or small company which needs to host resources on top of a dynamic IP. When the IP is constantly changing Dynamics- DNS has the benefit of being able to map that resource to that constantly changing IP. This particular feature of DNS makes it very attractive for the criminal who needs to constantly change the IP address of his malware delivery network to avoid detection. Dynamics DNS can be perfectly detected in the URL field. Not all dynamic DNS domains are malicious however they are one isolated indicator that in conjunction with others can automatically flag up the malicious nature of the url. Dynamics DNS is in essence an effective technology to evade IP blacklisting.
I already mentioned DGA in a previous article.
This technology helps to avoid domain blacklisting using randomly generated disposable subdomains. Similar to fast flux however the difference is that for that dynamic dns the IP falls in the addressing space of one ISP and 1 or 2 ASN´s (autonomous system number) and for fast flux the IP falls in different ASN´s or different IP´s scattered across multiple geographic locations.
Let’s now look at some potential options for the attacker to deliver the attack, parked domains, legitimate compromised domains and shady domains.
They are legitimate resources on the internet, they are usually single page with ads that provide a very limited value to the user who visits them. These domains are registered by typosquatters or legitimate domain registrars that want to monetize the visit of users who might land on the main page.
The trick is the following, sometimes these domains get mixed with malicious practices and content, the page can serve malvertising or get compromised and serve malware.
Legitimate compromised domains:
This option is easy to understand, a vulnerable site that is not well maintained can be compromised and be used for malicious purposes.
In the internet revolution nearly 40 years ago we started with 6 TLDs (top level domains) such as .com”, “.net”, “.org”, “.gov”, “.mil”, and “.edu”. In later decades internet evolved quickly and until today we have around 1,000 TLDs. The proliferation of TLDs is supporting the internet development however it also poses a severe risk since it is impossible to monitor them for malicious activity and that´s how some of these Shady Domains support exclusively malicious content.
The biggest challenge here for the defender is to block or disrupt the communication to defend against these attacks without causing collateral damage having to block or take down shared domain names, IP addresses hosting different sites or block name servers used by different domains.
In the next article I will tackle this issue and I will explain what tools we have available to detect, block, research and track this malicious infrastructure. I did not only want to present what is possible to detect but also how malware currently behaves since some of the activity described above will be seen in the analysis of the url´s you find in your proxy logs. I have seen analysts go crazy since they were not able to explain why tools and automation rules were reporting clean sites or different IP’s every time the domain is resolved creating the mentioned confusing situation in them to effectively evade detection as explained before.
In the meantime if you are looking to hunt in your proxy logs I recommend you the following resources. I have taken some time hunting in proxies and they will be helpful to understand what sort of activity is possible to detect in them. As always, it will take time for you to put all the information together but it is the same process I had to go through that will make hunting in your proxy logs second nature. Hunting is an endless learning process in which we need to strive to understand what is possible and also be able to catch up with coming techniques.