Hunt Teaming: Finding Covert Malware on Your Network with Open Source Tools
Real Intelligence Threat Analytics (RITA) is an open source project that analyzes your network traffic to identify which of your internal systems have been compromised. Specifically, it identifies malware "calling home" to its Command and Control (C&C) servers. There are no agents to install, so RITA covers every device regardless of operating system or hardware. RITA can inspect encrypted sessions while maintaining data privacy and integrity. Unlike a classic intrusion detection system, there are no signatures to maintain. RITA is specifically designed to scale to Internet link speeds in the gigabit range.
In this talk we will discuss how dnscat2, DNSMessenger, and other similar malware tools use the Domain Name System (DNS) for bidirectional communications through a secured Internet perimeter. We will also describe what makes these traffic patterns different from legitimate network traffic. Finally, we will show how RITA can be used to detect these malicious communications, even when the attackers have gone to great lengths to hide their tracks.
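To make the "what is different about this traffic" point concrete, here is an added detection example (written for this page, not RITA's own code or the talk's material). A DNS C2 channel has to carry its payload inside query names, so one registered domain receives a stream of unique, long, high-entropy subdomains, while normal clients repeat a small set of readable names. The script profiles each registered domain over a constructed log and flags the ones that fit the tunnel pattern. The `src qtype qname` log format, the thresholds, and the naive "last two labels" domain split are assumptions for the example; a real deployment would read Zeek or resolver logs, use the public suffix list, and tune the thresholds to its own baseline.

```python
"""Heuristic DNS-tunnel detection over constructed query log lines.

Added example, not RITA's code. For every registered domain it counts how
many distinct subdomains were queried and measures how long and how random
those subdomains look; a domain that scores high on all three is reported.
"""
import math
from collections import defaultdict

# Constructed sample log, one "<src_ip> <query_type> <query_name>" per line.
# The tunnel-style entries are invented to show the pattern, not captured.
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 A mail.example.com
10.0.0.5 A www.example.com
10.0.0.7 A cdn.example.net
10.0.0.7 A static.example.net
10.0.0.9 TXT 4a6f686e20446f65.8f3ad1e27c.tunnel-test.invalid
10.0.0.9 TXT 9c2b7e10ff4d.a71bb3c09e.tunnel-test.invalid
10.0.0.9 TXT 0d8e4c21ab7f.e3f9c50d1b.tunnel-test.invalid
10.0.0.9 TXT b51e9a0c73d4.27c6de8f41.tunnel-test.invalid
10.0.0.9 TXT 7e3fa09c1bd2.ccd10e5a93.tunnel-test.invalid
10.0.0.9 TXT 31c7b8e0d9f5.5e20a8f4c7.tunnel-test.invalid
"""

# Hypothetical thresholds; tune them against your own baseline traffic.
MIN_UNIQUE_SUBDOMAINS = 5
MIN_MEAN_ENTROPY = 3.0   # bits per character of the subdomain part
MIN_MEAN_LENGTH = 16     # characters in the subdomain part (dots removed)


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of text; 0.0 for an empty string."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (registered_domain, subdomain) with a naive last-two-labels rule.
    Assumption for this example: real code should use the public suffix list
    so that names like host.example.co.uk are split correctly."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return qname.lower(), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def parse_log(text: str):
    """Yield (src_ip, qtype, qname) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[0], parts[1], parts[2]


def profile_domains(records):
    """Aggregate queries per registered domain."""
    profiles = defaultdict(lambda: {"subdomains": set(), "sources": set(),
                                    "qtypes": defaultdict(int), "queries": 0})
    for src, qtype, qname in records:
        domain, sub = split_name(qname)
        p = profiles[domain]
        p["queries"] += 1
        p["sources"].add(src)
        p["qtypes"][qtype] += 1
        if sub:
            p["subdomains"].add(sub)
    return profiles


def score_domain(profile):
    """Compute the metrics the tunnel heuristic is based on."""
    stripped = [s.replace(".", "") for s in profile["subdomains"]]
    n = len(stripped)
    return {
        "queries": profile["queries"],
        "unique_subdomains": n,
        "sources": sorted(profile["sources"]),
        "qtypes": dict(profile["qtypes"]),
        "mean_entropy": sum(shannon_entropy(s) for s in stripped) / n if n else 0.0,
        "mean_length": sum(len(s) for s in stripped) / n if n else 0.0,
    }


def find_suspicious_domains(log_text: str):
    """Return {domain: metrics} for domains that exceed all three thresholds."""
    flagged = {}
    for domain, profile in profile_domains(parse_log(log_text)).items():
        m = score_domain(profile)
        if (m["unique_subdomains"] >= MIN_UNIQUE_SUBDOMAINS
                and m["mean_entropy"] >= MIN_MEAN_ENTROPY
                and m["mean_length"] >= MIN_MEAN_LENGTH):
            flagged[domain] = m
    return flagged


if __name__ == "__main__":
    for domain, metrics in find_suspicious_domains(SAMPLE_LOG).items():
        print(domain, metrics)
```

The unique-subdomain count is what a cache-busting channel cannot avoid, while entropy and length separate encoded payloads from ordinary hostnames; requiring all three keeps busy but legitimate CDN domains, whose hostnames are numerous yet short and readable, below the line. Counting by query type is kept in the metrics because record types that carry arbitrary data (TXT here) are a useful secondary signal, and the source set tells the responder which hosts to look at first.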