Managed Detection and Response

The value of analysing metadata for threat hunting

Metadata within network communications relates to information such as the IP addresses a communication was sent from and received by, which protocols were used, the ports the data was sent and received on, and even the applications used to send the information.

Written by: Team Nucleus

Written on: 7th March, 2022


Detecting threats in network communications

Significant volumes of data are generated every second of every day as we go about our daily lives. This data is generated by the many devices we use either directly or indirectly, from smartphones and smartwatches, laptops and desktop computers, to smart-enabled machinery and autonomous vehicles. Whatever the device, it generates significant amounts of data that is shared across a network during normal communications. If any of these devices has been compromised in some way, those communications can be vital in identifying the anomalous activity and potentially preventing a data breach.

With an ever-growing focus on the importance of cybersecurity, many of these devices will have some kind of endpoint security solution installed on them, such as firewalls or anti-virus software, but these are primarily designed to focus on what is happening on the device itself. But what about the communications between these devices?

The data shared in these communications can be key to identifying anomalous or unknown malicious activity that is evading endpoint security solutions, before a malicious actor is able to cause an effect. But storing this volume of data can be expensive, and sifting through it can be challenging.

The solution? Extracting communications metadata can be a crucial capability when it comes to enhancing your existing security posture, offering a number of benefits to an organisation.

What is Metadata?

Metadata can be described as ‘data about data’, and photography is a familiar example. An image taken on a digital camera carries related metadata, which can include the date and time the photo was taken, the camera model, resolution, settings used, and the location of the photo. This is valuable information to the right person, but it is rarely seen.

The same can be said for metadata within network communications. We don’t always need to know the content of what was said, but knowing who was talking to whom, how they were communicating and when can be valuable information. Specifically, the metadata within network communications relates to information such as the IP addresses a communication was sent from and received by, which protocols were used, the ports the data was sent and received on, and even the applications used to send the information. This information is highly valuable to threat hunting and incident forensics teams, enabling analysts to piece details together into a much more comprehensive picture. Metadata makes information simple to search and store; note, however, that because every file carries metadata from the moment it is created, that metadata can also be modified or destroyed with the right tools.

This metadata can be very valuable when it comes to identifying anomalous or malicious activity within a network. Even sophisticated threat actors capable of successfully evading endpoint security solutions will find it very challenging to hide their external communications to command and control or staging servers. This activity will always leave a trail, and threat hunting teams can use it to understand and map the actor’s activity.

What are some of the latest threats to be identified? What impact have they caused? How have they been identified? If at all?

New network threats are being discovered and exploited all the time, whether they are found in software from massive corporations or in a small vulnerable program written by one person that is then used to run malicious code.

Possibly the largest threat that was identified recently has been the Log4Shell vulnerability.

Log4j is a very common logging library written in Java and distributed by the Apache Software Foundation as open-source software. Back in 2013, a patch was created to add support for the Java Naming and Directory Interface (JNDI). This allows a threat actor to supply a very specific string that causes JNDI to contact the attacker’s Lightweight Directory Access Protocol (LDAP) server and retrieve a malicious file from it. The file is then placed on the victim system and run. This vulnerability was not discovered until late 2021 and was given a severity score of 10/10 by the National Vulnerability Database.

Since its discovery, threat actors from all over the world, whether state-sponsored, hacktivists or script kiddies, have been utilising the vulnerability to run malicious code on a targeted system to steal data or cause serious damage to a company. The impact of this vulnerability is enormous: it is estimated that around 3 billion devices could be using Log4j, and any unpatched systems are under threat of DDoS, ransomware, crypto-mining and data theft attacks, to name a few.

A recent (white hat) proof of concept has also shown a virus that affects Apple phones. This virus, named ‘NoReboot,’ was discovered in early January. It is stored in RAM, so it should be wiped when the device is switched off. However, it prevents the phone from actually being switched off, which is what would clear it from memory. When the user attempts to switch the device off, the malicious code activates and mimics the shutdown process, e.g. making the appropriate vibrations and turning the screen black. The phone is still on at this point and the virus can continue to operate. It also mimics the phone turning back on, showing the logo and waiting the usual amount of time, so as not to draw the user’s attention to anything out of the ordinary. This behaviour is impossible to identify physically, as it perfectly mimics the shutdown and boot-up procedure. The virus was developed and tested by ZecOps, but it could pose a threat if used by external actors to spy on users, as the camera and microphone remain active.

This is of particular concern following the rapid and widespread adoption of remote working over the past few years, which has likely resulted in many employees using their personal devices more for business purposes or being provided with work phones. This has expanded the threat landscape significantly, offering many more potential targets for threat actors to exploit.

Why is it important to identify these threats?

2021 saw a record number of identified vulnerabilities, with 20141 CVEs generated, nearly 2000 more than the previous record year of 2020. So far in 2022, 2136 vulnerabilities (as of the start of February) have been identified. Whilst the number of CVEs being identified will no doubt continue to increase, the impact of these vulnerabilities can vary from essentially not being a threat at all to crippling companies and halting food and fuel supplies. This has been highlighted in recent events such as the ransomware attack against KP Snacks, a large snack distributor in the UK, which is highly likely to result in a shortage of supply for 6 – 8 weeks. Last year we saw another ransomware attack against JBS, a meat supplier in the US, resulting in a negative impact on America’s meat supply chain.

Whilst the victims of such attacks will inevitably bear the brunt of the impact, in the form of financial damage, loss of revenue, and damage to reputation and share price, the impact of such attacks is also felt much more widely than within the company itself. In both of the attacks above, food and snack supplies to the hospitality and retail industries were affected, causing a knock-on impact on the retailers, bars and restaurants that fell short on supply, as well as on individuals.

How can the Telesoft Product Suite help detect threats by monitoring network communications?

Telesoft’s TDAC Platform comprises a number of intelligent hardware and software components. Sensors capture every communication in your network, providing full visibility, whilst a data lake ingests and records all of this data.

Every flow record captured is enriched with threat intelligence. IP and domain reputation lists enable alerting on known threats. Geographic location and ASN mappings allow unexpected endpoints to be quickly identified and flagged. Signature-based intrusion detection alerts on suspicious activity, whilst buffering allows packet data to be captured and recorded even before the potential threat occurs.

To provide further analysis capability, the sensors support automated detection of tunnelled traffic, including GRE, GTP, MPLS and IP-in-IP, enabling visibility of the encapsulated flows. In addition, encrypted flow fingerprinting methodologies are utilised to identify threats within encrypted traffic without decrypting it, reducing latency and maintaining the privacy and integrity of the communication.

TDAC also utilises machine learning, behavioural analytics and historical baselining to monitor and identify anomalous flows, alerting the user with full flow analysis in real time. Combined with high-rate flow monitoring and intrusion detection capabilities, the TDAC Platform provides the full suite of tools to support Incident Response, Digital Forensics and Threat Hunting teams.

