With Corelight’s latest software release, v19, we are excited to announce the expansion of our Encrypted Traffic Collection (ETC). The ETC was introduced in late 2019, but as a reminder it’s a collection of security insights around SSL/TLS and SSH traffic, comprised primarily of proprietary detections developed by the Corelight research team. With v19 we’ve substantially expanded the scope of the SSH inferences package and added identification of DNS over HTTPS (DoH). In this post, I will provide some further details and a hint of what the research team is working on next!
Corelight’s inferences build on Zeek’s powerful SSH analyzer that identifies the properties and characteristics of encrypted SSH connections. Along with the inferences mentioned in the last blog (bypass attempts, scanning, port-forwarding (tunneling), file transfers, interactivity (keystrokes) and brute force authentication), the SSH inferences now cover:
Agent forwarding: Identifies public/private key authentication requests to pass keys between systems using a local agent. Agent forwarding can be convenient to use but dangerous, as an attacker can easily harvest your key and use it to connect to other trusted systems.
“Auto” detection: Indicates when the client and server are exchanging data very quickly. This could indicate the connection is automated or scripted (the inverse of an interactive session where keystrokes are being typed by a human).
New authentication methods: Identifies the use of a variety of authentication techniques (including MFA), which adds context and reduces false positives in other inferences that MFA would otherwise trigger.
Non-interactive: Detects the use of the rare ‘-N’ argument to SSH, which allows a connection without any interactive terminal or command. This can be used to stealthily create a port forward or tunnel that could hide malicious traffic.
Reverse Tunnel: Detects a network tunnel initiated, in the reverse direction, over an existing established SSH session, which can be used to bypass firewall policy, maintain a control channel, or proxy traffic.
DNS over HTTPS (DoH)
The use of DoH continues to increase, with both Firefox and Chrome supporting it by default in some configurations. While protecting DNS queries is an important step for privacy, encrypted DNS also complicates our job as defenders of corporate assets. Like other components of our Encrypted Traffic Collection, our DoH identification capability in v19 is for the cases where decryption isn’t possible. We hear loud and clear from defenders that having data about when DoH is being used in your environment is a critical first step to understanding the visibility issues it creates while also providing data for IR and threat hunting. Also, keep your eyes out for a DoH blog post coming soon.
SSH Stepping Stones
SSH is one of the most commonly used tools for remote administration of systems. It can also be used to establish malicious tunnels, exfiltrate data, and cover the tracks of attackers on your network. The SSH inferences that I described above provide a robust set of data around the SSH connections on your network, but on their own they aren’t able to identify movement between SSH servers on your network… that’s where the SSH Stepping Stones detector comes in. Based on research work going back many years, this innovative detector uses statistical analysis to determine when related SSH connections are seen on the network and logs them.
Let’s consider this example scenario: I log into host A on our company’s network. From there I SSH into host B, and from host B to host C. Each of those connections is a “stepping stone” and can be discovered by the detector, without decryption. A new log (stepping.log) is created to show the related SSH connections, including their UIDs and time deltas. While the original paper acknowledges that there are many legitimate reasons people might use intermediary connections to move through a network, it can also be a sign of an attacker moving laterally, or obfuscating their origin as they attack your network or others. It’s another example of the power of analyzing encrypted connections with Corelight that we believe can help highlight unexpected SSH movement and detect attacks.
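To make the A → B → C idea concrete, here is an added Python sketch (not Corelight’s detector and not the stepping.log format) that applies a simplified timing heuristic to constructed Zeek conn.log-style SSH records: an outbound SSH connection from a host that starts shortly after an inbound SSH connection into that same host is treated as a candidate stepping stone, and the linked UIDs and time deltas are reported. Field names mirror Zeek’s conn.log JSON output; the max_delta threshold and the sample records are assumptions for illustration.

```python
import json

# Constructed Zeek conn.log-style records (JSON lines). Sample data only, not real traffic:
# A(10.0.0.5) -> B(10.0.1.10) -> C(10.0.2.20) -> D(10.0.3.30) within seconds,
# plus an unrelated login to B and a much later hop out of B that should NOT be linked.
SAMPLE_CONN_LOG = """
{"ts": 1700000000.0, "uid": "C1aaaa", "id.orig_h": "10.0.0.5", "id.resp_h": "10.0.1.10", "id.resp_p": 22, "service": "ssh"}
{"ts": 1700000012.5, "uid": "C2bbbb", "id.orig_h": "10.0.1.10", "id.resp_h": "10.0.2.20", "id.resp_p": 22, "service": "ssh"}
{"ts": 1700000020.0, "uid": "C3cccc", "id.orig_h": "10.0.2.20", "id.resp_h": "10.0.3.30", "id.resp_p": 22, "service": "ssh"}
{"ts": 1700000050.0, "uid": "C4dddd", "id.orig_h": "10.0.9.9", "id.resp_h": "10.0.1.10", "id.resp_p": 22, "service": "ssh"}
{"ts": 1700009000.0, "uid": "C5eeee", "id.orig_h": "10.0.1.10", "id.resp_h": "10.0.4.40", "id.resp_p": 22, "service": "ssh"}
"""

def load_ssh_conns(text):
    """Parse JSON-lines conn records, keep only SSH, and sort by start time."""
    conns = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    return sorted((c for c in conns if c.get("service") == "ssh"), key=lambda c: c["ts"])

def find_stepping_stones(conns, max_delta=60.0):
    """Link each outbound SSH connection from host H to the most recent inbound SSH
    connection into H that started at most max_delta seconds earlier (assumed threshold).
    Returns (inbound_uid, outbound_uid, hop_host, delta_seconds) tuples."""
    links = []
    for out in conns:
        hop = out["id.orig_h"]
        candidates = [c for c in conns
                      if c["id.resp_h"] == hop and c["uid"] != out["uid"]
                      and 0 <= out["ts"] - c["ts"] <= max_delta]
        if candidates:
            inbound = max(candidates, key=lambda c: c["ts"])
            links.append((inbound["uid"], out["uid"], hop, round(out["ts"] - inbound["ts"], 3)))
    return links

def build_chains(links):
    """Join pairwise links into full paths, e.g. [C1, C2, C3] for A -> B -> C.
    If one inbound session fans out to several hops, only the last link is kept."""
    next_hop = {inb: outb for inb, outb, _, _ in links}
    outbound_uids = set(next_hop.values())
    chains = []
    for start in next_hop:
        if start in outbound_uids:
            continue  # this UID is a later hop, not the start of a chain
        chain = [start]
        while chain[-1] in next_hop:
            chain.append(next_hop[chain[-1]])
        chains.append(chain)
    return chains

if __name__ == "__main__":
    found = find_stepping_stones(load_ssh_conns(SAMPLE_CONN_LOG))
    for inb, outb, hop, delta in found:
        print(f"stepping stone via {hop}: {inb} -> {outb} (delta {delta}s)")
    print("chains:", build_chains(found))
```

Timing proximity alone produces false positives on busy jump hosts, which is why the real detector relies on statistical analysis of the connections rather than a single threshold.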
Of course, like most of our content, there are user configurations available for most of these features and packages. You can whitelist away DoH servers that your company might be using, and you can disable notices and tune most of the SSH inferences. You aren’t limited to what we provide: you can always run your own Zeek content on your Corelight sensors, and now that we’ve introduced Suricata on our platform, you can load your own signatures too.
We hope that you like the new content we’ve created for v19 and of course there’s so much more coming. Keep watching our blog for news about upcoming releases, new 0-day detection and more.