In this series of articles, we explore a set of use cases that we have encountered in real-world customer deployments of our network detection and response solution, Stamus Security Platform (SSP). In each case, we work to explain what we found, how we found it, and why it matters.
Background
In this scenario, the Stamus Security Platform (SSP) was deployed as part of an evaluation program during a proof of value with a potential customer. Several other network detection and response competitors participated in the evaluation. The deployment included a full-featured Stamus Central Server and a Stamus Probe with a 10Gbps capacity. The environment was a regular corporate financial institution with many public and private facing applications, on-site and remote users, SaaS, server infrastructure, and remote offices.
In any default installation, Stamus Network Probes have built-in mechanisms such as AI beacon encryption detection, SIGHTINGS, homoglyph detection, Host Insights, and more, but they also include over 100k+ detection methods/signatures in addition to 2-5 million IoCs that match on DNS domains, TLS certificates, and HTTP hosts and can be enables with the simple click of a button.
What we found and how we found it
What was immediately observed, highlighted and automatically escalated (among billions of network security events) during the initial stages of deployment was communications from a well known actor/malware - DarkGate.
During the initial stages of deployment the Stamus Security Platform immediately observed, highlighted, and automatically escalated (among billions of networks security events) communications from a well known threat actor / malware – DarkGate.
DarkGate is commonly known to operate under a Malware-as-a-Service (MaaS) model. Created in 2018, Darkgate has been maintained and sold by a user known as RastaFarEye on various dark web cybercrime forums. According to Any.Run, DarkGate’s creator only offers 30 subscription seats priced at $15,000 per month. The following description comes from Malpedia:
“First documented in 2018, DarkGate is a commodity loader with features that include the ability to download and execute files to memory, a Hidden Virtual Network Computing (HVNC) module, keylogging, information-stealing capabilities, and privilege escalation. DarkGate makes use of legitimate AutoIt files and typically runs multiple AutoIt scripts. New versions of DarkGate have been advertised on a Russian language eCrime forum since May 2023.”
The screenshot below is from the Stamus Security Platform Coverage page. It shows an automatically escalated event, known as a Declaration of Compromise™. A Declaration of Compromise™ (DoC) signals an imminent threat on an asset that needs immediate investigation and remediation.
In this image we can see that the established and confirmed clear text communication has been highlighted with included detection logic. Also available for review from this incident are logs, PCAPs, and various detection methods. Something incredibly interesting about this example is that the threat was escalated due to the observation of established clear text communication, which is a very obvious and conclusive indicator of malicious activity happening in “broad daylight”.
The screenshot below is similar to the previous one, now highlighting the last seen date which can be used to gauge activity of the threat actor:
The next image is from our Host Insights investigation page for the breached asset, which showcases all the DGA-type communications done by the host. Host Insights includes over 60 security-related communication attributes that are constantly detected and tracked for each individual host.
In this image, you can see that the SIGHTINGS tab has been highlighted. SIGHTINGS highlights any previously unseen or novel communications. In this example, we can see that there is a sudden burst of verbose and random values, which is a good indication of malicious communications.
The following screenshot comes from Stamus Security Platform’s Hunting dashboard, further confirming many other similar occurrences from the same breached host:
The next image shows part of the malicious communication services using different hostnames with DGA namings. This is seen as part of the Host Insights investigation tab containing all the remote malicious hosts, their used services, and the different details about those communications. In this case, it showcases the HTTP service and different hostnames used by the offending/attacking host:
All evidence is readily available as depicted on the screenshot below, including the actual protocol, flow, file transaction logs, and PCAP network forensic evidence as proof of ongoing malicious communication. In this case it is a SIGHTINGS event highlighted by the Stamus Security Platform:
As mentioned, the full PCAP is also available for further review and network forensic evidence:
How it Happened
In the scenario described in this article, the Stamus Security Platform identified and automatically escalated malicious activity by a well known threat actor. All this was done while tracking all aspects of any relevant security communications made by the breached host and preserving all evidence, including network logs and PCAPs.
Upon investigation it was found that the deployed EDR tooling was either misconfigured or brought down by the attacker, hence leaving the network as the only viable visibility medium available.
There are many different aspects to the detection techniques provided by the Stamus Security Platform, and as a result it is not always only detection that matters. The ability to investigate, audit, and review different security events and data prior to and after an incident and evaluate which systems and users were impacted is essential. In this example, SSP was deployed during a POV which unfortunately does not allow for the same depth of information that only extended amounts of time on a network can provide. Despite this, the ability for SSP to quickly identify and investigate the unwanted exploitation activity proved valuable to the evaluating organization.
Why This Matters
It is important to remember that no detection mechanism can uncover all threats. Multiple layers of defense that address different parts of the security monitoring spectrum should be an essential part of any successful security strategy.
Without multiple automated detection mechanisms, an organization's security team could miss malware, ransomware, botnets, advanced persistent threats (APTs), data exfiltration, remote access trojans (RATs), rootkits, social engineering, lateral movement, policy violations, phishing, or hundreds of other threats.
The ability to rely on a combination of multiple detection logics and methods empowers defenders to perform faster and more meaningful detections with less available time.
The examples shown in this article were automatically escalated by the Stamus Security Platform with no previous knowledge of the current infrastructure. Given the proof/evidence accompanying those, it is unfortunate but obvious that a breach has occurred. This was not detected by any of our competitors deployed during the same time of the evaluation.
A fully enabled and SOAR-integrated Stamus Security Platform deployment would have been able to prevent the exfiltration and communication even though it managed to bypass the existing EDR, firewall, and other detection systems deployed in the organization.
To read more articles in this series, check out these "Uncovered with Stamus NDR" blogs:
- Uncovered with Stamus Security Platform: High Entropy Domain Connections
- Uncovered with Stamus Security Platform: Tapped on the Shoulder
- Uncovered with Stamus Security Platform: Spyware Missed by EDR
- Uncovered with Stamus Security Platform: ModiRAT
- Uncovered with Stamus Security Platform: Shadow IT
- Uncovered with Stamus Security Platform: Danger in the Data Center
- Uncovered with Stamus Security Platform: User Agents Tell the Story
To stay updated with new blog posts from Stamus Networks, also make sure to subscribe to the Stamus Networks blog, follow us on Twitter, LinkedIn, and Facebook, or join our Discord.
