<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=2180921&amp;fmt=gif">

Uncovered with Stamus Security Platform: High Entropy Domain Connections

In this series of articles, we explore a set of use cases that we have encountered in real-world customer deployments of our network detection and response solution, Stamus Security Platform (SSP). In each case, we work to explain what we found, how we found it, and why it matters.

Background

In this scenario, the Stamus Security Platform (SSP) was deployed as part of an evaluation program during a proof of concept with a potential customer. Several other network detection and response competitors participated in the evaluation. The deployment included a full-featured Stamus Central Server and a Stamus Probe with a 10Gbps capacity. The environment was a typical corporate financial institution with many public and private facing applications, on-site and remote users, SaaS applications, server infrastructure, and remote offices. 

In any default installation, Stamus Network Probes have built-in mechanisms such as AI beacon encryption detection, anomaly detection, homoglyph detection, Host Insights, and more, but they also include over 100k+ detection methods/signatures in addition to 2-5 million IoCs that match on DNS domains, TLS certificates, and HTTP hosts and can be enables with the simple click of a button. 

What we found and how we found it

One detection technique that can be employed by SSP is the Newly Registered Domain (NRD) threat intelligence with Entropy (AI-based detection) communication. 

In this example, communication was detected on both Encrypted (TLS-based) and base64 encoded newly registered domains. The offending NRDs had high entropy names, calculated based on AI algorithms. 

Those events – with their respective related flow, anomaly, network protocol, and file transaction logs plus a PCAP as network forensic evidence – were automatically escalated. 

Let’s take a look at both examples: 

HTTP plus base64 encoded 

In the image below you can see HTTP-based communication to three high-entropy NRDs. The domains themselves were part of the HTTP Hostname during those communications: 

updated image 1

All of those domains were created/registered 2-4 weeks ago and at the time of the writing were already being flagged by other Threat Intel vendors as malicious.

Stamus Security Platform NRD intelligence automatically calculates entropy and flags any communications that are “high-entropy”. Because of this, we know that these domains were created/registered between 2 and 4 weeks ago and that they are likely malicious. 

The communication of three examples shown below was automatically escalated due to a combination of factors, without using any vendor (Threat Intel known lists): higher entropy of the names, newly/first time seen communication, newly registered domains

Below are screenshots from VirusTotal showing their analysis of each of the three domains. This confirms their malicious statues, but Stamus NRD detection automatically escalates domains without the assistance of any third-party vendors or threat intelligence lists. Escalation is based on a combination of entropy, the time the communication was first seen, and the date of domain registration. 

This domain was created 24 days ago (at the time of escalation): https://www.virustotal.com/gui/domain/establishmenttoenailinside.com

This domain was created 30 days ago (at the time of escalation): https://www.virustotal.com/gui/domain/credicorp-register.ng

This domain was created 16 days ago (at the time of escalation): https://www.virustotal.com/gui/domain/selfevidentvisual.com 

This is a good start. We can see that we have actual clear text communication, but where is the evidence?

The screenshot below shows an actual alert event that was triggered with obvious clear text HTTP-based communication and an included PCAP for evidence.

Here we have highlighted one case where a communication to a CnC server occurs: 

updated image 5

Highlighted below is the actual payload where we can observe a base64 form of encoding: 

Updated Image 6

Using the integrated CyberChef tool in SSP, we can decode that payload to easily see the exfiltration and configuration parameters of communication to other CNC servers: 

Image 7 Obfuscation new

The main thing to note here is the highlighted portion:

“https://vid41c [.] site/”

This domain is also highlighted in virustotal and is a recently registered domain: https://www.virustotal.com/gui/domain/vid41c.site

This image shows part of the CNC exfil and config information, which is visible from the decoded portion of the CNC communication: 

The communication includes information on the OS, browser, and other details about the infected system, partly shown on the screenshot above.

TLS

In the screenshot below, we can observe escalated AI-enabled Entropy-based NRD communication over TLS. 

These security events/alerts are based on TLS encrypted communication transactions. An automatic evaluation shows they are using high entropy TLS SNI. As a result, they have been highlighted and escalated. Upon further investigation, all were proven to be 100% malicious or otherwise unwanted activity.  

Updated Image 10

How it Happened

In the scenario described in this article, these NRD communications began with an unauthorized browser extension plugin that managed to bypass the local organizational security policy. 

There are many different aspects to the detection techniques provided by the Stamus Security Platform, and as a result it is not always only detection that matters. The ability to investigate, audit, and review different security events and data prior to an incident and evaluate which systems and users were impacted is essential. In this example, SSP was deployed during a POC which unfortunately does not allow for the same depth of information that only extended amounts of time on a network can provide. Despite this, the ability for SSP to quickly identify and investigate the NRD communications proved valuable to the evaluating organization. 

Why This Matters

It is important to remember that no detection mechanism can uncover all threats. Multiple layers of defense that address different parts of the security monitoring spectrum should be an essential part of any successful security strategy. 

Without multiple automated detection mechanisms, an organization's security team could miss malware, ransomware, botnets, advanced persistent threats (APTs), data exfiltration, remote access trojans (RATs), rootkits, social engineering, lateral movement, policy violations, phishing, or hundreds of other threats. 

The ability to rely on a combination of multiple detection logics and methods empowers defenders to perform faster and more meaningful detections with less available time. 

The examples shown in this article were automatically escalated by the Stamus Security Platform with no previous knowledge of the current infrastructure. Given the proof/evidence accompanying those, it is unfortunate but obvious that a breach has occurred. This was not detected by any of our competitors deployed during the same time of the evaluation or the organization's EDR.

A fully enabled and SOAR-integrated Stamus Security Platform deployment would have been able to prevent the exfiltration and communication even though it managed to bypass the existing EDR, firewall, and other detection systems deployed in the organization.

To read more articles in this series, check out these "Uncovered with Stamus NDR" blogs:

To stay updated with new blog posts from Stamus Networks, also make sure to subscribe to the Stamus Networks blog, follow us on Twitter, LinkedIn, and Facebook, or join our Discord.

Peter Manev

Peter Manev is the co-founder and chief strategy officer (CSO) at Stamus Networks. He is a member of the executive team at Open Network Security Foundation (OISF). Peter has over 15 years of experience in the IT industry, including enterprise-level IT security practice. He is a passionate user, developer, and explorer of innovative open-source security software, and he is responsible for training as well as quality assurance and testing on the development team of Suricata – the open-source threat detection engine. Peter is a regular speaker and educator on open-source security, threat hunting, and network security at conferences and live-fire cyber exercises, such as Crossed Swords, DeepSec, Troopers, DefCon, RSA, Suricon, SharkFest, and others. Peter resides in Gothenburg, Sweden.

Schedule a Demo of Stamus Security Platform

REQUEST A DEMO

Related posts

Feature Spotlight: Custom Report Generator

In today’s digital landscape, enterprise networks produce an overwhelming volume of data when...

Uncovered: SSP Identifies Massive Breach During Evaluation

For many organizations considering Network Detection and Response (NDR), one of the most valuable...

Feature Spotlight: Attack Surface Inventory

As all cybersecurity defenders know, visibility into the network is the key to understanding what...