Stamus-Networks-Blog

Uncovered with Stamus Security Platform: High Entropy Domain Connections

Written by Peter Manev | Jul 18, 2024 2:26:00 PM

In this series of articles, we explore a set of use cases that we have encountered in real-world customer deployments of our network detection and response solution, Stamus Security Platform (SSP). In each case, we work to explain what we found, how we found it, and why it matters.

Background

In this scenario, the Stamus Security Platform (SSP) was deployed as part of an evaluation program during a proof of concept with a potential customer. Several other network detection and response competitors participated in the evaluation. The deployment included a full-featured Stamus Central Server and a Stamus Probe with a 10Gbps capacity. The environment was a typical corporate financial institution with many public and private facing applications, on-site and remote users, SaaS applications, server infrastructure, and remote offices. 

In a default installation, Stamus Network Probes ship with built-in mechanisms such as AI beacon encryption detection, anomaly detection, homoglyph detection, Host Insights, and more. They also include over 100,000 detection methods and signatures, plus 2 to 5 million IoCs that match on DNS domains, TLS certificates, and HTTP hosts, all of which can be enabled with a single click.

What we found and how we found it

One detection technique employed by SSP combines Newly Registered Domain (NRD) threat intelligence with AI-based entropy scoring of the domain names observed in network communication.

In this example, communication with high-entropy newly registered domains was detected in two forms: over TLS, and over clear-text HTTP carrying a base64-encoded payload. The entropy of the offending NRD names was calculated by AI algorithms.

Those events – with their respective related flow, anomaly, network protocol, and file transaction logs plus a PCAP as network forensic evidence – were automatically escalated. 

Let’s take a look at both examples: 

HTTP plus base64 encoded 

In the image below you can see HTTP-based communication to three high-entropy NRDs. The domains themselves appeared as the HTTP Hostname during those communications:

All of those domains had been created/registered 2 to 4 weeks earlier and, at the time of writing, were already being flagged by other threat intel vendors as malicious.

Stamus Security Platform NRD intelligence records the registration date of each domain and automatically calculates the entropy of its name, flagging any communication to names that are "high-entropy". From the registration data we know these domains were created between 2 and 4 weeks earlier; combined with the high entropy of their names, that makes them likely malicious.

The communication to the three domains shown below was automatically escalated due to a combination of factors, without using any vendor threat intel lists: high entropy of the names, newly or first-time-seen communication, and newly registered domains.

Below are screenshots from VirusTotal showing its analysis of each of the three domains. This confirms their malicious status, but Stamus NRD detection escalates domains without the assistance of any third-party vendor or threat intelligence list. Escalation is based on a combination of entropy, the time the communication was first seen, and the date of domain registration.

This domain was created 24 days ago (at the time of escalation): https://www.virustotal.com/gui/domain/establishmenttoenailinside.com

This domain was created 30 days ago (at the time of escalation): https://www.virustotal.com/gui/domain/credicorp-register.ng

This domain was created 16 days ago (at the time of escalation): https://www.virustotal.com/gui/domain/selfevidentvisual.com 

This is a good start. We can see that we have actual clear text communication, but where is the evidence?

The screenshot below shows an actual alert event triggered by clear-text HTTP communication, with the PCAP included as evidence.

Here we have highlighted one case where communication to a CnC server occurs:

Highlighted below is the actual payload, which is visibly base64-encoded:

Using the CyberChef tool integrated in SSP, we can decode that payload and see the exfiltrated data and the configuration parameters for communication with other CnC servers:

The main thing to note here is the highlighted portion:

“https://vid41c [.] site/”

This domain is also flagged in VirusTotal and is a recently registered domain: https://www.virustotal.com/gui/domain/vid41c.site

This image shows part of the CnC exfiltration and configuration information visible in the decoded portion of the CnC communication:

The communication includes information on the OS, browser, and other details about the infected system, partly shown in the screenshot above.
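The decode step above, reproduced as an added Python example that is not part of the original post or of the SSP and CyberChef tooling. The request body is constructed here (a key=value profile of the "infected" host plus two CnC URLs, base64-encoded with its padding stripped, as many clients do); the field names, hosts and URLs are invented. The code tolerates the URL-safe alphabet and missing padding, rejects bodies that are not base64, and defangs the extracted URLs so they are safe to paste into a ticket.

```python
import base64
import binascii
import re
from typing import Optional

# Constructed sample: the kind of key=value blob a CnC client posts in a request body.
# It is built here (and its '=' padding stripped, as many clients do) only so the
# example is self-contained; it is not the payload from the page.
_PLAIN = (
    b"id=7f3a9c&os=Windows 10.0.19045&br=Chrome/126.0&lang=en-US"
    b"&c2=https://c2-primary.example/gate.php"
    b"&c2b=https://c2-backup.example/gate.php&ext=1.4.2"
)
SAMPLE_BODY = base64.urlsafe_b64encode(_PLAIN).rstrip(b"=").decode("ascii")

_URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s&;\"'<>]*)?")


def decode_base64_payload(raw: str) -> Optional[bytes]:
    """Decode a base64 body tolerating whitespace, the URL-safe alphabet and
    stripped padding. Returns None if the text is not valid base64."""
    text = re.sub(r"\s+", "", raw)
    text = text.replace("-", "+").replace("_", "/")   # URL-safe -> standard alphabet
    text += "=" * (-len(text) % 4)                    # restore any stripped padding
    try:
        return base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None


def extract_urls(text: str) -> list:
    """All http(s) URLs in the decoded text, in order of appearance."""
    return _URL_RE.findall(text)


def defang(url: str) -> str:
    """Make a URL safe to paste into a ticket: hxxp scheme and [.] in the host only."""
    m = re.match(r"(https?)://([^/]+)(.*)", url)
    if not m:
        return url
    scheme, host, rest = m.groups()
    return f"{scheme.replace('http', 'hxxp')}://{host.replace('.', '[.]')}{rest}"


def parse_fields(text: str) -> dict:
    """Split a '&' or ';' separated key=value blob into a dict (first '=' splits)."""
    fields = {}
    for part in re.split(r"[&;]", text):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def analyze_payload(body: str) -> dict:
    """Decode a request body and pull out the host profile and CnC URLs it carries."""
    decoded = decode_base64_payload(body)
    if decoded is None:
        return {"decoded": False, "fields": {}, "urls": []}
    text = decoded.decode("utf-8", errors="replace")
    return {
        "decoded": True,
        "fields": parse_fields(text),
        "urls": [defang(u) for u in extract_urls(text)],
    }


if __name__ == "__main__":
    print(analyze_payload(SAMPLE_BODY))
```

Running it prints the decoded OS, browser and extension fields alongside the two defanged CnC URLs. The padding repair matters in practice: a body whose length is not a multiple of four is silently rejected by a strict decoder, which is exactly the kind of noise that hides a CnC check-in from a quick look.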

TLS

In the screenshot below, we can observe escalated communication to high-entropy NRDs over TLS, again identified by the AI-based entropy scoring.

These security events are based on TLS-encrypted transactions. Automatic evaluation shows that they use high-entropy TLS SNI values, so they were highlighted and escalated. Upon further investigation, all were confirmed to be malicious or otherwise unwanted activity.
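The escalation logic described for the HTTP Hostname cases above and for the TLS SNI cases here, as an added Python example that is not part of the original post and is not SSP's own implementation. SSP's entropy scoring is AI-based and not described on the page; this example substitutes plain Shannon entropy of the registrant-chosen label, combined with two other factors the post names, registration age and first-time-seen. The EVE-style JSON events, the registration-date table standing in for an NRD feed, the previously-seen baseline, the thresholds and the all-factors-must-agree rule are all constructed assumptions.

```python
import json
import math
from collections import Counter
from datetime import date
from typing import Optional

# Fixed reference date so the age calculations below are reproducible.
TODAY = date(2024, 7, 1)

# Constructed Suricata EVE-style events (not from the page): two HTTP and two TLS
# transactions. Hostnames and addresses are invented for this example.
SAMPLE_EVENTS = [
    '{"timestamp":"2024-07-01T09:12:04.000000+0000","event_type":"http","src_ip":"10.20.30.41",'
    '"dest_ip":"203.0.113.10","http":{"hostname":"q8z3xk7v2mw5.example","url":"/","http_method":"POST"}}',
    '{"timestamp":"2024-07-01T09:12:05.000000+0000","event_type":"tls","src_ip":"10.20.30.41",'
    '"dest_ip":"203.0.113.11","tls":{"sni":"k4p9wz2x-vq7t.example","version":"TLS 1.3"}}',
    '{"timestamp":"2024-07-01T09:13:00.000000+0000","event_type":"http","src_ip":"10.20.30.42",'
    '"dest_ip":"10.1.1.5","http":{"hostname":"intranet.example","url":"/home","http_method":"GET"}}',
    '{"timestamp":"2024-07-01T09:14:00.000000+0000","event_type":"tls","src_ip":"10.20.30.43",'
    '"dest_ip":"203.0.113.12","tls":{"sni":"d3k8x7q2m4vz.example","version":"TLS 1.2"}}',
]

# Stand-in for an NRD intelligence feed: registrable domain -> registration date.
# Constructed for this example; a real deployment uses a commercial or WHOIS-derived feed.
REGISTRATION_DATES = {
    "q8z3xk7v2mw5.example": date(2024, 6, 7),    # 24 days old
    "k4p9wz2x-vq7t.example": date(2024, 6, 15),  # 16 days old
    "intranet.example": date(2019, 3, 2),
    "d3k8x7q2m4vz.example": date(2021, 5, 20),   # random-looking but long established
}

# Domains this sensor has already observed (constructed baseline).
PREVIOUSLY_SEEN = {"intranet.example", "d3k8x7q2m4vz.example"}

ENTROPY_THRESHOLD = 3.5   # bits per character; illustrative, tune per environment
NRD_MAX_AGE_DAYS = 30     # "newly registered" window; illustrative


def shannon_entropy(text: str) -> float:
    """Shannon entropy in bits per character of the given string (0.0 for empty input)."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def hostname_of(event: dict) -> Optional[str]:
    """Return the HTTP Host or TLS SNI carried by an EVE event, lower-cased, or None."""
    if event.get("event_type") == "http":
        host = event.get("http", {}).get("hostname")
    elif event.get("event_type") == "tls":
        host = event.get("tls", {}).get("sni")
    else:
        host = None
    return host.lower().rstrip(".") if host else None


def registrable_domain(host: str) -> str:
    """Naive registrable domain: the last two labels. A real implementation should
    consult the Public Suffix List so that e.g. 'example.co.uk' is handled correctly."""
    return ".".join(host.split(".")[-2:])


def evaluate(event: dict, today: date = TODAY) -> dict:
    """Score one event on the three factors the post names: name entropy,
    registration age, and whether the domain is being seen for the first time."""
    host = hostname_of(event)
    if host is None:
        return {"host": None, "escalate": False}
    domain = registrable_domain(host)
    label = domain.split(".")[0]            # the part the registrant chose
    entropy = shannon_entropy(label)
    registered = REGISTRATION_DATES.get(domain)
    age_days = (today - registered).days if registered else None
    factors = {
        "high_entropy": entropy >= ENTROPY_THRESHOLD,
        # An unknown registration date is treated as "not proven new", not as new.
        "newly_registered": age_days is not None and age_days <= NRD_MAX_AGE_DAYS,
        "first_seen": domain not in PREVIOUSLY_SEEN,
    }
    return {
        "host": host,
        "domain": domain,
        "entropy": round(entropy, 3),
        "age_days": age_days,
        **factors,
        # All three factors must agree before escalation (illustrative AND rule).
        "escalate": all(factors.values()),
    }


def run(lines=SAMPLE_EVENTS, today: date = TODAY) -> list:
    """Evaluate each JSON line and return the per-event verdicts."""
    return [evaluate(json.loads(line), today) for line in lines]


if __name__ == "__main__":
    for verdict in run():
        print(verdict)
```

The fourth event is the caveat worth noticing: its SNI label is just as random-looking as the first two, but the domain is years old and already known to the sensor, so entropy alone would have produced a false positive on what could be a CDN or telemetry host. Note also the limit of character-level entropy: names built from concatenated dictionary words, such as some of the NRDs escalated on this page, score only moderately on a Shannon measure, which is one reason SSP relies on a learned model rather than this simple statistic.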

How it Happened

In the scenario described in this article, these NRD communications originated from an unauthorized browser extension that managed to bypass the local organizational security policy.

There are many aspects to the detection techniques provided by the Stamus Security Platform, and detection alone is not always what matters most. The ability to investigate, audit, and review security events and data prior to an incident, and to evaluate which systems and users were impacted, is essential. In this example SSP was deployed during a proof of concept, which unfortunately does not allow the depth of information that only an extended period on a network can provide. Despite this, SSP's ability to quickly identify and investigate the NRD communications proved valuable to the evaluating organization.

Why This Matters

It is important to remember that no detection mechanism can uncover all threats. Multiple layers of defense that address different parts of the security monitoring spectrum should be an essential part of any successful security strategy. 

Without multiple automated detection mechanisms, an organization's security team could miss malware, ransomware, botnets, advanced persistent threats (APTs), data exfiltration, remote access trojans (RATs), rootkits, social engineering, lateral movement, policy violations, phishing, or hundreds of other threats. 

The ability to rely on a combination of multiple detection logics and methods empowers defenders to perform faster and more meaningful detections in less time.

The examples shown in this article were automatically escalated by the Stamus Security Platform with no prior knowledge of the organization's infrastructure. Given the evidence accompanying them, it is unfortunate but clear that a breach had occurred. It was not detected by any of the competitors deployed during the evaluation, nor by the organization's EDR.

A fully enabled, SOAR-integrated Stamus Security Platform deployment would have been able to block the exfiltration and CnC communication even though it bypassed the existing EDR, firewall, and other detection systems deployed in the organization.

To read more articles in this series, check out these "Uncovered with Stamus NDR" blogs:

To stay updated with new blog posts from Stamus Networks, also make sure to subscribe to the Stamus Networks blog, follow us on Twitter, LinkedIn, and Facebook, or join our Discord.