Detecting Cobalt Strike beacons in NetFlow data

In today's cyber security landscape, realistic threat simulation is used to raise organisations' resilience against real attacks. The goal of a Red Team is to simulate attacks realistically, while the Blue Team works to keep adversaries out. When analysing threat actors and their tool sets, Cobalt Strike stands out: it is used in the wild for both legitimate and malicious purposes, and even Advanced Persistent Threats (APTs) rely on it. In this research we present an approach for detecting the beaconing traffic that Cobalt Strike generates as part of its attack infrastructure. We propose a detection algorithm based on four identifying network-related features, which proves able to identify Cobalt Strike TCP beacons with an accuracy of 99.996%.
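
The abstract does not list the paper's four features, so the following is an added illustration rather than the paper's algorithm: it scores NetFlow-style records for beacon-like regularity using two widely used flow features, inter-flow interval jitter and byte-size consistency, over a constructed sample. The record layout, thresholds and addresses are assumptions.

```python
from collections import defaultdict
from statistics import mean, median, pstdev

# Constructed NetFlow-style records: (start_time_s, src, dst, dst_port, bytes).
# 10.0.0.5 -> 203.0.113.10:443 checks in roughly every 60 s with near-identical
# sizes (the beacon-like pattern); the other tuples are irregular or too sparse.
FLOWS = [
    (0, "10.0.0.5", "203.0.113.10", 443, 380), (61, "10.0.0.5", "203.0.113.10", 443, 382),
    (119, "10.0.0.5", "203.0.113.10", 443, 380), (181, "10.0.0.5", "203.0.113.10", 443, 379),
    (240, "10.0.0.5", "203.0.113.10", 443, 381), (299, "10.0.0.5", "203.0.113.10", 443, 380),
    (361, "10.0.0.5", "203.0.113.10", 443, 380), (420, "10.0.0.5", "203.0.113.10", 443, 382),
    (5, "10.0.0.7", "198.51.100.20", 443, 1200), (9, "10.0.0.7", "198.51.100.20", 443, 54000),
    (70, "10.0.0.7", "198.51.100.20", 443, 800), (72, "10.0.0.7", "198.51.100.20", 443, 23000),
    (200, "10.0.0.7", "198.51.100.20", 443, 3100), (205, "10.0.0.7", "198.51.100.20", 443, 910),
    (390, "10.0.0.7", "198.51.100.20", 443, 15000), (391, "10.0.0.7", "198.51.100.20", 443, 600),
    (30, "10.0.0.9", "192.0.2.8", 25, 4000), (900, "10.0.0.9", "192.0.2.8", 25, 5200),
]


def flow_features(records):
    """Per (src, dst, dport) tuple: flow count, median interval, jitter ratio, size spread."""
    groups = defaultdict(list)
    for ts, src, dst, dport, nbytes in records:
        groups[(src, dst, dport)].append((ts, nbytes))
    feats = {}
    for key, items in groups.items():
        items.sort()
        if len(items) < 4:  # too few flows to judge regularity
            continue
        intervals = [b[0] - a[0] for a, b in zip(items, items[1:])]
        sizes = [n for _, n in items]
        med = median(intervals)
        feats[key] = {
            "count": len(items),
            "median_interval": med,
            # spread of inter-flow gaps relative to the typical gap (low = periodic)
            "jitter_ratio": pstdev(intervals) / med if med else float("inf"),
            # coefficient of variation of flow sizes (low = same-sized check-ins)
            "size_cv": pstdev(sizes) / mean(sizes),
        }
    return feats


def candidate_beacons(records, min_flows=6, max_jitter=0.2, max_size_cv=0.1):
    """Return tuples whose timing and sizing are regular enough to review as beacons."""
    feats = flow_features(records)
    return sorted(k for k, f in feats.items()
                  if f["count"] >= min_flows and f["jitter_ratio"] <= max_jitter
                  and f["size_cv"] <= max_size_cv)
```

Flagged tuples are candidates for analyst review, not verdicts: legitimate software updaters and monitoring agents also check in on fixed schedules, so the thresholds need tuning against a baseline of the monitored network.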