Threat Hunting for Mismatched Port – Application Traffic

August 10, 2018 by Ifeanyi Egede

Indicators of compromise (IOCs) are pieces of evidence that indicate a breach of security. IOCs include virus signatures, IP addresses, malware hash values, malicious URLs and domains, C2 servers, etc. Documenting and monitoring these IOCs helps organizations react proactively to security breaches.

Mismatch Port – Application Traffic is one of the top 15 indicators of compromise according to security researchers, and it is often observed in current security breaches. Threat hunting and incident response teams are coming up with tons of innovative and proactive measures to overcome this issue, focusing both on external attributes, by gathering and sharing intelligence, and on hunting for anomalies within the environment that traditional security mitigations do not detect.

What is Mismatch Port – Application Traffic

Port numbers range from 0 to 65535: ports 0-1023 are system ports or well-known ports, ports 1024-49151 are user ports or registered ports, and ports 49151 to 65535 are dynamic ports or private ports. If an application is using an unusual port that pretends to be a normal application port, it is a sign of compromise. This indicator of compromise is called Mismatch Port – Application Traffic.

This includes both inbound and outbound connections, which often take place over an open port. For instance, an infected host may send C2 communication masked as DNS requests over port 80. The requests may look like normal DNS queries, but investigating them would show that "the traffic is going across a non-standard port."

How to detect Mismatch Port – Application Traffic

Mismatch Port – Application Traffic falls under the Command and Control phase of the Cyber Kill Chain life cycle. Attackers normally use common protocols (HTTP, HTTPS, SSL/TLS or DNS) or custom protocols to build Command and Control (C2) channels, which give them covert remote access to the target network or infrastructure.

These custom protocols are challenging to forecast, but include procedures such as encrypting packet data with an XOR cipher. Just as with protocols, attackers use either common or uncommon network ports for their C2 channels. Examples of standard ports are 80-TCP (HTTP), 443-TCP (SSL/TLS) and 53-UDP (DNS). Uncommon ports are difficult to predict and deviate from registered ports.

Attackers can use any combination of protocols and ports, which includes:

  • Common Protocol + Common Port
  • Common Protocol + Uncommon Port
  • Custom Protocol + Common Port
  • Custom Protocol + Uncommon Port

What to Hunt for?

Suppose an attacker is using a C2 channel that runs a custom protocol over a common network port. Here, the key is to monitor network ports whose traffic deviates from the port's original purpose. For example, on port 80/TCP, monitor the connections that are not part of the HTTP protocol and collect the artifacts related to connections over port 80, such as domains, URLs, and User-Agent strings.

To identify the use of common protocols and ports, focus on the application protocols and the logs they generate, such as proxy logs, IIS logs, DNS resolution logs, and HTTP, SSL, DNS and SMTP logs. These artifacts may vary based on the intensity of the hunt.

Uncover Patterns and IOCs

Consider the same port 80/TCP, where the goal is to identify the legitimate protocol connections on the common port. Search for all the HTTP protocol records available in a time span, and identify the network sessions (firewall, NetFlow, etc.) on the common port for the same time span.

Once the results are available, remove from the network sessions all the data returned by the HTTP search. What remains is all the uncommon protocol connections on the common port. From this result, gather the information required for further investigation of a port mismatch, such as destination IP and destination port, bytes transferred, and connection duration/length.
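The subtraction described in the two sections above, as an added example that is not part of the original article: network sessions on port 80 minus the sessions that have a matching HTTP log record, summarized by destination. The record layout, field names and sample data are constructed assumptions; real firewall, NetFlow and proxy exports will need their own field mapping.

```python
from datetime import datetime, timedelta

# Constructed sample records (not from the article); field names are assumptions.
# FLOWS: firewall/NetFlow sessions. HTTP_LOG: records from an HTTP/proxy log.
FLOWS = [
    {"ts": "2018-08-10T09:00:01", "src": "10.0.0.5", "sport": 49822, "dst": "203.0.113.10", "dport": 80, "bytes": 18234, "duration": 2.1},
    {"ts": "2018-08-10T09:05:00", "src": "10.0.0.7", "sport": 50111, "dst": "198.51.100.23", "dport": 80, "bytes": 420, "duration": 600.0},
    {"ts": "2018-08-10T09:06:00", "src": "10.0.0.5", "sport": 49830, "dst": "203.0.113.10", "dport": 443, "bytes": 9000, "duration": 1.0},
    {"ts": "2018-08-10T09:20:00", "src": "10.0.0.7", "sport": 50140, "dst": "198.51.100.23", "dport": 80, "bytes": 380, "duration": 610.5},
    # Same 4-tuple as the first flow, reused two hours later with no HTTP record.
    {"ts": "2018-08-10T11:00:00", "src": "10.0.0.5", "sport": 49822, "dst": "203.0.113.10", "dport": 80, "bytes": 96, "duration": 30.0},
]
HTTP_LOG = [
    {"ts": "2018-08-10T09:00:02", "src": "10.0.0.5", "sport": 49822, "dst": "203.0.113.10", "dport": 80, "host": "www.example.com"},
]

def _key(rec):
    return (rec["src"], rec["sport"], rec["dst"], rec["dport"])

def unmatched_flows(flows, http_log, port=80, slack_s=5):
    """Flows on `port` with no HTTP record for the same 4-tuple during the flow (+/- slack)."""
    slack = timedelta(seconds=slack_s)
    http_times = {}
    for rec in http_log:
        http_times.setdefault(_key(rec), []).append(datetime.fromisoformat(rec["ts"]))
    residual = []
    for flow in flows:
        if flow["dport"] != port:
            continue
        start = datetime.fromisoformat(flow["ts"])
        end = start + timedelta(seconds=flow["duration"])
        # Time-bounded match: a reused source port is not excused by an older HTTP record.
        if not any(start - slack <= t <= end + slack for t in http_times.get(_key(flow), [])):
            residual.append(flow)
    return residual

def summarize(residual):
    """Per destination IP/port: connection count, total bytes, longest duration."""
    out = {}
    for f in residual:
        s = out.setdefault((f["dst"], f["dport"]), {"connections": 0, "bytes": 0, "max_duration": 0.0})
        s["connections"] += 1
        s["bytes"] += f["bytes"]
        s["max_duration"] = max(s["max_duration"], f["duration"])
    return out

if __name__ == "__main__":
    for dest, stats in summarize(unmatched_flows(FLOWS, HTTP_LOG)).items():
        print(dest, stats)
```

The residual is only as good as the HTTP log's coverage: sessions that bypass the proxy or sensor producing the HTTP records will also appear here and need to be ruled out before a destination is treated as suspicious.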

Remediation

The destination IP address and destination port used to communicate with the C2 can be considered IOCs. These IOCs can be added to an indicator database to expand automated detection systems. Packet-level signatures can also be created to trigger an alert when the traffic reappears.

References

http://www.carahsoft.com/wordpress/15-indicators-of-compromise/

https://www.isdecisions.com/key-indicators-compromise/

https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/threat-prevention/best-practices-for-securing-your-network-from-layer-4-and-layer-7-evasions

https://www.darkreading.com/attacks-breaches/top-15-indicators-of-compromise/d/d-id/1140647

https://attack.mitre.org/wiki/Technique/

Ifeanyi Egede

Ifeanyi Egede is an experienced and versatile freelance writer and researcher on security related issues with tons of published works both online and in the print media. He has close to a decade of writing experience. When he is not writing, he spends time with his lovely wife and kids. Learn more about how Ifeanyi Egede could be of help to your business at ifeanyi2excel@gmail.com.