Defense Spotlight: RITA
Attackers have changed their methods to hide from network monitoring tools. Their tactics now blend with normal network traffic and use encryption, making it harder for traditional IDS tools to detect them.
RITA, made by Active Countermeasures, is a free tool that finds attacker C2 by analyzing unusual network activity, without inspecting packet contents like traditional IDS tools. It detects patterns used by C2 tools.
RITA analyzes offline network logs from Zeek (not live traffic) and works best with logs from 24 hours or more. It helps analysts find and respond to threats in the network.
Fundamentally Different Network Behavior
RITA is based on the idea that attacker C2 traffic is different from normal network activity. Normal traffic varies in protocols, ports, and data amounts, while C2 often shows unusual patterns:
Long connection duration between C2 and the victim endpoint
Lots of consistent data sizes in packets used for heartbeat checking
Consistent packet intervals (within a C2 sleep timer)
Consistent packet intervals within a jitter metric (skew)
A total session size or byte count consistency
RITA detects attacker C2 in an organization by spotting common behaviors, even for new C2 tools, without needing to know specific frameworks.
We'll cover the detailed steps in the lab.
RITA
First, make a folder for the Zeek data. Then, use Zeek to read the packet capture file, ignoring TCP checksums, and save the logs. After that, import the logs into a RITA database called "mynetwork." Finally, create and open the RITA HTML report for "mynetwork."
RITA's HTML report shows results in categories like:
Beacons: Regular connection timing
Strobes: High packet bursts
DNS: Detailed DNS analysis
Deny List Sources: Connections from blocked IPs
Deny List Destinations: Connections to blocked IPs
Deny List Hostnames: Blocked hostnames
Long Connections: Long TCP sessions
User Agents: Web browser info
After importing Zeek data into a database, we can use RITA to analyze it. For example, we can check beacon results with rita show-beacons database-name. By default, RITA shows the output as CSV, which we can save for Excel. Using the -H option shows the data in a readable table format.
Let's jump into a Lightning Labs event to reinforce this learning objective.
1) Zeek is a sophisticated tool for threat detection, but it can also be a straightforward tool for converting packet capture files into easy-to-read logging data.
Let's take a look. Run ls to list the files in the home directory.
2) In this event you will convert the data in the packet capture to Zeek logs.
Zeek writes the log files in the current directory. To keep the logs separate from other files, make a directory with the name logs.
3) Next, run Zeek with the arguments -C and -r ../falsimentis-netedge.pcap to convert the pcap file to the Zeek log format.
4) Run ls to list the files in the current directory.
Zeek has produced several log files that summarize the activity from the packet capture. The files are named by analysis category (connections, DNS activity, HTTP requests, weird traffic, and more).
5) Take a look at several lines of the conn.log file using head.
The Zeek connection log summarizes a lot of information about network connections including source and destination IP, ports, protocols, traffic transferred and more!
Beacon Analysis
RITA is a tool for threat hunting that helps analysts. Unlike network IDS, it doesn't try to pinpoint a specific attack or threat group. Instead, it presents information for analysts to interpret, requiring some knowledge. Let's explore how RITA offers insights to help you find threats in your network.
We'll look at the Beacons assessment from RITA's HTML report. Beaconing happens when a hacked system regularly contacts a control server. These beacon packets ask for instructions, like downloading a file or running a command. Many C2 frameworks use these packets at set intervals, often every minute, 5 minutes, or 10 minutes. The attacker waits for these beacons to give tasks, so the time between them is usually short.
RITA identifies threats by looking at beaconing patterns. A score close to 1, like 0.996, shows consistent packet activity over time. A score of 1 means perfect timing, where a host sends packets at regular intervals (e.g., every 10 minutes). A score slightly below 1 might indicate network delays or lost packets but still suggests a potential compromise.
Long Connections
RITA highlights long connections as a threat indicator. Typically, devices connect, share data, and then disconnect. However, some command-and-control tools, like Meterpreter, maintain a TCP connection for a long time. This method helps RITA identify threats in the network without needing to recognize specific C2 tools.
This shows RITA's readable output (-H) using the show-long-connections option. It reveals internal hosts connecting to various internet targets on TCP/443 for long periods.
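As an added illustration (not RITA's code or the course's own material), the two checks described in the Beacon Analysis and Long Connections sections run over a constructed, abbreviated Zeek conn.log: the timing score is a simplified median/MAD regularity measure assumed for this example, and RITA's real scoring differs in detail.

```python
import statistics
from collections import defaultdict

# Constructed, abbreviated Zeek conn.log (tab-separated; real logs carry more columns).
# 10.0.0.5 -> 203.0.113.9 checks in roughly every 600 s with a few seconds of jitter;
# 10.0.0.7 -> 198.51.100.2 is one nine-hour TCP/443 session; '-' is Zeek's unset marker.
JITTER = [0, 3, -2, 5, 1, -4, 2, 0]
CONN_LOG = "\n".join(
    ["#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tduration\torig_bytes\tresp_bytes"]
    + [f"{1700000000 + 600 * i + j}\t10.0.0.5\t{40000 + i}\t203.0.113.9\t443\ttcp\t0.2\t120\t300"
       for i, j in enumerate(JITTER)]
    + ["1700000100\t10.0.0.7\t50123\t198.51.100.2\t443\ttcp\t32400.5\t900\t1500",
       "1700000200\t10.0.0.5\t40100\t192.0.2.10\t80\ttcp\t-\t500\t8000"]
)

def parse_conn_log(text):
    """Turn a Zeek TSV log into dicts, taking column names from the #fields header line."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            records.append(dict(zip(fields, line.split("\t"))))
    return records

def beacon_scores(records, min_conns=4):
    """Timing-regularity score per src->dst pair; 1.0 means perfectly even intervals.
    Simplified stand-in for RITA's scoring (an assumption, not RITA's own code):
    score = 1 - MAD/median of the gaps between consecutive connection start times."""
    starts = defaultdict(list)
    for r in records:
        starts[(r["id.orig_h"], r["id.resp_h"])].append(float(r["ts"]))
    scores = {}
    for pair, ts in starts.items():
        if len(ts) < min_conns:
            continue                      # too few connections to judge regularity
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        med = statistics.median(gaps)
        mad = statistics.median(abs(g - med) for g in gaps)
        scores[pair] = max(0.0, 1.0 - mad / med) if med > 0 else 0.0
    return scores

def long_connections(records, min_seconds=3600.0):
    """(src, dst, dst_port, duration) for sessions lasting at least min_seconds, longest first."""
    rows = [(r["id.orig_h"], r["id.resp_h"], int(r["id.resp_p"]), float(r["duration"]))
            for r in records if r["duration"] != "-" and float(r["duration"]) >= min_seconds]
    return sorted(rows, key=lambda row: -row[3])
```

A few seconds of jitter still scores close to 1, matching the 0.996-style results the text describes, while a pair seen only once is never scored.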
DNS Analysis
RITA includes a DNS analysis that shows if DNS tunneling tools like DNSCat2 are present. The example uses RITA's default CSV output with the show-exploded-dns option. This output has three columns: the queried domain from the internal host, the count of unique subdomains, and how many times the internal system queried those subdomains.
Most domains have a few dozen to hundreds of subdomains. However, some, like Cloudflare and dyn.com, create unique subdomains for each customer. In this case, totallynotevil.org shows unusual behavior with its number of subdomains.
DNS tunneling tools like DNSCat2 create many unique subdomains to bypass DNS caching. RITA's assessment shows that totallynotevil.org has 7,822 subdomains, which is far higher than any other domain and is a strong indicator of compromise.
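An added example (not RITA's code) of the exploded-DNS computation described above, run over a constructed list of queried names: it groups queries by registered domain using a deliberately simple last-two-labels rule, produces the same three columns as show-exploded-dns, and flags domains whose subdomains are almost never queried twice, the cache-busting pattern DNS tunnels leave behind.

```python
from collections import defaultdict

# Constructed dns.log "query" values from internal hosts (real data is thousands of lines).
# totallynotevil.org gets a fresh, never-repeated label per query, the tunnel pattern described above.
QUERIES = (
    ["www.example.com", "mail.example.com", "www.example.com"]
    + [f"edge{i}.cdn.example.net" for i in range(30)]
    + [f"{i:04x}{(i * 7) % 1000:03d}.totallynotevil.org" for i in range(200)]
    + ["api.totallynotevil.org"]
)

def registered_domain(name):
    """Simplified: the last two labels count as the registered domain (not public-suffix aware)."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def exploded_dns(queries):
    """Rows of (domain, unique_subdomains, total_queries), highest unique count first:
    the same three columns as RITA's show-exploded-dns output."""
    subs = defaultdict(set)
    totals = defaultdict(int)
    for q in queries:
        d = registered_domain(q)
        subs[d].add(q.rstrip(".").lower())
        totals[d] += 1
    return sorted(((d, len(subs[d]), totals[d]) for d in subs), key=lambda r: -r[1])

def tunnel_candidates(rows, min_unique=100, min_ratio=0.9):
    """Domains with many subdomains that are almost never queried twice (cache busting)."""
    return [d for d, uniq, total in rows if uniq >= min_unique and uniq / total >= min_ratio]
```

A CDN such as example.net here also has one query per subdomain, so the unique-count threshold matters as much as the ratio; tune both to your own traffic before treating a hit as more than a lead.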
RITA is a Threat Hunting Tool
RITA is a tool to help analysts hunt for threats, not to give a ready list of compromised hosts for immediate action. Use RITA as a starting point, but you'll need your skills in gathering data, analyzing, and capturing packets for more info on the systems.
Use RITA results to learn about remote endpoints linked to local systems. Check IP info with Bing, SHODAN, Pulsedive, or Threatcrowd. A long connection to a Windows Update server probably isn't a compromise. Capture local network data with netsh trace or Wireshark to get more insights into activity and potential issues.
You can mark safe sites, like Microsoft Windows Update servers, by adding their IP addresses to the RITA config.yaml as trusted. For malicious sites, add their IPs to the deny list in the same file for future checks.
Lab 5.5: Real Intelligence Threat Analytics
In this lab, we'll use Real Intelligence Threat Analytics (RITA) from Black Hills Information Security. RITA ingests Zeek logs and analyzes the data to reveal anomalous activity that could be evidence of system compromise.
In this lab, we will look at how two different beaconing tools work, which are difficult to find with standard detection methods.
The first utility is VSAgent, a backdoor that connects every 10 seconds. It sends Base64-encoded messages over HTML.
The next tool is called DNSCat2 by Ron Bowes. DNSCat2 replicates the functionality of Netcat using DNS for the C2 channel.
RITA uses MongoDB to save Zeek analysis results. Let's start the Mongo database service from our terminal like this.
We have about 24 hours of network activity recorded in Zeek logs for a network where an attacker uses the VSAgent C2 framework. Let's use RITA to import and analyze this data.
There are also about 24 hours of network logs showing an attacker using the DNSCat2 tool to control a system. Let's use RITA to analyze this data.
Let's analyze Zeek logs with RITA and use its HTML feature to review the data. We'll create an HTML report for all imported data.
The rita html-report command creates a report in the rita-html-report folder and opens it in Firefox. The report has two review options: vsagent and dnscat2.
First, let's open the VSAgent report. We'll use the tabs at the top to check different RITA analysis modules. For VSAgent, let's focus on Beacons and User Agents.
Some C2 backdoors have a regular heartbeat, meaning they keep reconnecting to get commands from an attacker at set times. The "Score" measures how consistent this timing is, with a perfect score of 1 indicating perfect timing. The best example is the VSAgent backdoor, which shows a strong connection between the victim (10.234.234.100) and the attacker (138.197.117.74).
We have data on the number of connections. Some beacons have strong but short heartbeats. RITA's analysis shows that the VSAgent logs had many connections at regular intervals, while others, like the 65.52.108.* addresses, had strong heartbeats but fewer connections.
Now, let's check the browser User Agent strings. This helps find systems and apps that need updates.
In this example, the second-to-last entry shows a connection count that matches the Beacons analysis. If one system repeatedly uses the same User Agent string among thousands of systems, it’s worth investigating further.
Next, we'll look at the DNSCat2 analysis in the RITA report. Let's click the RITA menu and select the DNSCat2 report. We're going to check out a backdoor that's different from VSAgent.
The Beacons report for DNSCat2 shows a low score and few connections. Unlike VSAgent, DNSCat2 is good at avoiding detection on the network.
Let's click on the DNS analysis option to get the clearest look at this backdoor.
There were 82,920 requests for cat.nanobotninjas.com, which is an unusually high number of subdomains for a lesser-known domain.
Let's dig deeper using the original Zeek logs for more details.
Zeek generates DNS logs for 24 hours of network activity, but the data is compressed and split into files. We can use zgrep to search through all the files at once.
Once we find the suspicious domain with many subdomains, we can get the related logs from the compressed Zeek DNS logs. We'll use the zgrep command, like grep, to search for the "nanobotninjas" string in the compressed logs.
The zgrep output shows Zeek connection logs with many DNS TXT requests from 10.234.234.105 to the subdomain cat.nanobotninjas.com.
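A Python equivalent of the zgrep step, added here as an example (not part of the lab materials): it writes two constructed dns.log files laid out the way Zeek rotation leaves them (past hour gzipped, current hour plain), scans both transparently, and tallies matching records per source host and query type, which is what separates DNSCat2's TXT stream from an ordinary A lookup. The four-column layout is an abbreviation assumed for the example; real Zeek dns.log has many more fields.

```python
import gzip
import tempfile
from collections import Counter
from pathlib import Path

# Constructed, abbreviated dns.log lines: ts, id.orig_h, query, qtype_name (real Zeek has more columns).
# The 10.234.234.105 -> cat.nanobotninjas.com TXT traffic mimics the lab's DNSCat2 pattern.
EARLIER_HOUR = ["#fields\tts\tid.orig_h\tquery\tqtype_name",
                "1700000000\t10.234.234.101\twww.example.com\tA"] + [
    f"{1700000000 + i}\t10.234.234.105\t{i:x}a1.cat.nanobotninjas.com\tTXT" for i in range(40)]
CURRENT_HOUR = ["#fields\tts\tid.orig_h\tquery\tqtype_name",
                "1700003600\t10.234.234.101\tcat.nanobotninjas.com\tA"] + [
    f"{1700003600 + i}\t10.234.234.105\t{i:x}b2.cat.nanobotninjas.com\tTXT" for i in range(25)]

def write_rotated_logs(directory):
    """Lay files out as Zeek rotation leaves them: past hours gzipped, the current hour plain."""
    with gzip.open(directory / "dns.00:00:00-01:00:00.log.gz", "wt") as f:
        f.write("\n".join(EARLIER_HOUR) + "\n")
    (directory / "dns.log").write_text("\n".join(CURRENT_HOUR) + "\n")

def tally_queries(directory, needle):
    """Python equivalent of `zgrep needle dns*`: scan every dns log, compressed or not,
    skip Zeek's # header lines, and count matching records per (source host, query type)."""
    counts = Counter()
    for path in sorted(directory.glob("dns*.log*")):
        opener = gzip.open if path.suffix == ".gz" else open
        with opener(path, "rt") as f:
            for line in f:
                if line.startswith("#") or needle not in line:
                    continue
                cols = line.rstrip("\n").split("\t")
                counts[(cols[1], cols[3])] += 1
    return counts

def demo():
    """Build the constructed log directory in a temp folder and run the tally over it."""
    with tempfile.TemporaryDirectory() as tmp:
        write_rotated_logs(Path(tmp))
        return tally_queries(Path(tmp), "nanobotninjas")
```

Against real data, swap the constructed directory for the Zeek log folder; the per-(host, qtype) breakdown is what tells you the hits are one internal host issuing TXT queries rather than many hosts resolving one name.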
In this lab, we explored VSAgent and DNSCat2 C2 frameworks, which are hard to spot with normal tools. But with RITA's analysis, we found unusual patterns that can help identify threats from advanced attackers.