Advanced Threat Hunting with Chris Brenton

An Antisyphon Class

Active Countermeasures is a group of like-minded geeks that are passionate about giving back to the security community. We do this through free training, thought leadership, and both open-source and affordable commercial tools.

RITA - Real Intelligence Threat Analytics

By Liza Tsibur

What is RITA?

RITA is an open-source network threat hunting tool designed to identify malicious command and control (C2) activity. It ingests Zeek connection logs and uses behavioral analytics to identify potentially compromised systems.

Why do we need threat hunting?

Perimeter defensive tools like firewalls and IDS protect your valuable systems. A solid incident response plan allows your team to contain and eliminate a discovered threat. But how do we identify when your protective layers have failed and incident response is needed? What happens when an attacker is already inside? The evidence shows that preventative and reactive measures alone are not enough. The average time to identify and contain a data breach has remained virtually unchanged for the past seven years, a shocking figure given the average cost of a breach. And while the financial consequences are significant, the full impact goes well beyond them: loss of personal information has affected millions of people, and rising breaches in the healthcare and critical infrastructure industries have placed vital services at risk of failure.

Why RITA?

The one absolute constant we, as threat hunters, can rely on is that malware must call home. By analyzing network traffic, we can detect C2 calling home regardless of platform and without the need for endpoint agents. Unfortunately, scouring through log data by hand and reading individual connection entries is unlikely to alert you to potential C2 activity. For better fidelity, behavior and pattern analysis needs to look at the communication between an internal and an external host over time. Persistence is the key attribute we look for when searching for compromised systems. RITA looks for the primary indicators of this persistence, allowing you to focus on vetting the activities flagged by its findings.

RITA's analysis stage splits these primary indicators of persistence into separate modules, allowing results to be viewed based on a specific indicator. Let's look at some of the main modules that make up this analysis.

Beacons

Beacons are repeating "heartbeat" communications between a pair of hosts. While some beacons are innocuous, a compromised system will use beaconing to continuously request instructions or exfiltrate data, allowing an attacker to maintain a persistent presence on the network. RITA identifies four different types of beacons; the first three are scored, while strobes (see below) are listed by connection count instead. We recommend investigating hosts with scores over 85% to verify that the associated network traffic fulfills a legitimate business need.

IP

An IP beacon may indicate that a compromised internal system is communicating with a C2 server at a specific IP address. This module analyzes the connections between each internal source IP and external destination IP pair.

$ rita show-beacons

Web

Web beacons are cases where an internal host communicates with a C2 server through a CDN. The CDN will spread out the C2 traffic over multiple IPs and mix it in with legitimate traffic, so no single internal-to-external IP pair shows a beacon. RITA undoes this by keying its beacon analysis on the requested hostname (the TLS Server Name Indication, hence the command name) rather than the destination IP, so connections spread across the CDN's addresses are counted together and the C2 channel becomes clearly visible.

$ rita show-beacons-sni

Proxy

Environments that use one or more proxy servers for external communication may struggle to identify beacons, because the proxy server appears as the destination of every HTTP/HTTPS request and all internal hosts collapse onto that one pair. This module uses the HTTP CONNECT request sent to the proxy to recover the originally requested destination and runs its beacon analysis on that.

$ rita show-beacons-proxy

Strobes

Internal-to-external host pairs that open a new connection one or more times per second are called strobes. Since the frequency of communication alone makes these indisputable beacons, they are not scored and are instead presented as a list sorted by connection count.

$ rita show-strobes

Scoring Breakdown

The score of each beacon is determined by four factors:

Timestamp Analysis - Time interval consistency between sessions.

Datasize Analysis - Size consistency between sessions.

Histogram Analysis - Frequency of sessions over time.

Duration Analysis - Persistence of the channel within the timeframe.
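To make the four factors concrete, here is a simplified scorer that computes one sub-score per factor over Zeek conn.log-style records and averages them, and that first sets strobes aside as the page describes. This is an added illustration written for this article, not RITA's own code: the statistics (median absolute deviation for the two consistency checks, a min/max ratio over hourly buckets for the histogram, first-to-last span over the capture window for duration), the equal weighting, the MIN_CONNECTIONS threshold and the sample traffic are all assumptions chosen for the example. The three host pairs below are constructed, not captured data.

```python
"""Simplified four-factor beacon scorer in the spirit of RITA's Beacons module.

Added illustration, not RITA's code: the exact statistics RITA uses differ.
Each record mimics four fields of a Zeek conn.log line:
    ts (epoch seconds), id.orig_h, id.resp_h, orig_bytes
"""
from collections import defaultdict
from statistics import median

MIN_CONNECTIONS = 3      # assumption: fewer sessions than this cannot show persistence
STROBE_RATE = 1.0        # new connections per second that make a pair a strobe
BUCKET_SECONDS = 3600    # histogram bucket width used by the frequency check


def mad(values):
    """Median absolute deviation: a spread measure that a few outliers cannot drag."""
    m = median(values)
    return median(abs(v - m) for v in values)


def consistency(values):
    """1.0 when every value is identical; falls to 0 as the spread reaches the median."""
    m = median(values)
    if m <= 0:
        return 0.0
    return max(0.0, 1.0 - mad(values) / m)


def group_pairs(records):
    """Collect (ts, bytes) per (internal src, external dst) pair, sorted by time."""
    pairs = defaultdict(list)
    for ts, src, dst, size in records:
        pairs[(src, dst)].append((float(ts), int(size)))
    for conns in pairs.values():
        conns.sort()
    return pairs


def find_strobes(pairs):
    """Pairs opening >= STROBE_RATE connections per second: listed by count, not scored."""
    strobes = {}
    for pair, conns in pairs.items():
        span = max(conns[-1][0] - conns[0][0], 1.0)
        if len(conns) / span >= STROBE_RATE:
            strobes[pair] = len(conns)
    return strobes


def score_pair(conns, dataset_start, dataset_end):
    """Average of the four sub-scores listed in the Scoring Breakdown (0.0 to 1.0)."""
    if len(conns) < MIN_CONNECTIONS:
        return 0.0
    times = [t for t, _ in conns]
    sizes = [s for _, s in conns]
    intervals = [b - a for a, b in zip(times, times[1:])]
    # Timestamp analysis: do sessions recur at a steady interval?
    ts_score = consistency(intervals)
    # Datasize analysis: are the requests the same size every time?
    size_score = consistency(sizes)
    # Histogram analysis: are sessions spread evenly across the capture window?
    n_buckets = int((dataset_end - dataset_start) // BUCKET_SECONDS) + 1
    counts = [0] * n_buckets
    for t in times:
        counts[int((t - dataset_start) // BUCKET_SECONDS)] += 1
    hist_score = min(counts) / max(counts)
    # Duration analysis: what fraction of the capture window does the channel span?
    window = max(dataset_end - dataset_start, 1.0)
    dur_score = (times[-1] - times[0]) / window
    return (ts_score + size_score + hist_score + dur_score) / 4


def score_beacons(records):
    """Return ({pair: percent score} for non-strobe pairs, {strobe pair: count})."""
    pairs = group_pairs(records)
    all_ts = [t for conns in pairs.values() for t, _ in conns]
    start, end = min(all_ts), max(all_ts)
    strobes = find_strobes(pairs)
    scores = {pair: round(100 * score_pair(conns, start, end), 1)
              for pair, conns in pairs.items() if pair not in strobes}
    return scores, strobes


def sample_records():
    """Constructed traffic: a 60 s beacon over six hours, a two-per-second strobe,
    and an irregular pair with browsing-like timing and sizes."""
    base = 1700000000.0
    recs = [(base + 60 * i, "10.0.0.5", "203.0.113.10", 512) for i in range(360)]
    recs += [(base + 0.5 * i, "10.0.0.9", "192.0.2.30", 64) for i in range(240)]
    offsets = [0, 5, 305, 325, 1525, 1570, 2270, 2280, 4780]
    sizes = [40, 1500, 200, 3000, 88, 9000, 512, 60, 700]
    recs += [(base + o, "10.0.0.7", "198.51.100.20", s) for o, s in zip(offsets, sizes)]
    return recs


if __name__ == "__main__":
    scores, strobes = score_beacons(sample_records())
    for pair, pct in sorted(scores.items(), key=lambda kv: -kv[1]):
        print(f"{pair[0]:>12} -> {pair[1]:<15} score {pct:5.1f}%")
    for pair, count in strobes.items():
        print(f"{pair[0]:>12} -> {pair[1]:<15} strobe, {count} connections")
```

Run stand-alone, the beacon pair scores 100% (perfectly regular interval and size, evenly spread, present for the whole window), the irregular pair scores under 10%, and the strobe is reported separately with its connection count rather than a score. Real traffic sits between these extremes, which is why the page's 85% threshold is a starting point for vetting rather than a verdict.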

Exploded DNS

A compromised system may leverage DNS to set up a C2 channel by encoding data in the FQDN or query portion of a DNS request. To avoid DNS caching and ensure that the local resolver forwards the request upstream, the malware uses a unique query for every request by varying the FQDN. This results in thousands of distinct FQDN lookups under a single parent domain. This module displays the unique FQDN count and total DNS lookups for each domain.

$ rita show-exploded-dns
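The following is an added example, not RITA's code, of the count the module reports: it reads dns.log-style lines, folds each query to its parent domain, and tallies distinct FQDNs against total lookups, then flags parents where nearly every lookup is a new name. The parent-domain rule (last two labels), the thresholds in `suspicious_parents`, and the log excerpt are assumptions constructed for the example; real tooling uses the public suffix list, and RITA's thresholds live in its configuration file.

```python
"""Exploded DNS: distinct FQDNs versus total lookups per parent domain.

Added illustration, not RITA's code. Input lines mimic two fields of a Zeek
dns.log record, tab separated: ts and query.
"""
from collections import defaultdict

# Constructed dns.log excerpt: eight one-off subdomains (tunnel style) under
# example.net, plus repeated lookups of one ordinary hostname under example.org.
SAMPLE_DNS_LOG = """\
1700000000.10\twww.example.org
1700000000.20\t4f7a1c9e2b.t.example.net
1700000000.30\t9d03ab77ef.t.example.net
1700000000.40\tc1e55d2a08.t.example.net
1700000000.50\twww.example.org
1700000000.60\t72b0f1e6ca.t.example.net
1700000000.70\t0aa3d9c41f.t.example.net
1700000000.80\tbe6e21f74d.t.example.net
1700000000.90\tWWW.EXAMPLE.ORG
1700000001.00\t58c7e0a9b3.t.example.net
1700000001.10\t1f9d46e2ac.t.example.net
"""


def parent_domain(fqdn, levels=2):
    """Naive parent domain: the last `levels` labels. An assumption for this
    example; production tooling consults the public suffix list so that a
    suffix such as co.uk is not mistaken for a parent domain."""
    labels = fqdn.rstrip(".").lower().split(".")
    return ".".join(labels[-levels:])


def explode_dns(log_text):
    """Return {parent: (unique_fqdn_count, total_lookups)}, most unique names first."""
    unique = defaultdict(set)
    total = defaultdict(int)
    for line in log_text.splitlines():
        if not line or line.startswith("#"):      # skip Zeek header/comment lines
            continue
        _ts, query = line.split("\t")[:2]
        parent = parent_domain(query)
        unique[parent].add(query.rstrip(".").lower())   # case-insensitive names
        total[parent] += 1
    rows = {p: (len(unique[p]), total[p]) for p in total}
    return dict(sorted(rows.items(), key=lambda kv: kv[1][0], reverse=True))


def suspicious_parents(rows, min_unique=5, min_ratio=0.9):
    """Parents with many distinct names that are each looked up about once.
    Thresholds are assumptions sized for this small sample."""
    return [p for p, (uniq, tot) in rows.items()
            if uniq >= min_unique and uniq / tot >= min_ratio]


if __name__ == "__main__":
    rows = explode_dns(SAMPLE_DNS_LOG)
    for parent, (uniq, tot) in rows.items():
        print(f"{parent:<15} unique FQDNs {uniq:>4}  total lookups {tot:>4}")
    print("suspicious:", suspicious_parents(rows))
```

The telling number is the ratio, not the raw count: a busy legitimate domain also produces many lookups, but they repeat the same handful of names, while a tunnel produces a new name almost every time.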

Long Connections

Long connections can be an indicator of well-established malware that holds a session open, allowing a compromised system to receive commands and exfiltrate data without repeatedly checking in with the C2 server. Longer sessions also create fewer log entries, making them harder to spot. This module displays a sorted list of the longest connections and their source and destination hosts.

$ rita show-long-connections

User Agent

User agent strings can also function as indicators of compromise. Malware might use an unusual or uncommon user agent string, or alter one to appear as if the traffic came from a browser or client other than the one actually installed on the infected host. Detecting and vetting such irregularities can help you determine whether a communication is malicious or benign. This module displays a list of the unique user agent strings found in the dataset.

$ rita show-useragents

Threat Intel

Threat intelligence feeds contain information on potentially malicious hosts based on attack information accumulated through various sources. You can customize which feeds this module uses in its analysis. Results display a list of the potentially malicious matches split into three categories: IPs contacted via an outbound connection, IPs that initiated an inbound connection, and hostnames, each with its own command:

$ rita show-bl-dest-ips

$ rita show-bl-source-ips

$ rita show-bl-hostnames

Getting Started

RITA runs on Linux and can be installed either manually or with our automated install script on Ubuntu 20.04 LTS, Debian 11, Security Onion, and CentOS 7.

You can find instructions for both of these on the RITA GitHub repository.

github.com/activecm/rita

Check out the Active Countermeasures website for some great webcasts to help you get started.

activecountermeasures.com

Tips and Tricks

Format module results into easy-to-read tables by adding -H to the command:

$ rita show-strobes <dataset> -H

Create a simple HTML summary of all module results:

$ rita html-report <dataset>

You can filter the results of any module with grep. One example is to create a text file of IP addresses to exclude (one per line) and use it when piping into grep. Here -f reads the patterns from the file, -F treats them as fixed strings rather than regular expressions (so the dots are literal), -w matches whole words so that excluding 10.0.0.1 does not also drop 10.0.0.10, and -v keeps only the lines that do not match:

$ rita show-beacons <dataset> | grep -v -w -F -f <filename>

If you find a suspicious result, you can use your Zeek logs to gather more context clues about the hosts or connections. Check out the Useful Threat Hunting Scripts article for some examples.

Most modules have thresholds that can be adjusted via RITA's configuration file. The beacon modules also allow you to customize the weight each subscore (see Scoring Breakdown in the Beacons section) has on the final score.

In memory of Rita Strand
