SOVEREIGN ACTIVE THREAT HUNTING & NETWORK MONITORING SOFTWARE
Firebug in the Mitre Framework
Firebug is by design an active network cyber defence tool, and as such works best in a threat hunting environment with threat hunting workflows. In its most basic form, Firebug is a threat hunting lead generator focused on abnormal or unusual network traffic, specifically behaviours (and protocols) related to lateral movement and early-stage internal reconnaissance. Firebug’s unique method of handling network data also means that its detection capability is not limited to attacks: it is equally useful in exposing unwanted user behaviour and general misconfiguration. This capability is mapped to Mitre Engage activities and Mitre Att&ck Tactics & Elements below.
Before diving into this mapping, it is important to understand Firebug’s capability through the sample use cases that follow. They reflect the lead-generation concept and workflow, and that kind of capability precludes a simple one-to-one association of use cases with Att&ck framework strategies. Firebug does not detect these threats outright; rather, it provides a platform to hunt them down, allowing an analyst to expose them and identify where on the kill chain the attackers are.
General Use Case
Firebug in general is used to provide:
- Information on security-relevant issues inside client networks from the perspective of the hosting network tap.
- The ability to identify abnormal and potentially unwanted usage of lateral movement protocols (SMB, WinRM, LDAP).
- The ability to identify issues in outbound traffic regardless of the existence of an outbound firewall policy (or, more likely, the lack thereof).
These in turn provide:
- Visibility of network issues (misconfigurations, attackers, insider threat) from a security standpoint.
- The ability to identify, classify, and react to abuses and misuses of machines and protocols (i.e. bad user behaviour) inside selected networks.
- The ability to identify, classify, and react to outbound events (e.g. exfiltration, beaconing, unwanted service usage) in selected networks regardless of firewall capability.
These activities, through both Firebug’s statistics engine and the simple fact that it gives focused attention to network events, align with Firebug’s placement in the Expose pillar of the Engage matrix, specifically in Collection and Detection (see the Expose Pillar below).
Firebug’s broad detective capability allows it to surface the more subtle abuses of machines and protocols that go undetected by policy-driven security applications, or by those whose threat model is the detection of known tools. Specific targets here are attackers trying to remain undetected through living-off-the-land attack styles.
Unwanted Service Detection Use Case
Firebug can be used to identify unwanted and unusual service usage inside selected networks. For example:
- Firebug was deployed between the BYOD network and the internet gateway in a client network.
- The client did not have good visibility of outbound traffic from the BYOD network.
- The client had reason to believe users were using VPN/remote access software to bypass policy.
- Firebug was able to detect these from a combination of unusual profile (VPN), rare usage (remote access), and target destinations (abnormal geolocations).
- Reporting allowed the client to rectify these issues.
Firebug detected this through its pDNS capability acting in concert with the statistical deviation detection system at its core. The behaviour of users running VPN and remote access software was detectable because of its rarity compared with usual user actions. The fact that the domains used by the remote access tools were associated with known services was then leveraged to extract these events from the Firebug log output.
Firebug performs in a similar fashion when used to detect attacker behaviour via IOC FQDNs (see Beaconing and IOC Detection below). Firebug collects user actions, associates them with the DNS queries used via the pDNS system, and then forwards them as logs as the statistical detection system dictates. This allows for refined and targeted event generation for abnormal behaviour that correlates with DNS entries. This capability spans both the Network Monitoring and Network Analysis cells in the Engage Matrix (see Mitre Engage).
Beaconing and IOC Detection
Firebug can be used to identify actor beaconing, exfiltration, and C2 traffic by virtue of its unusual nature, with confirmation from known IOCs. One such example is the following:
- Firebug was deployed between the client VPN and the client core network.
- Firebug detected abnormal HTTPS behaviour emanating from the VPN network and passing outbound in the direction of the core switch.
- Firebug was able to identify the remote endpoint FQDN and generate events accordingly.
- Events were correlated with external threat intelligence data, and the remote FQDN was found to be a known IOC of a known threat (in this case a C2 server).
- The event was then acted on: affected machines were identified from the event data and isolated, and mitigation steps were taken.
In this case the attacker had not yet begun using the C2 connection; it was still in a beaconing phase. This behaviour was nevertheless different enough from the normal HTTPS traffic in the VPN network that Firebug identified its novelty and generated events for it. This allowed defenders to take corrective action before the attacker was able to perform further actions.
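The pDNS correlation and rarity scoring described in the unwanted-service and beaconing cases above, as an added illustration that is not Firebug’s own code: flows are joined to passive-DNS answers per client, each destination is scored by the fraction of hosts that use it, and rare destinations or IOC matches become hunting leads. All hosts, IPs, domain names and labels are constructed for the example.

```python
from collections import defaultdict

# Constructed sample data (not captured traffic): ten workstations that all
# use the internal mail server, plus a handful of rare outbound destinations.
HOSTS = [f"10.1.1.{i}" for i in range(1, 11)]
# Passive-DNS answers as (client_ip, query_name, answer_ip)
PDNS = [(h, "mail.example.internal", "10.9.0.10") for h in HOSTS] + [
    ("10.1.1.7", "remoteaccess.example.test", "203.0.113.20"),
    ("10.1.1.8", "beacon.example.test", "198.51.100.9"),
]
# Flow records as (src_ip, dst_ip); 192.0.2.77 was never resolved via DNS
FLOWS = [(h, "10.9.0.10") for h in HOSTS] + [
    ("10.1.1.7", "203.0.113.20"),
    ("10.1.1.8", "198.51.100.9"),
    ("10.1.1.9", "192.0.2.77"),
]
# Hypothetical labels: a known remote-access service and a constructed IOC
KNOWN_SERVICES = {"remoteaccess.example.test": "remote access software"}
IOC_FQDNS = {"beacon.example.test": "C2 (constructed IOC)"}

def build_pdns_index(pdns):
    """Map (client_ip, answer_ip) -> names that client resolved to that IP."""
    index = defaultdict(set)
    for client, name, ip in pdns:
        index[(client, ip)].add(name)
    return index

def resolve_flows(flows, index):
    """Attach FQDNs to flows; fall back to the raw IP when no answer was seen."""
    return [(src, name) for src, dst in flows
            for name in (index.get((src, dst)) or {dst})]

def generate_leads(flows, pdns, known, iocs, rarity=0.1):
    """Return hunting leads: destinations used by at most `rarity` of hosts,
    plus any IOC match regardless of how common the destination is."""
    resolved = resolve_flows(flows, build_pdns_index(pdns))
    hosts = {src for src, _ in resolved}
    seen_by = defaultdict(set)
    for src, name in resolved:
        seen_by[name].add(src)
    leads = []
    for name, srcs in seen_by.items():
        fraction = len(srcs) / len(hosts)
        if fraction <= rarity or name in iocs:
            leads.append({"fqdn": name, "hosts": sorted(srcs),
                          "fraction": round(fraction, 2),
                          "label": known.get(name) or iocs.get(name)
                          or "unlabelled rare destination"})
    return sorted(leads, key=lambda lead: lead["fqdn"])
```

Calling `generate_leads(FLOWS, PDNS, KNOWN_SERVICES, IOC_FQDNS)` returns three leads (the unresolved IP, the IOC and the remote-access domain) and leaves the mail server, used by every host, out of the list.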
Incident Response (IR) Lateral Movement Detection
Firebug’s rapid time to normalisation allows for drop-in deployment of the system into compromised environments. Firebug has been used in Incident Response (IR) scenarios to provide leads in the investigation process as part of a reactive threat hunting engagement. One such example is the following:
- Firebug was deployed in the DMZ network of a client affected by (and compromised through) the Log4Shell attack.
- Firebug was able to rapidly provide data on potential lateral movement, common talkers, and any LDAP protocol abuses (in Log4Shell’s case, outbound LDAP).
- Firebug allowed the investigative team to rapidly identify and classify DMZ-to-broader-network communications of concern.
- Firebug ultimately gave the client confidence at the end of the engagement that the network had been secured from the immediate threat and that no further lateral movement was occurring at that point.
Mitre Engage™
In the Mitre Engage Framework, Firebug falls into the first of the three pillars, Expose, for early detection of malicious actors on the network via active threat hunting and intelligence usage. Firebug’s capability fits into both Network Monitoring activities (for collection of network data) and Network Analysis activities (for determination of network anomalies requiring investigation). Firebug can be classified as an “internal intelligence” system, as it provides intelligence on network events from selected networks that, when combined with additional intelligence and threat hunting, can provide a potent cyber security capability beyond passive automated response tools.
Expose Pillar
Collect | Detect |
---|---|
API Monitoring | Introduced Vulnerabilities |
Network Monitoring | Lures |
Software Manipulation | Malware Detonation |
System Activity Monitoring | Network Analysis |
Each of these activities breaks down into a series of attacker vulnerabilities, or ways the attacker exposes themselves to a defender. These are aligned with a series of ATT&CK framework tactics, for example the Command and Control tactic: the activities that describe attacker kill chains in broad strokes. Each of these directly incorporates techniques of the Att&ck framework itself, the final stage of the Engage to Att&ck mapping. These mappings do not identify which Att&ck strategies an active solution or strategy “detects” or “covers”, but rather which locations in the Att&ck kill chain each element can expose. This matters in the threat hunting methodology, because the approach is to identify where an attacker may be in the kill chain from events that are necessarily broader than anything that can be matched to a single Att&ck technique or sub-technique. In short: we are not interested in detecting specific techniques, we are trying to expose the existence of the people using them.
Mitre Engage & Att&ck Mapping
The table below presents an Engage-to-Att&ck pass-through that gives a broad understanding of how Firebug “maps” from one framework to the other. This should give some idea of what Firebug is capable of doing from an Att&ck standpoint, and where it can fit into your security architecture.
ENGAGE Activity | ATT&CK Tactic | ATT&CK Element | Covered | Description |
---|---|---|---|---|
Network Monitoring & Network Analysis | Command & Control | T1071 App Level Protocols | Yes | Firebug can detect sustained abnormal uses of protocols, even when encrypted |
Network Monitoring & Network Analysis | Command & Control | T1132.002 Data Encoding: Non-Standard | Partial | Can detect deviations from normal protocol behaviour |
Network Monitoring & Network Analysis | Command & Control | T1001.001 Data Obfuscation: Junk Data | Yes | Can detect deviations from normal protocol behaviour |
Network Monitoring & Network Analysis | Command & Control | T1001.003 Data Obfuscation: Protocol Impersonation | Yes | Can detect deviations from normal protocol behaviour |
Network Monitoring & Network Analysis | Command & Control | T1568 Dynamic Resolution | Yes | Firebug is inherently agnostic about source and destinations, consistent abnormal behaviour is still detectable. |
Network Monitoring & Network Analysis | Command & Control | T1573 Encrypted Channel | Partial | Firebug can detect abnormal uses of encrypted channels, though not what they are being used for |
Network Monitoring & Network Analysis | Command & Control | T1008 Fallback Channels | Partial | Firebug is inherently agnostic about source and destinations, consistent abnormal behaviour is still detectable. |
Network Monitoring & Network Analysis | Command & Control | T1105 Ingress Tool Transfer | Yes | Firebug can detect abnormal file transfers. |
Network Monitoring & Network Analysis | Command & Control | T1104 Multi Stage Channels | Yes | Firebug is inherently agnostic about source and destinations, consistent abnormal behaviour is still detectable. |
Network Monitoring & Network Analysis | Command & Control | T1095 Non-Application Layer Protocol | Yes | Firebug works on the IP Protocol and catches all abnormal traffic above IP. |
Network Monitoring & Network Analysis | Command & Control | T1571 Non-Standard Port | Partial | Firebug can detect when standard ports are being used inappropriately, as may occur when a standard port is being used for a non-standard protocol |
Network Monitoring & Network Analysis | Command & Control | T1572 Protocol Tunnelling | Yes | Firebug can detect tunnelling in DNS, ICMP, and HTTPS. |
Network Monitoring & Network Analysis | Command & Control | T1219 Remote Access Software | Yes | Firebug has detected unauthorised uses of TeamViewer and similar, and can be used to detect such. |
Network Monitoring & Network Analysis | Command & Control | T1102 Web Service | Partial | Firebug can detect abnormal usage of web services, but cannot detect use if the ringfenced network regularly uses the web service in a similar fashion |
Network Monitoring | Lateral Movement | T1210 Exploitation of Remote Services | Yes | Firebug can detect the change in behaviour of remote services as they are compromised |
Network Monitoring | Lateral Movement | T1570 Lateral Tool Transfer | Yes | Firebug can detect abnormal file transfers. |
Network Monitoring | Lateral Movement | T1563 Remote Session Hijacking | Yes | Firebug can detect abnormal use of sessions, even when the session has been persistent for some time |
Network Monitoring | Lateral Movement | T1021 Remote Services | Yes | Firebug can detect the change in behaviour of remote services as they are used abnormally |
Network Monitoring | Lateral Movement | T1072 Software Deployment Tools | Yes | Firebug can detect the change in behaviour of remote services as they are used abnormally |
Network Monitoring | Lateral Movement | T1080 Taint Shared Content | Partial | Firebug can detect abnormal behaviour, so if the shared content now behaves differently Firebug can detect the change. |
Network Monitoring | Impact | T1498 Network DoS | Yes | Firebug can detect volumetric DoS and DDoS attacks. |
Network Monitoring & Network Analysis | Collection | T1557 Adversary in the Middle | Yes | Firebug can detect when attackers are impersonating services like SMB to perform AitM attacks. |
Network Monitoring & Network Analysis | Collection | T1119 Automated Collection | Partial | Bulk data replication over networks is detectable by Firebug |
Network Monitoring & Network Analysis | Collection | T1039 Data from Network Shared Drive | Yes | Firebug can detect abnormal file transfers. |
Network Monitoring | Defense Evasion | T1197 BITS Jobs | Yes | Firebug can detect abnormal file transfers. |
Network Monitoring | Defense Evasion | T1562.004 Disable or Modify System Firewall | Yes | Firebug can detect violations of firewall policy due to abnormality of non-policy behaviour |
Network Monitoring | Defense Evasion | T1562.007 Disable or Modify Cloud Firewall | Yes | Firebug can detect violations of firewall policy due to abnormality of non-policy behaviour |
Network Monitoring | Defense Evasion | T1599 Network Boundary Bridging | Yes | Firebug can detect violations of firewall policy due to abnormality of non-policy behaviour |
Network Monitoring | Defense Evasion | T1027.006 HTML Smuggling | Partial | Firebug can detect abnormal usage of HTTP/S |
Network Monitoring | Defense Evasion | T1542.005 TFTP Boot | Partial | Firebug can detect abnormal file transfers. |
Network Monitoring | Defense Evasion | T1207 Rogue Domain Controller | Yes | Firebug can detect abnormal SMB/LDAP actors, and new |
Network Monitoring & Network Analysis | Exfiltration | T1020 Automated Exfiltration | Partial | Bulk data replication over networks is detectable by Firebug |
Network Monitoring & Network Analysis | Exfiltration | T1048 Exfiltration over Alternative Protocol | Yes | Firebug can detect abnormal file transfers. |
Network Monitoring & Network Analysis | Exfiltration | T1041 Exfiltration over C2 Channel | Yes | Firebug can detect abnormal file transfers. |
Network Monitoring & Network Analysis | Exfiltration | T1567 Exfiltration over Web Service | Yes | Firebug can detect abnormal file transfers. |
Network Monitoring & Network Analysis | Exfiltration | T1029 Scheduled Transfer | Yes | Firebug can detect abnormal file transfers. |
Network Monitoring & Network Analysis | Exfiltration | T1537 Transfer Data to Cloud Account | Yes | Firebug can detect abnormal file transfers. |
How to deploy Firebug
Firebug is flexible and interoperable. It can be deployed as a virtual instance on any standard-specification server that can ingest network traffic and is positioned near strategic network assets (e.g. DMZ, Public WiFi, Data Centre). Each instance gives visibility of up to 1 Gb/s, which covers approximately 500 endpoints on a typical network.
- Virtual Instance: on a standard server.
- Network Traffic Ingest: via SPAN port or port mirror.
- Strategic Location: near key network assets, e.g. DMZ, Public WiFi, Data Centre.
- Up to 1 Gb/s of Traffic: per instance, which equates to approximately 500 endpoints.