DOE Lab Releases Open-Source Attack Intelligence Tool

Published: 22/11/2024   Category: security




Pacific Northwest National Laboratory offers up, and continues to build out, a tool that drills down into the processes and apps employed by the bad guys



The U.S. Department of Energy's Pacific Northwest National Laboratory (PNNL) is offering an open-source version of a homegrown tool that gathers an additional layer of intelligence during an attack.
The so-called Hone tool is basically a host-based sensor that automatically pinpoints which application or process an infected machine is using to communicate with an external network. So it could help determine the specific app used between a bot and its command-and-control server, or between an infected machine and the attacker trying to siphon off information or intellectual property.
PNNL, which was the victim of consecutive targeted attacks last summer, is test-running Hone along with its homegrown visualization technology. The open-source Hone code is available to the public, and its creator, Glenn Fink, hopes the community will then share any extensions to the tool in the public domain as well. It's currently available for Linux, and the lab is also working on Windows 7 and Mac OS X versions.
When a user unknowingly picks up spyware and is unaware of the background communication from his now-infected machine to the attacker, Hone would detect the traffic and isolate it to, say, the type of browser. "Hone can find this new process talking to the network. And even if it only talks to the network once a month, you still have a record of it," Fink says.
Today, correlating unusual communications trends between computers and outside the network can be a laborious process, and it's often difficult to discern which application is communicating. Malicious apps duck in and out, too, so it's difficult to track them.
Fink, who first developed the tool as a graduate student at Virginia Tech University, says Hone is akin to a scalpel, while existing tools of the kind are akin to a chainsaw. "It provides a new source of data," he says, and could let an organization under attack ultimately control traffic on a packet-by-packet basis. It would drill down to the application process and identify whether it was Internet Explorer or iTunes that was being used by the attacker, for example, he says.
Such a tool just might have come in handy for PNNL on the Friday of last year's July Fourth weekend, when the lab discovered it had been hit by a sophisticated targeted attack. The attackers used a combination of a Web server vulnerability and a payload that delivered a zero-day Adobe Flash exploit. PNNL, a research and development facility operated under contract to the Department of Energy, had to temporarily shut down most of its internal network services, including email, SharePoint, its wireless LAN, voicemail, and Internet access, as well as block internal traffic while investigating and mitigating the attack. The lab said no classified or sensitive information was taken.
In an interview with Dark Reading in the aftermath of the attack, Jerry Johnson, chief information officer for PNNL, said the attackers at first infiltrated some of PNNL's public-facing Web servers that contained publicly available information. The attackers exploited a bug in the server, and then rigged it with a malicious payload that planted an Adobe Flash zero-day exploit on victims' machines. A second-wave attack originating from another laboratory was more serious: The attackers were able to obtain privileged credentials and use them to reach a more sensitive side of PNNL's network.
Had it been available at the time, Hone could have been useful as a way to spot malicious app behavior or malicious apps. "This tool probably would have helped in that situation," PNNL's Fink notes.
The catch with Hone is that it must be built into the OS kernel, something that could deter its wider adoption, notes Richard Bejtlich, chief security officer with Mandiant. "I don't see that happening for many organizations," he says.
Mandiant's Bejtlich notes that there are similar capabilities already in the OS, such as Windows Event Tracing.
But PNNL's Fink says these built-in functions, such as Windows Event Tracing and DTrace in Linux and Mac OS X, are much cruder and less efficient for gathering this type of intelligence. "They could be used in a basic manner to trace activities back to system calls, but these tools require more software to be written around them to do what Hone does," he says.
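Hone does the process-to-connection attribution inside the kernel. As an added illustration (not PNNL's code, and not a substitute for Hone), the following Python does the same join crudely from userspace, in the spirit of the extra software Fink says the built-in facilities need wrapped around them: it parses rows in /proc/net/tcp layout, maps each socket inode to its owning process, and flags an established external connection from a process not previously recorded as talking to the network. The sample rows, inode map and process names are constructed; on a live Linux host, live_inode_map() builds the map from /proc/<pid>/fd links.

```python
import os, re, socket, struct

TCP_STATES = {"01": "ESTABLISHED", "0A": "LISTEN"}
# Constructed sample in /proc/net/tcp layout (IPv4 addresses are little-endian hex):
# row 0 sshd listening on 127.0.0.1:22, row 1 firefox -> 93.184.216.34:443,
# row 2 an unrecognised binary -> 203.0.113.7:8080 (TEST-NET-3 documentation range).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:A3C4 22D8B85D:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 10002 1 0000000000000000 20 4 30 10 -1
   2: 0F02000A:B210 077100CB:1F90 01 00000000:00000000 00:00000000 00000000  1000        0 10003 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_INODE_TO_PROC = {10001: "sshd", 10002: "firefox", 10003: "updater.bin"}  # constructed
SAMPLE_KNOWN_TALKERS = {"sshd", "firefox"}  # processes already recorded as using the network

def parse_hex_addr(field):  # '0100007F:0016' -> ('127.0.0.1', 22); the kernel prints IPv4 little-endian
    ip_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def parse_proc_net_tcp(text):
    """Return one dict per socket row: local/remote endpoints, TCP state and socket inode."""
    rows = []
    for line in text.splitlines()[1:]:          # first line is the column header
        f = line.split()
        if len(f) < 10:
            continue
        rows.append({"local": parse_hex_addr(f[1]), "remote": parse_hex_addr(f[2]),
                     "state": TCP_STATES.get(f[3], f[3]), "inode": int(f[9])})
    return rows

def live_inode_map():
    """On a real Linux host, map socket inodes to process names via /proc/<pid>/fd symlinks."""
    mapping = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            comm = open(f"/proc/{pid}/comm").read().strip()
            for fd in os.listdir(f"/proc/{pid}/fd"):
                if m := re.fullmatch(r"socket:\[(\d+)\]", os.readlink(f"/proc/{pid}/fd/{fd}")):
                    mapping[int(m.group(1))] = comm
        except OSError:
            continue                            # process exited, or its fd table is not readable
    return mapping

def attribute_sockets(rows, inode_to_proc, known_talkers):
    """Join each socket to its owning process and flag first-seen processes talking externally."""
    findings = []
    for r in rows:
        proc = inode_to_proc.get(r["inode"], "<unknown>")
        external = r["state"] == "ESTABLISHED" and not r["remote"][0].startswith("127.")
        findings.append({**r, "process": proc, "external": external,
                         "new_talker": external and proc not in known_talkers})
    return findings
```

A sensor built this way only sees sockets that exist at sampling time, which is exactly the gap an in-kernel hook like Hone closes: a process that connects once a month and exits between polls leaves no row here.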
The tool is available for download here. Fink and his team are hoping developers will clone and improve on its features.