March 15

Webinar takeaway – The Ins and Outs of RITA

My key takeaways

  • RITA is made to detect beacons and long connections
    • open source tool
  • Signature-based detection of malicious code is outdated
    • Average detection time is over 6 months
    • > 50% of compromised systems are detected by outsiders
  • RITA is behaviour based
    • Needs a bunch of packets to work on
    • min 1h, default 24h time frame
    • high security env: 1 week
    • most commercial tools use just 20 min time frames
  • Requirements are minimal
    • Ubuntu 18 max at the moment
  • Typical setup
    • Zeek to collect data
    • RITA to analyse
    • RITA installer will install Zeek as well if not yet available
  • Zeek puts logs daily into /opt/zeek/logs/
  • Mini run-through as demonstrated
    • mkdir rita
    • wget install.sh for RITA
    • chmod +x install.sh
    • sudo ./install.sh
    • logout / login
    • download a pcap, e.g. from https://www.activecountermeasures.com/category/malware-of-the-day/
    • translate the pcap to Zeek logs with zeek -C -r <name.pcap>
    • rita import *.log <name of dataset>
    • it seems like rita is hanging; that's OK
    • rita list to show databases
    • rita show-beacons <dataset>
      • output fields: percent, source IP, dest IP, number of connections, ...
    • the closer the percent to 1.0, the more certain that it is a persistent connection
    • rita show-strobes <dataset> finds very short and frequent connections
    • rita show-long-connections <dataset>
    • rita show-exploded-dns <dataset> to see suspicious DNS traffic
    • rita show-useragents <dataset> to find unusually frequent connections with a certain, maybe uncommon, user agent
  • RITA is configured by the file /etc/rita/config.yaml
    • rita test-config | less to show the config read-only
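To make the "percent close to 1.0" idea from the show-beacons notes concrete, here is an added Python illustration (my own code, not RITA's scoring algorithm and not from the webinar) that reads constructed Zeek conn.log lines, groups connections per source/destination pair and scores how regular their inter-connection intervals are. RITA's real score also weighs data-size consistency and other signals over the 24h window; the column names follow Zeek's conn.log but the sample rows are made up.

```python
"""Toy beacon-regularity score over Zeek conn.log lines (illustration only,
not RITA's actual algorithm). A score near 1.0 means the connections from
one source to one destination happen at near-constant intervals, which is
what a periodic C2 beacon looks like in connection metadata."""
from collections import defaultdict
from statistics import median

# Constructed sample in Zeek conn.log TSV layout (only the columns used here).
# 10.0.0.5 -> 203.0.113.9 talks every 60s; 10.0.0.7 -> 198.51.100.2 is erratic.
SAMPLE_CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p
1700000000.0\tC1\t10.0.0.5\t50001\t203.0.113.9\t443
1700000060.0\tC2\t10.0.0.5\t50002\t203.0.113.9\t443
1700000120.0\tC3\t10.0.0.5\t50003\t203.0.113.9\t443
1700000180.0\tC4\t10.0.0.5\t50004\t203.0.113.9\t443
1700000240.0\tC5\t10.0.0.5\t50005\t203.0.113.9\t443
1700000003.0\tC6\t10.0.0.7\t50010\t198.51.100.2\t80
1700000410.0\tC7\t10.0.0.7\t50011\t198.51.100.2\t80
1700000415.0\tC8\t10.0.0.7\t50012\t198.51.100.2\t80
1700003000.0\tC9\t10.0.0.7\t50013\t198.51.100.2\t80
"""

def parse_conn_log(text):
    """Yield (ts, src, dst) per record, using the #fields header for column order."""
    cols = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            cols = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            row = dict(zip(cols, line.split("\t")))
            yield float(row["ts"]), row["id.orig_h"], row["id.resp_h"]

def beacon_scores(text, min_connections=4):
    """Return {(src, dst): score in [0, 1]}; pairs with few connections are skipped."""
    times = defaultdict(list)
    for ts, src, dst in parse_conn_log(text):
        times[(src, dst)].append(ts)
    scores = {}
    for pair, ts_list in times.items():
        if len(ts_list) < min_connections:
            continue
        ts_list.sort()
        intervals = [b - a for a, b in zip(ts_list, ts_list[1:])]
        med = median(intervals)
        # Median absolute deviation of the intervals relative to the median
        # interval: 0 for metronome-like timing, large for irregular traffic.
        mad = median(abs(i - med) for i in intervals)
        scores[pair] = round(max(0.0, 1.0 - mad / med), 3) if med > 0 else 0.0
    return scores

if __name__ == "__main__":
    for (src, dst), score in sorted(beacon_scores(SAMPLE_CONN_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{score:5.3f}  {src} -> {dst}")
```

Run it against a real conn.log from /opt/zeek/logs/ by reading the file into `beacon_scores`; the point is to see why a steady 60s cadence scores 1.0 while the erratic pair scores near 0.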

User comments

  • Chodeng — today at 19:37
    Will limiting zeek’s capture to headers only and ignoring data in the frame (for space/operational considerations) impact rita’s effectiveness?

    wstearns-ACM — today at 19:39
    Yes, this will affect Rita. Rita needs payload information to analyze DNS traffic, user agents, etc.

  • Is there a min zeek ‘verboseness’ requirement to effectively use rita?

    • wstearns-ACM — today at 19:40
      You need the conn, dns, http, ssl, x509, and known_certs files at a minimum.

Tags

beacon, C2, packet capture, threathunting
