Persistent Little IP, Aren't You?
What does it mean to say that an indicator is exhibiting persistent behavior? This is a question that Timur, Angela, and I have been asking each other for the past couple of months. In this blog post, we show you the analytics that we believe identify persistent behavior and how that identification can be used to identify potential threats as well as help with network profiling.
Defining persistent IP traffic has to start with frequency and time. We believe that an IP can be called persistent if it is seen in consecutive intervals over a duration of time. I know that definition seems a bit vague, but let's start there and work our way to more detail.
If we break traffic into groups based on consecutive-hour intervals and TCP/IP flags, then persistence has tangible analytics--that can be applied to each IP. We chose the following consecutive-hour intervals because we believe different persistence intervals can help differentiate between manual and automated activity.
- 2 hours - If an IP is seen for only 2 consecutive hours then we can say that activity is probably human driven.
- 4 hours - At this point, we start to think that the activity from this IP could be human driven, but is more likely automated.
- 8 hours - Automation is the probable driver of this activity.
- 24 hours - Automation is certainly the driver of this activity.
Having established a series of hour-interval groups, we can now look at the type of TCP/IP flags and packet sizes across all the time-series groups to classify the persistence. The idea behind this classification is that an IP that has been sending only SYN packets for the past 24 hours is not as interesting as an IP that has been transferring megabytes of data out of the network for the past 24 hours.
The three pairings that are of interest to us are: SYN-ONLY, PSH-ACK, and 50 MB. The direction of the traffic associated with each group could mean different things.
This grouping captures all failed connections.
- Inward--External IPs sending only SYN packets could be scanners or DDOS agents.
- Outward--Internal IPs sending only SYN Packets could be either a misconfigured host or beaconing to an inactive server.
This grouping captures the traffic that has sent data across the socket that was created by the three-way handshake.
- Inward--External IPs that make persistent connections to the inside could be any number of activities, most of which are benign. Seeing external IPs make connections to an internal web server is normal. Abnormal behavior would be an external IP receiving a PSH-ACK flag from an internal, nonpublic-facing Linux box over SSH.
- Outward--Internal IPs that make persistent connections to the outside, like above, are not necessarily indicative of malicious action. However, seeing an internal IP maintain a persistent connection with an external IP for a week is worth further investigation.
This grouping captures the IPs that sent at least 50 megabytes across the established socket.
- Inward--External IPs transferring at least 50 MB of data are a potential cause for concern that would warrant careful attention. The threat of data transfer only increases with the amount of time the connection is active.
- Outward--Internal IPs persistently sending data to external IPs should be investigated immediately. This type of activity is the biggest indicator of a breach.
By having all IPs fall into one of these three groups, we can "tease out" what's not only persistent but also a threat.
As I said before, seeing an external IP sending nothing but SYN packets all day, every day is not all that interesting considering it is probably just a scanner. However, seeing an internal host generating traffic that is either continuous for more than 24 hours or exists for more than 4 days in a row definitely warrants investigation.
Observing potential threats is a major focus for our work with persistence, but not the only one.
We on the Network Analysis Team believe that measuring persistent activity is another layer that can be applied to network profiling.
Persistent behavior from both internal and external IPs should be noted and closely examined to get the ground truth on any network. For example, seeing a web server active for days is normal. In a way, seeing this persistent behavior confirms the legitimacy of the web server. Angela, Timur, and I are excited about the potential of the expansion of this topic.