Book 5: Defense Spotlight with RITA Flashcards
What is RITA?
Real Intelligence Threat Analytics, an open-source network traffic analysis tool for finding attacker command and control (C2) activity
What type of threat identification is used with RITA?
Statistical threat identification
Rita is primarily used for __ assessment of network activity
offline
RITA reads from ___ logging data for the greatest network event fidelity; results are best with ___+ hours of logging data
Zeek
24
What are Zeek logs?
The logs produced by the Zeek (formerly Bro) network security monitor; RITA reads them to create its analysis reports
What is RITA?
A solution to identify attacker C2 using statistical anomaly analysis
Rita does not rely on packet payload inspection to identify threats like ___ platforms
IDS
RITA looks for signs of ___ activity that correspond to patterns employed by attacker ___ tools, both known and unknown
network
C2
RITA does not perform live network monitoring
true
RITA performs offline network monitoring
true
RITA is an effective threat hunting tool to aid analysts in identifying and reacting to compromises within the network.
true.
What are some common behaviors of C2s?
- Long connection duration between the C2 server and the victim endpoint
- Consistent packet/data sizes (heartbeat check-ins)
- Consistent packet intervals (C2 sleep timers)
- Consistent packet intervals within a jitter metric (skew)
- Session size consistency (total packet or byte count)
RITA does not identify specific C2 frameworks
true
Where does RITA store its parsed Zeek logs?
MongoDB
What are the steps to get results from RITA?
Prerequisite: have a MongoDB database available
1. Start the MongoDB database
2. Create a directory that will hold the Zeek logs
3. Run Zeek against a packet capture (pcap) file so it writes its logs into that directory
4. Import the Zeek logs from that directory into a RITA database (rita import)
5. Generate an HTML report (rita html-report)
What kind of reports are made with RITA?
- Beacons
- Strobes
- DNS (exploded DNS)
- Blacklisted source IPs
- Blacklisted destination IPs
- Blacklisted hostnames
- Long connections
- User agents
How would you import logs from Zeek?
prereq: already ran Zeek against pcap
$ rita import /path/to/zeek/logs DB_Name
How would you show RITA analysis in human readable format?
$ rita show-beacons DB_Name -H
How would you save output in a CSV format?
$ rita show-beacons DB_Name > DB_Name.csv (without -H the output is comma-separated)
-H option in RITA?
display results in a human readable format.
Can you perform beacon analysis with rita?
yes, beacons are one of the functionalities that RITA analyzes
What is beaconing?
A characteristic of a C2 framework where a compromised system reaches out to the controlling server with a periodic frequency
beaconing is a characteristic of __ framework
C2
How does RITA characterize beacons?
Score based: each source/destination pair receives a score between 0 and 1; a value of 1 or slightly less than 1 indicates beaconing.
A value slightly less than 1 is expected because simple network delay and dropped packets add jitter; it remains a strong indicator of a compromised node in the network.
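The beacon behaviors listed above (consistent intervals, small jitter, consistent sizes) can be turned into a score the way RITA does it. The block below is an added example written for this deck, not RITA's own code: a simplified scoring pass over a constructed Zeek conn.log excerpt. It groups connections by source/destination pair, then measures how regular the inter-connection intervals and request sizes are using quartile skewness and median absolute deviation; the four partial scores are averaged so a perfectly regular beacon scores 1.0 and a slightly jittery one scores just under 1.0. The log lines, IP addresses and the 4-connection minimum are assumptions made for the example.

```python
"""Added example, not RITA's own code: a simplified version of the
statistical beacon scoring RITA applies to Zeek conn.log records.
For every (source, destination) pair it scores how regular the connection
intervals and request sizes are; beacons score close to 1.0."""
import statistics
from collections import defaultdict

# Constructed Zeek conn.log excerpt (tab-separated, columns trimmed).
# 10.0.0.5 -> 203.0.113.9: ~60 s sleep timer with small jitter, 312-byte check-ins.
# 10.0.0.7 -> 198.51.100.4: irregular intervals and sizes (ordinary browsing).
# 10.0.0.9 -> 192.0.2.1: too few connections to score.
CONN_LOG = """\
#fields\tts\tid.orig_h\tid.resp_h\tid.resp_p\tproto\tduration\torig_bytes
#types\ttime\taddr\taddr\tport\tenum\tinterval\tcount
1700000000.0\t10.0.0.5\t203.0.113.9\t443\ttcp\t0.21\t312
1700000060.0\t10.0.0.5\t203.0.113.9\t443\ttcp\t0.19\t312
1700000120.4\t10.0.0.5\t203.0.113.9\t443\ttcp\t0.22\t312
1700000180.0\t10.0.0.5\t203.0.113.9\t443\ttcp\t0.20\t312
1700000240.2\t10.0.0.5\t203.0.113.9\t443\ttcp\t0.18\t312
1700000300.0\t10.0.0.5\t203.0.113.9\t443\ttcp\t0.21\t312
1700000000.0\t10.0.0.7\t198.51.100.4\t443\ttcp\t1.30\t1420
1700000003.0\t10.0.0.7\t198.51.100.4\t443\ttcp\t0.40\t88
1700000250.0\t10.0.0.7\t198.51.100.4\t443\ttcp\t5.10\t5120
1700000251.5\t10.0.0.7\t198.51.100.4\t443\ttcp\t0.90\t310
1700000900.0\t10.0.0.7\t198.51.100.4\t443\ttcp\t0.30\t64
1700001500.0\t10.0.0.7\t198.51.100.4\t443\ttcp\t2.00\t2048
1700000005.0\t10.0.0.9\t192.0.2.1\t80\ttcp\t0.50\t-
1700000700.0\t10.0.0.9\t192.0.2.1\t80\ttcp\t0.40\t600
"""


def read_zeek(text):
    """Yield one dict per record from a Zeek TSV log (uses the #fields header)."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split("\t")))


def _quartiles(xs):
    s = sorted(xs)
    half = len(s) // 2
    return statistics.median(s[:half]), statistics.median(s), statistics.median(s[-half:])


def _bowley_skew(xs):
    """Quartile (Bowley) skewness: 0 for a symmetric sample, 0 when the IQR is 0."""
    q1, q2, q3 = _quartiles(xs)
    iqr = q3 - q1
    return 0.0 if iqr == 0 else (q3 + q1 - 2 * q2) / iqr


def _dispersion(xs):
    """Median absolute deviation relative to the median, capped at 1."""
    med = statistics.median(xs)
    if med == 0:
        return 0.0
    madm = statistics.median([abs(x - med) for x in xs])
    return min(1.0, madm / med)


def beacon_scores(conn_log, min_conns=4):
    """Score every source/destination pair in a conn.log; 1.0 = perfectly regular."""
    by_pair = defaultdict(list)
    for rec in read_zeek(conn_log):
        size = 0 if rec["orig_bytes"] == "-" else int(rec["orig_bytes"])  # Zeek uses "-" for unknown
        by_pair[(rec["id.orig_h"], rec["id.resp_h"])].append((float(rec["ts"]), size))
    scores = {}
    for pair, conns in by_pair.items():
        if len(conns) < min_conns:  # too few samples for a meaningful score (assumed cut-off)
            continue
        conns.sort()
        ts = [t for t, _ in conns]
        intervals = [b - a for a, b in zip(ts, ts[1:])]
        sizes = [s for _, s in conns]
        # Skew near 0 and dispersion near 0 both push the score toward 1;
        # a few seconds of network delay only moves it slightly below 1.
        parts = [
            1 - abs(_bowley_skew(intervals)),
            1 - _dispersion(intervals),
            1 - abs(_bowley_skew(sizes)),
            1 - _dispersion(sizes),
        ]
        scores[pair] = {"connections": len(conns), "score": round(sum(parts) / 4, 3)}
    return scores


if __name__ == "__main__":
    ranked = sorted(beacon_scores(CONN_LOG).items(), key=lambda kv: -kv[1]["score"])
    for (src, dst), r in ranked:
        print(f"{r['score']:.3f}  {src} -> {dst}  ({r['connections']} connections)")
```

Running the block ranks the 10.0.0.5 pair first with a score of about 0.999 (the 0.4 s jitter keeps it just under 1), the browsing pair at roughly 0.42, and drops the 2-connection pair entirely. Real RITA also weighs connection count and runs over a full 24-hour window; this example only shows why the score lands "slightly less than 1" for a live beacon.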
How would you display RITA's long connection analysis?
$ rita show-long-connections -H mynetwork | head -15
What columns does long connections show?
- source IP,
- Destination IP
- DSTPORT:Protocol:SERVICE
- Duration
How would you display RITA's DNS analysis?
$ rita show-exploded-dns mynetwork | head -15
What columns does DNS analysis show you in RITA?
3 columns
- Domain queried by the internal host
- Number of unique subdomains seen under that domain
- Number of times the internal system looked up that domain (across all of its subdomains)
The number of subdomains for a given queried domain from the internal host should be a small number?
true
What does it mean if a domain has many unique subdomains?
Example: 7,882 unique subdomains for example.com is a very strong indicator of a compromise in the network
How would DNS tunneling with DNSCat2 set off an indicator within DNS analysis in RITA?
DNSCat2 encodes each message as a new, unique subdomain of the C2 domain (so the answer can never come from the DNS cache); the channel therefore generates many unique subdomains, which is a STRONG indicator of compromise in the network.
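To see why a DNSCat2 tunnel stands out in the exploded-DNS view, here is an added example written for this deck, not RITA's own code: it rebuilds the three-column exploded-DNS output from a constructed Zeek dns.log excerpt. Every query is "exploded" into its parent domains, and for each parent the code counts unique subdomains and total lookups, then flags domains whose subdomain count is abnormally high. The log records, the c2-tunnel.test and example.net names, and the threshold of 20 unique subdomains are assumptions made for the example.

```python
"""Added example, not RITA's own code: the exploded-DNS analysis rebuilt from a
constructed Zeek dns.log excerpt. Each query is "exploded" into its parent
domains; for every parent we count unique subdomains and total lookups, which
is what makes a dnscat2-style tunnel (a fresh subdomain per message) stand out."""
from collections import defaultdict

# Constructed dns.log records: ordinary lookups of example.net, plus a
# dnscat2-like tunnel in which each query carries hex-encoded data as a new
# label under c2-tunnel.test (names and data are invented for this example).
_NORMAL = [
    ("10.0.0.5", "www.example.net"),
    ("10.0.0.5", "mail.example.net"),
    ("10.0.0.5", "www.example.net"),
    ("10.0.0.7", "cdn.example.net"),
]
_TUNNEL = [("10.0.0.7", f"{i:08x}{'ab' * 6}.c2-tunnel.test") for i in range(25)]
DNS_LOG = "#fields\tts\tid.orig_h\tquery\tqtype_name\n" + "".join(
    f"{1700000000 + i}.0\t{src}\t{q}\t{'TXT' if 'c2-tunnel' in q else 'A'}\n"
    for i, (src, q) in enumerate(_NORMAL + _TUNNEL)
)


def read_zeek(text):
    """Yield one dict per record from a Zeek TSV log (uses the #fields header)."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split("\t")))


def explode(fqdn):
    """Parent domains of a query, from the registrable domain upward.
    Assumes the last two labels form the registrable domain; a real analysis
    should consult the public suffix list (co.uk and friends)."""
    labels = fqdn.rstrip(".").lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 2, 0, -1)]


def exploded_dns(dns_log):
    """Rows of (domain, unique_subdomains, times_looked_up), most subdomains first."""
    subdomains = defaultdict(set)
    lookups = defaultdict(int)
    for rec in read_zeek(dns_log):
        query = rec["query"].lower()
        if query in ("-", ""):  # Zeek logs "-" when no query name was seen
            continue
        for parent in explode(query):
            subdomains[parent].add(query)
            lookups[parent] += 1
    rows = [(d, len(subdomains[d]), lookups[d]) for d in subdomains]
    rows.sort(key=lambda r: (-r[1], r[0]))
    return rows


def suspicious_domains(rows, min_unique=20):
    """Domains whose unique-subdomain count reaches the threshold.
    20 is an arbitrary cut-off for this example; tune it to the environment."""
    return [d for d, unique, _ in rows if unique >= min_unique]


if __name__ == "__main__":
    rows = exploded_dns(DNS_LOG)
    print(f"{'Domain':<20} {'Unique Subdomains':>18} {'Times Looked Up':>16}")
    for d, u, n in rows:
        print(f"{d:<20} {u:>18} {n:>16}")
    print("suspicious:", suspicious_domains(rows))
```

The tunnel domain shows 25 unique subdomains for 25 lookups (every query is new), while example.net shows 3 unique subdomains for 4 lookups, the small ratio a normal domain produces. In practice, a domain with thousands of unique subdomains and a one-to-one lookup ratio is the pattern to pivot on.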
Can RITA be used to give insight in the network of activity that could represent compromised system?
yes
RITA is a starting point for the analyst's investigation, not a complete verdict
true
How would you add whitelisted or blacklisted IP addresses in RITA?
Edit RITA's config.yaml file
Consider taking local packet captures on endpoint systems?
yes