Threat Hunting for Mismatched Port – Application Traffic
Indicators of compromise (IOCs) are pieces of evidence that indicate a security breach. IOCs include virus signatures, IP addresses, hash values of malware, malicious URLs and domains, C2 servers, etc. Documenting and monitoring these IOCs helps organizations react proactively and contain security breaches.
Mismatch Port – Application Traffic is one of the top 15 indicators of compromise according to security researchers, and it is often observed in current security breaches. Threat hunting and incident response teams are coming up with many innovative and proactive measures to address this issue, focusing both on external attributes, by gathering and sharing intelligence, and on hunting for anomalies within the environment that traditional security controls do not detect.
What is Mismatch Port – Application Traffic
Port numbers range from 0-65535: ports 0-1023 are system ports or well-known ports, ports 1024-49151 are user ports or registered ports, and ports 49151 to 65535 are dynamic ports or private ports. If an application is using an unusual port that pretends to be a normal application port, this is a sign of compromise. This indicator of compromise is therefore called Mismatch Port – Application Traffic.
This includes both inbound and outbound connections, which often take place over an open port. For instance, an infected host may send C2 communication masked as DNS requests over port 80. The requests may look like normal DNS queries, but investigating them would show that "the traffic is going across a non-standard port."
How to detect Mismatch Port – Application Traffic
Mismatch Port – Application Traffic falls under the Command and Control phase of the Cyber Kill Chain life cycle. Attackers normally use common protocols (HTTP, HTTPS, SSL/TLS or DNS) or custom protocols to build Command and Control (C2) channels over them, giving them covert remote access to the target network or infrastructure.
These custom protocols are challenging to forecast, but they include techniques such as encrypting packet data with an XOR cipher. Just as with protocols, attackers generally use either common network ports or uncommon network ports for their C2 channels. Examples of standard ports are 80/TCP (HTTP), 443/TCP (SSL/TLS) and 53/UDP (DNS). Uncommon ports are difficult to predict and deviate from the registered ports.
Attackers can use any of the combinations of protocols and ports which includes:
- Common Protocol + Common Port
- Common Protocol + Uncommon Port
- Custom Protocol + Common Port
- Custom Protocol + Uncommon Port
What to Hunt for?
Let us consider an attacker using a C2 channel that runs a custom protocol over a common network port. Here the key is monitoring network ports for connections that deviate from the port's original purpose. For example, on port 80/TCP, monitor the connections that are not part of the HTTP protocol and collect the artifacts related to connections over port 80, such as domains, URLs and User-Agent strings.
To identify the use of common protocols and ports, focus on the application protocols and the logs they generate, such as proxy logs, IIS logs, DNS resolution logs and HTTP, SSL, DNS, SMTP logs, etc. These artifacts may vary depending on the depth of the hunt.
Uncover Patterns and IOCs
Consider the same port 80/TCP and identify the legitimate protocol connections on the common port. Search for all the HTTP protocol records available in a time span, and identify the network sessions (from firewall logs, NetFlow, etc.) on the common port for the same time.
Once both results are available, remove from the network sessions all the connections that the HTTP records account for. What remains is the set of uncommon-protocol connections on the common port. From this result, gather the information required for further investigation of a port mismatch, such as destination IP and destination port, bytes transferred, connection duration/length, etc.
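The subtraction described above, worked through as an added example (this is not code from the article): it takes constructed NetFlow-style sessions and proxy records for 80/TCP, removes every session that an HTTP transaction for the same source/destination pair explains, and returns the remaining sessions with the destination, bytes and duration fields needed for follow-up. The log formats, field names and the 5-second matching window are assumptions for the example.

```python
from datetime import datetime, timedelta

# Constructed NetFlow-style sessions: timestamp|src|dst|dport|bytes|duration_s
FLOWS = """\
2024-05-01T10:00:05|10.0.0.5|203.0.113.10|80|5120|2.0
2024-05-01T10:00:09|10.0.0.5|203.0.113.10|80|480|1.0
2024-05-01T10:01:00|10.0.0.7|198.51.100.25|80|96000|600.0
2024-05-01T10:01:30|10.0.0.8|203.0.113.44|443|2048|1.5"""

# Constructed proxy/HTTP records for the same window: timestamp|src|dst|dport|host|user_agent
HTTP_LOG = """\
2024-05-01T10:00:06|10.0.0.5|203.0.113.10|80|www.example.com|Mozilla/5.0
2024-05-01T10:00:10|10.0.0.5|203.0.113.10|80|www.example.com|Mozilla/5.0"""

def parse(text, fields):
    """Split '|'-delimited log lines into dicts, converting the timestamp."""
    rows = []
    for line in text.splitlines():
        row = dict(zip(fields, line.split("|")))
        row["ts"] = datetime.fromisoformat(row["ts"])
        rows.append(row)
    return rows

def hunt_port_mismatch(flows_text, http_text, port=80, slack=timedelta(seconds=5)):
    """Return sessions to `port` with no HTTP record for the same src/dst
    pair within `slack` of the session start: candidates for a custom
    protocol riding on a common port (the 'subtraction' hunt)."""
    flows = parse(flows_text, ["ts", "src", "dst", "dport", "bytes", "duration"])
    http = parse(http_text, ["ts", "src", "dst", "dport", "host", "user_agent"])
    # Index HTTP records by (src, dst) so each flow needs only a small scan.
    seen = {}
    for r in http:
        if r["dport"] == str(port):
            seen.setdefault((r["src"], r["dst"]), []).append(r["ts"])
    findings = []
    for f in flows:
        if f["dport"] != str(port):
            continue
        stamps = seen.get((f["src"], f["dst"]), [])
        if any(abs(t - f["ts"]) <= slack for t in stamps):
            continue  # an HTTP transaction explains this session
        findings.append({"src": f["src"], "dst": f["dst"], "dport": int(f["dport"]),
                         "bytes": int(f["bytes"]), "duration": float(f["duration"])})
    return findings

if __name__ == "__main__":
    for hit in hunt_port_mismatch(FLOWS, HTTP_LOG):
        print(hit)
```

In the constructed data, only the long 96,000-byte session from 10.0.0.7 to 198.51.100.25:80 survives the subtraction, which is exactly the kind of record to enrich with destination, byte count and duration before investigating further.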
Remediation
The destination IP address and destination port used to communicate with the C2 can be considered IOCs. These IOCs can be added to an indicator database to extend the automated detection systems. Packet-level signatures can also be created to trigger an alert when the traffic reappears.
References
http://www.carahsoft.com/wordpress/15-indicators-of-compromise/
https://www.isdecisions.com/key-indicators-compromise/
https://www.darkreading.com/attacks-breaches/top-15-indicators-of-compromise/d/d-id/1140647
https://attack.mitre.org/wiki/Technique/