
Hunting in the Dark: Metrics for Early Stage Traffic Discovery

Max Gao, Michael Collins, Ricky Mok, kc Claffy

TL;DR

This work addresses the challenge of early-stage traffic discovery in threat hunting by formalizing a discoverability metric to evaluate how effectively lightweight network-traffic metrics surface unknown malware phenomena over time. Using Crackonosh as a case study, the authors compare address-based and entropy-based detection metrics across darkspaces of varying sizes, demonstrating that packet-size entropy consistently detects the malware, while address-based metrics lose efficacy as the population declines. The study also shows that larger darkspaces accelerate detection and reveal emergent behaviors, such as per-host probing rates, but remediation and IPv4 scarcity impose limits on detection strategies. The findings offer operational guidance for defenders: employ a mix of metrics and larger data horizons to improve early discovery and account for population dynamics and data-collection constraints.

Abstract

Threat hunting is an operational security process where an expert analyzes traffic, applying knowledge and lightweight tools to unlabeled data in order to identify and classify previously unknown phenomena. In this paper, we examine threat hunting metrics and practice by studying the effect that Crackonosh, a cryptojacking malware package, has on various metrics for identifying its behavior. Using a metric for discoverability, we model the ability of defenders to measure Crackonosh traffic as the malware population decreases, evaluate the strength of various detection methods, and demonstrate how different darkspace sizes both affect the ability to track the malware and enable emergent behaviors by exploiting attacker mistakes.
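As an added illustration of the comparison described above (not code from the paper or its authors), the Python below computes an address-based metric (unique sources per destination port) and a packet-size-entropy metric over a constructed darkspace sample, then shows how the rank of a Crackonosh-like port under each metric changes as the victim population shrinks. The port numbers, packet sizes and source counts are assumptions chosen for the example, not values from the paper.

```python
from collections import defaultdict, Counter
from math import log2
import random

def shannon_entropy(counts):
    """Shannon entropy (bits) of a Counter of packet sizes; 0 for a single size."""
    total = sum(counts.values())
    return -sum(c / total * log2(c / total) for c in counts.values() if c)

def port_metrics(records):
    """records: iterable of (src_ip, dst_port, pkt_size) darkspace packets.
    Returns {port: (unique_sources, packet_size_entropy)}."""
    srcs, sizes = defaultdict(set), defaultdict(Counter)
    for src, port, size in records:
        srcs[port].add(src)
        sizes[port][size] += 1
    return {p: (len(srcs[p]), shannon_entropy(sizes[p])) for p in srcs}

def rank_of(metrics, port, idx, lowest_first):
    """1-based rank of `port` when ports are ordered by metric column `idx`
    (0 = unique sources, most first; 1 = entropy, lowest first)."""
    ordered = sorted(metrics, key=lambda p: metrics[p][idx], reverse=not lowest_first)
    return ordered.index(port) + 1

def synth_day(n_victims, seed=0):
    """Constructed one-day darkspace sample (not real data): background scanners on
    ports 22/80/443 with varied packet sizes, plus n_victims Crackonosh-like hosts
    probing placeholder port 5555 with one fixed packet size."""
    rng = random.Random(seed)
    rec = []
    for port, n_src in ((22, 40), (80, 60), (443, 30)):
        for i in range(n_src):
            for _ in range(rng.randint(5, 20)):
                rec.append((f"bg{port}-{i}", port, rng.choice((40, 44, 48, 52, 60, 64))))
    for v in range(n_victims):
        for _ in range(rng.randint(5, 20)):
            rec.append((f"victim-{v}", 5555, 60))
    return rec

if __name__ == "__main__":
    # As the population declines the address-based rank worsens, while the
    # uniform packet size keeps entropy at 0 and the entropy rank at 1.
    for n in (50, 10, 3):
        m = port_metrics(synth_day(n))
        print(n, "victims: address rank", rank_of(m, 5555, 0, False),
              "entropy rank", rank_of(m, 5555, 1, True))
```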

Paper Structure

This paper contains 16 sections, 3 equations, 8 figures, 3 tables.

Figures (8)

  • Figure 1: Activity for Crackonosh ports over 2022/09/13-2022/09/26 demonstrating the coordinated rise in traffic.
  • Figure 2: Crackonosh's distinctive, uniform packet size distribution (red) in contrast to distributions (blue) of those targeting the 8 services listed in Tab. [t:scand].
  • Figure 3: Number of unique IPs and always-on IPs in our data set. We removed the days that G2 did not have complete data. (Vertical black lines represent months of missing data.)
  • Figure 4: Kernel density function of the number of probe packets from always-on victims captured by G2. Bimodal distribution with peaks at 1370.31 and 2508.14 packets per day. The sending rate distribution was stable across time, and close to the expected probing rate of Crackonosh.
  • Figure 5: Rank and scores of address-based metrics applied to G1's dataset across three periods. While scores are correlated, the increasing ranks show the impact of other IBR obfuscating Crackonosh's behavior as the population decreases.
  • ...and 3 more figures