Is There A Beacon on My Network?

By Lee Gitzes ·

While many IT security professionals focus on protecting the perimeter with advanced IDS/IPS systems, next generation firewalls and DLP, there are ever increasing threats leveraging covert communication techniques. Furthermore, they are exploiting enterprise networks from the inside out.

Many modern malware and attack techniques utilize common communication protocols such as SMB, DNS and HTTP. One increasingly common form of this attack is called a beacon, and it hides in plain sight on the network. A beacon uses typical traffic that is considered normal through the network using common protocols. A system compromised with a beacon will communicate in a manner that makes sense from a traffic monitoring system perspective. This makes it inherently difficult for an administrator to easily identify malicious activity.  An example of this type of common protocol is DNS; an attacker may send beacon traffic, every week using DNS txt records. On the surface it would not be considered a red flag to see a workstation sending DNS traffic on a weekly basis. Compromised systems will often communicate tunneled over an SMB connection as well, especially if they are communicating amongst each other on the internal LAN or WAN. Not only is SMB a very common protocol with internal communication, it is a very chatty protocol making identification of the malicious traffic more unidentifiable. Once a machine is compromised, the attacker may take control of the infected machine, perform screen scrapes and inject key loggers, all using the same common protocols.

This threat also allows the attacker to do what is known as a pivot. This capability means that the protocol and/or the system(s) generating the traffic may be changed on demand. Suspicious traffic being generated to and from a single system is one thing, but having the traffic jump from one infected machine to the next, in real time, is another. If an enterprise network has multiple machines compromised, stopping the threat can and will be like finding a needle in a haystack.

This type of attack is downright terrifying to network administrators. Especially those that have traditional network monitoring tools and layer 4 (port based) perimeter security. The good news is that many organizations that have deployed next generation firewalls and if deployed them properly will provide the visibility to inspect and see the contents of the traffic up through layer 7. Therefore, even as the data is travelling over DNS; it could be identified a next generation firewall or IDS/IPS.

Unfortunately, today’s enterprise workers work outside the firewall as often or more than they work behind it. Fortifying the perimeter of the network is no longer enough to ensure that internal networks are safe from compromise. End users connecting from personal internet connections may be compromised when outside the firewall, which then could bring infection in from the outside.  Even users that are connected via VPN are at risk, especially if connecting over a split tunnel.

To make matters worse, once malware such as this gets inside the trusted network, the majority of internal networks are only protected by common monitoring tools that are not looking beyond the headers of the traffic traversing the network. A beacon using SMB for communication will be virtually untraceable using these common tools, especially considering the volume of “normal” SMB network traffic that is already on the network.

The anatomy of a beacon based attack

Beacon Based Attack

What can be done about this?

Threats such as beacons are only the tip of the iceberg of the possibilities that exist in today’s hostile environment. The level of skill required for hackers to implement these tools is increasingly shrinking, also making the amount of instances higher. Compromising security technology is old hat, techniques such as phishing and social engineering have made it possible to compromise the weakest part to the network, human beings. The vast majority of major breaches and data theft in the last four years has started with some form of social engineering.

Safeguarding our assets must come from multiple fronts.

Trust no one security is one step towards safeguarding the network. By leveraging technologies such as Virtual Desktops, enterprises can present data and applications to users, only transporting pixels across the wire. Endpoints in a deployment such as this have no physical access in to the enterprise network.

Investing in modern security tools and software is no longer a luxury, it is a must. Many organizations have already deployed next generation firewall and IDS/IPS technology at the perimeter. However, they cannot stop there. Next generation tools that provide east/west visibility up through layer 7 are critical to quickly identifying and mitigating compromised systems. New methods and technologies for securing the endpoints such as microvisors will also prove to be worth their weight in gold, stopping malware before it has the ability to spread or even function at all.

Training is equally important. Technical staff should be deeply educated about these threats and should learn how to identify anomalies and hidden oddities in the network. End-users should also be educated about social engineering and phishing. Awareness is a powerful tool and empowering end-users with the knowledge and awareness of social engineering will reduce occurrences of successful attacks.

As with many things in the world of information technology, there is no single answer or solution to the problem. However, with the right strategy, tools and education vulnerabilities can be closed and compromises can be mitigated.