By Troy Kent
Event #3: A Sweet Sleigh Ride
Luge and Skeleton pilots are moving at over 80 mph! That’s so fast that sometimes it’s difficult to tell the difference between the two. Imagine that there was a villain that had infiltrated the Winter Olympics and was masquerading as a luge pilot. He’s up to some pretty malicious stuff, but the only chance we have to identify him is while he’s zooming down the track at ludicrous speeds. We must find out where he’s going. Luckily, he grabbed a skeleton toboggan by mistake, so he should look a bit different. But how can we tell the difference while everyone’s moving so fast? Anyway, I’ll be watching the event from my suite. Good luck with your third challenge!
I painted a pretty weird picture here, but I promise there is a method to the madness. There were three hints hidden in the narrative.
- We need to find where this villain is going
- He’s going to look a bit different
- I’ll be watching from my suite.
The intent of including the first two hints was to make it evident that the flag would be some kind of destination—and that in order to find said destination, you would need to find the traffic that was different than the rest in some manner. The intent of the third hint was an on-the-nose reference to what the different thing would be.
The first thing you may notice is how large the PCAP is (5.1MB). Not that it’s a huge amount of traffic in general, but it’s certainly a lot to reasonably sift through. If we look at the protocol breakdown, we can see that the majority is TLS traffic. That makes sense given clue number three.
There are a couple of directions you could go from here, one of which would show you the answer straight away. However, let’s pretend that I don’t already know the solution…
Based on the clues, we know that (1) we need to find a destination, (2) TLS cipher suites have something to do with it and (3) something different will help us find it. I suppose we could start by looking at all the destinations and seeing if anything sticks out to us as different (although that does ignore the bit about cipher suites).
The only two things I can think of that could be considered a ‘destination’ in TLS traffic would be either IPs or domains.
Do you see the answer yet? I doubt it—I’m fairly happy with how well this particular domain fits in. Why don’t we take a look at the cipher suites used for the TLS traffic?
We could dump all the lists of cipher suites used by the TLS traffic to compare them, but there’s a much easier way to see what traffic has something different about the cipher suites. We can just add the Client Hello’s cipher suites length field as a column and sort by it.
Doing that, you’ll see that there are only two lengths in the entire file.
Well look at that—all the TLS traffic with a different cipher suites length has the same exact destination (see why I said I was happy about how hidden the domain is?).
The reason the length of available cipher suites is different is because the applications generating the traffic are different. All the traffic where the cipher suites had a length of 30 was generated by me, using the Firefox browser to visit websites randomly as they popped into my head. The traffic to the destination (and solution to this challenge) was generated by Python requests. This method, and TLS fingerprinting in general, is a good way to differentiate traffic in a PCAP by application—for example, Python scripts vs. normal browsing traffic. In fact, we use it all the time to hunt down interesting scripting activity (file-less malware anyone?).
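As an added example (not from the original post and not Awake’s code), here is the same check done programmatically: parse the Cipher Suites Length and the server name (SNI) out of each Client Hello and report the destinations that use the minority length. The Client Hello records and the two suite lists are constructed for illustration and are not the real Firefox or requests fingerprints; using SNI as the “destination” is an assumption.

```python
import struct
from collections import defaultdict

def build_client_hello(sni, suites):
    """Construct a minimal TLS 1.2 ClientHello record (test input only)."""
    host = sni.encode()
    name = b"\x00" + struct.pack("!H", len(host)) + host            # name_type 0, length, host
    sni_ext = struct.pack("!HHH", 0, len(name) + 2, len(name)) + name  # ext type 0 = server_name
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                     # version, random, empty session id
            + struct.pack("!H", len(suite_bytes)) + suite_bytes      # Cipher Suites Length + suites
            + b"\x01\x00"                                            # one compression method (null)
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body               # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def parse_client_hello(rec):
    """Return (cipher_suites_length, sni) for a ClientHello record, else None."""
    if len(rec) < 44 or rec[0] != 0x16 or rec[5] != 0x01:
        return None
    p = 44 + rec[43]                    # skip record/handshake headers, version, random, session id
    cs_len = struct.unpack_from("!H", rec, p)[0]
    p += 2 + cs_len
    p += 1 + rec[p]                     # compression methods
    sni = None
    ext_end = p + 2 + struct.unpack_from("!H", rec, p)[0] if p + 2 <= len(rec) else p
    p += 2
    while p + 4 <= ext_end:
        etype, elen = struct.unpack_from("!HH", rec, p)
        if etype == 0:                  # server_name: list len(2), name type(1), name len(2), name
            nlen = struct.unpack_from("!H", rec, p + 7)[0]
            sni = rec[p + 9:p + 9 + nlen].decode("ascii", "replace")
        p += 4 + elen
    return cs_len, sni

def odd_ones_out(records):
    """Group ClientHellos by Cipher Suites Length; return the rarest length and its destinations."""
    dests, count = defaultdict(set), defaultdict(int)
    for cs_len, sni in filter(None, map(parse_client_hello, records)):
        count[cs_len] += 1
        dests[cs_len].add(sni)
    rare = min(count, key=count.get)
    return rare, sorted(dests[rare])

# Constructed sample: hypothetical suite lists, not real Firefox/requests fingerprints.
BROWSER = [0x1301, 0x1302, 0x1303, 0xc02b, 0xc02f, 0xc02c, 0xc030, 0xcca9,
           0xcca8, 0xc013, 0xc014, 0x009c, 0x009d, 0x002f, 0x0035]        # 15 suites -> length 30
SCRIPT = [0xc02b, 0xc02f, 0xcca9, 0xcca8, 0x009c, 0x002f, 0x0035, 0x000a]  # 8 suites -> length 16
SAMPLE = [build_client_hello(h, BROWSER) for h in ("example.com", "example.org", "example.net")]
SAMPLE += [build_client_hello("adservestatic.com", SCRIPT)] * 2
```

On a real capture you would feed `parse_client_hello` the TLS record bytes of each Client Hello (for example, extracted with a PCAP library) instead of the constructed `SAMPLE` list.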
What if you had Awake?
In order to see the TLS traffic from Python in Awake, it is as simple as looking at the occurrence of each TLS Available Cipher Suite.
By adding any of the cipher suites that were only seen in 18 activities (<0.1% of all the cipher suites seen from this device) to the query, we can quickly locate the TLS traffic to adservestatic.com.
If you are a connoisseur of fine SSL, it’s also possible to find this activity by using Awake’s QueryIQ language to specifically search for the available cipher suites known to be seen in Python requests from a Linux OS. In fact, we update our library of identified application and OS combinations as we discover them. For example:
It is certainly an obnoxious query to type with all the cipher suites written out in their text representation (not that typing them in hex would be any better; if you have those memorized, that would be rather impressive). Do not worry! If you happen to create a query like this, you can always save it as a query definition.
Then it becomes possible to search for Python requests’ TLS traffic along with other qualifiers, without remembering the longer query. For example, if we wanted to search for that traffic but only to suspicious domains, you could easily do so. If you were wondering how we determine domains are suspicious—it is based on a whole slew of criteria including registrar and registrant information, popularity of the domain, etc. Many of you will recognize, though, that information like this would normally need to be tracked down and assessed manually by the analyst (gross!). This is part of a capability that Awake calls DetectIQ.
You could also take that query definition and look for the threat behavior on an ongoing basis, so you would know when any Python-originated TLS traffic was seen on your network. In fact, this is how Awake ships a slew of detection logic to our customers.
Whenever the Watchlist is triggered, you’ll see it in the forensic timeline for the offending device as well as an alert in your SIEM.
I hope you enjoyed sliding through challenge number 3. Stay tuned for more Olympics-themed fun; same time, same place…but different time, actually…