Wrapping Up the Rule Your Network Hackathon Challenge
Over the summer, LogRhythm hosted our first-ever public NetMon Hackathon on DevPost. The Rule Your Network Challenge offered large cash prizes for entries into each of the following categories:
- Novel Threat Detection
- Best Security Hunting Dashboard or Use Case
- Best IT Operations Use Case
We asked the entrants to create DPA rules or custom dashboards that solve interesting problems in network threat detection, behavioral analysis, and network forensics.
We received many outstanding entries, and we filtered out the best of the bunch. View the winners on the contest DevPost page.
Highlights of the Contest Submissions
From the submissions, we can see there are a lot of creative NetMon Freemium users out there! Here are some of the highlights from a few of our favorite submissions.
Novel Threat Detection
Our favorite entry in the Novel Threat Detection category explored the JA3 algorithm for fingerprinting SSL/TLS sessions and adapted it into a DPA rule. The JA3 algorithm uses the unencrypted metadata exchanged while establishing an SSL/TLS session to create a unique hash-based fingerprint.
A JA3 fingerprint is highly specific to the client software that produced it. It can be used to create whitelists for known safe secure traffic and blacklists for “known unsafe” SSL/TLS traffic. Using a rule based on JA3, the author applied a blacklist fingerprint for the Metasploit Meterpreter reverse shell.
This entry caught our interest given its technical complexity (it requires a packet rule for packet payload analysis at the byte level) and because it is a really cool passive detection method for catching pen testers (and bad actors). Our very own Greg Foss set up this rule and “caught himself” as he was testing Metasploit modules against internal systems.
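To make the fingerprinting step concrete, here is an added example (not the contest entry's DPA rule and not NetMon code) that parses the handshake metadata JA3 uses out of a raw TLS Client Hello, builds the JA3 string in the order the published algorithm specifies (version, cipher suites, extensions, elliptic curves, point formats, with GREASE values dropped), hashes it with MD5, and checks the result against a whitelist and a blacklist. The Client Hello bytes are constructed in the script so it runs offline; the list contents are placeholders, since the real Meterpreter hash is not reproduced here.

```python
"""Compute a JA3 fingerprint from a TLS Client Hello and match it against lists."""
import hashlib
import struct

# GREASE values (RFC 8701) are random placeholders browsers inject; the JA3
# reference implementation skips them so the hash stays stable per client.
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}


def parse_client_hello(data: bytes) -> dict:
    """Pull the JA3 fields from a TLS record that carries a Client Hello."""
    # TLS record header: content type (0x16 = handshake), version, length
    if data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = data[5:5 + struct.unpack("!H", data[3:5])[0]]
    # Handshake header: type (0x01 = client hello), 3-byte length
    if body[0] != 0x01:
        raise ValueError("not a Client Hello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    version = struct.unpack("!H", hello[:2])[0]
    pos = 2 + 32                                   # skip the 32-byte client random
    pos += 1 + hello[pos]                          # skip session id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    ciphers = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hello[pos]                          # skip compression methods
    ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    extensions, groups, formats = [], [], []
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        edata = hello[pos:pos + elen]
        pos += elen
        extensions.append(etype)
        if etype == 0x000a:                        # supported_groups (elliptic curves)
            n = struct.unpack("!H", edata[:2])[0]
            groups = [struct.unpack("!H", edata[i:i + 2])[0] for i in range(2, 2 + n, 2)]
        elif etype == 0x000b:                      # ec_point_formats
            formats = list(edata[1:1 + edata[0]])
    return {"version": version, "ciphers": ciphers, "extensions": extensions,
            "groups": groups, "formats": formats}


def _join(values) -> str:
    """Dash-join a field's values, dropping GREASE placeholders."""
    return "-".join(str(v) for v in values if v not in GREASE)


def ja3_string(fields: dict) -> str:
    """JA3 text form: version,ciphers,extensions,curves,point_formats."""
    return ",".join([str(fields["version"]), _join(fields["ciphers"]),
                     _join(fields["extensions"]), _join(fields["groups"]),
                     "-".join(str(f) for f in fields["formats"])])


def ja3_hash(data: bytes) -> str:
    """The JA3 fingerprint is the MD5 hex digest of the JA3 string."""
    return hashlib.md5(ja3_string(parse_client_hello(data)).encode()).hexdigest()


def classify(data: bytes, allowlist: set, blocklist: set) -> str:
    """Blacklist wins over whitelist; anything unlisted is left for the hunter."""
    fp = ja3_hash(data)
    if fp in blocklist:
        return "block"
    if fp in allowlist:
        return "allow"
    return "unknown"


def build_client_hello(version: int, ciphers: list, extensions: list) -> bytes:
    """Build a minimal Client Hello inside a TLS record (constructed test input)."""
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    hello = (struct.pack("!H", version)
             + b"\x00" * 32                       # client random (zeros, constructed)
             + b"\x00"                            # empty session id
             + struct.pack("!H", 2 * len(ciphers))
             + b"".join(struct.pack("!H", c) for c in ciphers)
             + b"\x01\x00"                        # one compression method: null
             + struct.pack("!H", len(ext_bytes)) + ext_bytes)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed sample: TLS 1.2, one GREASE cipher and one GREASE extension mixed in.
SAMPLE_HELLO = build_client_hello(0x0303, [0x1a1a, 0xc02b, 0xc02f, 0x009c], [
    (0x2a2a, b""),                                         # GREASE extension
    (0x0000, b"\x00\x0c\x00\x00\x09" + b"localhost"),      # server_name
    (0x000a, b"\x00\x04\x00\x1d\x00\x17"),                 # supported_groups: x25519, P-256
    (0x000b, b"\x01\x00"),                                 # ec_point_formats: uncompressed
    (0x000d, b"\x00\x02\x04\x03"),                         # signature_algorithms
])

# Placeholders only: populate from your own known-good and known-bad fingerprints.
ALLOWLIST = set()
BLOCKLIST = {"<placeholder: ja3 md5 of a known-bad client>"}

if __name__ == "__main__":
    print(ja3_string(parse_client_hello(SAMPLE_HELLO)))
    print(ja3_hash(SAMPLE_HELLO), classify(SAMPLE_HELLO, ALLOWLIST, BLOCKLIST))
```

The extension parser only decodes the two extensions JA3 needs; the text form (`771,49195-49199-156,0-10-11-13,29-23,0` for the sample) is worth logging alongside the hash, because two clients that collide on the MD5 are far easier to tell apart by their field lists.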
Best Security Hunting Dashboard or Use Case
Several of the best entries in the Best Security Hunting Dashboard or Use Case category pursued abnormal or malicious DNS. We’ve seen DNS abuse on a regular basis as part of many “in the wild” incidents.
DNS can be used for command and control, as shown in the OilRig attack earlier this year. Another recent piece of malware, DNSMessenger, used the DNS TXT record to receive payloads and instructions. Because DNS is a fundamental protocol necessary for normal operations, hunting in DNS traffic is a critical part of a strong security posture.
We received several entries about DNS analysis, including rules and dashboards looking at:
- Determining the overall length of the DNS query; long queries are unusual.
- Top and bottom DNS destinations. New or unusual entries may be indicative of abnormal DNS activity.
- Top and bottom DNS sources, particularly those filtered for internal IP ranges.
These searches help identify abnormal DNS activity, making it easier to narrow down your hunting.
We also received an entry that went further into DNS by building a baseline of DNS queries over time, leading to a dashboard highlighting new domains. Further advanced DPA work led to a rule that enriches DNS data by merging in “whois” information, including when the domain was registered.
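The DNS hunts listed above and the baseline-driven "new domains" dashboard all reduce to a few aggregations over query logs. The following added example (not any contestant's rule or dashboard, and not NetMon code) runs those aggregations over constructed sample lines in a made-up `key=value` layout: it flags unusually long query names, counts top and bottom DNS destinations, counts sources filtered to RFC 1918 ranges, and reports registered domains absent from a baseline set. The length threshold and the two-label domain approximation are assumptions to tune; the whois enrichment from the entry is left out because it needs network access.

```python
"""Hunt for abnormal DNS in query logs: long names, top/bottom talkers, new domains."""
import ipaddress
import re
from collections import Counter

# Constructed sample lines in an invented key=value format (not NetMon output).
# The two tunnel.example.org queries carry hex-encoded data in the first label.
SAMPLE_LOG = """\
2017-08-01T10:00:01Z src=10.1.1.5 dst=10.1.1.1 qtype=A qname=www.example.com
2017-08-01T10:00:02Z src=10.1.1.5 dst=10.1.1.1 qtype=A qname=mail.example.com
2017-08-01T10:00:03Z src=10.1.1.7 dst=10.1.1.1 qtype=TXT qname=update.example.net
2017-08-01T10:00:04Z src=10.1.1.9 dst=198.51.100.53 qtype=TXT qname=4a6f686e2d446f652d6261636b75702d66696c652d323031372d30382d3031.tunnel.example.org
2017-08-01T10:00:05Z src=203.0.113.20 dst=10.1.1.1 qtype=A qname=www.example.com
2017-08-01T10:00:06Z src=10.1.1.9 dst=198.51.100.53 qtype=TXT qname=5468697320697320616e6f74686572206c6f6e67206c6162656c.tunnel.example.org
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) qtype=(?P<qtype>\S+) qname=(?P<qname>\S+)$"
)

# The analyst decides what "internal" means; RFC 1918 is the usual starting point.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_log(text: str) -> list:
    """Turn log lines into dicts; lines that do not match the layout are skipped."""
    records = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            records.append(match.groupdict())
    return records


def long_queries(records: list, max_len: int = 40) -> list:
    """Queries whose full name exceeds max_len characters.

    40 is an assumed starting threshold; tune it against your own baseline,
    since CDN and cloud hostnames are legitimately long."""
    return [r for r in records if len(r["qname"]) > max_len]


def destinations(records: list) -> Counter:
    """DNS servers queried, by count; the tail is where unexpected resolvers show up."""
    return Counter(r["dst"] for r in records)


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_RANGES)


def internal_sources(records: list) -> Counter:
    """Querying hosts restricted to the internal ranges, by count."""
    return Counter(r["src"] for r in records if is_internal(r["src"]))


def registered_domain(qname: str) -> str:
    """Last two labels; a production rule would consult the public suffix list."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def new_domains(records: list, baseline: set) -> list:
    """Registered domains seen in this window that are absent from the baseline."""
    return sorted({registered_domain(r["qname"]) for r in records} - set(baseline))


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("long queries:", [r["qname"] for r in long_queries(recs)])
    print("top destinations:", destinations(recs).most_common())
    print("internal sources:", internal_sources(recs).most_common())
    # Baseline would normally be built from prior days of traffic; constructed here.
    print("new domains:", new_domains(recs, {"example.com", "example.net"}))
```

Running it on the sample flags the two TXT queries to `tunnel.example.org`, which also surface as the only traffic to a resolver other than the internal `10.1.1.1`; in a real deployment the baseline set would be rebuilt daily from the prior window so that "new domain" means new to the environment, not just new to the query.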
Whether using out-of-the-box functions for some targeted dashboards or enriching the data with DPA, our contestants definitely dug deep into hunting for suspicious DNS traffic!
Best IT Operations Use Case
IT operations is a broad category that can include anything from analyzing normal infrastructure to looking at Industrial Control Systems (ICS). In this category, some of our favorite entries explored the value of monitoring cryptocurrency farms.
Cryptocurrencies, such as Bitcoin, are forms of currency exchanged based on “block chain” cryptography. You can create the currency through “mining,” which requires large numbers of CPU cycles to work through complicated algorithms. This “seed” becomes the root of the block chain and is the heart of the cryptocurrency.
The cryptocurrency entries were interesting for their novelty and timeliness. As we see an explosion of new cryptocurrencies, the art of “mining” is back in play. If you are mining new currencies, you definitely want to know your systems are working and that they are secure!
In one entry, the author made a set of dashboards to look at expected vs. abnormal traffic, creating a mixed IT operations and threat-hunting dashboard. We liked this entry for its parallels to the way you would protect an ICS or IoT environment where you don’t have deep control over the technologies or protocols.
In essence, the operations dashboard showed:
- Filters for “known good” traffic, including some aggregations on unique cryptocurrency metadata, such as wallet and transaction IDs.
- Filters for “unexpected” traffic, such as well-known protocols (e.g., HTTPS, FTP, SMB) originating from the mining rigs. This type of traffic was analyzed as a sign of either misconfiguration, possible vulnerabilities, or specific malware.
Using this type of dashboard, you can determine at a glance whether your systems are active and working. You also get an immediate view into abnormal function and suspicious traffic.
Wrapping Up the Rule Your Network Challenge
We would like to thank everyone who entered the contest, our judges, and the LogRhythm staff who made the contest happen. We hope those of you who entered (or thought about entering) learned something about LogRhythm, NetMon, or network security analysis.
View the official winners on DevPost.
We’ll also cross-post rule and dashboard content, either into the LogRhythm Community or into a future release of NetMon as system rules and built-in dashboards!
If you missed out on the contest and are interested in what you can do with NetMon, don’t forget to:
- Download NetMon Freemium.
- Join the LogRhythm Community to download new rules, ask questions, or post your own ideas, rules, and dashboards.
Even though the contest is over, we’re looking forward to seeing what you can do with NetMon Freemium!