Book 5: Defense Spotlight with RITA

Question 1

what is RITA

Answer 1

a sophisticated network analysis tool

Question 2

What type of threat identification is used with RITA?

Answer 2

Statistical threat identification

Question 3

Rita is primarily used for __ assessment of network activity

Answer 3

offline

Question 4

RITA reads from __ logging data for the greatest network event fideltiy with results best with logging data collected ___+hours

Answer 4

Zeek

24

Question 5

What are zeek logs?

Answer 5

the logs RITA uses to read from to create analysis reports

Question 6

What is RITA?

Answer 6

solution to idetnify attacker C2 using statistical anomaly analysis.

Question 7

Rita does not rely on packet payload inspection to identify threats like ___ platforms

Answer 7

IDS

Question 8

RIta looks for signs of ___ activity that correspond to patterns employed by attacker __ tools. both known and unknown

Answer 8

network

C2

Question 9

RITA does not perform live network monitoring

Answer 9

true

Question 10

RITA performs offline network monitoring

Answer 10

true

Question 11

RITA is an effective threat hunting tool to aid analysts in identifying and reacting to compromises within the network.

Answer 11

true.

Question 12

What are some common behaviors of C2s?

Answer 12

• Long connection duration between C2 and victim endpoint
• Lots of consistent data sizes in packers for heartbeat checking
• Consistent packet intervals (C2 sleep timers)
  -Consistent packet intervals within Jitter metric (skew)
  session size total packer or byte count consistency

Question 13

RITA does not identify specific C2 frameworks

Answer 13

true

Question 14

Where does RITA store its parsed zeek logs?

Answer 14

Mongodb

Question 15

What are the steps to get results from RITA?

Answer 15

prereq: have a mongo database
1. start the mongo database
2. create a directory that will hold the parsed zeek logs
3. start zeek and read from a packet capture file pcap
4. the parsed zeek made from the pcap will import them into my current directory to my database.
4. generate an html report

Question 16

What kind of reports are made with RITA?

Answer 16

beacons
strobes
dns
blacklist source IPs, Destination IPs, Hostnames
Long Connections
User Agents

Question 17

How would you import logs from Zeek?

Answer 17

prereq: already ran Zeek against pcap

$ rita import /path/to/zeel/logs DB_Name

Question 18

How would you show RITA analysis in Human readible format?

Answer 18

$ rita show-beacons DB_Name -H

Question 19

How would you save output in a CSV format?

Answer 19

$ rita show-beacons DB_Name > DB_Name.csv

Question 20

-H option in RITA?

Answer 20

display results in a human readable format.

Question 21

Can you perform beacon analysis with rita?

Answer 21

yes, beacons are one of the functionalities that RITA analyzes

Question 22

What is beaconing?

Answer 22

characteristic of a C2 framework where a comrpomised system reaches out to the controlling server with a periodic frequency

Question 23

beaconing is a characteristic of __ framework

Answer 23

C2

Question 24

How does RITA characterize beacons?

Answer 24

Score based. a source IP Value 1 or slighly less than 1 indicates beacons.
Value slightly less than 1 is because simple network delay, dropped packets, remains strong indicator of a compromised node in the netwrok.

Question 25

How does RITA characterize long connections?

Answer 25

$ rita show-long-connections -H mynetwork | head -15

Question 26

What columns does long connections show?

Answer 26

1. source IP,
2. Destination IP
3. DSTPORT:Protocol:SERVICE
4. Duration

Question 27

How does RITA characterize DNS analysis?

Answer 27

$ rita show-exploded-dns mynetwrok | head - 15

Question 28

What columns does DNS analysis show you in RITA?

Answer 28

3 columns

1. Query domain from the internal host
2. Number of unique subdomains associated with the host
3. number of times the internal system queried the total number of subdomains.

Question 29

The number of subdomains for a given queried domain from the internal host should be a small number?

Answer 29

true

Question 30

What does it mean if a domain has many unique subdomains?

Answer 30

ex: 7,882 subdomains for example.com - very strong indicator of a compromise in the network

Question 31

How would DNS tunneling with DNSCat2 set off an indicator within DNS analysis in RITA?

Answer 31

DNS caching, DNSCat2 will generate many unique subdomains for the C2 channel which is a STRONG indicator of compromise in the network.

Question 32

Can RITA be used to give insight in the network of activity that could represent compromised system?

Answer 32

yes

Question 33

RITA is a starting point

Answer 33

yes

Question 34

How would you add whitelisted or blacklisted IP addresses in RITA

Answer 34

edit the config.yaml

Question 35

Consider taking local packet captures on endpint systems

Answer 35

yes