There is no single tool that will protect your network from sophisticated actors. The biggest advantage in defending a network starts with staff that understand the terrain – hopefully better than the adversary. The biggest killer of an effective team can be tools that generate volumes of alerts or data that do not provide meaningful insight into what is happening on the network.

Sophisticated attackers may utilize many techniques to evade or avoid detection, and understanding how your network defense tools respond to unexpected inputs is important.
A report from Arbor Networks detailed an implant, Evilgrab/Grabber, that prepended five bytes of data before a legitimate HTTP request. We were interested in understanding how the five leading bytes would be analyzed by Bro IDS, an open source network intrusion detection system. We generated some pcap that mimicked the beaconing traffic described in the report and ran it through Bro 2.4.1. Not surprisingly, Bro IDS generated a “bad_HTTP_request” event in the weird log.

The weird log captures “unusual or exceptional activity that can indicate malformed connections, traffic that doesn’t conform to a particular protocol, malfunctioning or misconfigured hardware, or even an attacker attempting to avoid/confuse a sensor.” While technically accurate, the “bad_HTTP_request” error message is vague and can easily be overlooked by an overwhelmed staff. A more descriptive error message could mean the difference between successful detection and an ignored event.

BreakPoint Labs recently submitted a patch to Bro IDS, which was accepted, to generate a more descriptive weird event. In the Evilgrab/Grabber scenario, the legitimate HTTP request follows the five leading bytes. Our patch attempts to detect the beginning of the version string – “HTTP/” – at the end of the request method. If found, instead of generating the vanilla “bad_HTTP_request” message, we generate a more descriptive error message: “bad_HTTP_request_with_version_field”.
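As an added illustration (not BreakPoint Labs' patch or Bro's own code), the Python below emulates the decision just described over constructed request lines: a request line that fails to parse is classified as the vanilla weird unless its last field still begins with “HTTP/”. The token rules, sample bytes and URI are assumptions for the sake of the example.

```python
import re
from typing import Dict, Optional

# HTTP token characters (RFC 7230 tchar); a request method must consist of these.
TCHAR = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

# Constructed sample request lines (assumed, not from the report or Bro's tests).
# "prepended" mimics the Evilgrab/Grabber pattern: five arbitrary bytes ahead of
# an otherwise well-formed request line. The rest exercise neighbouring cases.
SAMPLE_REQUEST_LINES = {
    "prepended":  b"\x01\x02\x03\x04\x05GET /update.php?id=1 HTTP/1.1",
    "clean":      b"GET /update.php?id=1 HTTP/1.1",
    "no_version": b"\x01\x02\x03\x04\x05GET /update.php?id=1",
    "only_bytes": b"\x01\x02\x03\x04\x05",
}


def method_token(line: bytes) -> bytes:
    """Longest run of token characters at the start of the line (may be empty)."""
    m = TCHAR.match(line)
    return m.group(0) if m else b""


def classify_request_line(line: bytes) -> Optional[str]:
    """Return the weird event name for a request line, or None if it parses.

    Emulates the decision described in the post: when no method token can be
    read at the start of the line the request is malformed, but if the line
    still ends in a field beginning with "HTTP/" the more descriptive event
    name is emitted instead of the vanilla one. The parsing here is a
    simplified stand-in for Bro's own, not a copy of it.
    """
    method = method_token(line)
    if method and line[len(method):len(method) + 1] == b" ":
        rest = line[len(method) + 1:].split(b" ")
        if len(rest) == 2 and rest[1].startswith(b"HTTP/"):
            return None  # METHOD SP URI SP HTTP/x.y parsed cleanly
    fields = line.split(b" ")
    if len(fields) >= 2 and fields[-1].startswith(b"HTTP/"):
        return "bad_HTTP_request_with_version_field"
    return "bad_HTTP_request"


def classify_all(lines: Dict[str, bytes]) -> Dict[str, Optional[str]]:
    """Classify every sample line, i.e. the weird events you would expect to see."""
    return {name: classify_request_line(raw) for name, raw in lines.items()}


if __name__ == "__main__":
    for name, event in classify_all(SAMPLE_REQUEST_LINES).items():
        print(f"{name:<11} -> {event}")
```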

The additional information within the same error condition can provide the needed context to discern between unusual and exceptional. Although the patch is small, it may be the missing piece to detecting an adversary looking to evade detection.

BreakPoint Labs is in the fight to eradicate cyber pathogens through more descriptive error messages.