Busted by Cortex XDR: Network Traffic Analysis in Action

Mar 06, 2020

Join us on March 17 for our “Leverage Your Firewall to Expose Attackers Hiding in Your Network” webinar to learn more about how to use Network Traffic Analysis, including a live attack demo. 

For the most accurate threat detection, enterprises should integrate good data across different sources: cloud, network and endpoint. But in a reality where companies have visibility gaps and imperfect integration, layered defenses can save the day. This article tells the story of a customer, a large pharmaceutical company that could easily have missed the signs of an incoming cyberattack after its endpoint agents failed. Luckily, Network Traffic Analysis (NTA) recognized a threat, even though attackers used smart tactics to fool IT’s detection strategies.


Network Traffic Analysis (NTA) is an emerging category of next-generation network detection and analytics tools that enables security teams to better detect and track attackers who move laterally through their IT infrastructure. Thanks to a combination of good network data and the development of machine learning (ML), NTA has evolved substantially over the past few years to levels that we hadn’t previously imagined. Advanced ML models can now detect sophisticated events combining various attack tactics that, in the absence of NTA, may just look like noise on the network.


A Sign of Attack

The story begins at a large pharmaceutical company that had Cortex XDR deployed using firewalls as sensors to analyze their network traffic. Cortex XDR triggered an alert about a host performing a ton of random-looking domain name queries on the network. While for many readers there may be nothing special in the previous sentence, allow me to highlight two important points:

  1. Our human intuition can easily pick up random-looking domain name queries, but it’s a different story for a computer. Systematically recognizing random-looking things is extremely complicated to do: the Cortex XDR team had to build several ML models just for this use case. More on that later.
  2. If you’ve ever worked in the Security Operations Center (SOC) at an enterprise, you’ll appreciate that Cortex XDR grouped 24 random-looking DNS query alerts into a single incident, eliminating the need for an analyst to go over them one-by-one and group them manually.

Back to the story: Cortex XDR identified that these random domain names looked suspiciously like malware trying to communicate with its “command and control” (C2) server on the internet.


What is C2? Once malware has successfully deployed, it waits for remote commands from the attacker to execute. The cybersecurity jargon for this method is “command and control” or C2. C2 traffic has to cross the company firewall to send and receive data from the C2 server: it sends “beacons” as a sign of life, downloads commands from the attacker and exfiltrates data. Over the years, attackers have evolved their tactics to make C2 more sophisticated. They may use social media sites as C2 infrastructure, and they build more autonomous malware in case organizations attempt to isolate it from the internet. 

The Endpoint Agent Misses the Threat

The host was running one of our competitors' agents on the endpoint -- an agent that failed to detect the malware. Boom! If this customer relied solely on their endpoint protection, this malware would have gone undetected. This is a classic example of why layered defense (also known as “defense in depth”) is so important. With sophisticated threat agents constantly working to find ways around your defenses, some are bound to succeed. You may never even realize that an attacker is in your system if you rely on just a single layer of defense.

Luckily, this company had Cortex XDR to monitor network traffic, providing the organization with a second layer of security that made it possible to successfully detect and mitigate the threat.

How Do Attackers Control Their Malware?

When malware deploys, the instances attempt to establish a connection with their C2 server over the internet to get commands and transfer stolen data to the attacker. Some malware is built to fly under the radar by using domain names consisting of random characters, changed frequently to maintain C2 communication in the face of simple domain blocking rules. This technique also makes IT security teams’ lives hard by making it nearly impossible for them to manually block domain names at a fast enough rate.

Cortex XDR Catches Domain Name Generation Behavior

To pass IT Security, these domain names have to be unique, never-before-used and certainly never-before-blocked. To implement this, attackers build an algorithm that comes up with random domain names (we call this method “domain name generation,” or DGA), and they register these new random-looking public domain names one by one as the attacked organization blocks them manually.

Because the malware comes up with a huge number of domain name variations and the attacker only registers them one by one, the network log will show many failed DNS lookups, attempting to resolve weird, random-looking domain names. This is the main signal that the analytics engine in Cortex XDR uses to catch C2 behavior in network traffic.

How Does an Algorithm Recognize Random-Looking Domain Names?

Cortex XDR has several detection models specifically built for detecting malware C2 events, each model leveraging many-to-many ML models through a process called ensemble learning. This particular C2 detection model looks for random-looking domain names on the network.

Ensemble learning is the process by which multiple ML models are strategically generated and combined to solve a particular computational intelligence problem. Ensemble learning is primarily used to improve the classification and prediction performance of a model – to detect random-looking domain names in our case.

The detection model is based on an unsupervised anomaly detection algorithm called binomial cumulative distribution function (binomial CDF). This model leverages multiple features, the most important ones being the domain name randomness and the normal patterns of successful and failed domain queries from hosts in the organization. The domain name randomness feature is computed by a language model using n-grams – character strings that recur in legitimate domain names. Give this model a domain name, and it produces a score for how “weird” that domain name is.

The model also uses the organization’s DNS query patterns. Since attackers only register a small portion of the domain names the DGA generates, infected hosts will perform a lot of failed DNS queries to domain names the attackers did not register. The ML model utilized by this NTA use case caught a ton of failed DNS lookup attempts and only a few successful ones. The reason why attackers don’t define the list of C2 server domain names ahead of time is that some of this malware is designed to operate over months (or years!). Over that sort of timeframe, even hundreds of pre-defined domain names wouldn’t be enough, and eventually, the malware would no longer be able to reach the C2 server. 
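The two signals described above can be combined in a few lines. This is an added example, not Cortex XDR's implementation: the bigram model, the benign training list, the thresholds (`baseline_fail`, `alpha`, `weird_cutoff`) and all domain labels are constructed assumptions chosen for illustration.

```python
import math
from collections import Counter

# Constructed benign labels for the toy bigram model (an assumption, not vendor data).
BENIGN = ["google", "microsoft", "paloaltonetworks", "wikipedia", "amazon",
          "github", "linkedin", "cloudflare", "office", "update", "mail",
          "windows", "support", "download", "security", "network"]

def train_bigrams(words):
    """Count character bigrams, with ^ and $ marking label start and end."""
    pairs, context = Counter(), Counter()
    for w in words:
        s = "^" + w + "$"
        for a, b in zip(s, s[1:]):
            pairs[a + b] += 1
            context[a] += 1
    return pairs, context

MODEL = train_bigrams(BENIGN)

def weirdness(label, model=MODEL, alphabet=38):
    """Mean negative log-probability per bigram, add-one smoothed over
    a-z, 0-9, hyphen and the end marker. Higher means more random-looking."""
    pairs, context = model
    s = "^" + label.lower() + "$"
    nll = sum(-math.log((pairs[a + b] + 1) / (context[a] + alphabet))
              for a, b in zip(s, s[1:]))
    return nll / (len(s) - 1)

def binom_tail(k, n, p):
    """P(X >= k) for X ~ Binomial(n, p): probability of at least k failed
    lookups in n queries if the host failed at the baseline rate p."""
    return sum(math.comb(n, i) * p**i * (1 - p)**(n - i) for i in range(k, n + 1))

def score_host(queries, baseline_fail=0.05, alpha=1e-6, weird_cutoff=3.4):
    """queries: (label, resolved) pairs for one host. Returns the tail
    probability, mean weirdness of failed names, and a flag needing both."""
    failed = [label for label, resolved in queries if not resolved]
    tail = binom_tail(len(failed), len(queries), baseline_fail)
    mean_weird = sum(map(weirdness, failed)) / len(failed) if failed else 0.0
    return tail, mean_weird, tail < alpha and mean_weird > weird_cutoff

# Constructed traffic: a host with DGA-like failed lookups and an ordinary host.
DGA_LABELS = ["xkqzvbwjpq", "qjxvzhgkfm", "vbnqxzrhkj", "zqwxjvkpbh",
              "jhqzxkvwfb", "kqxjzvhbwm", "wqzjxkvhpf"]
DGA_HOST = [(l, False) for l in DGA_LABELS] + [("pzqxvjkhbw", True)]
NORMAL_HOST = [(l, True) for l in BENIGN[:5]] + [("downlaod", False)]

print("dga host:", score_host(DGA_HOST), "normal host:", score_host(NORMAL_HOST))
```

The ordinary host's single mistyped lookup is not flagged because one failure in six queries is unremarkable at the baseline rate, however odd the name looks.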

Anomaly Detection Is Not Enough

Anomaly detection is never enough, as it is too noisy on its own. Cortex XDR strives for precision, since every minute analysts spend triaging false positive alerts is a minute they could have otherwise spent making a positive impact on their organization’s security posture. The random-looking domain names detection model therefore leverages many other models to filter out false positives.

First, Cortex XDR only queries for new domain names (names not seen in the organization over the last 30 days). The long-term collection of metadata about hundreds of different aspects of the traffic flowing throughout the organization is therefore key.

Second, Cortex XDR leverages models that detect the local domain suffixes from DNS and DHCP and filter them out.

Third, benign sources of what may otherwise be considered “anomalous” DNS queries are then discarded. Examples of this are: another security product on the customer’s network that performs a large number of reverse DNS queries to do its job, or a harmless-but-malfunctioning piece of software on the network constantly attempting to resolve nonexistent DNS records. These shouldn’t raise an alarm that reduces the SOC team’s coffee time.
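The three filters above, sketched as a pre-filter that runs before any anomaly scoring. This is an added example, not the product's code: the event fields, the `last_seen` index, the drop-reason names and every hostname, suffix and timestamp are constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

def in_suffix(qname, suffixes):
    """Suffix match on label boundaries: 'corp.example' covers
    'db.corp.example' but not 'notcorp.example'."""
    name = qname.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in suffixes)

def prefilter(events, last_seen, local_suffixes, benign_sources, window_days=30):
    """Apply the three filters in order; return (kept events, drop reasons).
    events: dicts with 'ts', 'host', 'qname'. last_seen: qname -> datetime of
    the latest sighting anywhere in the organization before this batch."""
    kept, dropped = [], Counter()
    window = timedelta(days=window_days)
    for ev in events:
        name = ev["qname"].lower().rstrip(".")
        seen = last_seen.get(name)
        if seen is not None and ev["ts"] - seen <= window:
            dropped["seen_in_window"] += 1      # not a new name
        elif in_suffix(name, local_suffixes):
            dropped["local_suffix"] += 1        # internal namespace
        elif ev["host"] in benign_sources:
            dropped["benign_source"] += 1       # known noisy but harmless host
        else:
            kept.append(ev)
    return kept, dropped

# Constructed inputs for the demonstration.
NOW = datetime(2020, 3, 1, 12, 0)
LAST_SEEN = {"github.com": NOW - timedelta(days=2),
             "oldvendor.example": NOW - timedelta(days=90)}
LOCAL_SUFFIXES = {"corp.example"}     # as learned from DNS and DHCP
BENIGN_SOURCES = {"scanner-01"}       # e.g. a tool doing bulk reverse DNS
EVENTS = [
    {"ts": NOW, "host": "ws-17", "qname": "github.com"},
    {"ts": NOW, "host": "ws-17", "qname": "printer.corp.example."},
    {"ts": NOW, "host": "scanner-01", "qname": "4.3.2.10.in-addr.arpa"},
    {"ts": NOW, "host": "ws-17", "qname": "notcorp.example"},
    {"ts": NOW, "host": "ws-17", "qname": "oldvendor.example"},
    {"ts": NOW, "host": "ws-23", "qname": "xkqzvbwjpq.example"},
]

kept, dropped = prefilter(EVENTS, LAST_SEEN, LOCAL_SUFFIXES, BENIGN_SOURCES)
print([e["qname"] for e in kept], dict(dropped))
```

A name last seen 90 days ago counts as new again, and `notcorp.example` survives the local-suffix filter because matching is done on whole labels rather than on substrings.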

NTA + Good Data: The Foundation of Accurate Threat Detection

Network traffic analysis is a must for true defense in depth: malware may find its way to hosts without endpoint protection, but any network communication leaves a trace. Even if endpoint protection is in place, we come across cases where malware bypasses it. Endpoint agents provide important telemetry and protection, but they aren’t infallible. Traces cannot be hidden on the network: sophisticated though it may be, most malware will have to send packets on the network in order to communicate with its C2 server.

Using over 100 ML models, learning at a rate of millions of events per second in some customer deployments, Cortex XDR picks the anomalies that are worth your while.

Join our NTA webinar

To learn more about how to use Cortex XDR for NTA use cases, sign up for our March 17 webinar, “Leverage Your Firewall to Expose Attackers Hiding in Your Network.”
