Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the AT&T SOC analyst team for AT&T Managed Threat Detection and Response customers.
Beaconing analysis is one of the most effective methods for threat hunting on your network. In the world of malware, beaconing is the act of sending regular communications from an infected host to an attacker-controlled host to communicate that the infected host malware is alive and ready for instructions. It is often one of the first indications of a botnet malware infection, so it’s important to spot the beaconing behavior before the infected host can expose data or launch an attack.
The investigation began in response to an Alarm triggered by outgoing TCP traffic to an IP address that was flagged by the AT&T Alien Labs Open Threat Exchange (OTX) as associated with foreign advanced persistent threat (APT) activity and malware communications. The team conducted a further review of this IP address using additional open source intelligence (OSINT) sources and verified that the destination IP address had been involved in malicious activity and was considered a high threat. Due to the quick response time of our team in starting the Investigation, the customer was able to isolate the infected asset and perform remediation before the malware caused any further infection on their network.
Initial Alarm Review
The initial alarm came from an Event showing TCP traffic to a known malicious IP address coming from one of the customer’s internal assets. This IP address was correlated with malicious activity that had been found in OTX and from pulses created by AT&T Alien Labs, the threat intelligence team at AT&T Cybersecurity, monitoring active threats. Further review of the customer’s system showed possible beaconing activity had begun recently and was actively being blocked by their Intrusion Protection System, preventing further communications with the malicious IP address.
Once this beaconing activity was discovered, the team conducted a 30-day review of the customer’s entire environment to look for signs of further intrusion. The original IP address was then analyzed using a variety of OSINT sources to gather related IOCs and other IP addresses that would indicate further intrusion had occurred. This review showed that no other assets had traffic involving the malicious IP address or other IOCs related to the APT, and that no other assets were exhibiting beaconing activity or lateral movement.
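The two checks described above, matching outbound connections against a threat-intel list and looking for the regular timing that distinguishes a beacon from ordinary browsing, can be run over plain connection logs. The following is an added example written for this page, not code from the AT&T SOC or from USM Anywhere. The log lines, the internal hosts, the documentation-range destination addresses (198.51.100.7, 203.0.113.9, 203.0.113.20) and the one-entry "known bad" list standing in for an OTX pulse are all constructed; the thresholds (at least six connections, coefficient of variation of the inter-connection gaps at or below 0.2) are assumptions to be tuned per environment.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (not from the post). Format per line:
# <ISO timestamp> <src_ip> <dst_ip> <dst_port> <firewall action>
# 10.0.0.5 contacts 198.51.100.7 roughly every 300 s (a beacon, blocked by the IPS);
# 10.0.0.8 contacts 203.0.113.9 at irregular, human-looking intervals.
SAMPLE_LOG = """\
2024-03-01T10:00:00 10.0.0.5 198.51.100.7 443 blocked
2024-03-01T10:00:10 10.0.0.8 203.0.113.9 443 allowed
2024-03-01T10:00:45 10.0.0.8 203.0.113.9 443 allowed
2024-03-01T10:02:00 10.0.0.5 203.0.113.20 80 allowed
2024-03-01T10:05:01 10.0.0.5 198.51.100.7 443 blocked
2024-03-01T10:09:59 10.0.0.5 198.51.100.7 443 blocked
2024-03-01T10:12:00 10.0.0.8 203.0.113.9 443 allowed
2024-03-01T10:12:03 10.0.0.8 203.0.113.9 443 allowed
2024-03-01T10:15:00 10.0.0.5 198.51.100.7 443 blocked
2024-03-01T10:20:02 10.0.0.5 198.51.100.7 443 blocked
2024-03-01T10:24:58 10.0.0.5 198.51.100.7 443 blocked
2024-03-01T10:30:00 10.0.0.5 198.51.100.7 443 blocked
2024-03-01T10:35:01 10.0.0.5 198.51.100.7 443 blocked
2024-03-01T10:40:00 10.0.0.8 203.0.113.9 443 allowed
2024-03-01T10:41:30 10.0.0.8 203.0.113.9 443 allowed
2024-03-01T11:05:00 10.0.0.8 203.0.113.9 443 allowed
"""

# Assumed threat-intel list standing in for an OTX pulse; constructed value.
KNOWN_BAD_IPS = {"198.51.100.7"}


def parse_log(text):
    """Parse the constructed log format into (timestamp, src, dst, port, action) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, action = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(port), action))
    return records


def interval_stats(timestamps):
    """Return (connection count, mean gap in seconds, coefficient of variation of the gaps).

    A low coefficient of variation means the gaps between connections are nearly
    constant, which is the timing signature of a fixed-interval beacon. Fewer than
    two gaps gives no usable timing, so both statistics are returned as None.
    """
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return len(ts), None, None
    avg = mean(gaps)
    cv = pstdev(gaps) / avg if avg > 0 else float("inf")
    return len(ts), avg, cv


def find_beacons(records, min_connections=6, max_cv=0.2):
    """Flag (src, dst) pairs whose connection timing is regular enough to look like beaconing."""
    by_pair = defaultdict(list)
    for ts, src, dst, _port, _action in records:
        by_pair[(src, dst)].append(ts)
    beacons = {}
    for pair, timestamps in by_pair.items():
        count, avg, cv = interval_stats(timestamps)
        if count >= min_connections and cv is not None and cv <= max_cv:
            beacons[pair] = {"connections": count, "mean_interval_s": avg, "cv": cv}
    return beacons


def ioc_hits(records, bad_ips):
    """Return the internal hosts that contacted any IP on the threat-intel list."""
    return {src for _ts, src, dst, _port, _action in records if dst in bad_ips}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (src, dst), stats in find_beacons(recs).items():
        print(f"possible beacon {src} -> {dst}: {stats['connections']} connections, "
              f"every ~{stats['mean_interval_s']:.0f}s, cv={stats['cv']:.3f}")
    print("hosts contacting known-bad IPs:", sorted(ioc_hits(recs, KNOWN_BAD_IPS)))
```

On the constructed log only the 10.0.0.5 to 198.51.100.7 pair is flagged, and the same host is the only IOC hit. Running both checks across every host for the review window is what lets a team state, as the post does, that no other asset contacted the IOCs or showed beacon-like timing; the IOC check catches what intel already knows, while the timing check catches regular call-outs to destinations no pulse has named yet.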
The customer complimented the work of the team, citing that due to the quick response and phone calls, they were able to identify and isolate the infected system before any further damage was done. This allowed them to perform a more in-depth investigation without fear of missing other underlying activity that would have been difficult to correlate on their own. The customer stated that they were very happy with the service and feel much more at ease knowing that the AT&T SOC has eyes on their network 24/7/365. This also led the customer to upgrade their storage tier from 3TB to 6TB so we could monitor more of their environment.