Stories from the SOC – Beaconing Activity

March 2, 2021 | Sumner Meckel

Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the AT&T SOC analyst team for AT&T Managed Threat Detection and Response customers.

Executive Summary

Beaconing analysis is one of the most effective methods for threat hunting on your network. In the world of malware, beaconing is the act of sending regular communications from an infected host to an attacker-controlled host to signal that the malware on the infected host is alive and ready for instructions. It is often one of the first indications of a botnet malware infection, so it’s important to spot the beaconing behavior before the infected host can expose data or launch an attack.

The investigation began in response to an Alarm triggered by outgoing TCP traffic to an IP address that was flagged by the AT&T Alien Labs Open Threat Exchange (OTX) as associated with foreign advanced persistent threat (APT) activity and malware communications. The team conducted a further review of this IP address using additional open source intelligence (OSINT) sources and verified that the destination IP address had been involved in malicious activity and was considered a high threat. Because the team opened the Investigation quickly, the customer was able to isolate the infected asset and perform remediation before the malware caused any further infection on their network.

Investigation

Initial Alarm Review

The initial alarm came from an Event showing TCP traffic from one of the customer’s internal assets to a known malicious IP address. This IP address was correlated with malicious activity reported in OTX, including pulses created by AT&T Alien Labs, the threat intelligence team at AT&T Cybersecurity, which monitors active threats. Further review of the customer’s system showed that possible beaconing activity had begun recently and was actively being blocked by their Intrusion Prevention System (IPS), preventing further communications with the malicious IP address.

[Image: beaconing alarm details screen]

Expanded Investigation

Once this beaconing activity was discovered, the team conducted a 30-day review of the customer’s entire environment to look for signs of further intrusion. The original IP address was then pivoted on using a variety of OSINT sources to gather related IOCs, including other IP addresses whose presence in the logs would indicate that further intrusion had occurred. This review showed that no other assets had traffic involving the malicious IP address or the other IOCs related to the APT, and that no other assets were exhibiting beaconing activity or lateral movement.
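The two checks the post describes, regularity analysis of outbound connections (the beaconing behavior defined in the executive summary) and a sweep of the wider environment for traffic to known IOCs, can both be run over flow or firewall logs. The Python below is an added example, not the AT&T SOC's tooling or anything from the original post: the flow lines and the IOC addresses (TEST-NET ranges) are constructed, and the jitter threshold and minimum connection count are assumptions a hunter would tune for their own environment.

```python
"""Beacon hunting and IOC sweep over connection logs.

Added example; the flow lines and IOC addresses below are constructed
(TEST-NET ranges), not data from the investigation described above.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed IOC set, standing in for what an analyst would assemble from
# OTX pulses and other OSINT for the original destination (hypothetical).
IOC_IPS = {"203.0.113.50", "198.51.100.7"}

# Constructed flow records: "<ISO timestamp> <src> <dst> <dst port>".
# 10.1.1.25 talks to an IOC every ~5 minutes with small jitter (a beacon);
# 10.1.1.40 talks to a legitimate host at irregular intervals (noise);
# 10.1.1.77 touches a second IOC once (worth triage, but not a beacon).
SAMPLE_FLOWS = """\
2021-02-20T10:00:00 10.1.1.25 203.0.113.50 443
2021-02-20T10:05:03 10.1.1.25 203.0.113.50 443
2021-02-20T10:09:57 10.1.1.25 203.0.113.50 443
2021-02-20T10:15:01 10.1.1.25 203.0.113.50 443
2021-02-20T10:20:00 10.1.1.25 203.0.113.50 443
2021-02-20T10:24:59 10.1.1.25 203.0.113.50 443
2021-02-20T10:00:12 10.1.1.40 192.0.2.10 443
2021-02-20T10:01:40 10.1.1.40 192.0.2.10 443
2021-02-20T10:14:05 10.1.1.40 192.0.2.10 443
2021-02-20T10:15:07 10.1.1.40 192.0.2.10 443
2021-02-20T10:39:50 10.1.1.40 192.0.2.10 443
2021-02-20T10:41:00 10.1.1.40 192.0.2.10 443
2021-02-20T11:02:30 10.1.1.77 198.51.100.7 8080
"""


def parse_flows(text):
    """Parse flow lines into (timestamp, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows


def ioc_hits(flows, iocs):
    """Every (src, dst) pair that reached a known-bad address, with a count.

    This is the environment-wide sweep: any host at all touching an IOC,
    regardless of how regular the traffic was.
    """
    hits = defaultdict(int)
    for _, src, dst, _ in flows:
        if dst in iocs:
            hits[(src, dst)] += 1
    return dict(hits)


def find_beacons(flows, min_connections=5, max_jitter=0.10):
    """Flag (src, dst) pairs whose connection intervals are near-constant.

    Jitter is the coefficient of variation of the inter-arrival times
    (population stdev / mean). A fixed sleep gives a value near zero; an
    implant that randomises its sleep needs a higher threshold (assumed
    values here, tune against your own baseline).
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _ in flows:
        by_pair[(src, dst)].append(ts)
    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else 0.0
        if jitter <= max_jitter:
            beacons[pair] = {
                "count": len(times),
                "period_s": round(avg),
                "jitter": round(jitter, 3),
            }
    return beacons


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("IOC hits:", ioc_hits(flows, IOC_IPS))
    print("Beacons:", find_beacons(flows))
```

A connection attempt that the IPS drops is still logged with its timestamp, so the periodicity survives the block; that is what made the activity visible in this case. Legitimate periodic traffic (NTP, update checks, monitoring agents) also passes the jitter test, so a beacon hit is a lead to triage against destination reputation and the IOC sweep, not a verdict on its own.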

[Image: beaconing analyst comments screen]

Response

The customer complimented the work of the team, citing that due to the quick response and phone calls, they were able to identify and isolate the infected system before any further damage was done. This allowed them to perform a more in-depth investigation without fear of missing other underlying activity that would have been difficult to correlate on their own. The customer stated that they were very happy with the service and feel much more at ease knowing that the AT&T SOC has eyes on their network 24/7/365.  This also led the customer to upgrade their storage tier from 3TB to 6TB so we could monitor more of their environment.


About the Author: Sumner Meckel

Senior Specialist Sumner Meckel joined MTDR as a founding member of the Austin-based SOC team in November 2019. His previous experience includes desktop and network support for sensitive government contractor sites as well as administering multiple cloud environments for healthcare organizations. When he isn't spending time with his family, Sumner can usually be found trying to learn something new or building something fun (or both!). For Sumner, the best part of working in MTDR is finding and testing OSINT sources to build custom blue-team applications.
