Full Report
John Strand // Want to get started on a hunt team and discover “bad things” on your network? In this webcast, we will walk through the installation and usage of […] The post WEBCAST: RITA appeared first on Black Hills Information Security, Inc.
Analysis Summary
# Tool/Technique: Real Intelligence Threat Analytics (RITA)
## Overview
RITA (Real Intelligence Threat Analytics) is an open-source framework developed by Black Hills Information Security (BHIS) and Offensive CounterMeasures. Its primary purpose is to ingest and analyze Bro (now Zeek) network logs to identify malicious activity, specifically beaconing (periodic callbacks to a command-and-control server) and scanning behavior. It also cross-references network communications against known malicious IP addresses and domains.
## Technical Details
- Type: Tool (Open Source Framework)
- Platform: Consumes Bro/Zeek logs regardless of the platform that produced them; the analysis itself is typically run from a Linux host as a command-line utility.
- Capabilities: Ingests Bro logs, detects malicious beaconing, analyzes scanning activity, identifies communications with known bad IPs/domains.
- First Seen: The article references a webcast from February 27, 2017, indicating its existence around or before this time.
## MITRE ATT&CK Mapping
Since RITA is a defensive/analysis tool designed to *detect* techniques, the mappings below reflect the techniques it is designed to discover:
- **Defense Evasion/Command and Control**
  - T1071 - Application Layer Protocol
  - T1071.001 - Web Protocols (Detecting beaconing over standard protocols)
- **Reconnaissance**
  - T1595 - Active Scanning
  - T1595.001 - Internet Scan (Detecting scanning activity)
- **Command and Control**
  - T1071.004 - DNS Protocol (If DNS lookups are part of beaconing/C2)
## Functionality
### Core Capabilities
- **Log Ingestion:** Reads and processes Bro/Zeek network logs.
- **Beaconing Detection:** Analyzes connection intervals to identify periodic, low-volume communications indicative of malware C2 beaconing.
- **Scanning Detection:** Identifies patterns consistent with reconnaissance scanning activity (e.g., port scans, host sweeps).
- **Threat Intelligence Cross-Referencing:** Compares communication endpoints (IP addresses and domains) against threat intelligence feeds to check for known bad actors.
### Advanced Features
- **Mathematical Analysis:** Utilizes various mathematical methods for analysis, including:
  - Connection intervals
  - Data sizes
  - Connection times
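As an added illustration of the interval and size analysis described above (this is not RITA's own code or algorithm, but a simplified stand-in written for this page), the following Python reads a constructed Zeek conn.log excerpt, groups connections by source/destination pair, and flags pairs whose inter-connection intervals and request sizes both have a low coefficient of variation. The thresholds, sample addresses and timestamps are assumptions chosen for the demonstration; the RFC 1918 check reflects the note under Mitigation Strategies that logs should be collected pre-NAT so internal source addresses remain visible.

```python
"""Toy beacon detector over Zeek conn.log-style records (constructed sample, not RITA code)."""
import ipaddress
import statistics
from collections import defaultdict

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def build_sample_log() -> str:
    """Constructed Zeek conn.log excerpt (tab-separated, with Zeek's #fields header).

    One internal host calls the same external address about every 60 s with
    near-constant sizes (beacon-like); another host browses at irregular times.
    All addresses and times are made up for this example.
    """
    header = "#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\torig_bytes\tresp_bytes"
    rows = [header]
    t0 = 1488196800.0  # hypothetical start time, 2017-02-27 12:00:00 UTC
    jitter = [0.0, 0.4, -0.3, 0.9, -0.6, 0.2, -0.8, 0.5, 0.1, -0.2, 0.7, -0.4]
    for i, j in enumerate(jitter):  # beacon-like traffic: 60 s period plus sub-second jitter
        rows.append(f"{t0 + 60 * i + j:.3f}\t10.0.0.15\t{49152 + i}\t203.0.113.7\t443\ttcp\t312\t180")
    offsets = [3.0, 41.0, 47.5, 130.0, 131.2, 390.0, 395.0, 640.0]
    sizes = [(980, 15400), (120, 4200), (2300, 67000), (450, 800),
             (5100, 21000), (77, 160), (3300, 99000), (600, 3200)]
    for k, (off, (ob, rb)) in enumerate(zip(offsets, sizes)):  # irregular browsing
        rows.append(f"{t0 + off:.3f}\t10.0.0.22\t{52000 + k}\t198.51.100.9\t443\ttcp\t{ob}\t{rb}")
    return "\n".join(rows) + "\n"


def parse_conn_log(text: str) -> list[dict]:
    """Parse Zeek's TSV format using the #fields header to name columns."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other Zeek header/footer lines
        values = line.split("\t")
        if fields is None or len(values) != len(fields):
            continue  # malformed or header-less line: skip rather than guess
        records.append(dict(zip(fields, values)))
    return records


def coefficient_of_variation(values: list[float]) -> float:
    """Population std-dev divided by mean; low values mean a regular pattern."""
    mean = statistics.fmean(values)
    if mean == 0:
        return float("inf")
    return statistics.pstdev(values) / mean


def is_rfc1918(addr: str) -> bool:
    """True if the address falls in one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def find_beacons(records: list[dict], min_connections: int = 8,
                 max_interval_cv: float = 0.15, max_size_cv: float = 0.15) -> list[dict]:
    """Flag (src, dst) pairs with regular timing and regular request sizes.

    Thresholds are assumptions for this example, not RITA's scoring.
    """
    by_pair = defaultdict(list)
    for r in records:
        ts = float(r["ts"])
        orig_bytes = 0.0 if r["orig_bytes"] == "-" else float(r["orig_bytes"])  # Zeek uses "-" for unset
        by_pair[(r["id.orig_h"], r["id.resp_h"])].append((ts, orig_bytes))

    findings = []
    for (src, dst), conns in by_pair.items():
        if len(conns) < min_connections:
            continue  # too few connections to judge periodicity
        conns.sort()
        intervals = [b[0] - a[0] for a, b in zip(conns, conns[1:])]
        sizes = [c[1] for c in conns]
        interval_cv = coefficient_of_variation(intervals)
        size_cv = coefficient_of_variation(sizes)
        if interval_cv <= max_interval_cv and size_cv <= max_size_cv:
            findings.append({
                "src": src, "dst": dst, "connections": len(conns),
                "mean_interval_s": statistics.fmean(intervals),
                "interval_cv": interval_cv, "size_cv": size_cv,
                "src_is_rfc1918": is_rfc1918(src),  # False here suggests post-NAT capture
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse_conn_log(build_sample_log())):
        print(f)
```

The two dispersion measures are deliberately separate: a host with regular timing but wildly varying sizes (a polling client pulling different pages) scores differently from one sending the same-sized check-in on a timer, and a low `src_is_rfc1918` rate across findings is a quick sign that the sensor sits behind NAT.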
## Indicators of Compromise
*Indicators of Compromise (IOCs) are not explicitly listed in the text, as RITA is a tool that generates indicators based on input logs.*
- File Hashes: N/A (Tool/Framework)
- File Names: N/A (Tool/Framework)
- Registry Keys: N/A
- Network Indicators: Outputs systems communicating with known bad IP addresses or domains (these IPs/domains would be defanged upon output).
- Behavioral Indicators: Beaconing patterns, connection patterns indicative of scanning.
## Associated Threat Actors
The article does not associate RITA with specific threat actors, as it is presented as a general-purpose, open-source network analysis tool used by defenders/hunt teams.
## Detection Methods
RITA itself is a detection method, leveraging network data:
- Signature-based detection: Not applicable; RITA is behavior/statistical analysis based.
- Behavioral detection: **Primary method** – detecting anomalous connection intervals, data sizes, and communication destinations.
- YARA rules: Not mentioned.
## Mitigation Strategies
As RITA is a detection tool, mitigations focus on improving the underlying network visibility and configuration:
- Ensuring Bro/Zeek logging is configured correctly.
- Ensuring logs are collected from an egress pre-NAT point to capture internal RFC 1918 IP addresses communicating externally.
- Employing threat intelligence feeds for C2 context.
## Related Tools/Techniques
- **Data Source:** Bro/Zeek Logs
- **Sponsor/Related Tool Disclosure:** Network Monitor Freemium (a free network monitoring tool mentioned as a sponsor tool).
- **General Concept:** Network flow analysis, threat hunting.