Remote Terminal Session Detection
Definition
Detection of an unauthorized remote live terminal console session by examining network traffic to a network host.
How it works
An external attacker takes remote control of a host inside a company or organization's network and manually directs offensive techniques. Nonstandard terminal sessions and abnormal behaviors are analyzed in this technique. Abnormal behavior detection includes analysis of user input patterns in the real-time session, keyboard output and packet inspection.
Network Traffic Inspection
Network traffic from internal hosts is the main focus of the traffic inspection. The network traffic is collected into inspection groups. The groups of traffic are assembled into distinct pair flows (outbound/inbound), and the pair flows are further divided into sessions. Only sessions that originate inside the network are considered for inspection. Traffic inspection includes analysis to determine whether a human is involved in the session exchanges. Time-based statistics are captured for each session being analyzed by the detection engine.
Algorithm Analysis Description
Analysis algorithms look for patterns in the network traffic captured from the session data. A detection engine groups the session traffic data, between the hosts, into rapid exchange instances. Analysis of rapid exchange traffic patterns can lead to the discovery of abnormal behavior which is indicative of a compromised internal host. The analysis algorithms look for patterns in the traffic which correlate to known activity (e.g., relay attacks, bot activity, bitcoin mining). Some metrics used during inspection include the following.
- Number of rapid-exchange instances
- Time interval between packets
- Fixed cadence of traffic
- Rhythm and direction of the initiation of instances
- Volume of data flowing from internal to external controlling host
- Data transfer characteristics
- Variability in length of silent periods
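The sketch below is an added example, not code from the referenced patent or from any product. It groups one session's packets into rapid-exchange instances and derives several of the metrics listed above. The 1-second silence gap, the thresholds in looks_human_driven, the function names and both sample sessions are assumptions constructed for illustration.

```python
from statistics import mean, pstdev

GAP = 1.0  # assumed silence (seconds) that separates rapid-exchange instances

# Constructed samples: (timestamp_s, direction, payload_bytes) for one session
# that the internal host opened. "in" = external->internal, "out" = reverse.
INTERACTIVE = [(0.0, "in", 48), (0.2, "out", 620), (4.1, "in", 52),
               (4.3, "out", 1500), (4.4, "out", 900), (15.0, "in", 40),
               (15.3, "out", 300), (17.5, "in", 60), (17.6, "out", 2100),
               (40.2, "in", 44), (40.5, "out", 800)]
BEACON = [p for t in range(5)
          for p in ((t * 60.0, "out", 120), (t * 60.0 + 0.1, "in", 80))]

def rapid_exchange_instances(packets, gap=GAP):
    """Group packets separated by at most `gap` seconds of silence."""
    instances = []
    for pkt in sorted(packets, key=lambda p: p[0]):
        if instances and pkt[0] - instances[-1][-1][0] <= gap:
            instances[-1].append(pkt)
        else:
            instances.append([pkt])
    return instances

def session_metrics(packets, gap=GAP):
    """Compute per-session metrics from the list above; None if no packets."""
    inst = rapid_exchange_instances(packets, gap)
    if not inst:
        return None
    # Silent period = end of one instance to the start of the next.
    silences = [b[0][0] - a[-1][0] for a, b in zip(inst, inst[1:])]
    avg = mean(silences) if silences else 0.0
    out_bytes = sum(n for _, d, n in packets if d == "out")
    in_bytes = sum(n for _, d, n in packets if d == "in")
    return {
        "instances": len(inst),
        # Share of instances whose first packet came from the external host.
        "external_initiated": sum(i[0][1] == "in" for i in inst) / len(inst),
        # Coefficient of variation: near 0 means a fixed cadence.
        "silence_cv": pstdev(silences) / avg if avg else 0.0,
        "out_in_bytes": out_bytes / in_bytes if in_bytes else float("inf"),
    }

def looks_human_driven(m, min_inst=4, min_ext=0.8, min_cv=0.3):
    """Assumed thresholds: many instances, externally led, irregular pauses."""
    return (m is not None and m["instances"] >= min_inst
            and m["external_initiated"] >= min_ext
            and m["silence_cv"] >= min_cv)
```

On the constructed data, INTERACTIVE is flagged because the external host starts every instance and the pauses vary widely, while BEACON is not because the internal host leads at a fixed 60-second cadence.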
Considerations
- Full packet capture is required, which can be processing-intensive to analyze
- Attackers that move low and slow may blend in with existing traffic, resulting in false negatives
References
The following references were used to develop the Remote Terminal Session Detection knowledge-base article.
(Note: the consideration of references does not imply specific functionality exists in an offering.)
Method and system for detecting external control of compromised hosts
MITRE Comments
This patent describes detecting an external attacker taking remote control of an internal host. Detection includes identifying sessions where the external host controls the internal host in the opposite direction the session was initiated. The number of rapid-exchange communication instances (i.e., communications that occur between the two hosts with little silence gap), the time intervals between them, and/or the rhythm and direction of the instances, are analyzed to determine if an external human actor is manually controlling the internal host.