Remote Terminal Session Detection
Detection of an unauthorized remote live terminal console session by examining network traffic to a network host.
How it works
An external attacker takes remote control of a host inside a company or organization’s network and manually directs offensive techniques. Nonstandard terminal sessions and abnormal behaviors are analyzed in this technique. Abnormal behavior detection includes analysis of user input patterns in the real-time session, keyboard output and packet inspection.
Network Traffic Inspection
Network traffic from internal hosts is the main concern and focus of the traffic inspection. The network traffic is collected into inspection groups. The groups of traffic are assembled into distinct pair flows (outbound/inbound), and the pair flows are further divided into sessions. Only sessions originating inside the network are considered for inspection. Traffic inspection includes analysis to determine whether a human is involved in the session exchanges. Time-based statistics are captured for each session analyzed by the detection engine.
Algorithm Analysis Description
Analysis algorithms look for patterns in the network traffic captured from the session data. A detection engine groups the session traffic data between the hosts into rapid-exchange instances. Analysis of rapid-exchange traffic patterns can lead to the discovery of abnormal behavior indicative of a compromised internal host. The analysis algorithms also look for patterns in the traffic that correlate to known activity (e.g., relay attacks, bot activity, Bitcoin mining). Some metrics used during inspection include the following.
- Number of rapid-exchange instances
- Time interval between packets
- Fixed cadence of traffic
- Rhythm and direction of the initiation of instances
- Volume of data flowing from internal to external controlling host
- Data transfer characteristics
- Variability in length of silent periods
Considerations
- Full packet capture is required, which can be process intensive to analyze
- Attackers that move low and slow may blend in with existing traffic, resulting in false negatives
CAR-2013-07-002: RDP Connection Detection
CAR-2016-04-005: Remote Desktop Logon
Method and system for detecting external control of compromised hosts
This patent describes detecting an external attacker taking remote control of an internal host. Detection includes identifying sessions in which the external host controls the internal host in the direction opposite to the one in which the session was initiated. The number of rapid-exchange communication instances (i.e., communications that occur between the two hosts with little silence gap), the time intervals between them, and/or the rhythm and direction of the instances are analyzed to determine whether an external human actor is manually controlling the internal host.
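The metrics listed under Algorithm Analysis Description and the direction-reversal idea from the patent, worked through as an added example (not code from D3FEND or the patent): packets of one internally initiated session are grouped into rapid-exchange instances by silence gaps, then the count of instances, who started each one, the variability of the silences and the in/out byte volumes are compared between a constructed interactive session and a constructed fixed-cadence poll. The `Packet` record, the 2-second gap and the 0.6/1.0 thresholds are illustrative assumptions, not tuned values.

```python
from dataclasses import dataclass
from statistics import pstdev

@dataclass
class Packet:
    """Constructed record: time (s), direction relative to the internal host
    ("out" = internal -> external, "in" = external -> internal), bytes."""
    t: float
    direction: str
    size: int

def rapid_exchange_instances(packets, gap=2.0):
    """Group packets into rapid-exchange instances: runs of packets separated
    by at least `gap` seconds of silence."""
    instances, current = [], []
    for p in sorted(packets, key=lambda p: p.t):
        if current and p.t - current[-1].t >= gap:
            instances.append(current)
            current = []
        current.append(p)
    return instances + [current] if current else instances

def session_metrics(packets, gap=2.0):
    inst = rapid_exchange_instances(packets, gap)
    silences = [b[0].t - a[-1].t for a, b in zip(inst, inst[1:])]
    return {
        "instances": len(inst),
        "initiated_by_external": sum(1 for i in inst if i[0].direction == "in"),
        "silence_stdev": pstdev(silences) if len(silences) > 1 else 0.0,
        "bytes_out": sum(p.size for p in packets if p.direction == "out"),
        "bytes_in": sum(p.size for p in packets if p.direction == "in"),
    }

def looks_like_reverse_terminal(packets, gap=2.0, min_instances=3):
    """Flag a session whose exchanges are mostly started by the external host,
    with irregular human-like silences and more data leaving than arriving."""
    m = session_metrics(packets, gap)
    if m["instances"] < min_instances:
        return False
    return (m["initiated_by_external"] / m["instances"] >= 0.6
            and m["silence_stdev"] > 1.0 and m["bytes_out"] > m["bytes_in"])

# Constructed samples: external host types short commands and the internal host
# answers with larger output at irregular intervals, vs. fixed-cadence polling.
INTERACTIVE = [Packet(0.0, "out", 60), Packet(0.1, "in", 40), Packet(5.0, "in", 8),
               Packet(5.2, "out", 900), Packet(13.5, "in", 12), Packet(13.7, "out", 2400),
               Packet(16.0, "in", 6), Packet(16.1, "out", 300), Packet(31.0, "in", 10),
               Packet(31.2, "out", 1800)]
POLLING = [Packet(t, d, s) for k in range(5)
           for t, d, s in ((10.0 * k, "out", 120), (10.0 * k + 0.05, "in", 500))]
```

The interactive session is split into five instances, four of which the external host starts, while the poll has the same instance count but zero externally started instances and no variation in its silences.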