Handling IOC Based Rules with TLS Decryption

A customer recently requested details on how Emerging Threats ensures coverage of rules which leverage TLS keywords for environments which have TLS decryption in place. This specific environment involves the TLS decryption process removing the TLS Protocol and presenting plain text HTTP to the IDS Engine.

A great question that I figured was worth sharing with everyone!

In general, Emerging Threats attempts to write signatures which provide coverage regardless if an environment has TLS decryption or not. In some cases, customers with TLS decryption capability will benefit from rules which are written specifically for HTTP traffic which has been decrypted.

In the future, Suricata Datasets will help reduce the number of rules and enable better IOC Based detection and other solutions are also being considered.

Context

In this context, focus will be placed on the scenario of inspecting outbound HTTP/TLS traffic from a user segment. As such example rules are used which look for “Outbound” user traffic going to the general Internet.

A common deployment scenario for TLS Decryption is used to inspect network traffic originating from the Internet coming into an “internet facing” environment. This is common for inspecting incoming web requests for exploitation attempt of hosted services. Rules which are designed to inspect this traffic flow will not be discussed.

It’s worth nothing that not all TLS decryption works the same. Some appliances/solutions will include TLS handshake and decrypted HTTP traffic, while others will only pass along the decrypted HTTP traffic. Understanding the traffic inspected by the IDS engine is key to understanding which rules apply and should be enabled within the IDS.

IOC Based Signatures

IOC based rules generally refers to rules which are written around a domain name. IOC based signatures are most common within the ruleset when information is provided by an external party, but there is not enough information to write a more specific signature.

Example 1: No Additional Traffic Available

As an example, consider the following tweet post from our good friend @Cyber0verload

This post contains a lists of domains that have been associated to the Gamaredon threat actor. At the time of the writing, a quick pivot on these domains did not reveal any publicly available samples which could be further examined.

In this scenario, we lack the information to write a rule based on the actual network traffic involving the domains. In an effort to still provide coverage for our customers and users, we opt to create detection of the domains themselves.

There are several different options for signatures that we can create on the domain itself, most options contains a dedicated buffer in Suricata:

  1. dns.query;
  2. tls.sni;
  3. http.host;
  4. tls.cert_subject (via the Common Name)
  5. subjectAltName (Feature #5234: SSL/TLS Sticky Buffer for subjectAltName - Suricata - Open Information Security Foundation)

It is the current standard practice of Emerging Threats to create rules for the dns.query and tls.sni.

Example 2: Decrypted Traffic Available

Next, lets consider a the post from @Suyog41 where a sample was available and we were able to create a signature for the decrypted network traffic.

In this case, using the provided sample, Emerging Threats was able to execute the malware within a sandbox environment and collect decrypted HTTP/2 communications to telegram.

As a side note, in this case, the TLS protocol is removed all together and is not observed by the IDS Engine. Only clear text HTTP/2 Traffic is presented.

As a result, the following rule was created, specific to this malware family which requires the use of TLS decryption. This dependency on TLS decryption is noted within the rule metadata via the Deployment metadata key which contains the value of SSLDecrypt.

Resulting Rule:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KWN Clipper Checkin via Telegram"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/bot"; startswith; content:"/sendMessage"; endswith; http.host; bsize:16; content:"api.telegram.org"; http.content_type; bsize:33; content:"application/x-www-form-urlencoded"; http.user_agent; content:"Go-http-client/"; startswith; http.request_body; content:"&text=FROM+UID+%3A+%0D%0A"; content:"%0D%0A+Victim+By+KWN++%0D%0ANEW+USER"; distance:0; fast_pattern; reference:url,twitter.com/suyog41/status/1645694318756220928; reference:md5,14485f6b7327d25d8a255b9feca41e7b; classtype:trojan-activity; sid:2044916; rev:1; metadata:attack_target Client_Endpoint, created_at 2023_04_11, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2023_04_11; target:src_ip;)

This is great for environments which have TLS decryption. However, users which lack this capability can still be alerted to the possible abuse of Telegram via the DNS and TLS rules. In this case, due to the use of a shared service (Telegram) an IOC based signature will not be as high fidelity as the MALWARE rule, but will have a long lifetime.

2033966 - ET HUNTING Telegram API Domain in DNS Lookup
2033967 - ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)

Example 3: Unencrypted Traffic Available

This example is included just to round out the available “outcomes” as it relates to TLS. This sample shared by @fr0s7_ with supplemental information from @JAMESWT_MHT had clear text HTTP traffic.

In this case, a single rule was created and can be used by all customers regardless of having TLS decryption capabilities. As a result, there was no need for an IOC based signature, as we have rule that will detect this malware regardless of the domain the c2 server is hosted on. This creates a rule which has an increased longevity compared to an IOC based signature.

Resulting Rule:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LNK/Konni APT CnC Checkin (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?vw="; fast_pattern; content:"&nv="; distance:3; within:4; pcre:"/(?:\x2ephp\x3fvw\x3d(?:[a-z0-9]{3})\x26(?:[a-z]{2})\x3d(?:[a-z0-9]{6}))$/"; http.user_agent; content:"WindowsPowerShell/"; reference:md5,6d6433c328f6cdce4a80efce3a29ea3e; reference:url,twitter.com/fr0s7_/status/1697506531724419277; classtype:trojan-activity; sid:2047883; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2023_09_01, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, confidence High, signature_severity Critical, tag Konni, tag c2, updated_at 2023_09_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)

Unique Considerations of IOC Based Signatures

Ruleset Lifecycle Considerations of IOC based Signatures

IOC based signatures have several unique considerations when writing them, the first and foremost is to consider the “longevity” of the indicator. This concept was touched on briefly as it related to the sample which used Telegram.

Some signatures, such as those for many online services which get abused by threat actors, such as Telegram, can have a fairly long life. Many of these rules are placed within the “INFO” or “POLICY” category. Others signatures, such as malware c2 domains, are often short lived.

Rule writers have to balance the longevity of the rule when creating the rules with how large the ruleset itself is and how likely the threat actor is to be using/reuse the indicator.

Time To Review

To assist with rule lifecycle, Emerging Threats internally introduced a “Time To Review” (TTR) process which applies to IOC based signatures. When creating an IOC based signature, the rule writer can prompt the rule to be reviewed in 30, 60, 90, etc days. When that TTR is expired, the rule is added to a list which rule writers then manually review and disable rules which have indicators that are no longer useful. Perhaps the indicator no longer resolves, the ownership of the domain has changed, the registar has placed the domain in a clientHold status, or the malware has moved to different c2, etc.

Along with this change, the “reviewed_at” metadata field was created. This field allows users to see when the rules reviewed by Emerging Threats staff as part of the TTR process or for any other reason.

Ruleset “Bloat”

Another considerations specific to IOC based signatures is the impact of creating a large amount of rules has on the IDS engines, the management and lifecycle of the rules and the general “bloat” of the ruleset. Every rule loaded into the engine creates overhead and impacts the performance of the engine.

If each IOC had every form of the rule created, there would be five different rules created for each IOC domain. When hundreds of domains are considered every week, the sheer amount of rules created would become unmanageable not only for ruleset users but also ruleset writers and the performance impact of loading so many rules into an IDS engine must be considered.

This is the major reason why only dns.query and tls.sni keyword based rules are created today. The inclusion of tls.sni rules was a recent change to the standard practice and was driven by customer request.

Limitations of DNS and TLS Signatures

It would be an injustice to discuss DNS and TLS signatures without discussing the serious limitations of them.

DNS: Sensor Placement

Depending on sensor “placement”, rules using the dns.query keyword can often alert on an recursive DNS resolvers making an DNS query on behalf of a user. This is very common in environments where sensors are placed at a network perimeter and internal hosts are not permitted to directly use external DNS servers.

This type of network environment and sensor placement results in increased analyst time correlating the request or not being able to identify the true requesting client at all. This was the driving factor behind including tls.sni based rules when creating dns.query rules. TLS traffic is less likely to be routed through a proxy server and thus has a higher likely of alerts containing the original requestor ip address. In cases where proxy servers are in use, special consideration must be taken to sensor placement.

Ideally sensor “placement” could be modified to see the original request directly from the requesting host or logging can be enabled on the recursive DNS server to assist in correlating an alert.

DNS: DoH/DoT

Recently there has been an increase in the adoption of RFC 8484 - DNS Queries over HTTPS (DoH)) and RFC 7858 - Specification for DNS over Transport Layer Security (TLS) (DoT). These protocols increase the privacy of internet users, but do impact the ability for IDS sensors to inspect DNS queries.

In the case of DNS over HTTPS, even when these streams are decrypted, the queries contained within are not parsed as standard DNS queries. There is currently a feature request to support this within Suricata

TLS: TLSv1.3 and eSNI

Similar to DoH/DoT there have been changes with the TLS protocols which increase the privacy of internet users but impact the ability for IDS sensors to inspect TLS traffic.

TLSv1.3 introduced changes which encrypt the server certificate details. This removes the effectiveness of rules using the tls.subject_cert and many other certificated based tls keywords. The other change is the adoption of a TLS Extension for Encrypted Server Name Identification. This extension enables the “Server Name Identification” field to be encrypted in the TLS handshake and removes the effectiveness of the tls.sni keyword.

TLS Protocol Inspection

There is one other type of rule that uses TLS information not yet mentioned. Rules which provide detection of vulnerabilities within the TLS protocol themselves. The most well known example of this might be “HeartBleed”. In order to detect HeartBleed at the network level, the TLS exchange and other TLS protocol details must be observed by the engine. If a TLS decryption service/appliance is removing all the TLS protocol information, rules designed to inspect them will not be useful.

Long Term Solutions for IOC Based Signatures:

Datasets

Suricata 6.0 provides formal support for “Datasets”. There is a great presentation explaining the feature on Youtube: https://www.youtube.com/watch?v=dUUPwgHkuvo

As the Suricata 7.0 ruleset approaches release, it allows a unique oppurtunity to adopt move away from the typical 2+ rule format (DNS, TLS SNI, along with HTTP Host, TLS Cert, altDNSNames) that we provide today and instead start distributing our IOC based rules via datasets. This will allow one rule for each rule type per dataset to be written. As an example might have one dataset called “External IP Lookup Services”, and 3 (or more) rules which use that dataset looking for the IOCs within the DNS, TLS SNI, and HTTP Host buffers. This not only provides a good way of managing several list, but reduces ruleset “bloat” and enables our customers to select which datasets are of interest to their environment.

While Datasets are specific to Suricata, we will continue to support IOC based rules for Snort and supported versions of Suricata which do not support Dataset.

“Downstream” Inspection

Another possible solution is to remove the handling of IOCs from the IDS engine all together and instead use the same data in another system which processes the output of DNS, TLS, HTTP logging. Currently, this would rely upon the user to create this logic based on either Proofpoint’s Domain Reputation lists or by extracting the IOC from IOC based rules.

Build Your Own Ruleset

In an ideal scenario, a solution could be designed that allows for users to select an output format for IOC based rules. If the user wants rules which leverage http.host only, then by adding a new and unique url to their ruleset manager, a rules file which contains all the IOC based rules formatted to inspect traffic using the http.host keyword.

This could be expanded to include tag filtering. As an example, if the user only wants MALWARE CnC domains, and domains listed in the “Living Off Trusted Sites Project” and output in formats which utilize the dns.query, http.host and tls.sni keywords, that’s what they get.

Even non-IDS engine formats could supported such as json, xml, datasets, etc.

This would represent a drastic change in how rules are produced within the Emerging Threats ruleset today, but is being considered.

5 Likes