2.1.5. DGA detect engine

2.1.5.1. Introduction

2.1.5.1.1. For what types of threats is this engine designed?

The GCenter embeds an engine capable of detecting the use of a Domain Generation Algorithm (DGA), a technique often used by advanced threat actors in their malware.
DGA detect:
  • works on DNS, a plaintext protocol, and keeps working even if the malware later talks to its C2 over an encrypted protocol such as HTTPS: the generated name still has to be resolved in the clear before the encrypted session starts. (It does rely on seeing the resolution; DNS tunnelled to an external resolver inside DoH or DoT is not visible to the probe.)

  • can detect DGA families that have never been seen before. For instance, it could have flagged the SolarWinds campaign even if it had been trained before SolarWinds existed.

The presence of DGA-generated domain names on a network is a strong indicator of compromise.
Indeed, malware resolves automatically generated domain names to locate its command and control servers (also called CnC, C&C or C2) and then contacts them, for example over HTTP.

2.1.5.1.2. How does this particular engine detect threats?

Domain names generated by DGAs have different properties from legitimate domain names.
Conventional detection approaches such as blacklists are not relevant for domains that are constantly renewed.
Simple entropy calculations generate a large number of false positives, because many legitimate names are high-entropy too.
The detection of suspicious domains is based on a pre-trained, supervised machine learning model.
The detection of the "DGA" behavior is based on domain analysis AND behavioral analysis.
DGA detect combines several approaches to get the best of each technique:
  • A supervised machine learning classifier to flag likely-DGA domains. It is an ensemble of two models: one using deep learning (LSTM) and one using hand-crafted, domain-specific features.

  • A behavioral analysis based on aggregation over time.


2.1.5.1.3. How does this DGA detect engine work in the GCenter?

  • On the GCap, DNS answers are logged and sent to the GCenter.

  • A machine learning algorithm scores each queried domain and flags those that look like the output of a DGA.

  • A behavioral analysis detects hosts that receive an unusual number of NXDOMAIN DNS answers, i.e. hosts that issue many queries for domains that do not exist (a DGA client typically tries many candidate names before one resolves).

  • The results of the behavioral analysis and of the per-domain scoring are combined to produce an aggregated alert.
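The four stages above, as an added example that is not GCenter code: a minimal Python pipeline run over constructed DNS answer records. The per-domain scorer `dga_probability` is a hand-written feature heuristic standing in for the GCenter's trained model; the thresholds, the aggregation gap and the `dga_ratio` formula (assumed here to be dga_count / nx_domain_count) are assumptions for this example, and the page's `malware_behavior_confidence` is not reproduced because its computation is not documented here.

```python
"""Added example, not GCenter code: score each queried domain, aggregate
NXDOMAIN answers per source host over time, combine both into one alert.
The scorer is a feature heuristic standing in for the trained model; all
thresholds and the dga_ratio formula are assumptions for this example."""
import json
import math
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

VOWELS = set("aeiou")
DGA_THRESHOLD = 0.5   # assumption: score at which a name counts as DGA-like
MIN_NXDOMAIN = 10     # assumption: NXDOMAIN answers per host/window before alerting
MIN_DGA_RATIO = 0.5   # assumption: share of NXDOMAIN names that must look generated
MAX_GAP_SECONDS = 60  # assumption: silence that closes a host's aggregation window


def registered_label(domain):
    """Label left of the TLD; simplified (ignores multi-label suffixes like co.uk)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(text):
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def longest_consonant_run(text):
    best = run = 0
    for ch in text:
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        best = max(best, run)
    return best


def clamp01(x):
    return max(0.0, min(1.0, x))


def dga_probability(domain):
    """Heuristic stand-in for the model's per-domain score, in [0, 1].
    Generated labels tend to have few vowels, long consonant runs and high
    character entropy. Each feature has a bounded share, so a pronounceable
    but high-entropy word such as 'cloudflare' stays below the threshold."""
    label = registered_label(domain)
    if len(label) < 4:
        return 0.0
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    score = 0.35 * clamp01((0.35 - vowel_ratio) / 0.35)
    score += 0.40 * clamp01((longest_consonant_run(label) - 2) / 3)
    score += 0.25 * clamp01((shannon_entropy(label) - 2.0) / 1.5)
    return round(score, 3)


def _epoch(ts):
    return datetime.fromisoformat(ts).timestamp()


def host_windows(answers):
    """Behavioral stage: per source host, windows that close after a gap."""
    by_src = defaultdict(list)
    for rec in answers:
        by_src[rec["src"]].append(rec)
    for src, recs in by_src.items():
        recs.sort(key=lambda r: _epoch(r["ts"]))
        window = [recs[0]]
        for rec in recs[1:]:
            if _epoch(rec["ts"]) - _epoch(window[-1]["ts"]) > MAX_GAP_SECONDS:
                yield src, window
                window = []
            window.append(rec)
        yield src, window


def aggregate_alerts(answers):
    """Combine both stages into alerts shaped like the page's 'dga' block."""
    alerts = []
    for src, recs in host_windows(answers):
        nx = [r for r in recs if r["rcode"] == "NXDOMAIN"]
        if not nx:
            continue
        scored = {r["domain"]: dga_probability(r["domain"]) for r in nx}
        hits = [r for r in nx if scored[r["domain"]] >= DGA_THRESHOLD]
        ratio = len(hits) / len(nx)
        if len(nx) < MIN_NXDOMAIN or ratio < MIN_DGA_RATIO:
            continue
        top = sorted({r["domain"] for r in hits}, key=lambda d: -scored[d])[:10]
        alerts.append({
            "event": {"module": "dga_detect", "start": recs[0]["ts"], "end": recs[-1]["ts"]},
            "source": {"ip": src},
            "dga": {"nx_domain_count": len(nx), "dga_count": len(hits),
                    "dga_ratio": round(ratio, 2), "top_DGA": top},
        })
    return alerts


# Constructed sample answers (not captured traffic): one host queries the names
# from the page's example alert plus two more; another host behaves normally.
_BASE = datetime(2024, 12, 17, 10, 59, 59, 513000, tzinfo=timezone.utc)


def _ts(seconds):
    return (_BASE + timedelta(seconds=seconds)).isoformat()


GENERATED_LOOKING = [
    "tjzjyiheo.com", "nvtcvimt.com", "vmfyaxnse.com", "htjykhvta.com",
    "csmanuivsrlx.com", "sbxsgfddr.com", "oyttwuyshcgxxaenbit.com",
    "seklusaprnkwhvybzc.com", "xxcnirvbqivbucfsbliu.com",
    "jgjvgfetpammdrxwn.com", "qwrtzpxk.com", "mvbnlkjhd.com",
]
SAMPLE_DNS_ANSWERS = [
    {"ts": _ts(0.5 * i), "src": "192.168.56.104", "domain": d, "rcode": "NXDOMAIN"}
    for i, d in enumerate(GENERATED_LOOKING)
] + [
    {"ts": _ts(1.0), "src": "192.168.56.10", "domain": "google.com", "rcode": "NOERROR"},
    {"ts": _ts(2.0), "src": "192.168.56.10", "domain": "gatewacher.com", "rcode": "NXDOMAIN"},
    {"ts": _ts(3.0), "src": "192.168.56.10", "domain": "cloudflare.com", "rcode": "NOERROR"},
]

if __name__ == "__main__":
    print(json.dumps(aggregate_alerts(SAMPLE_DNS_ANSWERS), indent=2))
```

Running the block prints one alert for 192.168.56.104 with nx_domain_count 12, dga_count 12 and dga_ratio 1.0; the ordinary host, whose single NXDOMAIN is a typo of a pronounceable name, raises nothing. `cloudflare` scores about 0.32 despite its high character entropy, which is the false-positive trap of entropy-only checks that the page mentions, and which the combination with the per-host NXDOMAIN count is meant to avoid.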

What are real-life examples of DGAs?

  • Conficker:

    • One of the earliest and most well-known examples of a DGA is the one in the Conficker worm, which infected millions of computers worldwide.

    • The DGA of the early Conficker variants generated 250 domains per day, making it difficult for defenders to block the domains fast enough.

  • Gameover Zeus: the Gameover Zeus malware also used a DGA to generate domain names, helping it evade detection and keep control of infected machines for financial theft.

How does a DGA work?

Algorithmic domain generation: the malware uses a predefined algorithm to generate a list of domain names. The algorithm may take various inputs, such as the current date and time, a seed value, or other dynamic parameters, to produce a new set of domain names each time it runs.
Attempt to connect: the malware attempts to resolve and connect to the generated domains, in sequence or at random, until it successfully reaches an active C2 server. The operator knows the same algorithm and parameters, so one or more of the generated domains can be registered in advance. Every failed attempt leaves an NXDOMAIN answer behind, which is the trail the behavioral analysis looks for.
Resilience to blocking: since a DGA can create thousands or even millions of potential domain names, it is impractical for defenders to block all possible domains in advance. Even if some domains are detected and blacklisted, the DGA can quickly switch to new domains, maintaining the malware's ability to communicate with its operators.

Why would an attacker use a DGA?

Evading detection: traditional security systems that rely on blocking specific domains or IP addresses find it difficult to keep up with the rapid generation and use of new domains.
Resilience and redundancy: if one domain is shut down or blocked, the malware can simply use another domain generated by the algorithm.
Flexibility: it allows cybercriminals to move their C2 infrastructure quickly and easily, which makes it harder for law enforcement or security teams to disrupt their operations.

What are the different types of DGA?

Time-based DGAs: these use the current date or time as a seed to generate domains.
For example: a1b2c3d4.com, e5f6g7h8.net, ijklmnop.org, qrs8tuv9.biz, wxyz1234.inf
Wordlist-based (dictionary) DGAs: these combine words from a predefined list in different ways, producing pronounceable names that defeat simple entropy checks.
For example: blueelephantapple.com, silverfoxbanana.net, quickmonkeytree.org, redcherrybunny.biz, happykoalaplanet.info
Hash-based DGAs: these use cryptographic functions such as hashing to generate domains, making the labels look random.
For example: 4d2ffg71f65d.com, a9c4d3b6f12e.net, 7f8a9bcd0342.org, 0f9b8a7cd45e.biz, d5c6b7a8e9f0.info
Machine learning-based DGAs: newer types of DGAs may use machine learning models to create domains that are hard to distinguish from legitimate ones.
For example: secureloginservice.com, mailverifytool.net, updateauthenticator.org, dataexchangeserver.biz, clientaccessmanager.info
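A generic time-seeded generator, as an added example covering both the rendezvous described under "How does a DGA work?" and the hash-based and wordlist-based types listed above. It is not taken from any real malware family: the seed, the word list, the TLD list and the way the date is mixed in are made up for illustration, and `first_live_domain` plays the client side against a constructed resolver instead of real DNS.

```python
"""Added example, not from any real malware family: a generic date-seeded
DGA in hash-based and wordlist-based variants, plus the client-side walk
through the candidate list. Seed, word list and TLD list are made up."""
import hashlib
from datetime import date

TLDS = ["com", "net", "org", "biz", "info"]
WORDS = ["blue", "silver", "quick", "red", "happy", "elephant", "fox",
         "monkey", "cherry", "koala", "apple", "banana", "tree", "bunny", "planet"]
SEED = "example-campaign-seed"   # assumption: a constant baked into the sample
EXAMPLE_DAY = date(2024, 12, 17)
NEXT_DAY = date(2024, 12, 18)


def _daily_key(day, index, seed=SEED):
    """Key for the index-th candidate of a given day. Both the implant and the
    operator can compute it, which is what makes the rendezvous possible."""
    material = f"{seed}:{day.isoformat()}:{index}".encode()
    return hashlib.sha256(material).digest()


def hash_based_domains(day, count=5, label_len=12):
    """Hash-based variant: the label is a hex prefix of the digest."""
    names = []
    for i in range(count):
        digest = _daily_key(day, i)
        label = digest.hex()[:label_len]
        names.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return names


def wordlist_domains(day, count=5, words_per_name=3):
    """Wordlist (dictionary) variant: digest bytes index into a word list,
    giving pronounceable names that pass naive entropy checks."""
    names = []
    for i in range(count):
        digest = _daily_key(day, i)
        label = "".join(WORDS[digest[j] % len(WORDS)] for j in range(words_per_name))
        names.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return names


def first_live_domain(candidates, resolver):
    """Client side of the rendezvous: try candidates in order and return the
    first that resolves, or None. `resolver` maps a name to an address or
    None; a real implant would issue DNS queries here, and every miss is an
    NXDOMAIN answer on the wire."""
    for name in candidates:
        if resolver(name) is not None:
            return name
    return None


if __name__ == "__main__":
    candidates = hash_based_domains(EXAMPLE_DAY, count=50)
    # Constructed resolver: the operator registered only the 7th candidate.
    registered = {candidates[6]: "203.0.113.10"}
    print("first live domain:", first_live_domain(candidates, registered.get))
    print("wordlist names:", wordlist_domains(EXAMPLE_DAY))
    print("next day differs:", hash_based_domains(NEXT_DAY)[:2])
```

The key property is that the list depends only on the shared seed and the date: the operator registers one name from tomorrow's list, the implant walks the same list, and the 49 misses before the hit are exactly the NXDOMAIN burst the behavioral analysis counts.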

A list of exceptions (Ignore list) can be set up to force the engine to treat given domain names as legitimate.
It removes alerts related to recurring false positives.

2.1.5.2. Events generated

These are displayed:
  • In the main interface named WEB UI of the GCenter, in the `Alerts` screen.
    The main interface named WEB UI is described in Overview of the WEB UI.
  • In the interface named Kibana UI.
    • In the main interface WEB UI, to view the alerts, select the `DGA` engine filter.
      See the presentation of the Web UI `Alerts`.
      The screen then displays only the list of DGA alerts.
      [Image: GCE103_DGA_21.PNG]
    • After selecting an alert, click on the `Open DGA activity` command of the `Actions` menu.
      The Kibana interface opens on the `Overview` tab, in the `DGA` category of the `Alerts` section.
      The data is filtered on the `source.ip` field, i.e. the host that sent the DGA requests.
      The interface displayed is the interface named Kibana UI (described in Overview of the Kibana GUI).
      [Image: GCE103_DGA_03.PNG]
      This page displays all the alerts raised by DGA detect for this IP address.
    • Click on the toggle icon on the left of the alert.
      The `Expanded document` window is displayed.
      [Image: GCE103_DGA_04.PNG]
      The detailed information of this alert can be viewed in table or JSON format.

Note

If one GCap oversees several networks, or if several GCaps supervise several networks, a domain name that appears several times may generate only one alert.



2.1.5.2.1. Example of a DGA detect alert in the WebUI

[Image: GCE103_DGA_22.PNG]
The presentation of the Alert details is given in the Alert details window.
The counters are detailed in DGA detect log data structure.

2.1.5.2.2. DGA detect log data structure

The logs are composed of different parts:

  • The header part

  • The source part, defined by "_source"

  • The fields part, defined by "_fields"

This information is displayed in the Expanded document of Kibana.


2.1.5.2.2.1. The header part of the DGA detect logs

The header section contains:

"_index": "engines_alerts-2024.12.17-000043",
"_id": "-a9H1JMBe7GX5B2fgaSz",
"_version": 1,
"_score": 0,

The detailed information is given in the table (Counters of the header part of logs).


2.1.5.2.2.2. The source part of the DGA detect logs

The source part is defined by "_source" in the logs.

Note

The data displayed in the Web UI (Alert details window) is a subset of the data displayed in the Expanded document of the Kibana interface.
All data can be exported to a SIEM via syslog (an example of an exported alert is shown).
The detailed information is given in the tables (Data related to detection results).

The example given here is a Kibana example.

"_source": {
  "event": {
    "created": "2024-12-17T11:01:15.955324+00:00",
    "dataset": "alert",
    "end": "2024-12-17T11:00:05.717000+00:00",
    "module": "dga_detect",
    "severity": 1,
    "kind": "alert",
    "category": [
      "network",
      "intrusion_detection"
    ],
    "start": "2024-12-17T10:59:59.513000+00:00",
    "id": "113dfa89-3b96-4e93-af67-e11df6446ff0"
  },
  "dga": {
    "malware_behavior_confidence": 50,
    "nx_domain_count": 29,
    "dga_ratio": 1,
    "top_DGA": [
      "tjzjyiheo.com",
      "nvtcvimt.com",
      "vmfyaxnse.com",
      "htjykhvta.com",
      "csmanuivsrlx.com",
      "sbxsgfddr.com",
      "oyttwuyshcgxxaenbit.com",
      "seklusaprnkwhvybzc.com",
      "xxcnirvbqivbucfsbliu.com",
      "jgjvgfetpammdrxwn.com"
    ],
    "dga_count": 29
  },
  "source": {
    "ip": "192.168.56.104"
  },
  "ecs": {
    "version": "8.6.0"
  },
  "destination": {
    "port": 53,
    "ip": "78.46.218.253"
  },
  "observer": {
    "log_format_version": "1.0.0",
    "hostname": "gcenter.domain.local",
    "vendor": "gatewatcher",
    "gcap": {
      "hostname": "gcap-int-129-dag.gatewatcher.com",
      "version": "2.5.4.0-rc5"
    },
    "product": "gcenter",
    "uuid": "fc1e66e3-a397-5eb4-9277-754be778f317",
    "version": "2.5.3.103"
  },
  "@version": "1",
  "@timestamp": "2024-12-17T11:01:15.955Z",
  "network": {
    "protocol": "dns",
    "transport": "udp",
    "timestamp": "2024-12-17T11:00:05.434623+00:00",
    "flow_id": 2110172624313946
  }
},
The DGA detect engine enriches the information already provided by the Sigflow module.
Thus, even for a domain that was not detected as generated, the field `dga_probability` is added to the corresponding DNS event.
A value close to 0 indicates a low probability that the domain was generated.
Conversely, a value close to 1 indicates a good chance that the domain is the result of random generation.

2.1.5.2.2.3. List of counters of the DGA detect alert

Note

The alert counters are visible:

  • in the Alert details screen of the WEBUI

  • in the Expanded document of Kibana

  • in the export to the SIEM

The detailed information is given in the table (Counters of the source part of logs).


2.1.5.3. Management of the engine

2.1.5.3.1. Viewing the engine status

The current engine status is displayed in the `Health checks` screen.


2.1.5.3.2. Engine update

The engine is updated with each new version of the GCenter.


2.1.5.3.3. Configure the DGA detect engine and manage the Ignore list of domain names

The management interface enables:

The management interface is described in `DGA` screen.


2.1.5.4. Alert Analysis

The alerts are displayed on a specific screen: this screen is described in Web UI `Alerts`.
The general procedure for analyzing alerts is described in Using of NDR dashboards.
The specific procedure for analyzing DGA detect alerts is described in the file Analysing the Sigflow alerts.