TL;DR The open source tool Moloch gives security teams more control of deployment and architecture for after-the-fact investigation when hackers try to infiltrate your network. Getting access to all of the data is key when using Moloch to ID these threats quickly.
Question: What’s more important to you than your full packet data when trying to hunt down hackers in your network or optimize traffic flow or build a network baseline?
Answer: Nothing. Nothing is more important than having the complete packet data at your fingertips. Data is the gateway to gaining deeper insights into the patterns or behaviors of network traffic – ultimately helping you ID real threats more quickly. So how do you get to the devilish detail in the data?
Moloch is one answer. Moloch is an open source, large-scale, full packet capture (FPC), indexing, and database system. For security teams that want a standalone system with metadata parsing and search capability, Moloch is the answer. This open source tool offers more control of deployment and architecture, providing security teams with after-the-fact investigative capability not available in other open source security tools.
When it comes to threat hunting, root cause analysis and forensics, it’s important to understand the common TTPs (tactics, techniques and procedures) that bad actors use and how to spot them. Certain kinds of common TTPs require that fully visible network packet traffic is available and indexed. For instance, if uncommon or custom protocols are used on common ports (like 53/UDP, 80/HTTP or 443/HTTPS) they will likely stand out as unexpected and anomalous. This will often be enough to trigger an alert and further inspection -- like a sandbox detonation or quarantine. Much more difficult is when common protocols like TLS/HTTPS are used on common ports (like 443), or when common protocols are used on uncommon ports.
In these cases, threat hunters, forensics professionals and tier 2-3 SOC analysts will likely be searching session and packet data for C2 activity flags, unusual URLs, odd domains, overly verbose HTTP/S responses (e.g. potential signals of SQL injection attacks), and User-Agent strings. Moloch’s ability to index and display this deep packet and session data helps threat hunters. The challenge arises when this kind of indicator data is encrypted with modern forward-secrecy ciphers, like those that are most common in TLS 1.2 and required in TLS 1.3. Searching for C2 signals and breach indicators is nearly impossible without decrypted visibility.
Users can browse PCAPs, as well as search and export relevant information. Moloch exposes APIs that allow PCAP data and JSON-formatted session data to be downloaded and consumed directly. Moloch stores and exports all packets in standard PCAP format, so you can also use your favorite PCAP-ingesting tools, like Wireshark, as you perform workflow analysis.
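The two anomaly classes described above (uncommon protocol on a common port, common protocol on an uncommon port) are simple to triage once sessions are indexed. The following is an added example, not Moloch's own code: it runs that check over constructed session records whose field names (`id`, `dstPort`, `protocols`) are assumptions modelled loosely on Moloch's JSON session export.

```python
"""Flag protocol/port mismatches in Moloch-style session records.

Added example, not Moloch's own code. The field names `id`, `dstPort`
and `protocols` are assumptions; the sample sessions are constructed.
"""
from collections import defaultdict

# Ports where each application protocol is expected (assumed baseline).
EXPECTED_PORTS = {
    "dns": {53},
    "http": {80, 8080},
    "tls": {443, 8443},
    "ssh": {22},
}
# Ports that normally carry exactly one well-known protocol.
EXPECTED_PROTOCOL = {53: "dns", 80: "http", 443: "tls", 22: "ssh"}


def classify(session):
    """Return anomaly labels for one session (empty list if it looks normal)."""
    port = session["dstPort"]
    # Drop transport-layer tags; only application protocols matter here.
    protos = [p for p in session.get("protocols", []) if p not in ("tcp", "udp")]
    findings = []
    for p in protos:
        if p in EXPECTED_PORTS and port not in EXPECTED_PORTS[p]:
            findings.append(f"common-protocol-uncommon-port:{p}/{port}")
    if port in EXPECTED_PROTOCOL and EXPECTED_PROTOCOL[port] not in protos:
        seen = ",".join(protos) or "unknown"
        findings.append(f"uncommon-protocol-common-port:{seen}/{port}")
    return findings


def triage(sessions):
    """Group session ids by anomaly label, giving the hunter a work queue."""
    queue = defaultdict(list)
    for s in sessions:
        for label in classify(s):
            queue[label].append(s["id"])
    return dict(queue)


SAMPLE_SESSIONS = [  # constructed records, not captured traffic
    {"id": "s1", "dstPort": 443, "protocols": ["tcp", "tls"]},    # normal HTTPS
    {"id": "s2", "dstPort": 53, "protocols": ["udp"]},            # unparsed UDP on 53
    {"id": "s3", "dstPort": 4444, "protocols": ["tcp", "http"]},  # HTTP on odd port
    {"id": "s4", "dstPort": 443, "protocols": ["tcp", "ssh"]},    # SSH where TLS belongs
]

if __name__ == "__main__":
    for label, ids in triage(SAMPLE_SESSIONS).items():
        print(label, ids)
```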
The open source tool can deploy across many systems and scales to handle tens of gigabits/sec of traffic. PCAP retention is based on available sensor disk space. Metadata retention is based on the Elasticsearch cluster scale. Both can be increased at any time and are under your complete control. (For more info about Moloch, visit https://molo.ch/faq#general)
Using Moloch for Security
Using its rules-based signatures, Moloch can search packets and proactively hunt for alert contexts, odd SSL certificates, unusual egress protocols, clear text passwords and more. It can even be used to enrich session data directly from Suricata and other third party platforms.
Today, however, with the vast majority of data in the cloud now encrypted, it’s becoming problematic for security analysts to see what they need to see. Moloch is a great tool you can use to augment your security infrastructure, but what if you need to see all of the data?
Making Moloch Work More Completely
When investigating a security incident, you will want to dig into the network traffic for analysis purposes.
It’s easy to analyze protocols in depth and extract information such as files from HTTP flows, from the TCP headers up to the data present at the application layer. But if you want to see all the packet details in clear text, you’ll need to decrypt the encrypted packets first. To do that, you’ll need to leverage a decryption solution that is built to work in any public or private cloud environment.
Nubeva TLS Decrypt is a new, out-of-band solution that decrypts SSL/TLS traffic, enabling security and application teams to inspect and monitor their data in motion. Nubeva’s born-in-the-cloud architecture works with TLS 1.3, Elliptic Curve Diffie-Hellman Ephemeral (ECDHE), perfect forward secrecy (PFS), and pinned certificates. This allows users to promote encryption-in-transit practices in their cloud environment, while providing a way to securely decrypt the mirrored traffic for additional visibility.
As part of the Nubeva Tools automated deployment, Moloch is deployed following the AWS Well-Architected Framework. The figure below depicts the complete, highly scalable Moloch architecture.
Nubeva applies a unique out-of-band decryption approach without software or hardware man-in-the-middle (MITM) components. This architecture uses a key-extraction plane independent of the encrypted traffic plane. Nubeva stores encryption keys securely in Amazon DynamoDB tables in the customer’s own AWS account.
With this solution, security analysts can see fully decrypted packets using Moloch while maintaining total security within their cloud subscription. Moloch has many advantages in helping security teams analyze traffic. As one user expressed, “Moloch is utilized as more of a ‘We really need PCAPs’ to put a timeline together in great detail or ‘we want to confirm what we’re seeing from other tools.’ Which, by the way, it does wonderfully.”
To learn more about using Nubeva with Amazon VPC traffic mirroring to gain decrypted visibility of your network traffic, read our blog here.
Finding Badness – Using Moloch for DFIR, Andy Wick and Elysse Rinne, https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1564159465.pdf
The easy way to analyze huge amounts of PCAP data, Xavier Mertens, Sept. 28, 2017, https://isc.sans.edu/diary/The+easy+way+to+analyze+huge+amounts+of+PCAP+data/22876