Organizations may soon be able to detect, in real time, the stealthy "beacons" used by post-exploitation frameworks such as Cobalt Strike, Sliver, Empire, Mythic, and Havoc.
Varonis Threat Labs has unveiled Jitter-Trap, a clever new technique that turns attackers' own evasion tactics against them by detecting the randomness cybercriminals add to stay hidden.
“Leveraging the randomness (jitter) that threat actors intentionally introduce to evade detection is definitely a novel approach to detect stealthy beacon traffic used in post-exploitation and command-and-control (C2) communications during cyberattacks,” said Agnidipta Sarkar, chief evangelist at ColorTokens Inc. “However, because jitters occur later in the attack cycle, detecting post-exploitation C2 communications cannot identify the initial compromise.”
According to Varonis, these post-exploitation tools inject random delays (jitter) into their check-ins, hoping to blend in with normal traffic. That added randomness, however, is itself a fingerprint that Jitter-Trap can detect and flag.
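To illustrate the idea, here is an added Python example that is not Varonis's code and does not reproduce Jitter-Trap's internals, which the article does not describe. It profiles the inter-arrival gaps of constructed check-in times for three flows; the band width, CV cut-offs and sample data are assumptions chosen for the illustration.

```python
from statistics import mean, median, pstdev

# Constructed check-in times (seconds) for three src->dst flows; not real captures.
# jittered: implant sleeping 60 s with +/-20 % jitter; human: a person browsing;
# fixed: implant with a 60 s sleep and no jitter.
FLOWS = {
    "jittered": [0, 52, 118, 176, 247, 296, 359, 414, 482],
    "human": [0, 2, 3, 6, 456, 457, 459, 1359, 1360],
    "fixed": [0, 60, 120, 180, 240, 300, 360],
}

def intervals(timestamps):
    """Inter-arrival gaps of one flow from its check-in timestamps."""
    ts = sorted(timestamps)
    return [b - a for a, b in zip(ts, ts[1:])]

def jitter_profile(gaps, band=0.35):
    """Return (share of gaps within +/-band of the median gap, coefficient of variation).
    A jittered implant sleeps T*(1 +/- j), so its gaps stay inside a tight band around T
    but are never identical: share near 1 with a small, non-zero CV. Human-driven traffic
    is bursty and heavy-tailed: low share, CV well above 1. The band and the CV cut-offs
    in classify() are illustrative assumptions, not thresholds the article states."""
    t = median(gaps)
    in_band = sum(abs(g - t) <= band * t for g in gaps) / len(gaps)
    cv = pstdev(gaps) / mean(gaps)
    return in_band, cv

def classify(timestamps, min_gaps=5):
    """Label one flow from its check-in times; needs enough gaps to be meaningful."""
    gaps = intervals(timestamps)
    if len(gaps) < min_gaps:
        return "insufficient"
    in_band, cv = jitter_profile(gaps)
    if in_band >= 0.9 and cv == 0:
        return "periodic-beacon"   # fixed sleep: the classic beacon fingerprint
    if in_band >= 0.9 and cv < 0.3:
        return "jittered-beacon"   # the randomness added to hide is itself the tell
    return "benign"

if __name__ == "__main__":
    for name, ts in FLOWS.items():
        share, cv = jitter_profile(intervals(ts))
        print(f"{name:9s} in_band={share:.2f} cv={cv:.2f} -> {classify(ts)}")
```

In practice the same profile would be computed per source/destination pair over a sliding window of proxy or NetFlow records, and the thresholds tuned against the environment's own baseline.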