Energy lab releases open-source tool for tracking cyberattacks
Connecting state and local government leaders
Hone, a tool being developed at the Pacific Northwest National Lab, links network traffic with an application, making it easier to find the source of an IT compromise.
Researchers at an Energy Department lab have released an open-source tool to spot the source of malicious activity inside the enterprise more quickly.
Networking tools generally grant permission to observe connections between an endpoint and the network, but these are broad permissions, and they do not link the traffic with the application or process that originated it, said Glenn Fink, a computer scientist at the Pacific Northwest National Laboratory. “Hone is more like a scalpel.”
Hone is the tool Fink invented to help pinpoint compromises. “It can trace every packet of every application and process to each socket it connects to,” he said. By tracing malicious traffic to the application that originated it, administrators can identify the source of a compromise more quickly. They can also use Hone to make more informed decisions about which connections should be allowed or disallowed.
Related stories:
The path to outsmarting advanced cyberattacks
Hack of Energy’s Pacific Northwest lab exploited zero-day vulnerability
Two weeks after breach, Energy lab back online
The information also could be used to troubleshoot application development and performance, as well as to debug and fine-tune firewall rules.
Hone watches the network activity of an endpoint and assigns an ID to every process that is opened or connection that is made so that it can be traced. This eliminates the need for an administrator to continuously monitor for an elusive pattern of traffic on the network in order to trace it back, or to manually match data in various logs to find the connection.
Fink came up with the idea for the tool in 2004 while a graduate student at Virginia Tech working on the problem of identifying attacks.
“I asked, 'Why not find out what process the packet belongs to,' ” when monitoring suspicious traffic, he said. “It was a simple question with a complex solution.”
It was complex because the TCP/IP stack does not accommodate that kind of association. The network layer looks at the routing of packets, the transport layer looks at the process, and the two do not communicate with each other.
“They were built with very crisply defined interfaces that don’t overlap or interface,” Fink said. “I’m bucking that paradigm by connecting the layers. You have to be in the kernel of the operating system. When a packet goes in, we consult the transport layer from within the network layer to find out where it is going.”
Fink came to PNNL in 2006 and began working on development of Hone in 2007. About $700,000 in R&D money has gone into the effort to date.
Hone now is in a beta testing stage and is being tweaked by users. It is available online as an open-source tool for Linux kernels 2.6.32 and later. Because the tool works within the OS kernel, it has to be customized for each operating system.
“We are currently putting the Windows 7 version through quality assurance,” Fink said. Versions for Windows XP and Mac OS X also are in the works. “We’re hoping other people will clone the project and develop tools.”
The PNNL team also is working on modifying the Wireshark open-source network analysis tool for Windows and Unix to enable visualization of the data being produced by Hone, and it hopes to commercialize this application.
Hone creates very little overhead in the client where it is working, Fink said. “It’s a disproportionate gain," he added. "I can use this data in a lot of ways.”