
RITA

Lab: What is RITA?
The RITA toolkit is intended to help with the often overwhelming task of combing through piles of log data looking for the following suspicious behaviors:
- Beaconing: connections that happen frequently and at similar intervals could be an indicator of malware calling home.
- Blacklisted IPs: addresses reported as being involved with malware, spamming, and other dangerous activities.
- Scanning: these events occur when a computer attempts to connect to a large number of ports on a system, searching for vulnerabilities.
- Long durations: connections that last well beyond the average length on a network could indicate a compromised system.
- Long URLs: longer than normal URLs could potentially be used to transfer malicious data into the system.
- Concurrent logins: a user being logged into a high number of systems could indicate that this user's account or original system has been compromised.

Lab: Starting RITA, Part I
Boot into your virtual machine.
Open a terminal (CTRL-ALT-T) and navigate to your RITA directory.
Run the application:

python run.py

Lab: Starting RITA, Part II
(1) Open a browser and navigate to localhost:5000 to access the front end.
(2) The first page will ask for a customer name. Enter 'example'. (This is used as the index into Elasticsearch for log files and therefore cannot be changed.)
(3) After entering the name, press 'Let's Go!'.

Lab: Starting RITA, Part III
It is useful to split your screen between the terminal and the browser. This can be done by clicking and dragging the top of each window to the sides of the screen.

Lab: Analyze Logs for Beaconing Behavior
(1) On the hunt teaming homepage, configure the beaconing module as shown below. Change the potential save directory to /home/ht/Desktop/.
(2) After configuring the options, press 'Run Module' to start the beacon analysis.

Lab: Analyze Logs for Beaconing Behavior
(1) As the progress icon spins in the front end, you can watch the progress in the terminal.
(2) Do not be alarmed by invalid log entries. The sample data contains two sets of log files and only one has valid information for beacon analysis. The other will be ignored.

Lab: Analyze Logs for Beaconing Behavior
To view the results, open another tab in the browser and navigate to localhost:5601. This will open the Kibana visualizer.

Lab: Analyze Logs for Beaconing Behavior
By default, Kibana will only show entries from the last 15 minutes. Change this setting to the last 5 years to view all log entries and results.

Lab: Analyze Logs for Beaconing Behavior
Kibana will now show a list of all log entries and analysis results.

Lab: Analyze Logs for Beaconing Behavior
(1) To narrow down the view to just the results, start by selecting 'result_type' in the Fields box on the left side of the page.
(2) This will drop down a summary of all the result types available; click 'Visualize' to view all of them.

Lab: Analyze Logs for Beaconing Behavior
The visualization will show a graph of all result types available.

Lab: Analyze Logs for Beaconing Behavior
To view the results, navigate back to the 'Discover' tab and search result_type=[result_type_name]. In this case, we will use 'result_type=likely_beacons'.

Lab: Analyze Logs for Beaconing Behavior
To view the generated graphs:
(1) Open the file browser
(2) Navigate to the Desktop
(3) Open the first image file

Lab: Analyze Logs for Beaconing Behavior
The generated graph represents the results of a Fast Fourier Transform (FFT) on the timestamps for a given source/destination connection. There are obvious spikes at 0.2 and 0.4 Hz. These are signs of likely beaconing behavior.
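To show what the FFT step is doing, here is an added example written for this page (it is not RITA's own code): constructed connection timestamps for one source/destination pair are binned into a count-per-interval series, a plain DFT is run over it, and the strongest frequencies are reported. A 5 s beacon with a little jitter produces a peak at 0.2 Hz and a harmonic at 0.4 Hz, the same spikes the lab graph shows. Only the Python standard library is assumed; the timestamps are constructed, not taken from the lab's sample data.

```python
import math
import random

# Constructed sample traffic (not from the lab data set): one host that
# reaches the same destination every 5 s with +/-0.2 s of jitter, mixed
# with 15 unrelated connections at random times inside a 600 s window.
random.seed(7)
WINDOW_SECONDS = 600.0
BIN_SECONDS = 0.5
BEACON_TIMESTAMPS = [5.0 * i + random.uniform(-0.2, 0.2) for i in range(1, 120)]
NOISE_TIMESTAMPS = [random.uniform(0.0, WINDOW_SECONDS) for _ in range(15)]

def bin_timestamps(timestamps, window_seconds, bin_seconds):
    """Count connections per fixed-width time bin, giving an evenly sampled series."""
    nbins = int(window_seconds / bin_seconds)
    series = [0] * nbins
    for t in timestamps:
        idx = int(t // bin_seconds)
        if 0 <= idx < nbins:  # anything outside the window is dropped
            series[idx] += 1
    return series

def spectrum_peaks(series, bin_seconds, top=3):
    """Plain O(n^2) DFT of the count series; returns the `top` strongest
    (frequency_hz, magnitude) pairs. k=0 is skipped: it only encodes the
    total connection count, not any periodicity."""
    n = len(series)
    nonzero = [(i, x) for i, x in enumerate(series) if x]  # sparse: skip empty bins
    peaks = []
    for k in range(1, n // 2 + 1):
        re = sum(x * math.cos(2 * math.pi * k * i / n) for i, x in nonzero)
        im = sum(x * math.sin(2 * math.pi * k * i / n) for i, x in nonzero)
        peaks.append((math.hypot(re, im), k / (n * bin_seconds)))
    peaks.sort(reverse=True)
    return [(round(freq, 3), round(mag, 1)) for mag, freq in peaks[:top]]

def likely_beacon_peaks():
    """Spectrum of the sample: the 5 s beacon appears at 0.2 Hz plus its 0.4 Hz harmonic."""
    series = bin_timestamps(BEACON_TIMESTAMPS + NOISE_TIMESTAMPS, WINDOW_SECONDS, BIN_SECONDS)
    return spectrum_peaks(series, BIN_SECONDS)

def beacon_interval_seconds():
    """Strongest peak frequency converted back into a call-home interval."""
    freq_hz, _ = likely_beacon_peaks()[0]
    return round(1.0 / freq_hz, 1)

if __name__ == "__main__":
    print("peaks (Hz, magnitude):", likely_beacon_peaks())
    print("beacon interval:", beacon_interval_seconds(), "s")
```

The 15 random connections barely register in the spectrum, which is why the periodic component stands out even though it is mixed with unrelated traffic.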

Lab: Analyze Logs for Beaconing Behavior
(1) To further examine the log entries that show a potential beacon, go back to Kibana and search for the log entries that match the information in the title of the FFT graph.
(2) On the left side of the screen, click 'add' on the _type field to sort by type.

Lab: Analyze Logs for Beaconing Behavior
Kibana will display a list of results that match your search criteria. Notice the timestamps on the log entries: they occur at a consistent 5 second interval.

Lab: Analyze Logs for Blacklisted Domains
Note: The blacklisted module makes queries to a server with a database of blacklisted IP addresses. You must have an internet connection to run this module.
(1) Configure the blacklisted analysis module as shown below.
(2) Observe the output on the terminal. Note that the module found 24 connections to blacklisted IP addresses.

Lab: Analyze Logs for Blacklisted Domains
To view the results of the blacklisted module, search result_type=blacklisted in Kibana.

Lab: Analyze Logs for Scanning Behavior
(1) Configure the scan analysis module as shown below.
(2) Observe the output on the terminal. Note that the module found 1 potential port scan.

Lab: Analyze Logs for Scanning Behavior
To view the results of the scan module, search result_type=scanning in Kibana.

Lab: Analyze Logs for Scanning Behavior
View the histogram of ports accessed by the potential scan:
(1) Navigate to /home/ht/Desktop in the file browser
(2) Open the new graph image

Lab: Analyze Logs for Long Durations
(1) Configure the long durations analysis module as shown below. The module will keep the longest 2% of connection durations.
(2) Observe the output on the terminal.

Lab: Analyze Logs for Long Durations
To view the results of the long durations module, search result_type=long_durations in Kibana.

Lab: Analyze Logs for Long URLs
(1) Configure the long_urls analysis module as shown below. The module will keep the 1000 longest URLs found.
(2) Observe the output on the terminal.

Lab: Analyze Logs for Long URLs
To view the results of the long_urls module, search result_type=long_urls in Kibana.

Lab: Analyze Logs for Concurrent Logins
(1) Configure the concurrent login module as shown below.
(2) Observe the output on the terminal.

Lab: Analyze Logs for Concurrent Logins
To view the results of the concurrent module, search result_type=concurrent in Kibana.