Rita Fields Cheat Sheet

[kyleEeeEEeeee]

trafficstars

Hello,

I'm running a ton of test data through RITA in an effort to advocate for its use in my organization. People are going to ask what the additional fields are (other than the obvious score, src, dest), but I don't know how to answer. Can you please provide a description of the additional "Beacon" fields. Specifically TS score, DS score, Dur score, Hist Score, and Top Intvl? Thanks in advance!

[Zalgo2462]

Hello, here are the descriptions for the fields you mention:

• TS score: Timestamp score. This score conveys how well the set of delays between connection timestamps matches what we'd expect from a beacon.
• DS score: Data size score. This score conveys how well the set of sizes of the outgoing connections matches what we'd expect from a beacon.
• Dur score: Duration score. This score is higher when the two IPs are connected throughout a larger portion of the observation period.
• Hist score: Histogram score: This score is higher when the number of connections over time is consistent throughout the observation period.
• Top Intvl: Top interval: This is the mode delay in seconds between connections. So if there is a beacon between the two IP addresses, this is the most common amount of time the beacon waits before connecting back to the destination IP address.

These metrics are calculated in https://github.com/activecm/rita/blob/master/pkg/beacon/analyzer.go#L92.

A (somewhat out of date) lab/ cheatsheet can be found at the bottom of https://activecm.github.io/threat-hunting-labs/beacons/

You can also find technical descriptions of the various metrics in the READMEs in the subdirectories at https://github.com/activecm/rita/tree/master/pkg.

[kyleEeeEEeeee]

Wow thank you so much for the quick response!

[Zalgo2462]

Here is an additional RITA cheat sheet: https://www.activecountermeasures.com/wp-content/uploads/2021/06/RITA-Cheat-Sheet.pdf