Source: www.csoonline.com – Author:
In a landscape of AI-proof malware and modular C2 kits, Jitter-Trap brings statistical rigor to catching post-compromise threats before damage spreads.
Organizations may soon be able to detect in real time stealthy “beacons,” like Cobalt Strike, Sliver, Empire, Mythic, and Havoc.
Varonis Threat Labs has unveiled Jitter-Trap, a clever new technique that claims to exploit attackers’ own dodgy tactics against them, detecting the randomness cybercriminals use to stay hidden.
“Leveraging the randomness (jitter) that threat actors intentionally introduce to evade detection is definitely a novel approach to detect stealthy beacon traffic used in post-exploitation and command-and-control (C2) communications during cyberattacks,” said Agnidipta Sarkar, chief evangelist at ColorTokens Inc. “However, because jitters occur later in the attack cycle, detecting post-exploitation C2 communications cannot identify the initial compromise.”
According to Varonis (Nasdaq:VRNS), these post-exploitation tools inject random delays (jitter) into their check-ins, hoping to blend in with normal traffic. This ‘natural’ randomness, however, leaves a fingerprint that Jitter-Trap can detect and flag.
How Jitter-Trap sniffs the hidden pattern
Jitter-Trap digs into the timing of network requests made by these beacons, discovering uniform statistical patterns that rarely appear in genuine traffic, and uses them to unmask threats.
“If mathematics can turn an attacker’s evasion tactic into a detection signal, it would be very, very potent to determine the attacker through this behaviour indicator,” Sarkar added.
Varonis researchers said these beacons set a base (sleep) interval (e.g., 60 seconds) and add a jitter (±20%), producing check-in intervals that are uniformly distributed, between 48 s and 72 s in this instance. Jitter-Trap flags this uniform spread as a red signal using statistical tools like the Kolmogorov-Smirnov and chi-square tests.
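As an added illustration, not Varonis’ code, the following Python checks whether the gaps between check-ins fit the uniform band described above, using a hand-rolled Kolmogorov-Smirnov distance. The critical-value formula, the way sleep and jitter are recovered from the observed range, and the two sample logs are assumptions constructed for the example.

```python
"""Illustration of the Jitter-Trap idea: check-in gaps spread uniformly over
[sleep*(1-jitter), sleep*(1+jitter)] are rare in organic traffic.
Not Varonis' code; thresholds and sample data are constructed for the example."""
import math
import random
from itertools import accumulate


def intervals(timestamps):
    """Inter-arrival gaps (seconds) between consecutive check-ins."""
    ts = sorted(timestamps)
    return [b - a for a, b in zip(ts, ts[1:])]


def ks_uniform_distance(gaps):
    """Kolmogorov-Smirnov distance D between the empirical CDF of the gaps and
    a uniform CDF on [min, max]. Small D means the gaps look evenly spread."""
    xs = sorted(gaps)
    lo, hi, n = xs[0], xs[-1], len(xs)
    if hi == lo:
        return 1.0  # constant polling: a different signal, not jitter
    d = 0.0
    for i, x in enumerate(xs):
        f = (x - lo) / (hi - lo)  # uniform CDF at x
        d = max(d, f - i / n, (i + 1) / n - f)
    return d


def estimate_sleep_jitter(gaps):
    """Assumed model: sleep = midpoint of the range, jitter = half-width / sleep."""
    lo, hi = min(gaps), max(gaps)
    sleep = (lo + hi) / 2
    return sleep, (hi - lo) / 2 / sleep


def looks_like_jittered_beacon(gaps, alpha=0.05, min_samples=20):
    """Flag when D is below the large-sample KS critical value at level alpha,
    i.e. when the uniform-jitter hypothesis is NOT rejected."""
    if len(gaps) < min_samples:
        return False
    crit = math.sqrt(-0.5 * math.log(alpha / 2)) / math.sqrt(len(gaps))
    return ks_uniform_distance(gaps) < crit


if __name__ == "__main__":
    rng = random.Random(7)  # constructed sample data, not real telemetry
    # sleep 60 s with 20% jitter: gaps uniform on [48, 72]
    beacon = list(accumulate(rng.uniform(48, 72) for _ in range(100)))
    # organic, bursty traffic: exponential gaps with the same 60 s mean
    organic = list(accumulate(rng.expovariate(1 / 60) for _ in range(100)))
    for name, log in (("beacon", beacon), ("organic", organic)):
        g = intervals(log)
        print(name, looks_like_jittered_beacon(g), estimate_sleep_jitter(g))
```

Because the band edges are estimated from the same data, the fit is slightly optimistic; in production one would also require a minimum number of check-ins and pair this with the consistent-polling and URL-uniqueness signals mentioned below.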
“Sleep and Jitter are parameters related to how the beacon manages its communication or ‘polling’ intervals in the context of post-exploitation frameworks,” Masha Garmiza, security researcher at Varonis, said in a blog post. “The sleep parameter defines the fixed interval of time that the beacon will wait to check in for the next command. The jitter adds randomness to the sleep duration, as opposed to having a fixed sleep time.”
Beyond timing, some beacons randomize payload sizes or generate semi-random URLs each time, as seen with PoshC2 or Sliver. When the ratio of unique URLs closely approaches 100%, it raises a behavioral alarm, Garmiza said.
Turning evasion into detection
Beacons represent one of the most difficult-to-detect stages in an attack, enabling stealthy command-and-control (C2) communication long after the initial compromise, thereby threatening data theft, lateral movement, or ransomware deployment.
As attackers tweak C2 profiles, shuffle payloads, or obfuscate binaries to evade static detection methods, Jitter-Trap takes a different defensive approach, focusing on behavioral metadata that attackers can’t easily disguise.
“Even if initial security measures fail to recognize and block a beacon sample, the detection of beacon traffic during the post-exploitation phase remains crucial,” Garmiza added. “Jitter-Trap demonstrates how patterns of randomness, often employed for evasion, can be leveraged to uncover the presence of such traffic.”
The blog post noted that since jitter-like patterns rarely occur in normal traffic, just 4% compared to 8% for consistent polling, Jitter-Trap stands out as a high-precision detection tool in real-world environments.
Original Post url: https://www.csoonline.com/article/4010868/turning-evasion-into-detection-varonis-jitter-trap-redefines-beacon-defense.html
Category & Tags: Security, Security Software, Threat and Vulnerability Management