Exclusives Featured

Detecting Cryptocurrency Mining with Vectra Cognito

Can you guess the next security threat? Perhaps if you’re in tune with what’s going on in the exploit market or you’re a zero-day researcher you’ve got a great idea. But sometimes the next big attack comes from left field. And you may never even realize that you’re secretly working for the people exploiting you.

The Rise of Mining

The explosion of Bitcoin and other cryptocurrencies caught the market off-guard. Traders and speculators were driving the costs of all types of cryptocurrency through the roof over the past year. Prices kept climbing and climbing, approaching $20,000 per Bitcoin at the height of the craze. People were saying that they wished they’d have invested earlier or had a way to mine coins faster to take advantage of the price.

However, there were indications that something was going on. Vectra is a security company that has a threat detection platform called Cognito. Cognito uses artificial intelligence to identify attacker behaviors and uncover behaviors that security professionals may not be immediately aware of. Cognito also allows you to prioritize your response to those behaviors and find out the real story behind what’s going on.

So, how does Cognito play into the world of cryptocurrency? Cognito is a platform that has been widely deployed at higher education institutions. These types of environments are always like the Wild West. The student networks are usually a collection of poorly patched and secured machines that operate at the minimum function level necessary to do homework and play games. That means a lot of targets for advanced malware and exploits.

Cognito first noticed an uptick in the number of crypto mining malware applications right after the start of the higher education year started in late August and early September. The number of exploited systems mining for cryptocurrencies spiked around November 2017, which was followed shortly thereafter by a spike in the price of Bitcoin from around $7,500 per coin in November to a high of over 18,000 per coin in late December.

Of course, by December the high education institutions had shut down for the end of the semester. Accordingly, so too did the number of mining machines fall at the same time, underscoring the fact that these machines were infected on the student side of the network. As soon as the students returned in January 2018, the mining started once again.

Finding A Bitcoin In A Haystack

How can Cognito find cryptomining in action? Firstly, it doesn’t have traditional signature-based detection. Signatures are a reactive way to detect things after they’ve already happened. Even the most basic malware detection systems today don’t rely on signatures. Heuristic behavior is necessary to find new patterns before they can be used for nefarious purposes.

Cognito takes this one step further. Instead of looking just at heuristic behaviors, it looks at the metadata around those behaviors to build intent. For example, think about a remote connection initiated to a system. Many of these connections are initiated by clients talking to servers on the public internet. However, when a system from outside your network initiates a connection like this, it might be a sign of an intruder. Cognito can look at the packets in the connection to determine if it’s a piece of software automating the process of something like data collection or if it’s an actual intruder performing reconnaissance on your network.

When you think about it, this approach isn’t all that dissimilar from ones that law enforcement uses today. When I was discussing this with Rich Stroffolino, he brought up the way that local sheriff’s offices look at things like increased power consumption in homes or the lack of snow on a roof during the winter to track down potential marijuana growing operations. They don’t need to see the actual operation at work to know something is going on once they start putting together all the signs that point to something being likely.

The more that Cognito sees, the more that it learns. The more it learns, the better the picture that Cognito can paint for security professionals. The more complete the picture, the more knowledge that those same security professionals can bring to bear to prevent attacks and conserve resources. In a case like cryptomining, the power consumption on a campus infected by large numbers of compromised mining machines must have been noticeable. By using the information from Cognito to inform students how best to remove these illicit miners, the power consumption can be brought back to normal levels and make everyone happier in the long run.

Bringing It All Together

It’s fascinating what you can learn when you take a closer look at something. When it comes to security, it can be harder than you think to notice the little details that end up becoming a bigger thing. In the specific case of the huge rise in cryptocurrency miners, thanks to Vectra’s Cognito it was easy to see that something was going on long before it became a bigger deal. With the acceleration of security malware and exploits being used to fund more adventures in hacking, perhaps it’s time to look at tools like Cognito to make a difference in the way we approach security.

If you’d like to read the report that is referenced in this blog post, make sure to head over to https://vectra.ai and look for it next week during RSA 2018!

About the author

Tom Hollingsworth

Tom Hollingsworth is a networking professional, blogger, and speaker on advanced technology topics. He is also an organizer for networking and wireless for Tech Field Day.  His blog can be found at https://networkingnerd.net/

Leave a Comment