activecm / rita-legacy

Real Intelligence Threat Analytics (RITA) is a framework for detecting command and control communication through network traffic analysis.
GNU General Public License v3.0

RITA best practices #545

Open bhklimk opened 4 years ago

bhklimk commented 4 years ago

All

While operating in a large SOC, we are trying to use RITA and have seen a tremendous number of potential beacons from the "show beacons" command. What are some best practices for filtering results? From previous experience, we know that popular pentesting tools can have beacons with a score as low as .7. Are there any other insights from the field that could help give focus?

Thanks!

BHK

ethack commented 4 years ago

My best advice is to export the beacon results to a csv file and open it in a spreadsheet program like Excel. This makes it easier to sort based on each column. The overall score takes several metrics into account, but sometimes it's useful to look at individual metrics. We will often sort the results by connection count, but also sometimes skew or dispersion. This document explains these metrics.

You can reduce the number of results in general by double-checking your Filtering section in your config file. You can also play with the DefaultConnectionThresh and ConnectionLimit settings to limit the number of connections between two hosts that you consider to be a "beacon".
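As an added example (not RITA's own code, and not part of the thread), a short Python script that applies the triage approach described above: load a beacon CSV export, drop rows below a score threshold or below a minimum connection count, and sort by connection count or by interval skew. The sample CSV and its column names are constructed assumptions about the export format; check them against your own export before use.

```python
import csv
import io
from typing import Dict, List

# Constructed sample of a beacon CSV export. Column names are an assumption
# about the export format, not copied from the project; the IPs are documentation ranges.
SAMPLE_CSV = """Score,Source IP,Destination IP,Connections,Avg Bytes,Intvl Skew,Intvl Dispersion
0.998,10.0.0.5,203.0.113.10,8640,512,0.001,0
0.902,10.0.0.7,198.51.100.3,45,1024,0.05,2
0.871,10.0.0.5,192.0.2.44,12000,300,0.02,1
0.711,10.0.0.9,203.0.113.22,19,2048,0.2,15
0.655,10.0.0.2,198.51.100.9,300,900,0.4,30
"""


def load_beacons(text: str) -> List[Dict[str, object]]:
    """Parse the CSV export, converting numeric columns so they sort numerically."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "score": float(r["Score"]),
            "src": r["Source IP"],
            "dst": r["Destination IP"],
            "conns": int(r["Connections"]),
            "avg_bytes": int(r["Avg Bytes"]),
            "intvl_skew": float(r["Intvl Skew"]),
            "intvl_dispersion": float(r["Intvl Dispersion"]),
        })
    return rows


def triage(rows, min_score=0.7, min_conns=20, sort_key="conns", descending=True):
    """Keep candidates at or above min_score with at least min_conns connections,
    then sort by one column. Use descending=True for connection count; for skew
    or dispersion use descending=False, since values near zero mean a more
    regular (more beacon-like) pattern."""
    kept = [r for r in rows if r["score"] >= min_score and r["conns"] >= min_conns]
    return sorted(kept, key=lambda r: r[sort_key], reverse=descending)


if __name__ == "__main__":
    # Example run: the 0.7 floor from the question above, most connections first.
    for r in triage(load_beacons(SAMPLE_CSV)):
        print(f"{r['score']:.3f} {r['src']:>10} -> {r['dst']:<14} conns={r['conns']}")
```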