New Detection Method Uses Hackers’ Own Jitter Patterns Against Them

Cybersecurity experts at Varonis Threat Labs have identified a clever new way to spot hidden cyberattacks, even those used by highly skilled state-sponsored groups and criminal gangs.

Their new technique, called Jitter-Trap, focuses on identifying patterns of randomness that hackers use to stay secret. This fresh approach aims to catch a tricky part of cyberattacks known as “post-exploitation and C2 communication.”

For your information, attackers often use special software, or beacons, that send signals back to their control centers. These beacons are designed to be hard to find by using random timings, like a heartbeat that speeds up and slows down without a clear pattern.

The Jitter-Trap method flips this idea altogether. Instead of getting fooled by the randomness, Varonis’s research shows that this very randomness creates its own unique fingerprint that security teams can detect.

These beacons are part of larger hacking tools, sometimes called post-exploitation frameworks, such as Cobalt Strike or Sliver. While these tools can be used for good purposes, like testing security, criminals may use them to quietly stay inside a network, steal data, or take over computers. These advanced tools include ways to hide their activity by making their network traffic look like normal internet use, for example, a harmless Microsoft update or a common website visit.

Traditionally, security teams look for known bad files, unusual user actions, or specific network patterns to find these hidden threats. However, hackers are always updating their methods, making it easy to bypass old detection rules or create new ways to avoid being caught. Varonis’s Jitter-Trap specifically looks at how beacons communicate, as per their blog post, shared with Hackread.com.

When these beacons check in with their operators, they use a sleep time and a jitter setting. The sleep is how long they wait between checks, and jitter adds randomness to this wait time. While many legitimate online services also use regular checks, the specific type of randomness created by a beacon’s jitter settings is usually unique.

Moreover, Varonis found that even though jitter is meant to hide activity, the random timings it produces, especially over longer periods, form a recognizable pattern, like a uniform distribution, that is uncommon in normal network traffic. This allows security experts to identify these subtle differences. The technique also applies to other random elements, such as the size of data being sent or the way web addresses (URLs) are generated.

This detection method helps security professionals better defend against advanced threats. By looking for these specific random patterns, organizations can spot and stop hidden cyber activity more effectively, using the attackers’ own evasion techniques against them.