(And Neutralize Hackers Operating Inside Your Cloud)
What is Command-and-Control?
Within the realm of cybersecurity, Command-and-Control (abbreviated as C2 or C&C) is the means by which attackers remotely control malware or an implant in a victim's network. C2 is an extremely important tool for the attacker in most cases. First, C2 allows the attacker to learn where their malware or implant landed within the victim's network and identify how to move laterally to critical data or systems. Then, C2 allows the attacker to exfiltrate data or deploy additional damaging malware. C2 enables an attacker to utilize a "land-and-expand" approach to turn one exploitable vulnerability into a highly damaging cyber-attack. According to a 2016 article in Computer Weekly, Most cyber security strategies ignore the way attackers really work: "The best attackers use sophisticated tools – or cyber weapons – to compromise machines, to 'land and expand' inside a network, and to steal or destroy information."
Why You Need to Know About Command-and-Control and Defend Against It
Command-and-Control is a critical part of cyber-attacks, thus disruption of C2 presents a great opportunity for defenders to prevent damage from attacks on their networks.
Even with strong defenses, you still need to know about C2. Cybersecurity is Asymmetrical Warfare: the defenders must catch everything 100% of the time while the attackers only need to find one exploitable vulnerability. Therefore, defenders need to realize that the question is not IF they are breached, but WHEN. In pragmatic terms, businesses should not focus 100% of their cybersecurity effort on prevention only at their inbound perimeter. Adhering to the concepts of "Cyber Resilience" and "Defense in Depth" is a better way to holistically defend an organization.
Detecting C2 indicates a breach! C2 traffic will not exist on your network without some intrusion. Various incident response companies indicate that it often takes organizations over 200 days to identify that an intrusion has breached defenses and is active on their network. This is unacceptable when a mechanism to reliably detect C2 traffic can detect a breach from the first C2 network packet.
C2 is a critical component in the vast majority of attacks (see Aside: Are there attacks without C2?). By eliminating C2, you can stop the cyberattack at the very moment it penetrates your network. The absolute first function of C2 is to let the attacker know the initial exploitation technique was successful. If C2 is blocked, the attacker may be unable to determine if the exploitation was successful or prevented by a defense they were unaware existed on the victim's network. The attacker will likely continue to try different vectors to gain access and different C2 mechanisms, but the deterrence caused by stopping all outbound C2 traffic is likely to cause the attacker to move on to another victim.
Aside: Are there attacks without C2?
Some attacks can occur without C2, though these are rare and much more challenging for attackers to execute. An attack without C2 requires the attacker to build into the malware in advance all logic required to inflict intended damage. Occasionally ransomware and computer worms are designed specifically to inflict damage without requiring Command-and-Control. In one such case, SentinelOne's threat researchers found that ransomware Zeoticus 2.0 operates without C2 and stated: "Unusually, there are no connectivity requirements for the payloads to execute. Zeoticus ransomware will execute fully offline, with no dependence on a C2 (Command & Control)." Many forms of ransomware do require C2 in order to exfiltrate data and require the victim to pay for the data return or threaten to leak the data.
Attackers' C2 Methods to Avoid Detection
Attackers strive to evade detection by using Command-and-Control methods that blend in with normal activity and work around any security mechanisms the victim has in place. The MITRE ATT&CK Framework's description of Command-and-Control tactics lists 16 techniques with various sub-techniques. Before layering on additional techniques, attackers must start by making three main tactical decisions:
Inbound vs. Outbound: The attacker needs to determine if the Command-and-Control traffic is going to be initiated by calling inbound to the victim's network or by having the malware implant call outbound to C2 infrastructure. Network and host-based firewalls are almost always much stricter against inbound traffic than outbound traffic, so attackers usually have the implant initiate C2 outbound to infrastructure they control hosted somewhere on the internet.
Protocol Specifics: Attackers need to determine the best way to encapsulate C2 communications within protocols commonly seen on most networks so that it is secure but also blends in. According to MITRE ATT&CK framework C2 tactics, attackers have been observed using HTTPS, FTP, Email, DNS and many more protocols. It is also possible to deliver C2 through removable media or steganography in photos. C2 Infrastructure Hosting: Above we said that threat intelligence to identify the C2 infrastructure is the most widely used method to detect and stop C2 traffic. Attackers understand this and therefore host their C2 infrastructure using different methods to evade this defense. Let's examine a few of the ways a C2 implant can find infrastructure hosted on the internet:
Static IP: Ultimately, an implant on the victim's network needs to communicate with the IP address of the C2 Server. If the C2 infrastructure is hosted at a static IP, then the implant just needs to know that IP. The downside for the attacker is that if they ever need to move that C2 infrastructure to a new IP address, implants pointing to the old IP will not know where to call to and essentially will be "lost" to the attacker.
1 domain, 2 domains, n domains: Attackers can use DNS just like normal developers do: to provide flexibility in where and how the actual resource or site is hosted. Attackers can create implants with a list of any number of domains that the implant can call to for Command-and-Control. The implant can try the domains on the list in any order desired (round-robin, random, etc.) to look for the C2 infrastructure. This allows the attacker to host the C2 site at different domains and IP addresses.
Domain Generation Algorithms: Instead of a static list of n domains, attackers also utilize domain generation algorithms in which the implant will call to domains generated according to the algorithm. The attackers also have the algorithm and know what domains will be called in the near future, allowing them to purchase the domain and host C2 infrastructure behind it in preparation for the implant's C2 callout.
Advanced C2 Domain Tactics: Discussion coming in a future blog post!
Defenders' Methods of C2 Detection
Traffic Pattern Recognition and Packet Inspection
Network defenders currently have several tools and methods at their disposal for detecting and stopping C2 traffic. One method utilized to detect and prevent some C2 traffic is to inspect and identify C2 traffic structure. Patterns in protocol and port usage over time might reveal anomalies when compared to normal traffic.
Unfortunately, attackers have adjusted their tactics to make their traffic look exactly like legitimate traffic. One technique attackers use to conceal their exploitation mechanism is to delay their first C2 attempts for some time (e.g., Windows malware delays coinminer install by a month to evade detection). Another problem with traffic pattern recognition is that end-to-end encryption for protocols such as HTTPS limits the aspects of the traffic that can be examined.
Threat Intelligence on Command-and-Control Servers
The main method being utilized today to detect and prevent C2 traffic is threat intelligence to identify C2 infrastructure. All traffic to and from external destinations known by threat intelligence to be C2 infrastructure can be detected and prevented as malicious C2 traffic. However, the effectiveness of this method is limited to what is already known by threat intelligence and further limited for an organization by what threat intelligence feeds they can obtain and aggregate within their budget. C2 infrastructure locations not yet known to threat intelligence will not be blocked by this method.
Threat intelligence identification of C2 infrastructure is an important tool that defenders have against attackers, but it is reactive and will not stop future threats. The SUNBURST cyber-attack (i.e. the SolarWinds incident) illustrates this. C2 domains utilized by SUNBURST are now known and available (see MANDIANT’s published C2 domains) to prevent further damage from these attackers. However, threat intel at the time didn't stop hundreds of organizations–many with significant defenses–from being hacked.
Attackers understand how defenders use threat intelligence and have developed C2 techniques to avoid being detected by threat intelligence-backed defenses. More on these advanced C2 tactics are coming in a future blog post.
Dart Frog Cyber Stops C2 Traffic in Your Cloud Environment
So with attackers having the upper hand on infiltrating networks, what can be done to stop C2? Dart Frog Cyber's ADEPT technology can stop 99.9% of Command-and-Control traffic in your cloud and data center environments. Why not 100% you ask? Let's be honest, there is a theoretical possibility for malware to communicate using fans, LEDs, or other off-the-wall approaches:
The ADEPT product might be the most effective cybersecurity money you spend; our approach will dramatically increase your security at an incredibly affordable price. Dart Frog Cyber's ADEPT Egress Control technology restricts outbound network activity of cloud workloads in your data centers to only what is required and approved. This prevents C2 communication and protects you against damage from intrusions. Dart Frog Cyber's new approach is advancing the status quo to detect and prevent the next attack! Stay tuned to this blog for details…
About the Author
Tim Brennan is CEO and Founder of Dart Frog Cyber. His passion is using data-driven methods and deep domain expertise in cybersecurity to build powerful cybersecurity products. After his previous startup (Cyber Algorithms) was acquired by Thycotic (now Delinea) he worked four years as a Director of Software Engineering building advanced yet easy-to-use cybersecurity products. Prior to starting Cyber Algorithms, Tim worked as a Cyber Operations Officer and a Data Scientist in the US Intelligence Community.
Comments