Command and control

Command and control (C2) in the context of cybersecurity refers to the stage in a cyber attack where attackers establish a centralized infrastructure to communicate with and control compromised systems or devices within a targeted network.
  • A study by Palo Alto Networks found that over 90% of detected malware used some form of C2 communication to report back to the attacker.
  • According to Verizon's Data Breach Investigations Report, nearly 70% of breaches involved some form of C2 activity, highlighting its role in cyber attacks.

Command and Control (C2) communications are pivotal for attackers to maintain control over compromised systems, directing them to execute malicious activities or exfiltrate data. These communications represent a critical phase in the attack lifecycle, enabling persistent, stealthy access to the victim's environment. This guide emphasizes the importance of identifying and disrupting C2 communications to mitigate threats and safeguard organizational assets.

Understanding How Attackers Use Command and Control Channels

In any network-based attack, the attacker relies on a command-and-control channel (C2) to carry out their actions. By deploying malicious software on a host machine, they establish a connection with an external server. The key point is that the instructions received from the external server dictate the actions taken by the infected host machine, which is what allows the attacker to progress their attack.

Command-and-control tools, such as Cobalt Strike and Metasploit, are commonly used by attackers. These tools support encryption of the channel and employ techniques like domain fronting and session jitter to evade detection.

Detecting Command and Control Regardless of Encryption

Vectra AI takes a different approach to detecting command-and-control channels. Regardless of encryption or evasion techniques, Vectra's security-led approach ensures detection. Rather than relying on a math-led approach, Vectra's security research team focuses on behavior patterns.

Upon studying the behavior of a command-and-control channel, Vectra's team identified that the clearest indicators lie in the shape of network traffic over time. By analyzing this time-series data, Vectra's data scientists employed deep learning models, specifically LSTM (long short-term memory), which excel at understanding events at different timescales. This allows Vectra to effectively identify the nature of a command and control conversation, regardless of the specific tools used.

What does normal traffic look like?

Consider a representative example of benign traffic from an external system below.

Example of benign beacon data transfer traffic.

In the above example, we see a host machine sending regular signals to an external server. These signals, known as beacons, are commonly used by various services to keep systems connected and communicate effectively.

However, beacons can also be exploited for malicious purposes. It's important to understand the subtle differences between a legitimate use of beacons, such as in stock tickers or chat apps, and when they are used for malicious command-and-control channels.

What does suspicious traffic look like?

Let's explore a specific case of a malicious encrypted tunnel to better grasp the concept:

Example of malicious command and control data transfer traffic.

Do you observe the distinct patterns in the graph above? These spikes indicate the attacker's commands being sent and the infected system's response. The initial spike in "receive bytes" occurs without any prompt and is immediately followed by the infected machine's reaction.

By analyzing these patterns, Vectra's data scientists have discovered an effective way to recognize this behavior. The time-series data that represents the command-and-control channel behavior shares similarities with the data used in speech recognition and natural language processing. This similarity has led the team to adopt a deep learning model for identification.

Vectra utilizes a powerful type of neural network known as an LSTM (long short-term memory) to detect attack behavior. This specialized architecture is adept at analyzing events across multiple timeframes, allowing for a comprehensive understanding of command and control conversation data. The LSTM is trained on a diverse range of real and algorithmically generated samples, capturing various scenarios, tools, configurations, and environments. As a result, the model is able to identify the overarching patterns indicative of a control channel, regardless of the specific tools employed.

Vectra uses recurrent neural networks to differentiate malicious command and control communication from benign beacons.

The algorithmic approach used in this analysis was made possible because of how Vectra formats network session data. While Vectra can provide Zeek-like metadata, its custom parser goes beyond standard Zeek capabilities by offering sub-second interval parsing of network communications. This level of detail allows for clear visibility into both benign and malicious communications, enabling Vectra's data science teams to utilize the most effective algorithms for a wide range of problems.
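An added example, not Vectra's code or parser, that shows in Python what the two ideas above look like in data: per-packet session records are binned into sub-second intervals, and the receive-then-respond spike pattern from the malicious graph is flagged against the baseline set by regular beacons. The sample records, the 0.5 s interval, the lookback/lookahead windows and the burst factor are constructed for illustration; a deployed detector learns such patterns from real traffic, as the LSTM described above does.

```python
from collections import defaultdict
from statistics import median

# Constructed sample records: (seconds, direction, bytes). "in" is traffic the
# host receives from the external server, "out" is what the host sends.
def beacon(period=5, end=60):
    """Host beacons every `period` seconds; the server answers with a small reply."""
    return [r for t in range(0, end, period)
            for r in ((t, "out", 120), (t + 0.1, "in", 60))]

BENIGN_BEACON = beacon()
# Same beacon, plus an unprompted 4 KB inbound command at 22.3 s that the host
# answers with a 90 KB outbound response at 22.9 s (the spike pattern above).
C2_TUNNEL = beacon() + [(22.3, "in", 4096), (22.9, "out", 90000)]

def bin_bytes(records, interval=0.5):
    """Aggregate records into fixed sub-second bins.
    Returns a sorted list of (bin_start, in_bytes, out_bytes), empty bins included."""
    bins = defaultdict(lambda: [0, 0])
    for t, direction, nbytes in records:
        bins[int(t // interval)][0 if direction == "in" else 1] += nbytes
    last = max(bins) if bins else -1
    return [(i * interval, bins[i][0], bins[i][1]) for i in range(last + 1)]

def unprompted_bursts(series, lookback=2, lookahead=3, factor=3.0):
    """Flag bins where an inbound burst arrives with no outbound traffic in the
    same or the preceding `lookback` bins (i.e. it was not a reply to a beacon),
    and the host then sends an outbound burst within `lookahead` bins.
    A burst is `factor` times the median of the nonzero bins in that direction,
    so the regular beacon itself sets the baseline rather than a fixed byte count."""
    in_base = median([b[1] for b in series if b[1] > 0] or [1])
    out_base = median([b[2] for b in series if b[2] > 0] or [1])
    hits = []
    for i, (start, in_b, _) in enumerate(series):
        if in_b < factor * in_base:
            continue
        prompted = any(series[j][2] > 0 for j in range(max(0, i - lookback), i + 1))
        if prompted:
            continue
        reply = sum(series[j][2] for j in range(i + 1, min(len(series), i + 1 + lookahead)))
        if reply >= factor * out_base:
            hits.append((start, in_b, reply))
    return hits

if __name__ == "__main__":
    print("benign:", unprompted_bursts(bin_bytes(BENIGN_BEACON)))   # []
    print("c2    :", unprompted_bursts(bin_bytes(C2_TUNNEL)))       # [(22.0, 4096, 90000)]
```

The benign series produces no hits because every inbound reply lands in the same bin as the beacon that prompted it, while the tunnel series yields one hit at the 22.0 s bin.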

The combination of unique metadata and sophisticated algorithms allows Vectra to effectively identify attackers. By focusing on the communication data itself, rather than just surface-level signals, this approach remains resilient against changes in attacker tools and even encrypted traffic. Additionally, the clear behavior signal eliminates the need for suppression filters that may inadvertently filter out important information or stealthy attacker actions.

Vectra detection for an encrypted command and control channel (Hidden Tunnel).

Command and Control communications are a cornerstone of cyber attacks, necessitating proactive detection and disruption strategies. Vectra AI offers advanced solutions that empower security teams to detect, investigate, and neutralize C2 threats in real-time. Contact us today to enhance your defense against sophisticated cyber adversaries and protect your critical assets.
