Command and control traffic: How to stop the threat

When you’re defending a network, an essential piece of keeping threat actors out is denying access. If the bad guys are stuck on the outside, they will remain unable to accomplish their nefarious goals, whether it is theft of data, its destruction or espionage. Attackers have begun utilizing multiple command and control (C&C) systems to communicate with backdoors and other malware to maintain access and persistence in a network, but there are many ways to prevent C&C traffic from leaving a network.

The way C&C works is that the systems allow cyberthreat actors to enable their malware to “call back” to a command server to receive additional instructions to execute new orders such as installing additional malware. Once compromised, it can be difficult to ensure all C&C systems have been removed, especially those that are “sleeping,” slated to be activated at a later date.

Prevention is Key

A security program should ensure that it accounts for how to restrict access to only those who require it. Another policy to practice is to possess several layers of security controls so that no one control can be a “weak” link, in the event that a control fails. Should these controls fail, it’s best to ensure that attackers are met with several layers of security, rather than just one.

No one can ever guarantee their network is inaccessible to hackers and today most security leaders work on the assumption that their organizations are compromised. Their work is twofold: hunting for adversaries within their environment and keeping them out.

C&C traffic is essential for cyber threat actors to get more done once they have acquired access to the network. Threat actors establish this by using malware installed via generic phishing or the email variety, through infected website “drive-by” or “watering hole” attacks. Once within the network, the malware may “call back” immediately or lay dormant within the network until they receive additional instructions from the command center.

The “call back” traffic can look similar to the regular traffic that leaves a network. Firewalls generally are not looking for bad stuff from inside the network, so its easier for attackers to send stuff out than to get stuff in. The really advanced C&C traffic will go the extra step to use encryption to further disguise itself. So just how do you put an end to C&C traffic?

Get a Baseline

The first thing to do is to get a baseline of network traffic across the organization. This may seem like a relatively daunting task, but most networks have consolidation points where network traffic enters and leaves. If you analyze the traffic leaving the network over a period and identify the traffic type, you significantly increase your chance of identifying the bad apples.

Analyze Traffic Destinations

Looking at the destination of the traffic leaving the network can be very telling. For example, if you’re a firm based in Southeast Asia that largely only does business in the region, seeing significant traffic heading toward Europe or the Americas should raise some red flags.

Use the Right Tools

There are several tools that can help identify C&C traffic within a network. Respectable malware tools usually have the capability to identify malware on protected devices, enabling them to spot anomalies in configurations. Many of these tools also utilize layered tool sets, with increasing capabilities to use threat intelligence to identify bad traffic within a network.

Alternatively, advanced networking equipment that leverage security capabilities can be used to identify and prevent C&C traffic from happening. These tools will analyze packets as they enter the network and quarantine suspicious traffic before it reaches its intended destinations.

Ultimately, there is no perfect solution for C&C traffic but layering defenses and constantly staying up-to-date with security practices can go a long way toward keeping networks secure.

Brian Hansen is FS-ISAC Intelligence Officer, Asia-Pacific