Security Think Tank: Severing C&C comms is key, but complex

There are several different command and control (C&C) communication techniques used by adversaries to issue instructions remotely and maintain control of an organisation’s compromised systems – a crucial stage in the cyber attack chain (also known as the cyber kill chain).

To interact with a compromised system, communication channels are established between C&C servers and backdoors or other malware.

Using backdoors enables attackers to retain unauthorised access to targeted systems and networks. Multiple backdoors may be exploited simultaneously, adding to the challenge of detecting and disrupting C&C infrastructure. Also, attackers may run multiple C&C servers, so that if one is blocked, communications with the compromised system can be maintained.

By severing C&C communications, organisations can stop attackers from extracting or corrupting data, thereby breaking the cyber attack chain. But this no simple undertaking, as attackers discover new techniques to evade detection and establish communication channels covertly.

To start with the basics, organisations should apply a minimum set of fundamental preventative and detective security controls, such as malware protection, system hardening, patch management, firewall configuration, network monitoring and security event logging. Checking DNS logs, for example, can help organisations identify outbound network connections to malicious servers, such as those associated with botnet C&C servers.    

Organisations should also establish a baseline of normal, acceptable and expected system and network activities. This will help them to distinguish anomalous data flows from standard network traffic and detect communications that deviate from expected protocol behaviour, indicating unauthorised use of network protocols.

To achieve multi-layered protection, organisations should deploy network and endpoint security tools that monitor outbound traffic to identify any devices making contact with C&C servers. Alerts should be triggered whenever potential indicators of compromise or suspicious network communications are detected, so that organisations can determine whether to continue monitoring or otherwise block the C&C activity.

Threat intelligence should also be used to obtain information on known C&C activity, including addresses, tactics and indicators of compromise. This information enables organisations to understand new and evolving C&C techniques and adapt their approach to detection accordingly. Engaging with external parties, such as suppliers, security providers and government agencies, can help organisations to acquire pertinent information.

Detection, alerting and remediation of C&C communications can be a significant challenge, but a focus on defending against C&C traffic is essential to get ahead of attackers before they exfiltrate and exploit your data.