Maksim Kabakou - Fotolia

Security Think Tank: Strategies for blocking malware comms

As attackers begin to use multiple command and control systems to communicate with backdoors and other malware, how can organisations ensure that they detect such methods and that all C&C systems are removed, including “sleepers” designed to be activated at a future date?

One of the most important aspects for defenders to understand about how to keep bad people out is that attackers need one thing: access. If they don’t have access, either physically or logically, they can’t accomplish their goals of getting into your network to get what they aim for, whether it be for espionage, data theft, exploitation, destruction, and so on. 

From a cyber adversary standpoint, an attacker will often maintain access and persistence in a network by using a technique known as command and control (C&C), which allows an adversary – or their piece of malware – to “call back” to another command server to receive additional instructions or execute certain actions by the adversary, for instance install additional software/malware that can be further used to accomplish the goals of the attacker. 

To combat this, there are many ways that network defenders can prevent command and control traffic within their network. To start, a robust security system should always take into account how to restrict access to only those who need it (authorised) for both physical and logical access. Another policy to practise is often referred to as defence in depth, which layers security controls together so that no one control is the “weak” link if the control fails, which they often do. 

Although we can never guarantee that an adversary cannot gain access to a network, the more layers of security you have in place to prevent a wholesale compromise, the better. A modern assumption for security leaders is that organisations should assume they are compromised and work on hunting for adversaries in their environment. 

However, we should also build multiple speed bumps to slow an attacker down, so that you have a chance to detect it before it becomes a major headache. Detecting and preventing C&C activity is no different.

C&C is vital for an adversary to “talk back” to their control server in order to do more things once they’ve got a foothold within a network. While there are many ways an adversary can establish C&C within a network, often they accomplish this by using malware installed via email spear phishing, generic phishing, or via an infected website drive by download or infected website watering hole attack. 

Once inside, the malware can “call back” immediately to a predetermined location outside the network to receive additional instructions, or sit quietly looking or waiting for certain things to happen. This traffic can be crafted to appear similar to other traffic that regularly goes out of the network using pre-established protocols.

Most of the time, firewalls are not looking for bad stuff on the inside of the network, only from the outside, so it is easier for attackers to send out than it is in. More advanced C&C traffic will use encryption to further obfuscate itself from legitimate traffic.

How can you stop this from happening? There are multiple ways to fight C&C traffic.

First, try to get a baseline of network traffic across the organisation. This may sound daunting, but most networks have consolidation points where network traffic comes in and out of its network. If a network defender analyses the type of traffic going out of the network over a period of time and understands what type of traffic it is, they have a better chance of finding bad things. For this, get a summary of network protocols and look for anomalies. 

Second, look at the destinations that traffic is going to. While it’s not always easy to determine bad traffic, if you are a network defender at a small company that only does business in the UK and there is a lot of traffic to Asia or South America, you may want to explore more. 

There are also quite a few tools that can also help to identify C&C traffic within a network. Most respected malware tools have some form of capability to identify a piece of malware – and those that have C&C capability – on a protected device. They can often spot anomalies in configurations where many of these pieces of malware try to live quietly to operate. 

Because many of the malware tool providers have also layered their toolsets, they have increasing capabilities to use threat intelligence to identify bad things inside a network using intelligence from other sources. They can also analyse the full path of communication on the device they are protecting to help identify open communications ports to known suspicious sites. 

Another way to identify C&C traffic is to use advanced networking equipment that uses security capabilities to identify and prevent this type of traffic from happening. Many tools will analyse packets as they come into the network and quarantine suspicious traffic before it gets to its intended destination.

Although no tool is perfect, by layering your defences and always staying up to date with modern security practices, you have a better chance of keeping adversaries out of your network.

Read more on Hackers and cybercrime prevention

Data Center
Data Management