E1: Enter the Maestro – Technical Dialogue


In Episode 1 “Enter the Maestro”, the Hunter uncovers a mysterious band of men stalking some important locations in the Kingdom. These men, hiding in plain sight, are gathering information for perhaps a greater attack. The Hunter tracks them down and determines that they are sending information back to the Maestro, a new mysterious member of the Guild.

Malware is a constant challenge within any organization. Some malware can be innocuous or merely annoying. Other malware can pose serious problems. Command and Control malware allows outside attackers to pass instructions to the malware residing on a host. The malware then executes these instructions for many different purposes. The activity could be an escalation of privileges, gathering system information or leapfrog attacks onto other vulnerable machines. This type of malware can sit unnoticed by many users. Sometimes it is stumbled on; other times anomalous activity on the network can indicate compromise. For example, unusual traffic contacting hosts outside the home network is a sign of beaconing. The communication method used by the men in the story is very similar to the tactics of Command and Control (C&C) malware.

This type of activity does not always immediately indicate data exfiltration but can be the precursor to other types of attacks. In many data breaches seen today, reconnaissance and data gathering activities are typical as the attack unfolds. Identifying these compromises early on is crucial to shutting down a possibly very serious situation. Many recent breaches have been executed by using a C&C attack. Attackers compromise a few, or even just one machine, and then leapfrog to other systems using that compromised machine as the internal launching point. One of the major challenges with identifying these leapfrog attacks is that the internal usage of the system can sometimes look like legitimate network and application traffic.

C&C malware has several common attributes:

  • Installed on local machine through the exploitation of a vulnerability – Most malware will exploit a vulnerability (in some cases 0-day vulnerabilities) to compromise the local machine and install the C&C client.
  • Communicate back to a Command server – The local malware (client) communicates back to a central server for instructions. This communication can use well-known ports and protocols, e.g. DNS, HTTP or others, that are typically allowed through a company firewall.
  • Communications and/or code may be encrypted or obfuscated – Many times, the communications and the actual malware code will be obfuscated to avoid detection. Many different methods are used for this, so relying only on signature-based defenses is not effective. The malware and its communication methods and modes are almost always purposefully built to avoid detection.
  • C&C malware may use known bad hosts, IP ranges or domains – Common, or widely distributed, malware may communicate back to a known bad host. These hosts are usually identified through prior compromises or code analysis and communicated through threat intelligence feeds.
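The two network-side attributes above, periodic check-ins to a Command server and contact with hosts from a threat-intelligence feed, can be turned into simple detection logic. The following is an added example, not code from the RSA blog post or any product it describes; the log format, host names and the known-bad list are all constructed placeholders.

```python
# Added example (not from the RSA blog post): a small beaconing detector.
# It groups constructed outbound-connection log lines by (source, destination)
# and flags destinations on a constructed known-bad list or contacted at
# near-regular intervals, the periodic pattern C&C check-ins tend to show.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, one "<timestamp> <src> <dst> <proto>" per line.
SAMPLE_LOG = """\
2024-03-01T09:00:02 ws-17 updates.example.net https
2024-03-01T09:00:05 ws-17 203.0.113.44 https
2024-03-01T09:10:04 ws-17 203.0.113.44 https
2024-03-01T09:30:05 ws-17 203.0.113.44 https
2024-03-01T09:20:03 ws-17 203.0.113.44 https
2024-03-01T09:40:04 ws-17 203.0.113.44 https
2024-03-01T10:15:30 ws-22 bad-c2.example.org dns
"""

# Constructed stand-in for a threat-intelligence feed (placeholder names).
KNOWN_BAD = {"bad-c2.example.org"}

def parse_log(text):
    """Return {(src, dst): [datetime, ...]} from the log text."""
    seen = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, _proto = line.split()
        seen[(src, dst)].append(datetime.fromisoformat(ts))
    return seen

def find_beacons(text, min_hits=4, max_jitter=0.1):
    """Flag a (src, dst) pair when dst is a known bad host, or when it was
    contacted at least min_hits times with inter-arrival times whose
    relative standard deviation is at most max_jitter (i.e. near-periodic)."""
    alerts = []
    for (src, dst), times in parse_log(text).items():
        if dst in KNOWN_BAD:
            alerts.append((src, dst, "known bad host"))
            continue
        if len(times) < min_hits:
            continue
        times.sort()  # log lines may arrive out of order
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            alerts.append((src, dst, f"periodic every ~{avg:.0f}s"))
    return alerts

if __name__ == "__main__":
    print(find_beacons(SAMPLE_LOG))
```

Real beacons add random jitter and may blend into legitimate traffic, so in practice the jitter threshold and minimum hit count are tuned per environment and combined with the other attributes listed above rather than used alone.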

Episode #1 “Enter the Maestro” highlights several of these elements:

  • The men are lurking in key points in the kingdom gathering information.
  • The men send daily reports back to the Maestro mimicking C&C malware beaconing back to the central server.
  • The communications are encrypted and therefore the information being sent back to the Command server is obfuscated.
  • The location of the Maestro (the Command server) is a location outside the Kingdom and beyond the reach of the Hunter indicating a possible threat actor.

Organizations must constantly be on the lookout for these types of behaviors. Some critical capabilities are necessary to deal with C&C attacks:

  1. Network and endpoint monitoring that is constant and comprehensive, including capabilities such as full-packet capture and behavior-based threat detection on hosts.
  2. Advanced analytics that can sift through massive amounts of information, such as network traffic, in near-real time to spot suspicious behaviors and accelerate investigations.
  3. Malware analysis using methods that don’t rely on file signatures and go straight to the actual behavior of executables, whether collected on the network or endpoints, to detect hostile activity.
  4. Incident detection and response practices that align security personnel, processes, and technologies to streamline and accelerate workflows so security operations teams can spend less time on routine tasks and more time defending high-priority assets and addressing the riskiest threats.

Come back on Tuesday for the next episode

The post E1: Enter the Maestro – Technical Dialogue appeared first on Speaking of Security - The RSA Blog and Podcast.
