Artificial intelligence continues to evolve, but most IT systems still need human intervention to stay operational. Threat actors face the same issue when controlling their malware.
Consider the malware cyber kill chain. Its components have remained the same, but when you dig into the details, many aspects have changed, requiring enterprises to update their protections. Many aspects of scanning for vulnerable systems, propagation, and botnet command-and-control (C&C) networks have become automated, but here, too, many details have changed over the last five years.
Let’s look at how C&C systems have evolved and the steps enterprises should take to protect their operations.
In olden times, when botnets and their C&C servers used Internet Relay Chat (IRC) to communicate, an enterprise could just block the IRC port to break the C&C connection and be done with it. Because IRC traffic was usually unencrypted or exchanged through public IRC servers, enterprises could also easily monitor the connection.
Modern C&C systems rely on new schemes to go beyond IRC connections, including the use of the Internet Control Message Protocol or domain name server tunnels, Simple Mail Transfer Protocol, or even VPN connections, but many network security tools can flag these tactics as potentially malicious. As a result, attackers are adding new alternatives to their C&C tactics, among them the domain generation algorithm (DGA), peer-to-peer (P2P) communications, social media, cloud services and the Tor anonymity network.
It’s as important for an attacker to have a robust C&C as it is for an enterprise to have the means to legitimately protect its endpoints.
An attacker’s goal: Maintain persistence
A C&C network must be reliable enough for a command to get to the majority of the systems in a network, and it must be difficult for targets to identify and block. A C&C network doesn’t need to be 100% reliable, as thousands, hundreds of thousands or even more systems participate in a botnet. For targeted attacks, reliability may be more important.
A C&C server may use multiple layers of misdirection and a variety of methods to establish and maintain network connections. The more challenging it is for a target to identify an infected system, the longer an attacker can maintain persistence on the target’s network. However, maintaining persistence doesn’t mean remaining undetected; rather, it means the attacker can maintain access to achieve his goals.
A common approach to maintaining persistence is to escalate commands. An infected endpoint may have a very simple task as its first command — to connect to a command-and-control server. The system can then command the endpoint to connect to a next-stage C&C, which is where the actual communication can take place or where the endpoint uploads the stolen data, like a dead drop.
The C&C can also use authentication and encryption to make it more difficult to analyze its presence. If, for example, a C&C is created on top of an existing service, it could be difficult for the target to differentiate malicious traffic from legitimate traffic. In high-security environments, side-channels can not only be used to steal targeted data, but they can also host the C&C itself.
With Tor, DGA, social media and P2P communications, it’s easy to see how these services can be abused to create a C&C. DGAs and P2P have been around for a while, but attackers continue to implement them in new malware because of their effectiveness at establishing the first stage of a C&C connection. It’s difficult to block malware from using DGAs unless enterprise security tools can monitor for DGAs in use. In the meantime, Tor has also been used to support an entire C&C mechanism in other malware.
Instagram, Twitter and other cloud services are also favorite targets of malware authors. In many cases, traffic to and from infected websites can traverse enterprise defenses. Additionally, that traffic is often encrypted, so it’s difficult to block or analyze the communications.
In addition, IoT botnets, which include consumer network devices, security cameras and embedded systems, have emerged as a serious threat. Last year’s VPNFilter attack, for example, was reported to have infected more than 500,000 devices worldwide.
Enterprise defenses against command-and-control servers
To combat the evolution of C&C systems, enterprises must use updated tools that address new tactics. Firewalls and network monitoring identify suspicious network traffic that could be a C&C. Some enterprises also employ proxies to control access outside of the local network. These can inspect all traffic, including encrypted traffic, albeit with privacy implications to consider.
Companies with the lowest risk tolerance might go so far as to individually authorize any network connection, implement private virtual LANs to isolate endpoints from each other, and even use host-based firewalls set up to deny all connections except for those it explicitly allows. The level of oversight needed for this approach could be too significant for most enterprises, so admins might want to look at automated systems that rely on AI or machine learning to properly authorize the necessary connections.
Other tactics include funneling endpoint web traffic through a proxy that requires end users to manually authenticate and authorize connections, but this approach could enable users to unintentionally authorize malicious network connections. Proxy servers can be easier to monitor for anomalous network connections, and they can investigate to determine the source of those network connections.
Identifying anomalous network connections is key to identifying command-and-control servers, as few of them mimic human behavior — at least, for now. To that end, enterprises should keep a close eye on cloud services and collaboration services, such as Slack, Box, Dropbox and Salesforce, to determine an appropriate plan to respond if attackers abuse the cloud to create a C&C.
Home users aren’t immune. Endpoint security tools — whether they’re built in by the enterprise, included in consumer-grade home networking devices or provided by the internet service provider (ISP) — must include the ability to block potential C&C connections.
ISPs may be reluctant to block traffic connecting to a known C&C because of customer complaints, but automated triage systems could be used to reduce that burden. ISPs must also implement secure baselines to ensure its consumer devices are free from potential C&C connections.
With any luck, AI will become part of enterprise defenses to combat attackers attempting to orchestrate malicious operations. In the meantime, companies need to keep a close eye on their security platforms, continually updating them in the face of evolving threats and botnets.
It’s unlikely malware will ever go away. Maintaining a consistent security strategy and continually analyzing how attackers are transforming their techniques can help enterprises understand where they need to deploy their defenses — and when.