C2 Understanding - Odt
source:
https://searchsecurity.techtarget.com/feature/Command-and-control-servers-The-puppet-masters-that-govern-malware
1. Phase
- Because many companies still allow unfiltered outbound access over the well-known ports used for HTTP,
HTTPS, FTP and Secure Shell (SSH), malware operators have adjusted their methods to tunnel their C2
communications over these ports, where the traffic blends in with legitimate use.
- The beacon is the malware's initial check-in with the C2 server. When the attackers receive it, they can
change or otherwise manipulate the instructions sent back to the malware. To keep the initial payload
small, many malware samples beacon on first execution and wait for the response before doing anything else.
- The attackers will attempt to move laterally within the target network to infect additional hosts, so
that if one system is identified as infected they still keep access through the others.
- Remote access Trojans, such as ShadyRAT, IOC and others, are examples of remote administration toolkits
used for interactive command and control. Not all malware packages are as full-featured as RATs; many
only fetch and run the instructions returned to the beacon.
2. Shadow network
- Command-and-control is the sixth of the seven phases identified in the Cyber Kill Chain. The five
phases before it (Figure 2) are preparatory steps leading up to the delivery and execution of the
command-and-control malware.
- Command-and-control operators often route their communications through multiple hosts and use
dynamic DNS registrations to further hide their actions -- and keep their systems highly available.
- Several indicators can be identified by analysing potential malware in a sandbox or in a live
environment. The analysis can be done with freely available tools, such as Cuckoo Sandbox, or by
capturing the traffic from the infected system with tcpdump or Wireshark and looking for the beacon.
- A lot of command-and-control programs communicate using direct-to-IP-address HTTP requests: the
request is sent straight to the server's IP address (which also appears in the HTTP Host header) without
any DNS lookup of a host name. Most users and applications do not address Internet sites by IP -- it is
easier to use host names or URLs, which let the IP address change as needed -- so a client that does is
worth a look.
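The two network-side indicators described so far, the periodic beacon (section 1) and direct-to-IP HTTP requests (above), can both be pulled out of an HTTP proxy log. The following is an added example, not code from the article or from any product it mentions. It runs over a constructed proxy log (the format, the client and server addresses and the paths are all made up for the example) and flags requests whose Host header is an IP literal, then looks for client-to-host pairs that check in at a near-constant interval. The `min_hits` and `max_jitter` thresholds are arbitrary starting values, not figures from the article.

```python
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log (not real traffic). One request per line:
# "<ISO timestamp> <client IP> <method> <Host header> <path>"
SAMPLE_PROXY_LOG = """\
2024-03-01T09:00:00 10.0.0.15 GET 203.0.113.7 /update.php
2024-03-01T09:00:03 10.0.0.15 GET www.example.com /index.html
2024-03-01T09:05:00 10.0.0.15 GET 203.0.113.7 /update.php
2024-03-01T09:10:01 10.0.0.15 GET 203.0.113.7 /update.php
2024-03-01T09:14:59 10.0.0.15 GET 203.0.113.7 /update.php
2024-03-01T09:20:00 10.0.0.15 GET 203.0.113.7 /update.php
2024-03-01T09:01:10 10.0.0.22 GET [2001:db8::10]:8443 /cdn/lib.js
2024-03-01T09:02:40 10.0.0.22 GET static.example.net /img/logo.png
2024-03-01T09:30:00 10.0.0.22 GET static.example.net /img/logo.png
"""


def parse_proxy_log(text):
    """Split the constructed log format into records with a datetime timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, method, host, path = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "src": src,
                        "method": method, "host": host, "path": path})
    return records


def host_without_port(host):
    """Strip an optional :port; bracketed IPv6 literals (RFC 3986) are handled too."""
    if host.startswith("["):                 # e.g. [2001:db8::10]:8443
        return host[1:host.index("]")]
    if host.count(":") == 1:                 # e.g. 203.0.113.7:8080 or name.example:8080
        return host.rsplit(":", 1)[0]
    return host                              # plain name, or a bare IPv6 literal


def is_direct_to_ip(host):
    """True when the Host header is an IP literal, i.e. no DNS lookup was needed."""
    try:
        ipaddress.ip_address(host_without_port(host))
        return True
    except ValueError:
        return False


def find_direct_to_ip(text):
    """All requests whose Host header is an IP literal rather than a name."""
    return [r for r in parse_proxy_log(text) if is_direct_to_ip(r["host"])]


def find_beacons(text, min_hits=4, max_jitter=0.10):
    """Flag (client, host) pairs that check in at a near-constant interval.

    A pair is reported when it has at least min_hits requests and the spread of
    the gaps between them (population stdev / mean) is at most max_jitter.
    """
    by_pair = defaultdict(list)
    for r in parse_proxy_log(text):
        by_pair[(r["src"], r["host"])].append(r["ts"])
    beacons = []
    for (src, host), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:                        # identical timestamps: a burst, not a beacon
            continue
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            beacons.append({"src": src, "host": host, "hits": len(stamps),
                            "mean_interval_s": mean, "jitter": jitter})
    return beacons


if __name__ == "__main__":
    for r in find_direct_to_ip(SAMPLE_PROXY_LOG):
        print("direct-to-IP:", r["src"], "->", r["host"], r["path"])
    for b in find_beacons(SAMPLE_PROXY_LOG):
        print("beacon: %s -> %s every %.0fs (%d hits, jitter %.3f)"
              % (b["src"], b["host"], b["mean_interval_s"], b["hits"], b["jitter"]))
```

On the sample log the direct-to-IP check picks out both clients (one IPv4 Host header, one bracketed IPv6 literal with a port), while only 10.0.0.15 is reported as beaconing: five requests to 203.0.113.7 roughly every 300 seconds. A low-jitter interval is only a starting heuristic; implants that randomise their sleep time will need a wider `max_jitter` and confirmation from the host-side analysis the article describes.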
3. Communication techniques
- One popular command-and-control communications technique is to resolve the C2 domain through publicly
available DNS servers rather than the resolvers inside the private network, which keeps the lookup out
of the internal DNS logs. Combined with dynamic DNS, this is the stealthiest approach and is difficult
to catch without other IOCs.
- Identification of a malicious program involves system- and network-level analysis to determine
how the malware communicates and which program on the system is generating the suspicious
traffic.
- Isolating a "suspect" computer to capture and analyze its network behavior, and correlating that
information with logs from DNS and proxy systems, can be extremely useful.
- evaluated and terminated to begin isolating system processes and the communication they generate.
For instance, connection attempts to external DNS servers, or over nonstandard ports through a firewall,
are suspicious traffic that may indicate an infection.
- Cutting off these communications is the first step in remediating an infection from a command-and-
control network. Each infected system then needs to be cleaned and updated to prevent reinfection.
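The firewall-side checks from the last bullets (connection attempts to external DNS servers, and connections over nonstandard ports), together with the public-DNS technique from the start of this section, can be scripted against a firewall connection log and correlated per host, which is the "correlating that information with logs" step the notes recommend. The following is an added example, not code from the article or from any tool it names. The internal resolver addresses, the set of allowed outbound ports (the HTTP, HTTPS, FTP and SSH ports from section 1) and the internal address range are assumptions for the example, and the log lines are constructed.

```python
import ipaddress
from collections import defaultdict

# Assumed site facts for this example: the resolvers every host should use, the
# outbound ports the firewall is expected to pass, and the internal range.
INTERNAL_RESOLVERS = {"10.0.0.2", "10.0.0.3"}
ALLOWED_OUTBOUND_PORTS = {21, 22, 80, 443}
INTERNAL_NET = "10.0.0.0/8"

# Constructed firewall log (not real traffic). One connection attempt per line:
# "<ISO timestamp> <src IP> <dst IP> <proto> <dst port> <allow|deny>"
SAMPLE_FW_LOG = """\
2024-03-01T09:00:01 10.0.0.15 10.0.0.2 udp 53 allow
2024-03-01T09:00:02 10.0.0.15 198.51.100.53 udp 53 allow
2024-03-01T09:00:05 10.0.0.15 203.0.113.7 tcp 443 allow
2024-03-01T09:01:00 10.0.0.15 203.0.113.7 tcp 6667 deny
2024-03-01T09:01:30 10.0.0.22 10.0.0.2 udp 53 allow
2024-03-01T09:01:31 10.0.0.22 203.0.113.40 tcp 443 allow
2024-03-01T09:02:00 10.0.0.31 198.51.100.53 udp 53 allow
2024-03-01T09:02:10 10.0.0.31 10.0.0.9 tcp 445 allow
2024-03-01T09:03:00 10.0.0.40 203.0.113.77 tcp 4444 deny
"""


def parse_fw_log(text):
    """Split the constructed log format into records; the port becomes an int."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport, action = line.split()
        records.append({"ts": ts, "src": src, "dst": dst, "proto": proto,
                        "dport": int(dport), "action": action})
    return records


def triage(text, internal_resolvers=INTERNAL_RESOLVERS,
           allowed_ports=ALLOWED_OUTBOUND_PORTS, internal_net=INTERNAL_NET):
    """Return [(src, findings)] with the hosts showing the most independent
    indicators first. Denied attempts count as well: the attempt is the signal.

    external_dns      - DNS (port 53) sent to any server outside the approved resolvers
    nonstandard_ports - outbound connections to ports the firewall is not meant to pass
    """
    net = ipaddress.ip_network(internal_net)
    findings = defaultdict(lambda: {"external_dns": [], "nonstandard_ports": []})
    for r in parse_fw_log(text):
        if r["dport"] == 53 and r["dst"] not in internal_resolvers:
            findings[r["src"]]["external_dns"].append(r["dst"])
        elif (ipaddress.ip_address(r["dst"]) not in net
              and r["dport"] not in allowed_ports):
            findings[r["src"]]["nonstandard_ports"].append(
                f'{r["dst"]}:{r["dport"]}/{r["proto"]}')
    # Rank by how many distinct indicator types fired, then by address for stability.
    return sorted(findings.items(),
                  key=lambda kv: (-sum(1 for v in kv[1].values() if v), kv[0]))


if __name__ == "__main__":
    for src, f in triage(SAMPLE_FW_LOG):
        print(src, "external DNS:", f["external_dns"],
              "nonstandard ports:", f["nonstandard_ports"])
```

On the sample log 10.0.0.15 ranks first because two independent indicators fire for it (a lookup sent to an outside resolver and an IRC-port attempt that the firewall denied), 10.0.0.31 and 10.0.0.40 each show one, and 10.0.0.22 is clean. The internal SMB connection from 10.0.0.31 is deliberately not flagged here; it is a lateral-movement question for host-level analysis rather than an egress one.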
Acronyms:
RAT: remote access Trojan (also remote administration tool)
C2 = C&C: command-and-control
IOC: indicator of compromise