
COMMAND AND CONTROL (C2)

WHAT

An ongoing engagement requires an attacker to maintain a foothold in a target network for an extended period. An attacker will attempt to create an avenue to allow themselves continued access to the environment at any given moment. By establishing a hidden communications channel between their remote servers and compromised systems within the target network, adversaries can conduct internal activity while avoiding detection.

WHY

Some adversaries require a great deal of time with exposure to the victim environment. Depending on the overall intent of a malicious campaign, attacks may span several weeks or months. The time needed to slowly identify and collect sensitive data, or quietly disrupt day-to-day operations, requires undetected access to target systems while operating from remote locations.

HOW

One common method for establishing a command and control tunnel into and out of a compromised network is to send all traffic through a well-known port or protocol. APT39 has used tools that communicate with common protocols—such as HTTP and DNS—that routinely pass back and forth between the internet and internal network segments. Additionally, APT39 has used tools that masquerade as legitimate applications to evade detection of control communication. For example, applications posing as Mozilla Firefox or McAfee components often go undetected.

RVA Attack Analysis

Web Protocols: Most of the successful attempts at establishing communication channels from within the assessed organization’s network utilized ports that are typically associated with standard communication protocols. This use of well-known ports and protocols comprised 42 percent of successful attempts at establishing C2. By using a protocol that is typically allowed through boundary protections, such as HTTP or DNS, the assessment teams can evade common port filtering and potentially avoid detection.

Remote Access Software: The assessment teams used remote tools (15.9 percent of successful attempts) such as the Microsoft Windows Remote Desktop Protocol (RDP) to discreetly manage internal activity and to spread their attack footprint to neighboring systems. The use of known remote management tools can allow attackers to avoid perimeter protocol filters.
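The RDP pattern described above (one foothold fanning out to neighboring systems, with remote management traffic slipping past perimeter filters) leaves a recognizable trace in flow records. The following detection script is an added example written for this page, not part of the RVA report; it runs over constructed flow records in a hypothetical layout (timestamp, source IP, destination IP, destination port, protocol) and treats the RFC 1918 ranges as the internal address space, which is an assumption to adjust per environment.

```python
"""Flag RDP use that looks like footprint spreading rather than admin work.

Constructed flow records only. Assumed record layout (hypothetical):
  <ISO timestamp> <src ip> <dst ip> <dst port> <proto>
Two checks:
  1. fan-out: one source opening RDP to many distinct internal hosts
     within a short window (the lateral movement pattern).
  2. egress: RDP leaving the internal address space at all, which a
     granular egress policy should already block.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

RDP_PORT = 3389

# Assumption: the internal estate is the RFC 1918 space; adjust to taste.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: 10.0.5.17 touches four internal hosts over RDP in
# two minutes and then opens RDP to an outside address; the other hosts
# show ordinary one-to-one sessions.
FLOW_LOG = """\
2024-03-01T11:00:00 10.0.5.17 10.0.5.18 3389 tcp
2024-03-01T11:00:40 10.0.5.17 10.0.5.19 3389 tcp
2024-03-01T11:01:15 10.0.5.17 10.0.5.23 3389 tcp
2024-03-01T11:02:02 10.0.5.17 10.0.7.4 3389 tcp
2024-03-01T11:03:30 10.0.5.17 203.0.113.77 3389 tcp
2024-03-01T11:05:00 10.0.9.2 10.0.9.3 3389 tcp
2024-03-01T11:05:10 10.0.9.2 10.0.9.3 443 tcp
2024-03-01T11:06:00 10.0.9.9 10.0.9.3 3389 tcp
"""


def _records(log_text):
    """Yield (epoch seconds, src, dst, port, proto) per record."""
    for line in log_text.splitlines():
        ts, src, dst, port, proto = line.split()
        yield datetime.fromisoformat(ts).timestamp(), src, dst, int(port), proto


def _internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def rdp_fan_out(log_text, min_targets=3, window_s=600):
    """Return (src, distinct_targets) for sources that reached at least
    min_targets different internal hosts over RDP within window_s seconds."""
    by_src = defaultdict(list)
    for ts, src, dst, port, _ in _records(log_text):
        if port == RDP_PORT and _internal(dst):
            by_src[src].append((ts, dst))
    hits = []
    for src, events in by_src.items():
        events.sort()
        best = 0
        for i, (t0, _) in enumerate(events):
            # Sliding window anchored at event i: distinct targets reached
            # within window_s seconds of it.
            targets = {d for t, d in events[i:] if t - t0 <= window_s}
            best = max(best, len(targets))
        if best >= min_targets:
            hits.append((src, best))
    return hits


def external_rdp(log_text):
    """Return (src, dst) for RDP sessions from inside to outside the estate."""
    return [(src, dst) for _, src, dst, port, _ in _records(log_text)
            if port == RDP_PORT and _internal(src) and not _internal(dst)]


if __name__ == "__main__":
    for src, n in rdp_fan_out(FLOW_LOG):
        print(f"fan-out: {src} opened RDP to {n} internal hosts inside 10 min")
    for src, dst in external_rdp(FLOW_LOG):
        print(f"egress: RDP from {src} to external {dst} (should be blocked)")
```

The fan-out threshold and window are deliberately conservative so that a help-desk host servicing many users does not trip it; tune them against a baseline of legitimate administrative RDP before alerting on the result.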

Impact

The use of undetected control channels to conduct operations remotely, from anywhere in the world, allows adversaries the anonymity and stealth needed to operate on a victim network—uninterrupted—until mission objectives are achieved.

Mitigation/Remediation

  • Prevent applications from storing credential data and change default usernames and passwords where applicable.
  • Periodically review user and application privilege level and search for newly created accounts to identify unauthorized grants of elevated privilege.
  • Configure firewalls with granular ingress and egress rules that block remote access applications from communicating outside the network and permit only the protocols each network segment requires to exit.
  • Deploy signature-based intrusion detection/prevention (IDS/IPS) systems to identify malicious communications traffic at both the network and host levels.
  • Configure systems to prevent the installation and execution of unauthorized applications.
  • Utilize web proxies to limit use of external web services.
  • Implement Secure Sockets Layer (SSL) decryption for web proxies and ensure all internet traffic flows through this mechanism.
  • Monitor cleartext traffic for unusual activities.
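The "Web Protocols" finding above (C2 riding on HTTP and DNS because those protocols pass boundary filters) and the final bullet on monitoring cleartext traffic both come down to the same question: what does C2 look like inside allowed traffic? Two cheap heuristics are timing regularity and DNS label entropy. The script below is an added example for this page, not code from the RVA report or from any vendor; it runs over constructed proxy and DNS log samples in a hypothetical layout (timestamp, source host, destination, and for proxy lines the user agent), and its thresholds are starting points to tune per environment.

```python
"""Two heuristics for C2 hiding inside allowed protocols (HTTP, DNS).

Constructed samples only. Assumed log layouts (hypothetical):
  proxy: <ISO timestamp> <source host> <destination> <user-agent...>
  dns:   <ISO timestamp> <source host> <queried name>
"""
import math
import statistics
from collections import Counter, defaultdict
from datetime import datetime

# Constructed proxy log: ws-17 polls one destination once a minute with a
# browser-looking user agent (a beacon); ws-22 hits a site at irregular,
# human-looking gaps.
PROXY_LOG = """\
2024-03-01T10:00:00 ws-17 203.0.113.10 Mozilla/5.0 (Windows NT 10.0) Firefox/115.0
2024-03-01T10:00:01 ws-17 198.51.100.5 Mozilla/5.0 (Windows NT 10.0) Firefox/115.0
2024-03-01T10:01:00 ws-17 203.0.113.10 Mozilla/5.0 (Windows NT 10.0) Firefox/115.0
2024-03-01T10:02:00 ws-17 203.0.113.10 Mozilla/5.0 (Windows NT 10.0) Firefox/115.0
2024-03-01T10:03:00 ws-17 203.0.113.10 Mozilla/5.0 (Windows NT 10.0) Firefox/115.0
2024-03-01T10:04:01 ws-17 203.0.113.10 Mozilla/5.0 (Windows NT 10.0) Firefox/115.0
2024-03-01T10:00:30 ws-22 198.51.100.5 Mozilla/5.0 (Windows NT 10.0) Firefox/115.0
2024-03-01T10:07:12 ws-22 198.51.100.5 Mozilla/5.0 (Windows NT 10.0) Firefox/115.0
2024-03-01T10:21:45 ws-22 198.51.100.5 Mozilla/5.0 (Windows NT 10.0) Firefox/115.0
2024-03-01T10:22:03 ws-22 198.51.100.5 Mozilla/5.0 (Windows NT 10.0) Firefox/115.0
"""

# Constructed DNS log: two queries carry long hex labels under one zone,
# the trace left by data moving out (or commands coming in) over DNS.
DNS_LOG = """\
2024-03-01T10:00:05 ws-17 www.example.com
2024-03-01T10:00:06 ws-17 updates.example.net
2024-03-01T10:00:07 ws-17 a3f9c1e7b2d48e0f6c1a9b7d3e5f0a2c4b6d8e1f.tunnel.example.org
2024-03-01T10:00:08 ws-17 9e1d7c3b5a2f8e4d6c0b1a9f7e3d5c2b.tunnel.example.org
2024-03-01T10:00:09 ws-22 mail.example.com
"""


def _epoch(ts):
    return datetime.fromisoformat(ts).timestamp()


def find_beacons(log_text, min_hits=4, max_cv=0.1):
    """Return (src, dst, mean_gap_s) for host/destination pairs whose contact
    timing is too regular to be a person: the coefficient of variation of
    the gaps between successive connections is below max_cv."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        ts, src, dst = line.split(maxsplit=3)[:3]
        hits[(src, dst)].append(_epoch(ts))
    beacons = []
    for (src, dst), times in hits.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean < max_cv:
            beacons.append((src, dst, round(mean)))
    return beacons


def _entropy(label):
    """Shannon entropy in bits per character of a DNS label."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_suspicious_dns(log_text, min_label_len=16, min_entropy=3.0):
    """Return (src, qname) for queries whose leftmost label is both long and
    high-entropy; ordinary hostnames are short, low-entropy words."""
    flagged = []
    for line in log_text.splitlines():
        _ts, src, qname = line.split()
        first = qname.split(".")[0]
        if len(first) >= min_label_len and _entropy(first) >= min_entropy:
            flagged.append((src, qname))
    return flagged


if __name__ == "__main__":
    for src, dst, gap in find_beacons(PROXY_LOG):
        print(f"beacon: {src} -> {dst} every ~{gap}s")
    for src, qname in find_suspicious_dns(DNS_LOG):
        print(f"dns tunnel candidate: {src} asked for {qname}")
```

Both checks only work on traffic you can actually see: the beacon check needs per-connection timestamps from the proxy, and the DNS check needs query logging at the resolver, which is why the preceding bullets on routing all web traffic through a decrypting proxy and monitoring cleartext traffic are prerequisites rather than separate items. On real data, expect to exclude known-good domains (CDNs and telemetry endpoints also beacon, and some legitimate services use long hashed labels) before alerting.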
