Course: Cyber Security

Network Monitoring

Attackers typically need a network to remotely control a target through a Command and Control (C&C or C2) channel. However, some malware comes pre-programmed with payloads that do not require C2 and can compromise even air-gapped networks. Detecting compromises often involves identifying the C2 channel, which can utilize various methods, such as:

  • Communicating over HTTPS so the channel blends in with normal web traffic
  • Using social networks to automatically post and read messages
  • Using platforms like Google Docs as a shared document in which the attacker adds and edits commands for victims to retrieve


The creativity of attackers defines the limits of Command and Control (C2) channels. To counter these clever methods, we often rely on detecting statistical anomalies and discrepancies in network behavior. Network monitoring tools can identify:

  • Long connections that are unusual for certain protocols, like HTTP, which typically doesn’t maintain long connections.
  • Beacons, which C2 uses to signal that a victim is ready for commands; beaconing is also common in legitimate software, so observed beacons should be compared against the patterns expected for that software.
  • Sudden bursts of data that may indicate large uploads or data exfiltration, prompting analysis of the originating application and user.

Defenders can find these anomalies and correlate them with data from the source system. For effective network monitoring, context should be applied to differentiate between noise and signal. For instance, an attack targeting a Windows service from an Internet source trying to exploit a Linux vulnerability might usually be dismissed. However, if the source IP belongs to a trusted internal network or provider, it warrants further investigation, as we don’t want trusted systems engaging in attacks.
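As an added example that is not part of the original lesson, the following script applies the three checks listed above (long HTTP connections, regular beacons, and sudden outbound bursts) to constructed flow records shaped like a typical connection log. The thresholds and all addresses are assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records (not real traffic):
# (timestamp_s, src, dst, service, duration_s, bytes_out)
FLOWS = [
    # host A contacts one server every ~60 s with tiny payloads: beacon-like
    *[(1000 + 60 * i + (i % 3), "10.0.0.5", "203.0.113.9", "http", 0.4, 300)
      for i in range(10)],
    # host B browses normally: irregular timing, varied sizes
    (1005, "10.0.0.7", "198.51.100.2", "http", 0.8, 1500),
    (1190, "10.0.0.7", "198.51.100.2", "http", 2.1, 9000),
    (1210, "10.0.0.7", "198.51.100.2", "http", 0.5, 700),
    (1700, "10.0.0.7", "198.51.100.2", "http", 1.3, 4200),
    # host C keeps one HTTP connection open for two hours: unusual for HTTP
    (1200, "10.0.0.9", "192.0.2.44", "http", 7200.0, 5000),
    # host D pushes 300 MB out in a single flow: possible exfiltration
    (1300, "10.0.0.11", "192.0.2.80", "https", 90.0, 300_000_000),
]

# Assumed thresholds; tune them to the baseline of your own network.
LONG_CONN_SECS = 3600
BURST_BYTES = 100_000_000
MIN_BEACON_FLOWS = 6
MAX_JITTER_RATIO = 0.1   # stdev/mean of inter-arrival gaps; low = machine-like

def find_long_connections(flows, threshold=LONG_CONN_SECS):
    """Flows whose duration is unusual for a short-lived protocol like HTTP."""
    return [f for f in flows if f[3] == "http" and f[4] >= threshold]

def find_bursts(flows, threshold=BURST_BYTES):
    """Single flows that send an unusually large amount of data outbound."""
    return [f for f in flows if f[5] >= threshold]

def find_beacons(flows, min_flows=MIN_BEACON_FLOWS, max_jitter=MAX_JITTER_RATIO):
    """Src/dst pairs whose connection timing is too regular to be human-driven.
    Returns {(src, dst): mean_gap_seconds} for pairs that look like beacons."""
    by_pair = defaultdict(list)
    for ts, src, dst, *_ in flows:
        by_pair[(src, dst)].append(ts)
    hits = {}
    for pair, times in by_pair.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if pstdev(gaps) / mean(gaps) <= max_jitter:
            hits[pair] = round(mean(gaps), 1)
    return hits
```

Each hit is only a lead: the next step, as the lesson says, is to correlate it with the originating application and user on the source host before deciding whether it is signal or noise.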