Attackers typically need a network to remotely control a target through a Command and Control (C&C or C2) channel. However, some malware comes pre-programmed with payloads that do not require C2 and can compromise even air-gapped networks. Detecting compromises often involves identifying the C2 channel, which can utilize various methods, such as:
The creativity of attackers defines the limits of Command and Control (C2) channels. To counter these clever methods, we often rely on detecting statistical anomalies and discrepancies in network behavior. Network monitoring tools can identify:
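One concrete statistical anomaly a monitoring tool can look for is check-in periodicity: an implant that polls its C2 server on a timer produces inter-arrival times with very little spread around their mean, while human-driven traffic is bursty. The script below is an added illustration, not code from the original text; the flow records, addresses and thresholds are constructed for the example.

```python
"""Periodicity-based beacon detection over constructed flow records.

Each record is (timestamp_seconds, src_ip, dst_ip, bytes_out).  A pair of hosts
whose inter-arrival gaps have a low coefficient of variation (stdev / mean)
over enough events is flagged as a beacon candidate.  Thresholds are assumed,
not taken from any product.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: 10.0.0.5 contacts 203.0.113.7 every ~60 s with slight
# jitter (beacon-like); 10.0.0.9 contacts 198.51.100.3 at irregular intervals
# with varying sizes (browsing-like).
FLOWS = [
    (t, "10.0.0.5", "203.0.113.7", 512)
    for t in (0, 61, 119, 181, 240, 301, 359, 420)
] + [
    (t, "10.0.0.9", "198.51.100.3", b)
    for t, b in ((5, 1400), (7, 300), (90, 8000), (95, 200), (400, 1200), (401, 70000))
]


def detect_beacons(flows, min_events=6, max_cv=0.2):
    """Return {(src, dst): stats} for host pairs whose inter-arrival times are
    suspiciously regular.  min_events avoids judging on too few samples;
    max_cv is the largest stdev/mean ratio still treated as "regular"."""
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        by_pair[(src, dst)].append((ts, nbytes))

    hits = {}
    for pair, events in by_pair.items():
        if len(events) < min_events:
            continue
        events.sort()
        gaps = [later[0] - earlier[0] for earlier, later in zip(events, events[1:])]
        mu = mean(gaps)
        if mu == 0:  # all events in the same second: not a timer, skip
            continue
        cv = pstdev(gaps) / mu
        if cv <= max_cv:
            hits[pair] = {
                "events": len(events),
                "mean_gap_s": round(mu, 1),
                "cv": round(cv, 3),
            }
    return hits


if __name__ == "__main__":
    for (src, dst), stats in detect_beacons(FLOWS).items():
        print(f"beacon candidate {src} -> {dst}: {stats}")
```

On the constructed data only the 10.0.0.5 to 203.0.113.7 pair is reported, with a mean gap of 60 s and a coefficient of variation around 0.025; the browsing pair has a coefficient above 1 and is ignored. Real implants add deliberate jitter, so the threshold is a tuning knob rather than a constant, and the result is a lead to correlate with host data, not a verdict.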
Defenders can look for these anomalies and correlate them with data from the source system. For network monitoring to be effective, context must be applied to separate signal from noise. For instance, an Internet source firing a Linux-specific exploit at a Windows host is a mismatch that would usually be dismissed, since the attack cannot succeed. If the source IP belongs to a trusted internal network or provider, however, the same alert warrants investigation: a trusted system should not be launching attacks at all, and one that does may itself be compromised.
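The triage rule just described can be written down directly: enrich each alert with the target's actual operating system and with whether the source falls in a trusted range, and let those two facts decide the outcome. The following is an added example, not code from the original text; the asset inventory, trusted ranges, alert format and sample alerts are all constructed assumptions.

```python
"""Context-aware triage of IDS alerts (constructed data).

Rule: an exploit that matches the target's OS is escalated whatever the source;
an exploit that cannot apply to the target is noise from the Internet but is
worth investigating when it comes from a trusted network, because trusted
hosts are not supposed to attack anything.
"""
import ipaddress
from dataclasses import dataclass

# Assumed asset inventory: OS of each monitored host.
ASSET_OS = {"192.0.2.10": "windows", "192.0.2.20": "linux"}

# Assumed trusted ranges: internal address space plus a partner/provider block.
TRUSTED_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "198.51.100.0/24")
]


@dataclass
class Alert:
    src_ip: str
    dst_ip: str
    signature: str   # free-text label of the rule that fired
    exploit_os: str  # OS the exploited vulnerability actually affects


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def triage(alert: Alert, asset_os=ASSET_OS) -> str:
    """Return one of 'escalate', 'investigate-source', 'noise'."""
    target_os = asset_os.get(alert.dst_ip, "unknown")
    # Unknown targets are treated as applicable: we cannot rule the attack out.
    applicable = target_os == "unknown" or target_os == alert.exploit_os
    if applicable:
        return "escalate"
    if is_trusted(alert.src_ip):
        # Cannot succeed against this target, but the sender should never be
        # attacking: look at the source host, not the victim.
        return "investigate-source"
    return "noise"


# Constructed alerts covering the three outcomes.
ALERTS = [
    Alert("203.0.113.50", "192.0.2.10", "linux-exploit-attempt", "linux"),
    Alert("10.0.4.7", "192.0.2.10", "linux-exploit-attempt", "linux"),
    Alert("203.0.113.50", "192.0.2.20", "linux-exploit-attempt", "linux"),
]


def triage_all(alerts):
    return [(a.src_ip, a.dst_ip, triage(a)) for a in alerts]


if __name__ == "__main__":
    for src, dst, verdict in triage_all(ALERTS):
        print(f"{src} -> {dst}: {verdict}")
```

The first alert (Internet source, Linux exploit against a Windows host) is dropped as noise, the second (same exploit from an internal address) is routed to an investigation of the source host, and the third (Linux exploit against a Linux host) is escalated. The asset inventory is the critical dependency: without it the applicability test degrades to "unknown" and every alert is escalated, which is the safe default but brings the noise back.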