What is MITRE ATT&CK Command & Control (TA0011)?
The world of cybersecurity is vast, and among its many facets is the MITRE ATT&CK framework - a curated knowledge base of tactics and techniques employed by cyber adversaries. One such tactic, often referred to as the 'invisible hand' guiding a cyberattack, is Command & Control (C2).
When cyber attackers compromise a system, they don't just leave it be. They need a way to continuously communicate with that compromised system, instruct it, and retrieve information from it.
Imagine an orchestrator guiding a puppet. The puppet represents the compromised system, while the orchestrator, hidden in the shadows, represents the attacker. The strings connecting the puppet to the orchestrator symbolize the Command & Control channel.
Common Techniques Within Command & Control
- Application Layer Protocol: Here, attackers use standard application protocols to disguise the C2 traffic. Common mediums include HTTP, HTTPS, or SMTP.
- Web Service: Attackers might utilize web services like Twitter, Dropbox, or GitHub to facilitate C2, hiding their tracks among the legitimate traffic.
- Non-Application Layer Protocol: Rather than the application layer, adversaries might use other protocol layers to communicate, such as ICMP.
- Multiband Communication: Using multiple protocols or channels simultaneously for C2 to complicate detection efforts.
- Domain Fronting: This technique sees malicious actors routing their C2 traffic through trusted domains, thus bypassing network-based detections.
- Encrypted Channels: Using encryption, attackers can ensure their C2 communication remains concealed and undeciphered.
Mitigating Command & Control Techniques
- Network Segmentation: Restricting lateral movement within networks can limit the attacker's access to resources.
- Anomaly Detection: Employing tools that spot unusual patterns in traffic can uncover hidden C2 activities. For instance, a sudden spike in data transfers to a rarely contacted IP could be suspicious.
- Multi-factor Authentication (MFA): Requiring multiple forms of authentication can reduce the risk of unauthorized access.
- Endpoint Detection and Response (EDR): Solutions like EDR can actively monitor endpoint activities, providing real-time threat detection and incident response.
- Regular Patching: Keeping all software and systems updated can seal potential vulnerabilities exploited by attackers for C2.
- Application Whitelisting: By permitting only known and trusted applications to run, organizations can block unauthorized apps that might facilitate C2.
- TLS Inspection: Although it's a bit controversial due to privacy concerns, decrypting and inspecting TLS traffic at network boundaries can help detect malicious C2 communication.
How NETSCOUT Helps
Malware can utilize uncommon query types for Command & Control activities, and Omnis Cyber Intelligence (OCI) can detect these abnormalities. OCI can also detect excessive NXDOMAIN responses generated by the malware algorithmically creating connections to its C2 server. This is often done via DNS requests that can bypass firewalls, necessitating an extra layer of protection in order to identify them in real time. If the DNS server is being hijacked, it often creates connections to unknown DNS servers. OCI can detect these new connections and help enterprises stop the adversaries’ DNS hijacking attempts in their tracks.