Most malware these days has some level of Command and Control. This can be to exfiltrate data, tell the malware what instructions to execute next, or download encryption keys in the case of ransomware.
In each case of command and control, the attacker is accessing the network from a remote location. Having insight into what is happening on the network is going to be crucial in addressing these techniques.
In many cases, having a properly configured firewall to limit what data can leave endpoints, as well as the network, will help. While some malware families will try and hide traffic on unusually high network ports, others will also use ports like 80 and 443 to try and blend into the noise of the network.
In this case, you’ll want to use a perimeter firewall that brings in threat intelligence data to identify malicious URLs and IP addresses. This won’t stop all attacks but it can help filter out some commodity malware.
If the perimeter firewall cannot consume threat intelligence, then the firewall and/or perimeter logs should be sent to a centralized logging server that can consume that level of data for further analysis. Tools like Splunk or the ELK stack are a great resource for identifying malicious command and control traffic.
Running network traffic through Bro IDS is another option in trying to find anomalous network behavior, again sending the logs into Splunk or ELK for further analysis.
Proper network segmentation is also going to help in this case. I like to provide the example of credit card scraping malware and how network segmentation can help.
Point-of-sale (POS) machines have predictable configurations and will only talk to predictable locations on the local network, as well as the Internet, if necessary. Should a piece of malware end up on a point of sale machine, the malware can scrape the memory all it wants.
If the network is properly segmented, the scraped credit card data will not be allowed anywhere of value to the attacker.
Properly mitigating these techniques is going to rely on proper network architecture, as well as following basic and foundational controls. Since this is usually the last stage of an attack, ideally there are other mechanisms in place to mitigate or detect the attack in place.
However, don’t let that stop you from spending time working on addressing any gaps in the command and control coverage.
Read more about the MITRE ATT&CK Framework here:
- The MITRE ATT&CK Framework: Initial Access
- The MITRE ATT&CK Framework: Execution
- The MITRE ATT&CK Framework: Persistence
- The MITRE ATT&CK Framework: Privilege Escalation
- The MITRE ATT&CK Framework: Defense Evasion
- The MITRE ATT&CK Framework: Credential Access
- The MITRE ATT&CK Framework: Discovery
- The MITRE ATT&CK Framework: Lateral Movement
- The MITRE ATT&CK Framework: Collection
- The MITRE ATT&CK Framework: Exfiltration
- The MITRE ATT&CK Framework: Command and Control