APT Detection Indicators – Part 3

APT Detection Indicators – Part 3: Command & Control Channels

APT Detection Indicators – Part 1
APT Detection Indicators – Part 2

When securing a network most organizations are more concerned with controlling inbound traffic than outbound traffic. However, outbound traffic is a significant risk that is used by malware and targeted attackers as channels for Command and Control (C&C) as well as Data Exfiltration.

APT Detection Indicators - Part 3

Understanding C&C and C&C channels is critical to effectively detect, contain, analyze, and remediate targeted malware incidents. Malware allows attackers to remotely control computers via C&C channels using infected computers. These activities pose a threat to organizations and can be mitigated by detecting and disrupting C&C channels on the network.

This APT Detection Indicators – Part 3 blog describes, as follows:

  • Risks associated with Outbound Traffic
  • Typical Command and Control Channels
  • Techniques used to circumvent controls
  • Methods for detecting and preventing evasion techniques

There is no way to eliminate all risk associated with outbound traffic short of closing all ports since attackers are very creative in hiding their activities testing for available protocols to tunnel and leveraging various obfuscation techniques. However a good understanding of the techniques and risks should enable organizations to detect abnormalities (also see: APT Anomaly Detection) and make informed decisions on improving and fine tuning egress policy.

It is vital to practice heightened operational awareness around critical data and assets. Organizations should segment and wrap critical data within the deeper protection of well monitored infrastructure (also see Adaptive Zone Defense). In addition, layered defensive tactics (multiple layers and means of defense) can prevent security breaches and, buy an organization time to detect and respond to an attack, reducing the consequences of a breach.

A Recap on Malware

Malicious software, also known as malware, has existed for almost as long as computers have been around. A lot of effort has been put into stopping malware over the years but malware still remains a growing pandemic. Everyday, a huge amount of malware is released.

Botnet Army

Command and Control Channel Establishment

Botnets

Botnets consist of computers infected with malware which are called bots. These bots connect to a C&C infrastructure to form a bot network or botnet. The C&C infrastructure allows the attacker to control the bots connected to it. Bots can be instructed to steal user data, (financial) credentials or credit card details from the infected computers. A large group of bots can be used to perform a Distributed Denial of Service (DDoS) attack and bring down a server. Criminals also sell bot access to other criminals.

Targeted Attacks

In the case of a targeted attack the attacker wants to infect a specific organization. This is quite different from the regular botnets described above, where the criminal is not interested in which machines they infect. The goal of a targeted attack can be to steal certain data from the target or sabotage target systems.

This is achieved by infecting one or just a few computers with malware which contacts a C&C server. The C&C server allows the attacker to remotely control the infected computers. The control functionality can be used to infect other computers or search for documents the attacker is interested in. After the data of interest has been found the attacker gives instructions to exfiltrate the data. The exfiltration usually happens via a channel separate from the C&C channel.

Detecting targeted attacks is much harder than detecting untargeted attacks. The malware is only sent to a few targets, making anti-virus detection unlikely, as antivirus vendors are unlikely to obtain a sample of the malware. Detecting the C&C traffic also becomes harder as Intrusion Detection System (IDS) signatures for malware are unlikely to be available and the C&C infrastructure is less likely to appear on any blacklists.

Simple malware may be caught by sandboxes, they are useful pieces in Solving the APT Defense Puzzle. But in the case of targeted attacks the malware authors test their attacks before releasing them. Thus, it becomes more difficult to detect, classify, and attribute APT threats via sandbox-based methods. Thus, detection of targeted attacks relies heavily on heuristics or human inspection as the last line of defense.

Malware C&C Network Protocol Usage

Command and Control channels can vary widely in their complexity. The control infrastructure can range from simple HTTP requests to a malicious domain to more complicated approaches involving the use of resilient peer-to-peer technologies that lack a centralized server and are consequently harder to analyze. A small group of malware uses TLS to encrypt (some of) their communication. It is interesting to note is that almost all of the TLS traffic is described as HTTPS traffic. Furthermore, most of the known samples fail to complete the TLS handshake. This may indicate that the malware does not actually implement TLS, but merely communicates on a port which is normally used for TLS connections which is very typical.

APT CandC Example

Advanced Threat Actor using C&C Channel Example

C&C Channel Detection Techniques

The following are some examples of C&C channels and the techniques used to detect them. We will explore this topic in greater detail in future blogs together with the use of open-source tools.

Blacklisting

A simple technique to limit access to C&C infrastructure is to block access to IP addresses and domains which are known to be used by C&C servers.

Signature based

A popular technique for detecting unwanted network traffic is to use a signature based Intrusion Detection System (IDS). The advantage of signature based detection is that known bot traffic can be easily detected if malware researchers have created a signature. The disadvantage is that bots are often obfuscating or encrypting their traffic which makes it much harder or even impossible to write a signature.

DNS protocol based

Malware needs to know the IP address of the C&C infrastructure to communicate. This address can be hard-coded or it can be retrieved from a  domain name. Using a domain name provides more flexibility as it allows the attacker to change the IP address easily. The infected computer doesn’t even need to have outbound connectivity. As long as it can resolve the host name through a local DNS server that performs recursive lookups on the Internet. DNS has been involved in two recent large-scale breaches that resulted in the compromise of millions of accounts.

Network administrators should look for, as follows:

  • DNS responses which have a low to very low TTL (time to live) value, which is somewhat unusual
  • DNS responses which contain a domain that belonged to one of a long list of dynamic DNS providers
  • DNS queries which were issued more frequently by the client than would be expected given the TTL for that hostname
  • DNS requests for a hostname outside of the local namespace which were responded to with a resource record pointing to an IP address within either 127.0.0.0/8, 0.0.0.0/32, RFC1918 IP space, or anywhere inside the public or private IP space of the organization
  • Consecutive DNS responses for a single unique hostname which contained only a single resource record, but which changed more than twice every 24 hours.

Maintaining a DNS server and C&C server at a fixed address increases the chance that it will be taken down. Therefore, attackers have started using fast-flux domains. These are domains for which the owner rapidly changes the IP address to which a domain points and, optionally, the IP address of the DNS server as well.

IRC protocol based

First generation botnets used Internet Relay Chat (IRC) as a channel to establish a central command and control mechanism. They connect to the IRC servers and channels that have been selected by the attacker and waits for commands. Although the IRC botnets are easy to use, control and manage, they suffer from a central point of failure.

Peer to peer protocol based

To overcome the IRC issue, peer to peer architecture is used in the second generation of botnets where instead of having a central C&C server, the attacker sends a command to one or more bots, and they deliver it to their neighbors. Increasingly the peer to peer (P2P) protocol is being used for C&C channels.

Examples include Zeus v3, TDL v4 (Alureon), and ZeroAccess. A roughly 10x increase in the number of malware samples has been observed using P2P in the past 12 months.

P2P C&C channels are often easily identified by DNS, reverse DNS or passive DNS as they generally do not try to hide – unless they are malicious. Typically all members of a malware P2P swarm have been compromised with the same malware. Detect one and you will quickly identify hundreds of compromised assets.

HTTP protocol based

The second generation implementation leveraging a P2P botnet is difficult and complex. Therefore, attackers have begun to use the centralized C&C model once again, using the HTTP protocol to publish the commands on certain web servers.

The vast majority of malware examined is using HTTP as the C&C protocol. According to Mandiant 83% of all backdoors used by APT attackers are outgoing sessions to TCP port 80 or 443. However, only a few samples use TLS to communicate with the C&C server. All of the TLS malware allows connections to servers with invalid certificates. If the servers indeed use invalid certificates this property could be used to detect these use cases. Similarly, the double connection attempt in the case of an invalid certificate might trigger detection.

The majority of the examined malware uses HTTP based C&C channels. The HTTP requests generated by these malware samples are usually GET  requests with a spoofed User-Agent. Where the majority of malware spoofs the User-Agent of the installed Internet Explorer version. Thus, detecting spoofed User-Agents might provide a method for C&C channel detection.

Here are some indicators that can be used to detect C&C channel sessions simply by passively looking at network traffic:

  • The certificate isn’t signed by a trusted CA
  • The domain names are random (i.e. don’t really exist)
  • Validity period is stated to be exactly one month

Temporal based

A bot regularly has to send traffic to the C&C server in order to able to receive new commands. Such traffic is sent automatically and is usually sent on a regular schedule. The behavior of user-generated traffic is much less regular, thus bots may be detected by measuring this regularity

Anomaly detection

Anomaly detection is based on the assumption that it is possible to build a model of legitimate traffic content. Anomaly detection of network traffic can be a very powerful tool in detecting command & control channels. Unfortunately, to be most effective the baselining (defining what is “good” about the network) should take place before the first compromise. However, some forms of anomaly detection still add tremendous value:

  • Develop a quick set of signatures to ensure that each TCP session on port 80 and 443 consists of valid HTTP or SSL traffic, respectively. Use a tool such as FlowGrep, or review proxy logs for failures. This would be a useful exercise in general for all traffic that is not relayed through an application proxy, and is not blocked from direct access to internet resources.
  • Persistent connections to HTTP servers on the internet, even outside regular office hours should be exceptions not the rule, so valid exceptions can be filtered out, making this a potent mechanism to identify compromises. Is the attacker operating from the same time zone as your organization?
  • Persistent requests for the same file on a remote web server, but using a different parameter can indicate data smuggling over HTTP.

Correlation based

One method to reduce the number of false positives for bot detection is to require several correlated events before raising an alert. This allows the  system to use events which by themselves have a high false positive rate. However, by requiring multiple events the system is able to filter out most false positives. The events may be correlated for a single host or for a group of hosts.

The advantage of using correlations to detects bots is that there are fewer false positives compared to using just the individual events. At the same time, this can be a disadvantage because stealthy bots, which generate just one or two events, may not be detected.

CC Channel Detection

C&C Channel Detection Techniques

Social Networks

In order to defeat social network-based botnets, organizations must think ahead of the attackers. Regardless of the channel, provider, or account, social network messages are in text. Thus, if malware wants to use social networks for their C&C, they would encode their commands textually. Just like legitimate messages may include web links, so might C&C messages (e.g., links for downloading payload).

Web-based Attack/Detection Characteristics

By using an HTTP connection as a communication channel, a web-based malware attack can avoid detection by a firewall and increase the threat of the attack. One of the attack characteristics is its small traffic signature, which also fits perfectly well within the normal traffic flow. Since most firewalls do not filter HTTP traffic, it is therefore not easy to detect any abnormal behavior.

In addition, the fast-flux domain technique allows a fully qualified domain name (FQDN) that points to multiple IP addresses. These IP addresses can be scattered all over the world, making a malicious domain difficult to be tracked and analyzed. Attackers can make a fast-flux domain constantly associate with various IP addresses.

However, a fast-flux domain requiring numerous IPs is a useful characteristic. Detection of fast-flux domain techniques together with the use of connection regularity can be used as the basis for web-based detection. In addition to enhancing the accuracy of detection, it can be used also detect different types of botnet/malware.

Conclusion

By using the results of malware analysis to hone C&C channel detection capabilities, an organization can begin remediating a malware incident. Any identified C&C channels serve as helpful indicators of compromise (IOCs) that can be used to detect other instances of the same or similar malware. IOCs related to C&C include domain names, IP addresses, protocols, and even patterns of bytes seen in network communications, which could represent commands or encoded data. Matt Jonkman’s team regularly publishes updated signatures for known Command and Control channels. If setting up such a system sounds like a bit of work, have a look at BotHunter.

CnC Detection IndicatorsComing Soon

In APT Detection Indicators – Part 4 we will add details to this introduction to C&C Channel detection techniques as well as integrate with the prior introductory APT Detection Indicators – Part 2 discussion of free and open source tools (FOSS) with some hands-on examples developing and using Indicators of Compromise. While the likes of Security Onion, as good as it is, doesn’t provide the same level of functionality one might expect from a commercial product, it still offers certain custom features inherent to those products.

Many commercial vendors are now supplementing detection and alerting with visualization techniques. More and more FOSS tools have been meeting the needs of security visualization practitioners for years. Security Onion includes Squert which in turn makes use of AfterGlow and the graphviz libraries to provide on demand visualizations of captured traffic. Making use of the premise of an attacker scanning from a beachhead host (laterally pivoting), related scanning traffic from the pivot host then presents itself in a tidy visualization.

Thanks for your interest!

Nige the Security Guy.

Advertisements

About secureadvisor
Security Guy

One Response to APT Detection Indicators – Part 3

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: