APT Detection Indicators – Part 3: Command & Control Channels

APT Detection Indicators – Part 1
APT Detection Indicators – Part 2

When securing a network, most organizations are more concerned with controlling inbound traffic than outbound traffic. However, outbound traffic is a significant risk: malware and targeted attackers use it as the channel for Command and Control (C&C) as well as for data exfiltration.

Understanding C&C and C&C channels is critical to effectively detect, contain, analyze, and remediate targeted malware incidents. Malware gives attackers remote control of the infected computers via C&C channels. These activities pose a threat to organizations and can be mitigated by detecting and disrupting C&C channels on the network.

This APT Detection Indicators – Part 3 blog describes:

  • Risks associated with Outbound Traffic
  • Typical Command and Control Channels
  • Techniques used to circumvent controls
  • Methods for detecting and preventing evasion techniques

There is no way to eliminate all risk associated with outbound traffic short of closing all ports, since attackers are very creative in hiding their activities, testing for protocols that are allowed out so they can tunnel over them, and leveraging various obfuscation techniques. However, a good understanding of the techniques and risks should enable organizations to detect abnormalities (also see: APT Anomaly Detection) and make informed decisions on improving and fine-tuning egress policy.

It is vital to practice heightened operational awareness around critical data and assets. Organizations should segment and wrap critical data within the deeper protection of well-monitored infrastructure (also see Adaptive Zone Defense). In addition, layered defensive tactics (multiple layers and means of defense) can prevent security breaches and buy an organization time to detect and respond to an attack, reducing the consequences of a breach.

A Recap on Malware

Malicious software, also known as malware, has existed for almost as long as computers have been around. A lot of effort has been put into stopping malware over the years, but malware still remains a growing pandemic. Every day, a huge amount of new malware is released.

Command and Control Channel Establishment

Botnets consist of computers infected with malware, which are called bots. These bots connect to a C&C infrastructure to form a bot network, or botnet. The C&C infrastructure allows the attacker to control the bots connected to it. Bots can be instructed to steal user data, (financial) credentials or credit card details from the infected computers. A large group of bots can be used to perform a Distributed Denial of Service (DDoS) attack and bring down a server. Criminals also sell bot access to other criminals.

Targeted Attacks

In the case of a targeted attack the attacker wants to infect a specific organization. This is quite different from the regular botnets described above, where the criminal is not interested in which machines they infect. The goal of a targeted attack can be to steal certain data from the target or to sabotage target systems.

This is achieved by infecting one or just a few computers with malware which contacts a C&C server. The C&C server allows the attacker to remotely control the infected computers. The control functionality can be used to infect other computers or to search for documents the attacker is interested in. After the data of interest has been found the attacker gives instructions to exfiltrate the data. The exfiltration usually happens via a channel separate from the C&C channel, so detecting one does not necessarily reveal the other.

Detecting targeted attacks is much harder than detecting untargeted attacks. The malware is only sent to a few targets, making anti-virus detection unlikely, as anti-virus vendors are unlikely to obtain a sample of the malware. Detecting the C&C traffic also becomes harder, as Intrusion Detection System (IDS) signatures for the malware are unlikely to be available and the C&C infrastructure is less likely to appear on any blacklists.

Simple malware may be caught by sandboxes, which are useful pieces in Solving the APT Defense Puzzle. But in the case of targeted attacks the malware authors test their attacks against such controls before releasing them, so it becomes more difficult to detect, classify, and attribute APT threats via sandbox-based methods. Detection of targeted attacks therefore relies heavily on heuristics or human inspection as the last line of defense.

Malware C&C Network Protocol Usage

Command and Control channels can vary widely in their complexity. The control infrastructure can range from simple HTTP requests to a malicious domain to more complicated approaches involving the use of resilient peer-to-peer technologies that lack a centralized server and are consequently harder to analyze. A small group of malware uses TLS to encrypt (some of) its communication. It is interesting to note that almost all of this TLS traffic is described as HTTPS traffic, i.e. it is sent to TCP port 443. Furthermore, most of the known samples fail to complete the TLS handshake. This may indicate that the malware does not actually implement TLS, but merely communicates on a port which is normally used for TLS connections, which is very typical: a port number says nothing about the protocol actually carried.

Advanced Threat Actor using C&C Channel Example

C&C Channel Detection Techniques

The following are some examples of C&C channels and the techniques used to detect them. We will explore this topic in greater detail in future blogs together with the use of open-source tools.


Blacklist based

A simple technique to limit access to C&C infrastructure is to block access to IP addresses and domains which are known to be used by C&C servers. As noted above, the infrastructure of a targeted attack is less likely to appear on such lists, so blacklisting is a baseline control rather than a complete detection strategy.

Signature based

A popular technique for detecting unwanted network traffic is to use a signature based Intrusion Detection System (IDS). The advantage of signature based detection is that known bot traffic can be easily detected once malware researchers have created a signature. The disadvantage is that bots often obfuscate or encrypt their traffic, which makes it much harder or even impossible to write a content signature.

DNS protocol based

Malware needs to know the IP address of the C&C infrastructure to communicate. This address can be hard-coded or it can be retrieved by resolving a domain name. Using a domain name provides more flexibility as it allows the attacker to change the IP address easily. The infected computer doesn't even need to have direct outbound connectivity, as long as it can resolve the host name through a local DNS server that performs recursive lookups on the Internet: the data then travels inside the DNS queries and responses themselves. DNS has been involved in two recent large-scale breaches that resulted in the compromise of millions of accounts.

Network administrators should look for:

  • DNS responses which have a low to very low TTL (time to live) value, which is somewhat unusual
  • DNS responses which contain a domain that belongs to one of a long list of dynamic DNS providers
  • DNS queries which are issued more frequently by the client than would be expected given the TTL for that hostname (a cached answer should not be re-queried before it expires)
  • DNS requests for a hostname outside of the local namespace which are answered with a resource record pointing to an IP address within either RFC1918 IP space or anywhere inside the public or private IP space of the organization
  • Consecutive DNS responses for a single unique hostname which contain only a single resource record, but which change more than twice every 24 hours

Maintaining a DNS server and C&C server at a fixed address increases the chance that it will be taken down. Therefore, attackers have started using fast-flux domains. These are domains for which the owner rapidly changes the IP address to which a domain points and, optionally, the IP address of the DNS server as well.
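The following is an added example, not code from the original post, that runs the DNS indicators listed above (including the fast-flux check) over a constructed resolver log. The log layout (epoch seconds, client, query name, answer IP, TTL), the thresholds, the internal zone name, the organization's public range and the short dynamic-DNS suffix list are all assumptions for the example.

```python
"""Added example (not from the original post): the DNS indicators listed
above, including the fast-flux check, run over a constructed resolver log.

Assumed (not from the page): the log layout (epoch seconds, client, qname,
answer IP, TTL), the thresholds, the internal zone name, the organization's
public range and the short dynamic-DNS suffix list."""
import ipaddress
from collections import defaultdict

LOW_TTL = 300                      # seconds; assumed threshold for "very low" TTL
LOCAL_ZONES = ("corp.example",)    # assumed internal namespace
ORG_PUBLIC = ipaddress.ip_network("203.0.113.0/24")   # assumed org-owned public range
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DYN_DNS_SUFFIXES = ("no-ip.org", "dyndns.org", "afraid.org")  # sample list, not exhaustive
DAY = 86400

# Constructed sample log: (epoch seconds, client, qname, answer IP, TTL)
LOG = [
    (0,    "10.1.1.5", "update.cdn-sync.no-ip.org", "198.51.100.7",  60),
    (30,   "10.1.1.5", "update.cdn-sync.no-ip.org", "198.51.100.7",  60),
    (45,   "10.1.1.5", "update.cdn-sync.no-ip.org", "198.51.100.7",  60),
    (3600, "10.1.1.5", "update.cdn-sync.no-ip.org", "198.51.100.9",  60),
    (7200, "10.1.1.5", "update.cdn-sync.no-ip.org", "198.51.100.22", 60),
    (9000, "10.1.1.5", "update.cdn-sync.no-ip.org", "198.51.100.31", 60),
    (100,  "10.1.1.8", "www.example.com",           "192.0.2.80",    86400),
    (200,  "10.1.1.8", "mail.corp.example",         "10.2.3.4",      3600),
    (300,  "10.1.1.9", "portal.lookalike.net",      "192.168.77.1",  3600),
]


def is_local_name(qname):
    return any(qname == z or qname.endswith("." + z) for z in LOCAL_ZONES)


def is_internal_address(ip):
    """True for RFC1918 space or the organization's own public range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918) or addr in ORG_PUBLIC


def analyse(log):
    """Return {indicator: sorted list of hostnames} for every indicator that fired."""
    hits = defaultdict(set)
    queries = defaultdict(list)   # (client, qname) -> [(ts, ttl), ...]
    answers = defaultdict(list)   # qname -> [(ts, answer IP), ...]
    for ts, client, qname, answer, ttl in log:
        if ttl < LOW_TTL:
            hits["low_ttl"].add(qname)
        if qname.endswith(tuple("." + s for s in DYN_DNS_SUFFIXES)):
            hits["dynamic_dns"].add(qname)
        if not is_local_name(qname) and is_internal_address(answer):
            hits["external_name_internal_ip"].add(qname)
        queries[(client, qname)].append((ts, ttl))
        answers[qname].append((ts, answer))

    # A client honouring the cache should not ask again before the TTL expires.
    for (client, qname), seq in queries.items():
        seq.sort()
        if any(t1 - t0 < ttl for (t0, ttl), (t1, _) in zip(seq, seq[1:])):
            hits["query_faster_than_ttl"].add(qname)

    # Fast flux: the single answer for one name changes more than twice in 24 hours.
    for qname, seq in answers.items():
        seq.sort()
        change_ts = [t1 for (_, a), (t1, b) in zip(seq, seq[1:]) if a != b]
        if any(change_ts[i + 2] - change_ts[i] <= DAY for i in range(len(change_ts) - 2)):
            hits["fast_flux"].add(qname)
    return {k: sorted(v) for k, v in hits.items()}


if __name__ == "__main__":
    for indicator, names in sorted(analyse(LOG).items()):
        print(f"{indicator:28s} {', '.join(names)}")
```

On the sample data the dynamic-DNS name trips every check (low TTL, dynamic-DNS suffix, re-queried inside its TTL, three answer changes inside 24 hours) while the lookalike domain is caught only because an external name resolved into RFC1918 space. Each check on its own is noisy (CDNs also use short TTLs, for instance), which is why the correlation section later in this post matters.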

IRC protocol based

First generation botnets used Internet Relay Chat (IRC) as the channel for a central command and control mechanism. The bots connect to the IRC servers and channels that have been selected by the attacker and wait for commands. Although IRC botnets are easy to use, control and manage, they suffer from a central point of failure.

Peer to peer protocol based

To overcome the IRC issue, a peer to peer architecture is used in the second generation of botnets: instead of having a central C&C server, the attacker sends a command to one or more bots, and they deliver it to their neighbors. Increasingly the peer to peer (P2P) protocol is being used for C&C channels.

Examples include Zeus v3, TDL v4 (Alureon), and ZeroAccess. A roughly 10x increase in the number of malware samples using P2P has been observed in the 12 months before this post.

Peers in a P2P swarm are often easily identified by DNS, reverse DNS or passive DNS, since they generally do not try to hide; malicious swarms are the exception. Typically all members of a malware P2P swarm have been compromised with the same malware, so the peer list obtained from one infected host enumerates the others. Detect one and you will quickly identify hundreds of compromised assets.

HTTP protocol based

Implementing a second generation P2P botnet is difficult and complex. Therefore, attackers have begun to use the centralized C&C model once again, using the HTTP protocol to publish the commands on certain web servers.

The vast majority of malware examined uses HTTP as the C&C protocol. According to Mandiant, 83% of all backdoors used by APT attackers are outgoing sessions to TCP port 80 or 443. However, only a few samples use TLS to communicate with the C&C server. All of the TLS-using malware accepts connections to servers with invalid certificates. If the servers indeed use invalid certificates, this property could be used to detect these cases. Similarly, the double connection attempt in the case of an invalid certificate might trigger detection.

The majority of the examined malware uses HTTP based C&C channels. The HTTP requests generated by these malware samples are usually GET requests with a spoofed User-Agent, and the majority of malware spoofs the User-Agent of the installed Internet Explorer version. Thus, detecting spoofed User-Agents might provide a method for C&C channel detection. Note that a User-Agent copied from the installed browser will match that host's normal browsing traffic, so the useful signals are User-Agent strings that differ from the host's usual one, that are outdated or malformed, or that are seen from very few hosts across the organization.

Here are some TLS certificate indicators that can be used to detect C&C channel sessions simply by passively looking at network traffic:

  • The certificate isn’t signed by a trusted CA
  • The domain names are random (i.e. don’t really exist)
  • Validity period is stated to be exactly one month
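As an added example (not code from the original post), the following runs the User-Agent and certificate indicators from this section over a constructed proxy log and a constructed list of server certificates. The record layouts, the trusted-issuer list, the entropy heuristic used to call a name "random" and the sample data are assumptions made for the example; the "differs from the client's usual UA" rule is my generalization of the spoofed-User-Agent point above.

```python
"""Added example (not from the original post): the HTTP and TLS indicators
described above (spoofed User-Agent, untrusted or self-signed certificate,
one-month validity, random-looking names), run over constructed logs.

Assumed (not from the page): the record layouts, the trusted-issuer list,
the entropy heuristic for "random" names and all sample data."""
import math
from collections import Counter, defaultdict
from datetime import date

TRUSTED_ISSUERS = {"DigiCert", "GlobalSign"}   # assumed trust list
ENTROPY_THRESHOLD = 3.5                         # assumed heuristic threshold
IE11 = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
IE6 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

# Constructed proxy log: (client, destination host, User-Agent)
HTTP = [
    ("10.1.1.5", "www.example.com", IE11),
    ("10.1.1.5", "news.example.org", IE11),
    ("10.1.1.5", "cdn-sync.example.net", IE6),    # outdated UA on a host that runs IE11
    ("10.1.1.8", "www.example.com", IE11),
]
# Constructed server certificates: (server, subject CN, issuer, not_before, not_after)
CERTS = [
    ("www.example.com", "www.example.com", "DigiCert", date(2013, 1, 1), date(2014, 1, 1)),
    ("qzxvkrtplmwd.biz", "qzxvkrtplmwd.biz", "qzxvkrtplmwd.biz", date(2013, 6, 1), date(2013, 7, 1)),
]


def user_agent_indicators(requests):
    """Flag requests whose UA differs from the client's usual UA or is unique org-wide."""
    per_client = defaultdict(Counter)
    clients_per_ua = defaultdict(set)
    for client, _, ua in requests:
        per_client[client][ua] += 1
        clients_per_ua[ua].add(client)
    flagged = []
    for client, host, ua in requests:
        usual = per_client[client].most_common(1)[0][0]
        reasons = []
        if ua != usual:
            reasons.append("differs from client's usual UA")
        if len(clients_per_ua[ua]) == 1 and len(per_client) > 1:
            reasons.append("UA seen from only one client")
        if reasons:
            flagged.append((client, host, reasons))
    return flagged


def label_entropy(label):
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def looks_random(hostname):
    """Long second-level label with near-uniform character use: likely generated."""
    sld = hostname.split(".")[-2] if "." in hostname else hostname
    return len(sld) >= 10 and label_entropy(sld) > ENTROPY_THRESHOLD


def one_month_apart(start, end):
    year, month = (start.year + 1, 1) if start.month == 12 else (start.year, start.month + 1)
    try:
        return end == date(year, month, start.day)
    except ValueError:                        # e.g. 31 Jan -> there is no 31 Feb
        return (end - start).days == 30


def certificate_indicators(certs):
    findings = defaultdict(list)
    for server, cn, issuer, not_before, not_after in certs:
        if issuer == cn:
            findings[server].append("self-signed")
        elif issuer not in TRUSTED_ISSUERS:
            findings[server].append("untrusted issuer")
        if one_month_apart(not_before, not_after):
            findings[server].append("one-month validity")
        if looks_random(cn):
            findings[server].append("random-looking name")
    return dict(findings)


if __name__ == "__main__":
    print(user_agent_indicators(HTTP))
    print(certificate_indicators(CERTS))
```

The IE 6 request stands out both because the host normally presents IE 11 and because no other host in the log uses that string; a sample that copies the host's real browser string would pass the first test, which is why the certificate checks are run alongside it.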

Temporal based

A bot regularly has to send traffic to the C&C server in order to be able to receive new commands. Such traffic is sent automatically and is usually sent on a regular schedule (beaconing). The behavior of user-generated traffic is much less regular, thus bots may be detected by measuring this regularity, for example the spread of the intervals between successive connections from one host to one destination. Attackers add random jitter to the schedule to counter this, which reduces but rarely removes the regularity.
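The following added example (not from the original post) measures that regularity: for each (client, destination) pair it computes the coefficient of variation of the inter-arrival times and calls the pair a beacon when the value is low. The record layout, the thresholds and the constructed timestamps (a jittered 300-second beacon beside a bursty browsing pattern, generated with a fixed seed) are assumptions for the example.

```python
"""Added example (not from the original post): detecting a beacon by the
regularity of connection inter-arrival times per (client, destination)
pair, as described above.

Assumed (not from the page): the record layout, the thresholds, and the
constructed timestamps (a seeded generator, so the result is reproducible)."""
import random
import statistics
from collections import defaultdict

MIN_CONNECTIONS = 8   # assumed: fewer samples give an unreliable estimate
MAX_CV = 0.2          # assumed: coefficient of variation at or below which timing is "machine regular"


def make_sample():
    """Constructed events: (epoch seconds, client, destination)."""
    rng = random.Random(7)
    events, t = [], 0.0
    for _ in range(12):            # bot: every 300 s with up to +/-10% jitter
        t += 300 * rng.uniform(0.9, 1.1)
        events.append((t, "10.1.1.5", "cdn-sync.example.net"))
    t = 0.0
    for gap in (3, 7, 2, 45, 1200, 4, 9, 2400, 30, 6, 5):   # person: bursts, then idle
        t += gap
        events.append((t, "10.1.1.8", "www.example.com"))
    return events


def regularity(events):
    """Per pair: (mean gap in seconds, coefficient of variation of the gaps)."""
    by_pair = defaultdict(list)
    for ts, client, dst in events:
        by_pair[(client, dst)].append(ts)
    scores = {}
    for pair, times in by_pair.items():
        if len(times) < MIN_CONNECTIONS:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        scores[pair] = (round(mean, 1), round(statistics.pstdev(gaps) / mean, 3))
    return scores


def beacons(events):
    return sorted(pair for pair, (_, cv) in regularity(events).items() if cv <= MAX_CV)


if __name__ == "__main__":
    for pair, (mean, cv) in regularity(make_sample()).items():
        print(pair, f"mean gap {mean}s  cv {cv}")
    print("beaconing:", beacons(make_sample()))
```

With ten percent jitter the bot's coefficient of variation stays below 0.1, while the human pattern scores above 2. Legitimate software updaters and monitoring agents also beacon, so in practice the flagged pairs are filtered against known destinations before they become alerts.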

Anomaly detection

Anomaly detection is based on the assumption that it is possible to build a model of legitimate traffic content. Anomaly detection of network traffic can be a very powerful tool in detecting command & control channels. Unfortunately, to be most effective the baselining (defining what is “good” about the network) should take place before the first compromise. However, some forms of anomaly detection still add tremendous value:

  • Develop a quick set of signatures to ensure that each TCP session on port 80 and 443 consists of valid HTTP or SSL traffic, respectively. Use a tool such as FlowGrep, or review proxy logs for failures. This would be a useful exercise in general for all traffic that is not relayed through an application proxy and is not blocked from direct access to internet resources.
  • Persistent connections to HTTP servers on the internet, even outside regular office hours, should be the exception, not the rule, so valid exceptions can be filtered out, making this a potent mechanism to identify compromises. Is the attacker operating from the same time zone as your organization?
  • Persistent requests for the same file on a remote web server, but using a different parameter each time, can indicate data smuggling over HTTP.
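As an added example (not code from the original post), the following implements the first and third checks above: it confirms that a session to port 80 actually begins with an HTTP request line and a session to port 443 with a TLS ClientHello, and it lists clients that request one file repeatedly with a changing query string. The record layouts, the sample bytes and URLs and the threshold of five distinct query strings are assumptions for the example.

```python
"""Added example (not from the original post): the first and third checks
above, that is, confirming a port-80/443 session actually starts with HTTP
or a TLS ClientHello, and spotting repeated requests for one file with a
changing parameter, run over constructed data.

Assumed (not from the page): the record layouts, the sample bytes and URLs,
and the threshold of five distinct query strings."""
from collections import defaultdict
from urllib.parse import urlsplit

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")


def classify_session(dst_port, first_bytes):
    """'ok' when the first client bytes match the protocol expected on the port."""
    if dst_port == 80:
        if first_bytes.startswith(HTTP_METHODS) and b" HTTP/1." in first_bytes:
            return "ok"
        return "non-http-on-80"
    if dst_port == 443:
        # TLS record header: type 0x16 (handshake), version 0x03 0x0X, 2-byte length,
        # then handshake type 0x01 (ClientHello).
        if (len(first_bytes) >= 6 and first_bytes[0] == 0x16
                and first_bytes[1] == 0x03 and first_bytes[5] == 0x01):
            return "ok"
        return "non-tls-on-443"
    return "unchecked"


# Constructed sessions: (client, destination port, first bytes sent by the client)
SESSIONS = [
    ("10.1.1.8", 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("10.1.1.8", 443, bytes.fromhex("160301009a010000960303")),   # genuine ClientHello prefix
    ("10.1.1.5", 443, b"\x00\x00\x00\x11\xaa\x55beacon"),             # custom binary on 443
    ("10.1.1.5", 80, b"\x17\x03\x01\x00\x20" + b"\x00" * 32),         # TLS app data on 80
]

# Constructed proxy log: (client, URL); the id values are base64-looking chunks
PROXY = [
    ("10.1.1.5", "http://cdn-sync.example.net/img/logo.gif?id=ZGF0YS0x"),
    ("10.1.1.5", "http://cdn-sync.example.net/img/logo.gif?id=ZGF0YS0y"),
    ("10.1.1.5", "http://cdn-sync.example.net/img/logo.gif?id=ZGF0YS0z"),
    ("10.1.1.5", "http://cdn-sync.example.net/img/logo.gif?id=ZGF0YS00"),
    ("10.1.1.5", "http://cdn-sync.example.net/img/logo.gif?id=ZGF0YS01"),
    ("10.1.1.5", "http://cdn-sync.example.net/img/logo.gif?id=ZGF0YS02"),
    ("10.1.1.8", "http://www.example.com/search?q=printers"),
    ("10.1.1.8", "http://www.example.com/search?q=toner"),
]


def protocol_mismatches(sessions):
    out = []
    for client, port, data in sessions:
        verdict = classify_session(port, data)
        if verdict != "ok":
            out.append((client, port, verdict))
    return out


def smuggling_candidates(proxy_log, threshold=5):
    """(client, server, path) triples requested with >= threshold distinct query strings."""
    seen = defaultdict(set)
    for client, url in proxy_log:
        u = urlsplit(url)
        seen[(client, u.netloc, u.path)].add(u.query)
    return sorted(key for key, queries in seen.items() if len(queries) >= threshold)


if __name__ == "__main__":
    print(protocol_mismatches(SESSIONS))
    print(smuggling_candidates(PROXY))
```

Search pages and APIs legitimately take many different parameters, so the smuggling check is a lead to be reviewed (or allow-listed per destination) rather than an alert on its own; the protocol check, by contrast, is close to a hard rule on a network that proxies web traffic.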

Correlation based

One method to reduce the number of false positives for bot detection is to require several correlated events before raising an alert. This allows the system to use events which by themselves have a high false positive rate. However, by requiring multiple events the system is able to filter out most false positives. The events may be correlated for a single host or for a group of hosts.

The advantage of using correlations to detect bots is that there are fewer false positives compared to using just the individual events. At the same time, this can be a disadvantage because stealthy bots, which generate just one or two events, may not be detected.
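The following added example (not code from the original post) shows both forms of correlation described above: a per-host score that sums the weights of distinct indicators seen inside a 24-hour window, and a group rule that fires when several hosts raise any event against the same destination, which is what catches the stealthy one-event bots the per-host score misses. The event format, the weights, the window, the group size and the constructed events are assumptions for the example.

```python
"""Added example (not from the original post): correlating weak per-host
events before alerting, per host and per group of hosts, as described above.

Assumed (not from the page): the event format, the indicator weights, the
24-hour window, the group size and the constructed events."""
from collections import defaultdict

WEIGHTS = {                    # assumed scores for the individual indicators
    "dns_low_ttl": 1, "dynamic_dns": 1, "beacon": 3,
    "spoofed_user_agent": 2, "self_signed_cert": 2, "non_http_on_80": 3,
}
HOST_THRESHOLD = 5             # assumed: score at which a single host is alerted
WINDOW = 86400                 # assumed: events older than this do not count together
GROUP_MIN_HOSTS = 3            # assumed: hosts sharing a destination before a group alert

# Constructed events: (epoch seconds, host, indicator, destination)
EVENTS = [
    (100, "10.1.1.5", "dynamic_dns", "cdn-sync.example.net"),
    (400, "10.1.1.5", "beacon", "cdn-sync.example.net"),
    (500, "10.1.1.5", "spoofed_user_agent", "cdn-sync.example.net"),
    (900, "10.1.1.8", "dns_low_ttl", "static.example.org"),        # lone weak event
    (1000, "10.1.1.20", "dns_low_ttl", "cdn-sync.example.net"),    # stealthy bots:
    (1100, "10.1.1.21", "dns_low_ttl", "cdn-sync.example.net"),    # one weak event
    (1200, "10.1.1.22", "dynamic_dns", "cdn-sync.example.net"),    # each
    (200000, "10.1.1.9", "beacon", "mirror.example.com"),
    (300000, "10.1.1.9", "self_signed_cert", "mirror.example.com"),  # > WINDOW after the beacon
]


def host_alerts(events):
    """{host: (score, indicators)} where distinct indicators inside WINDOW reach HOST_THRESHOLD."""
    by_host = defaultdict(list)
    for ts, host, indicator, _ in events:
        by_host[host].append((ts, indicator))
    alerts = {}
    for host, evs in by_host.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            window = {ind for ts, ind in evs[i:] if ts - t0 <= WINDOW}
            score = sum(WEIGHTS[ind] for ind in window)
            if score >= HOST_THRESHOLD:
                alerts[host] = (score, sorted(window))
                break
    return alerts


def group_alerts(events):
    """{destination: hosts} for destinations that GROUP_MIN_HOSTS hosts raised events against."""
    hosts_by_dst = defaultdict(set)
    for _, host, _, dst in events:
        hosts_by_dst[dst].add(host)
    return {dst: sorted(h) for dst, h in hosts_by_dst.items() if len(h) >= GROUP_MIN_HOSTS}


def stealthy_hosts(events):
    """Hosts caught only by the group correlation, not by their own score."""
    alerted = set(host_alerts(events))
    return sorted({h for hosts in group_alerts(events).values() for h in hosts} - alerted)


if __name__ == "__main__":
    print("host alerts:", host_alerts(EVENTS))
    print("group alerts:", group_alerts(EVENTS))
    print("caught only by group:", stealthy_hosts(EVENTS))
```

Host 10.1.1.9 is not alerted because its two events fall more than a day apart; the window is what stops stale events from accumulating into an alert. The three hosts with a single weak event each surface only through the shared destination, and a quick reverse DNS or passive DNS check on that destination is the natural next step.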

Social Networks

In order to defeat social network-based botnets, organizations must think ahead of the attackers. Regardless of the channel, provider, or account, social network messages are text. Thus, if malware wants to use social networks for its C&C, it must encode its commands textually. Just like legitimate messages may include web links, so might C&C messages (e.g., links for downloading a payload).

Web-based Attack/Detection Characteristics

By using an HTTP connection as a communication channel, a web-based malware attack can avoid detection by a firewall and increase the threat of the attack. One of the attack's characteristics is its small traffic footprint, which also fits well within the normal traffic flow. Since most firewalls pass HTTP traffic without inspecting it, it is not easy to detect any abnormal behavior.

In addition, the fast-flux domain technique allows a fully qualified domain name (FQDN) to point to multiple IP addresses. These IP addresses can be scattered all over the world, making a malicious domain difficult to track and analyze. Attackers can make a fast-flux domain constantly associate with varying IP addresses.

However, a fast-flux domain's need for numerous IPs is itself a useful characteristic. Detection of fast-flux domain techniques together with connection regularity can be used as the basis for web-based detection. In addition to enhancing the accuracy of detection, it can also be used to detect different types of botnet/malware.


By using the results of malware analysis to hone C&C channel detection capabilities, an organization can begin remediating a malware incident. Any identified C&C channels serve as helpful indicators of compromise (IOCs) that can be used to detect other instances of the same or similar malware. IOCs related to C&C include domain names, IP addresses, protocols, and even patterns of bytes seen in network communications, which could represent commands or encoded data. Matt Jonkman's team (Emerging Threats) regularly publishes updated signatures for known Command and Control channels. If setting up such a system sounds like a bit of work, have a look at BotHunter.

Coming Soon

In APT Detection Indicators – Part 4 we will add details to this introduction to C&C Channel detection techniques, and integrate with the earlier APT Detection Indicators – Part 2 discussion of free and open source software (FOSS) tools with some hands-on examples of developing and using Indicators of Compromise. While Security Onion, as good as it is, doesn't provide the full functionality one might expect from a commercial product, it still offers many of the features inherent to those products.

Many commercial vendors are now supplementing detection and alerting with visualization techniques, and FOSS tools have been meeting the needs of security visualization practitioners for years. Security Onion includes Squert, which in turn makes use of AfterGlow and the graphviz libraries to provide on-demand visualizations of captured traffic. Take the case of an attacker scanning from a beachhead host (pivoting laterally): the related scanning traffic from the pivot host then presents itself in a tidy visualization.

Thanks for your interest!

Nige the Security Guy.

APT Detection Framework – Part 2

APT Detection Framework – Part 1
APT Detection Indicators – Part 1
Adaptive Zone Defense – Part 1
Defensible Security Posture

There is a trend underway in the information security field to shift from a prevention mentality — in which organizations try to make the perimeter impenetrable and avoid breaches — to a focus on rapid detection, where they can quickly identify, contain and mitigate threats.

In order to begin to understand targeted attacks and to be able to rapidly defend against them, a detection matrix is needed for visibility and analysis, and to ensure that all threat scenarios are considered with no gaps in defense. This framework can be used as a tool to relate attack characteristics with analysis methods and business criteria. APT Detection Framework – Part 2 continues our discussion of a proposed matrix with a more detailed description and use case examples.

Detection Cost versus Precision

APTs are complex attack scenarios in which different low-level attack methods are used in a multistep approach to achieve a predetermined goal. They are executed with more stealth than normal attacks. The framework presented in this blog can help analyze APT threat scenarios with the purpose of creating a means of detecting APTs and identifying any gaps in detection or response.

Like prevention and defense-in-depth, detection has an associated cost versus precision trade-off. It also needs to consider capability maturity, in terms of resources and skills as well as technology, and whether this is a core competency that needs to be built in-house, gained through a partner, or outsourced.

Detection Framework Sample

The following APT Detection Framework – General Description graphic presents a simplified example, providing general descriptions of the content that the security operations analyst uses to begin to populate the matrix for various use cases.

APT Detection Framework - General Descriptions

Attack Scenario Use Case

A foreign company is interested in a product and the intellectual property of a competitor. They would like to know detailed technical and production information as well as financial information about the production costs of the product. They anonymously contract with a hacker team to gain access to the competitor’s network in order to obtain the desired information. The competitor must remain unaware of the network breach to avoid an investigation and possible lawsuits.

Advanced Persistent Attack Example

Detection of APTs is harder because of the stealthy effort of the attacker to remain undetected, but it is not impossible: traffic is generated, and malware or a Trojan is active on workstations and/or servers. It is possible to find traces of attacks which can be put together as an Indicator of Compromise to see if there is an ongoing APT present. For more information see APT Detection Indicators – Part 1.

Common firewalls, HIDS and NIDS systems have a harder time finding an APT because they look mostly for discrete and known attack signatures and do not take the structure of APTs into account. They do not connect different and subtle low level events to each other to form an attack scenario. An approach that does correlate low-level attack elements can detect such attacks.

Network traffic can be used to detect the different steps of APTs. The eight steps each have a different traffic pattern in a network. An example of these patterns is given in the basic network diagram above.

Step 1: Reconnaissance

The first step of the attackers is reconnaissance of the target company. They start by browsing corporate websites for names and mail addresses, check DNS registrations to find publicly accessible services and check search engines for social media profiles of people claiming to work at the target company. The main goal is to find handles for social engineering approaches and to find version information on servers and website content management systems, in order to find exploitable vulnerabilities.

Step 2: Gaining Access

After the first step the attackers proceed to use the profile information of employees to construct phishing emails which look legitimate. These emails contain a link to an infected website which uses a zero day exploit to install a malware component on the victim's computer. Another approach is to use social media information to create a legitimate-looking spreadsheet or PDF as an email attachment about employee benefits or holidays and so on. The possibilities are endless.

Steps 3 & 4: Internal Recon and Expand Access

Once the attackers have gained a foothold in the network through the malware they will try to expand their access to other parts of the network. The malware starts to monitor connections to servers in the network and gathers information about installed programs and network users to identify server addresses, network structure and possibilities for expanding access.

Unpatched programs, operating systems, or default configurations create more possibilities for further expansion of the attackers' access to network clients and servers. The attackers also perform active reconnaissance on the network themselves, making discovery connections through the malware clients.

Steps 5 & 6: Gathering and Extracting Data

Undetected and operating stealthily, the attackers are successful and have found the wanted technical documentation and have access to the financial systems of the target. They slowly gather all the information on one of the servers they control and prepare the information for extraction.

Finally they exfiltrate the information to a legitimate file storage application on the internet to make the extraction look as normal as possible. They also continue snooping around for other data they can sell and extract this as well.

Steps 7 & 8: Command & Control and Erasing Tracks

The attackers have continuously monitored progress through direct access via a backdoor created by the malware and through updates from the malware to servers on the internet. After extraction of the last of the wanted information the attackers start to hide their tracks by uninstalling the malware. Botnet clients are used as proxies to hide the origins of traffic. Logs are erased and housekeeping is performed. A backdoor may be left on Internet-accessible devices for future use, opened via a command sequence to enable remote access.

Situational Awareness and Managed Connectivity

Typically 20 percent of the connections to a network are unknown despite the investment in security technology, so it is critical to identify all connections within an enterprise. This 80-20 rule requires a solution that defines a network perimeter and validates that unknown connections do not exist. Situational awareness, together with knowledge of the structure of high level attack sequences and low level attack elements, is crucial for detection.

This knowledge is necessary for the selection of attack features which can be detected, for example in network traffic. The choice of attack features has consequences for the detection framework design and choices of analysis methods and their success in detecting more complex attacks. Approaching the choice of analysis methods from an attack perspective utilizes this knowledge to improve detection and reduce the gaps.

Basic Use Case Example

The following APT Detection Framework – Basic Use Case graphic presents an over-simplified example that applies a mock-up of the use case above.

APT Detection Framework - Basic Use Case


In our core mission to focus on Detection and Response our next series of blogs will cover Incident Response Maturity. In addition, we will add further details to the APT Detection Framework in Part 3 by integrating more closely with APT Detection Indicators and leveraging Indicators of Compromise (IoCs). We will develop increasingly more practical and useful use cases leveraging tools such as, Splunk, RedLine, Snort, Suricata, Bro, Sguil, Squert, Snorby, and many other useful network security monitoring and analysis tools.


This APT Detection Framework blog is a part of the APT Strategy Series and complements and builds upon the Adaptive Zone Defense and the Defensible Security Posture blogs.

Thanks for your Interest!

Nige the Security Guy.