Understanding How Attackers Use Command and Control Channels
In any network-based attack, the attacker relies on a command-and-control (C2) channel to carry out their actions. By deploying malicious software on a host machine, they establish a connection with an external server. It is the instructions received from that external server that dictate the actions taken by the infected host, allowing the attacker to progress their attack.
Command-and-control tools, such as Cobalt Strike and Metasploit, are commonly used by attackers. These tools support encryption of the channel and employ techniques like domain fronting and session jitter to evade detection.
Detecting Command and Control Regardless of Encryption
Vectra AI takes a different approach to detecting command-and-control channels. Regardless of encryption or evasion techniques, Vectra's security-led approach ensures detection. Rather than relying on a math-led approach, Vectra's security research team focuses on behavior patterns.
Upon studying the behavior of a command-and-control channel, Vectra's team identified that the clearest indicators lie in the shape of network traffic over time. To analyze this time-series data, Vectra's data scientists employed deep learning models, specifically LSTMs (long short-term memory networks), which excel at understanding events at different timescales. This allows Vectra to effectively identify the nature of a command-and-control conversation, regardless of the specific tools used.
What does normal traffic look like?
Consider a representative example of benign traffic from an external system below.
In the above example, we see a host machine sending regular signals to an external server. These signals, known as beacons, are commonly used by various services to keep systems connected and communicate effectively.
However, beacons can also be exploited for malicious purposes. It's important to understand the subtle differences between a legitimate use of beacons, such as in stock tickers or chat apps, and when they are used for malicious command-and-control channels.
What does suspicious traffic look like?
Let's explore a specific case of a malicious encrypted tunnel to better grasp the concept:
Do you observe the distinct patterns in the graph above? These spikes indicate the attacker's commands being sent and the infected system's response. The initial spike in "receive bytes" occurs without any prompt and is immediately followed by the infected machine's reaction.
By analyzing these patterns, Vectra's data scientists have discovered an effective way to recognize this behavior. The time-series data that represents the command-and-control channel behavior shares similarities with the data used in speech recognition and natural language processing. This similarity has led the team to adopt a deep learning model for identification.
Vectra utilizes a powerful type of neural network known as an LSTM (long short-term memory) to detect attack behavior. This specialized architecture is adept at analyzing events across multiple timeframes, allowing for a comprehensive understanding of command and control conversation data. The LSTM is trained on a diverse range of real and algorithmically generated samples, capturing various scenarios, tools, configurations, and environments. As a result, the model is able to identify the overarching patterns indicative of a control channel, regardless of the specific tools employed.
The algorithmic approach used in this analysis was made possible because of how Vectra formats network session data. While Vectra can provide Zeek-like metadata, its custom parser goes beyond standard Zeek capabilities by offering sub-second interval parsing of network communications. This level of detail allows for clear visibility into both benign and malicious communications, enabling Vectra's data science teams to utilize the most effective algorithms for a wide range of problems.
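As an added illustration of two points above, the regular beacon shape of the benign graph and the unprompted "receive bytes" spike followed by the host's reaction in the malicious graph, together with the sub-second binning this paragraph describes, here is a small Python example. It is not Vectra's code or model: it replaces the LSTM with a plain heuristic so the traffic shape itself is visible. The session events, bin width, thresholds and window sizes are all constructed assumptions for the illustration.

```python
"""Added example (not Vectra's code): bin one host <-> server session into
sub-second intervals and look for the shape the article describes: an inbound
byte spike that the host did not prompt, immediately followed by outbound data.

All events below are constructed; the bin width, thresholds and window sizes
are assumptions chosen for the illustration, not values from the article.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

Event = Tuple[float, str, int]  # (seconds since session start, "in" | "out", bytes)
Bin = Tuple[int, int]           # (bytes sent by host, bytes received by host)

BIN_SECONDS = 0.5               # assumed sub-second bin width


def bin_session(events: Iterable[Event], bin_seconds: float = BIN_SECONDS) -> List[Bin]:
    """Aggregate raw events into fixed-width time bins, one (sent, received) pair per bin.
    This is the time series a model (or a heuristic) would consume."""
    sent: Dict[int, int] = defaultdict(int)
    recv: Dict[int, int] = defaultdict(int)
    last = 0
    for ts, direction, nbytes in events:
        idx = int(ts // bin_seconds)
        last = max(last, idx)
        if direction == "out":
            sent[idx] += nbytes
        elif direction == "in":
            recv[idx] += nbytes
        else:
            raise ValueError(f"unknown direction {direction!r}")
    return [(sent[i], recv[i]) for i in range(last + 1)]


def beacon_intervals(series: List[Bin]) -> List[int]:
    """Gaps (in bins) between consecutive bins in which the host sent data.
    Small outbound traffic at a fixed gap is the beacon pattern; a stock ticker
    or chat keep-alive and a malware check-in look alike at this level."""
    active = [i for i, (s, _) in enumerate(series) if s > 0]
    return [b - a for a, b in zip(active, active[1:])]


def unprompted_inbound_spikes(series: List[Bin], *, baseline_bins: int = 10,
                              quiet_bins: int = 2, spike_factor: float = 4.0,
                              response_bins: int = 4, response_min: int = 1000
                              ) -> List[Tuple[int, int, int]]:
    """Heuristic stand-in for the learned pattern: a bin whose received bytes
    far exceed the recent inbound baseline, with nothing sent by the host in
    that bin or the bins just before it (no prompt), followed within a few bins
    by substantial outbound data (the infected host's reaction).
    Returns (bin_index, received_bytes, response_bytes) per hit."""
    hits = []
    for i in range(baseline_bins, len(series)):
        _, recv_i = series[i]
        baseline = max((r for _, r in series[i - baseline_bins:i]), default=0)
        if recv_i <= spike_factor * max(baseline, 1):
            continue
        # "without any prompt": host was silent in this bin and the quiet window before it
        if any(s > 0 for s, _ in series[i - quiet_bins:i + 1]):
            continue
        response = sum(s for s, _ in series[i + 1:i + 1 + response_bins])
        if response >= response_min:
            hits.append((i, recv_i, response))
    return hits


def _beacons(period: float = 5.0, count: int = 6) -> List[Event]:
    """Constructed keep-alive: 120 bytes out, 180 bytes back, every `period` seconds."""
    ev: List[Event] = []
    for k in range(count):
        t = k * period
        ev.append((t, "out", 120))
        ev.append((t + 0.1, "in", 180))
    return ev


# Constructed sessions. The malicious one keeps the same beacon rhythm but at
# t=17.3s receives 9000 bytes the host never asked for, then pushes data out.
BENIGN_SESSION: List[Event] = _beacons()
MALICIOUS_SESSION: List[Event] = _beacons() + [
    (17.3, "in", 9000),
    (17.6, "out", 4000),
    (18.0, "out", 30000),
]

if __name__ == "__main__":
    for name, session in (("benign", BENIGN_SESSION), ("malicious", MALICIOUS_SESSION)):
        series = bin_session(session)
        print(name, "beacon gaps:", beacon_intervals(series),
              "unprompted spikes:", unprompted_inbound_spikes(series))
```

Both sessions show identical beacon gaps, which is why the beacon alone does not separate them; only the malicious series contains a bin where inbound bytes jump with no outbound prompt and the host answers with a large transfer. A trained sequence model learns that shape from many such series instead of relying on hand-set thresholds, but the input it needs is the same binned (sent, received) time series.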
The combination of unique metadata and sophisticated algorithms allows Vectra to effectively identify attackers. By focusing on the communication data itself, rather than just surface-level signals, this approach remains resilient against changes in attacker tools and even encrypted traffic. Additionally, the clear behavior signal eliminates the need for suppression filters that may inadvertently filter out important information or stealthy attacker actions.