Uncover gaps in your Microsoft Identity Security.
Book an identity exposure gap analysis today.
Back to all detections
Command & Control

Peer-To-Peer

Peer-To-Peer
Overview
Possible Root Causes
Example Scenarios
Business Impact
Steps to Investigate
MITRE ATT&CK Techniques
Related Detections
FAQ

Detection overview

The "Peer-To-Peer" (P2P) detection focuses on identifying unauthorized use of peer-to-peer communication channels within an organization's network. P2P communication is often used by attackers to establish resilient command and control (C&C) infrastructures, enabling them to control compromised systems, exfiltrate data, or coordinate further attacks without relying on a single point of failure.

Triggers

  • An internal host is communicating with a set of external IP addresses with a pattern and low data rate common to peer-to-peer command and control

Possible Root Causes

  • The internal host is infected with malware which is using peer-to-peer communication for its command and control; some botnets utilize this form of command and control as it is more resilient to attempts at disrupting or sink holing it
  • Legitimate peer-to-peer software is running idle in the background without any data (e.g. Bittorrent) or voice (e.g. Skype) transfer activity and as such exhibits patterns similar to command and control traffic

Business Impact

  • An infected host can attack other organizations (e.g. spam, DoS, ad clicks) thus causing harm to your organization’s reputation, potentially causing your IP addresses to be black listed and impacting the performance of business-critical applications
  • The host can also be instructed to spread further into your network and ultimately exfiltrate data from it
  • Software which infected the host can create nuisances and affect user productivity

Steps to Verify

  • If the detection is generated as a result of a purposely installed peer-to-peer application, make sure the software complies with IT security policy
  • If the detection cannot be attributed to such an application, the host is likely infected with a malware and should be fixed through the use of AV software or reimaged
Peer-To-Peer

Possible root causes

Malicious Detection

  • An attacker has compromised a system and is using P2P communication to control it.
  • Malware designed to use P2P networks for C&C communication is present.
  • Insider threat where an employee is using unauthorized P2P software for malicious purposes.

Benign Detection

  • Legitimate use of P2P software for business purposes, such as file sharing or collaboration tools.
  • Misconfigured applications or systems that generate P2P-like traffic.
  • Security assessments or penetration tests involving P2P communication.
Peer-To-Peer

Example scenarios

Scenario 1:An attacker compromises several systems within an organization's network and establishes a P2P communication channel to control these systems. The detection is triggered by the unusual network traffic patterns and connections to known P2P nodes.

Scenario 2:During a penetration test, the security team uses P2P communication to simulate an advanced persistent threat (APT) scenario. The detection is triggered, and the activity is verified as part of the scheduled assessment.

Peer-To-Peer

Business impact

If this detection indicates a genuine threat, the organization faces significant risks:

Persistent Threat

P2P communication provides attackers with a resilient C&C infrastructure, making it difficult to disrupt their operations.

Data Exfiltration

P2P networks can be used to exfiltrate sensitive data covertly.

Operational Disruption

Unauthorized P2P traffic can consume network resources and degrade performance.

Peer-To-Peer

Steps to investigate

Review Network Traffic Logs

  • Check logs for patterns of P2P communication, including IP addresses, ports, and data transfer volumes.
  • Identify any connections to known P2P nodes or suspicious IP addresses.

Correlate with User Activity

  • Verify if the P2P traffic is associated with legitimate business activities or administrative tasks.
  • Check for recent changes in user behavior, access patterns, or account privileges.

Examine Installed Software

  • Look for the presence of P2P software or related processes on the systems generating the traffic.
  • Review any unauthorized or unusual software installations.

Conduct a Threat Hunt

  • Search for other indicators of compromise or malicious activity associated with the same user or IP addresses.
  • Verify if the detected activity is part of a scheduled security assessment or penetration test.
Peer-To-Peer

MITRE ATT&CK techniques covered

Proxy

T1090

Application Layer Protocol

T1071

Ingress Tool Transfer

T1105
Peer-To-Peer

Related detections

File Share Enumeration

Ransomware File Activity

AWS Suspect Traffic Mirror Creation

See our detections in action

Our interactive demo provides a deep dive into the advanced capabilities of our cybersecurity platform, showcasing real-time detection, comprehensive analysis, and proactive threat mitigation.

Don't just read about the possibilities – experience them.

Launch the free tour
Ask for a custom demo

FAQs

What is peer-to-peer (P2P) communication in the context of cybersecurity?

P2P communication involves direct data exchange between systems, often used by attackers to establish resilient command and control (C&C) infrastructures for controlling compromised systems and exfiltrating data.

What are the common signs of P2P communication?

Signs include unusual network traffic patterns, connections to suspicious IP addresses, high volumes of small packets, and use of ports commonly associated with P2P protocols.

Can legitimate activities trigger the detection of P2P communication?

Yes, legitimate use of P2P software for business purposes, misconfigured applications, or security assessments can trigger this detection. It’s important to verify the context of the activity.

How does Vectra AI detect P2P communication?

Vectra AI uses advanced AI algorithms to analyze network traffic and identify patterns indicative of P2P communication, correlating these with other suspicious behaviors.

What is the business impact of unauthorized P2P communication?

The primary risks are persistent threats, data exfiltration, operational disruptions, and compliance violations, which can lead to significant harm to the organization.

How can I detect unauthorized P2P communication in my environment?

Monitor network traffic for patterns indicative of P2P communication, such as high volumes of small packets, connections to known P2P nodes, and traffic on ports commonly associated with P2P protocols.

Why is P2P communication a significant threat?

P2P communication provides attackers with a resilient C&C infrastructure, making it difficult to disrupt their operations. It can also be used for covert data exfiltration and to consume network resources.

What steps should I take if I detect unauthorized P2P communication?

Investigate the source of the P2P traffic, verify if it was authorized, check for other signs of malicious activity, and take steps to remove unauthorized software and secure affected systems.

What tools can help verify the presence of P2P communication?

Tools like network traffic analyzers, security information and event management (SIEM) systems, and specialized monitoring solutions can help identify and verify P2P communication.

How can I prevent unauthorized P2P communication?

Implement strong access controls, monitor network traffic, set up alerts for unusual activity, and regularly audit installed software and user activity.