Sqrrl's Security Technologist Josh Liburdi provides an overview of how to detect C2 through a combination of automated detection and hunting.
Watch the presentation with audio here: http://info.sqrrl.com/threat-hunting-for-command-and-control-activity
As a Security Technologist at Sqrrl, I act as a subject matter expert on the topic of threat detection and help guide the direction of our product, the Sqrrl Threat Hunting Platform.
Before working at Sqrrl I worked at General Electric on their incident response team as a detection analyst and at CrowdStrike on the Professional Services team where I specialized in threat hunting, network security monitoring, and incident response.
I've been in the incident response space, focused on threat detection, for the past three years.
In today’s webinar we’re going to discuss topics related to detecting command and control activity. What you'll learn is why we need to detect C2 activity and how Sqrrl makes it easy for you to do that.
Where we’ll begin is by talking about why we need to detect C2.
Understanding why we need to detect C&C starts with understanding the attack life cycle and knowing how attackers operate. Using a threat model like Lockheed Martin's Cyber Kill Chain is an important first step to understanding where to focus your detection efforts; you can use this model and others like it as a basis for thinking about the question "What is most impactful to the organization?" This question can be considered multiple ways, including by type of threat (for example, are threats to the organization ones of opportunity, or is the organization actively targeted by attackers?) and by outcome (for example, is financial loss more impactful than sensitive data loss?).
Once you understand what is most impactful to the organization, you can evaluate how that impact can manifest by mapping attacker actions to a model like the Kill Chain. For example, targeted attackers typically begin at the first stage of the kill chain (Reconnaissance) and carry out each subsequent stage until they achieve their final goal (ending with Actions on Objectives). As they carry out their mission, their actions become more and more impactful to the target organization. This means that, as a defender, it's a good practice to plan detection efforts from the end of the kill chain to the beginning; this ensures you have coverage for the most impactful attacker activity.
In the context of this webinar, it’s important to note that command and control is near the end of the kill chain, which means it is a high-impact stage of attacker activity.
This leads into the larger point of why we need to detect command and control.
The primary reason is that it's a required step of the kill chain for remote attacks, which the majority of cyber attacks are. In most situations, the attacker must remotely infiltrate your network and then exfiltrate data out of it.
Speaking broadly, C&C has a fairly predictable architecture, but attackers have multiple options of implementing and executing it. The architecture is based on either a client-server model, where there is an established compromised client and C&C server, or a peer-to-peer model, where each node in the compromised group can act as client and server.
Though the architecture is limited, there's plenty of room for attackers to be creative in how they build their C2 channel. Leading techniques include using encryption to hide C2 channels, such as HTTPS or custom protocols (for example, utilizing XOR encryption); using domain generation algorithms to evade detection and establish a connection with a C&C server (this is utilized by multiple families of malware, most prominently ransomware); and using tunneling to hide C2 channels in common protocols like DNS (this is utilized by some families of malware, including Point of Sale malware that targets the retail industry, as well as specialized remote access tools).
These techniques are just a few examples; attackers have a breadth of options for creating their C2 channel, so defenders need a breadth of options for detecting C2 channels as well.
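Two of the techniques above, domain generation algorithms and DNS tunneling, leave measurable traces in DNS query logs. The following is an added example (my own illustration, not code from the webinar or from Sqrrl's analytics) of the kind of lightweight heuristics a defender can run over such logs: a per-domain score for DGA-like names (long, high-entropy, vowel-poor labels) and a per-domain count of distinct, long subdomain labels, which is the shape tunneled data takes. The log lines, domain names and thresholds are constructed for the example; the "last two labels" rule for the registrable domain is a simplification (real code should use the public suffix list).

```python
import math
from collections import defaultdict

# Constructed sample DNS query log ("HH:MM:SS client queried_name"); not data from the webinar.
DNS_LOG = """
10:00:01 10.1.1.5 www.example.com
10:00:02 10.1.1.5 mail.example.com
10:00:03 10.1.1.7 xk3jq9vz2pdl.com
10:00:04 10.1.1.7 q8zvn4xjw1ch.net
10:00:05 10.1.1.7 b7hq2mzt9xkf.org
10:00:06 10.1.1.9 aGVsbG8gd29ybGQgdGhpcyBpcw.0001.tunnel-example.net
10:00:07 10.1.1.9 YW5vdGhlciBjaHVuayBvZiBkYXRh.0002.tunnel-example.net
10:00:08 10.1.1.9 bW9yZSBkYXRhIGdvZXMgaGVyZSB0b28.0003.tunnel-example.net
10:00:09 10.1.1.5 cdn.example.com
""".strip().splitlines()


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for the empty string)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(name):
    """Return (subdomain, registrable). Simplification: registrable = last two labels."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return "", name.lower()
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def dga_features(registrable):
    """Features of the second-level label that DGA-generated names tend to share."""
    label = registrable.split(".")[0]
    n = len(label) or 1
    return {
        "length": len(label),
        "entropy": shannon_entropy(label),
        "vowel_ratio": sum(ch in "aeiou" for ch in label) / n,
        "digit_ratio": sum(ch.isdigit() for ch in label) / n,
    }


def looks_like_dga(registrable, min_len=10, min_entropy=3.0, max_vowel_ratio=0.25):
    """Heuristic: long, high-entropy, vowel-poor labels. Thresholds are assumptions."""
    f = dga_features(registrable)
    return (f["length"] >= min_len and f["entropy"] >= min_entropy
            and f["vowel_ratio"] <= max_vowel_ratio)


def dga_domains(log_lines):
    """Registrable domains in the log whose name scores as DGA-like, sorted."""
    hits = set()
    for line in log_lines:
        _, _, name = line.split()
        _, reg = split_name(name)
        if looks_like_dga(reg):
            hits.add(reg)
    return sorted(hits)


def tunneling_candidates(log_lines, min_unique_subdomains=3, min_avg_sub_len=30):
    """Flag registrable domains that receive many distinct, long subdomain labels:
    encoded data carried in DNS queries looks like this, ordinary hostnames do not."""
    subs = defaultdict(set)
    for line in log_lines:
        _, _, name = line.split()
        sub, reg = split_name(name)
        if sub:
            subs[reg].add(sub)
    flagged = {}
    for reg, names in subs.items():
        avg_len = sum(len(s) for s in names) / len(names)
        if len(names) >= min_unique_subdomains and avg_len >= min_avg_sub_len:
            flagged[reg] = {"unique_subdomains": len(names),
                            "avg_subdomain_len": round(avg_len, 1)}
    return flagged


if __name__ == "__main__":
    print("DGA-like domains:", dga_domains(DNS_LOG))
    print("DNS tunneling candidates:", tunneling_candidates(DNS_LOG))
```

Both checks produce hunting leads rather than verdicts: CDNs and some security products legitimately use long or random-looking labels, so the output is a short list to triage with enrichment data (passive DNS, domain age, reputation) rather than something to alert on directly.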
Next, we’ll take a brief look at the Hunting Maturity Model.
If you haven't seen it before, the Hunting Maturity Model is a way to evaluate your organization's hunting capabilities, and it can also act as a simple guide to understanding how you can mature your hunting program. In the case of detecting C2, you can think of the maturity model as a way to track how capable you are at hunting for command and control activity. For example, if you are capable of doing indicator searches, then a good next step to mature your hunting program and the detection of command and control is to implement C2-related data analysis procedures created by others.
At Sqrrl, most customers we talk to find themselves in the first half of the model: their capabilities range from relying primarily on automated alerts (HM0) to following data analysis procedures created by others (HM2).
So with that in mind, for the remainder of the webinar, I’ll be discussing identifying command and control activity at the lower levels of the maturity model.
Finally, it’s important to talk about types of data you can use to find C2 activity.
We think of data in four domains: Network, Endpoint, Application, and Enrichment. Most data in these domains comes from internal data sources.
Network domain: session (flow) metadata, application protocol metadata
Endpoint domain: process execution metadata, host authentication metadata
Application domain: sources with data unique to a particular service or tool (for example, anti-virus software)
Enrichment domain: typically used to add contextual information across the other three domains; includes indicators of compromise, geolocation information for servers, and passive DNS data for domain history
Something to consider is that one data source can contribute to multiple data domains. For example, Sysmon is a free tool from Microsoft that primarily records endpoint data (process executions and file modifications), but it can also capture network data because it can identify when a process makes a network connection, so it exists in both domains.
Having accessible data from multiple domains is important because it supports a larger number of use cases, especially complex ones that combine data from different domains. For ease of use, it's crucial that this data is joined together and accessible from a single place or tool.
For detecting C2 activity, the most commonly accessible data is in the network domain (for example, session data, like flow records or firewall logs), but with the right level of data collection, data in the endpoint domain can be effective at finding C2 as well (especially process execution data). Enrichment data can also play a big part in detecting C2 activity, especially indicators for commonly observed malware families.
Now we're ready to discuss how we can uncover C2 activity with Sqrrl.
Where we'll start is with a review and demo of some Sqrrl C2 detection analytics, move to a C2 indicator search, and finish with a commonly available data analysis procedure for identifying C&C.
To start, we'll look at our C2 detection analytics.
Sqrrl has multiple analytics that can automatically discover and detect threats for you, including command and control activity. The first is a Beacon analytic, which we'll interactively look at in a moment. The next two are detection analytics that identify patterns related to techniques I described earlier in the webinar: domain generation algorithms, used to establish connectivity with a C2 server, and DNS tunneling, used for hiding a C2 channel in DNS traffic.
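Beaconing is the C2 behaviour most visible in network session data: an implant checks in with its server on a fixed schedule, so connections from one host to one destination have unusually regular intervals and unusually uniform sizes. The following is an added example of that idea over flow records; it is my own simplified heuristic and says nothing about how Sqrrl's Beacon analytic is implemented. The flow records and the coefficient-of-variation thresholds are constructed for the example.

```python
import statistics
from collections import defaultdict

# Constructed flow records ("epoch_seconds src dst dst_port bytes_out"); not data from the webinar.
# 10.1.1.7 checks in roughly every 60 seconds with near-identical payloads;
# 10.1.1.5 shows the irregular timing and sizes of a user browsing a site.
FLOWS = """
1700000000 10.1.1.7 203.0.113.10 443 512
1700000060 10.1.1.7 203.0.113.10 443 520
1700000121 10.1.1.7 203.0.113.10 443 512
1700000180 10.1.1.7 203.0.113.10 443 515
1700000241 10.1.1.7 203.0.113.10 443 512
1700000300 10.1.1.7 203.0.113.10 443 518
1700000359 10.1.1.7 203.0.113.10 443 512
1700000003 10.1.1.5 198.51.100.20 443 1500
1700000011 10.1.1.5 198.51.100.20 443 8200
1700000190 10.1.1.5 198.51.100.20 443 300
1700000205 10.1.1.5 198.51.100.20 443 47000
1700000330 10.1.1.5 198.51.100.20 443 900
1700000340 10.1.1.5 198.51.100.20 443 2300
""".strip().splitlines()


def _cv(values):
    """Coefficient of variation (population stdev / mean); 0 means perfectly regular."""
    mean = statistics.mean(values)
    return statistics.pstdev(values) / mean if mean else float("inf")


def beacon_scores(flow_lines, min_connections=6):
    """Group flows by (src, dst, port) and measure how regular the timing and sizes are."""
    sessions = defaultdict(list)
    for line in flow_lines:
        ts, src, dst, port, nbytes = line.split()
        sessions[(src, dst, int(port))].append((int(ts), int(nbytes)))

    results = {}
    for key, events in sessions.items():
        if len(events) < min_connections:   # too few samples to judge periodicity
            continue
        events.sort()
        times = [t for t, _ in events]
        sizes = [b for _, b in events]
        intervals = [later - earlier for earlier, later in zip(times, times[1:])]
        results[key] = {
            "count": len(events),
            "interval_mean": round(statistics.mean(intervals), 1),
            "interval_cv": round(_cv(intervals), 3),
            "size_cv": round(_cv(sizes), 3),
        }
    return results


def likely_beacons(flow_lines, max_interval_cv=0.1, max_size_cv=0.1):
    """Sessions whose timing and sizes are both regular enough to look like check-ins.
    Thresholds are assumptions; tune them against your own baseline."""
    return {key: score for key, score in beacon_scores(flow_lines).items()
            if score["interval_cv"] <= max_interval_cv and score["size_cv"] <= max_size_cv}


if __name__ == "__main__":
    for key, score in sorted(beacon_scores(FLOWS).items()):
        print(key, score)
    print("likely beacons:", list(likely_beacons(FLOWS)))
```

Plenty of benign software beacons too (update checkers, monitoring agents, NTP), so a hit from this logic is a lead to pivot on, which is where the enrichment and endpoint data discussed earlier come in: which process on the host owns the connection, and what is known about the destination. Implants that add random jitter to their sleep time will push the interval CV above a tight threshold, which is why the threshold is a parameter and why size regularity is checked alongside timing.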
In these screenshots you can see an example of a DGA detection in the background and the entities involved in the detection displayed on the Sqrrl Explore graph, ready to be explored, in the foreground.
Now I'm going to exit out of the PowerPoint and we'll begin demos, starting with looking at a Beacon detection.
Let's summarize what we've seen today.
As shown throughout the webinar, there are multiple benefits to using Sqrrl for detecting threats like command and control.
First, Sqrrl isolates attacker tactics, techniques, and procedures with detection analytics, including analytics that can identify beaconing, domain generation algorithms, and tunneling activities related to C2. This gives your organization additional coverage to detect attacker activity and frees up time for your team to hunt for new threats.
Second, Sqrrl makes it easy to quickly determine the context of an attack or threat. I showed this earlier during the indicator search demo, where I was able to quickly establish how the compromised website led to the Sundown Exploit Kit, which led to a successful infection. Our linked data model combines a variety of data from multiple data domains, including Proxy logs and Netflow from the network domain and Windows Event logs from the endpoint domain; this gives you many opportunities for establishing the context of how attacks are carried out in your network.
Third, Sqrrl gives you multiple ways to find emerging threats in your network. In today's demo, you saw examples of using indicators to find the exploit kit activity and using the stacking technique to identify C2 in network session data. It's important that your threat hunting platform gives you multiple options and the best tools to carry out your hunts, tools like graph exploration, effective indicator searching, and a powerful search language.
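Stacking, the data analysis procedure mentioned above, is simple enough to show end to end: count how often each value (or combination of values) of a field appears across the session data, then look at the rare end of the distribution, since C2 infrastructure tends to be contacted by one or a few hosts while legitimate services are contacted by many. The following is an added example written for this article, not Sqrrl's implementation or its query language; the session records are constructed, and the destination addresses use documentation ranges. It stacks both by raw session count and by the number of distinct internal hosts per destination, because a single infected host talking repeatedly to its server can look unremarkable by session count alone.

```python
from collections import Counter, defaultdict

# Constructed network session records ("src dst dst_port proto"); not data from the webinar.
# 198.51.100.77 has three sessions (not rare by count) but from a single host.
SESSIONS = """
10.1.1.5 203.0.113.50 443 tcp
10.1.1.6 203.0.113.50 443 tcp
10.1.1.7 203.0.113.50 443 tcp
10.1.1.8 203.0.113.50 443 tcp
10.1.1.5 203.0.113.51 80 tcp
10.1.1.6 203.0.113.51 80 tcp
10.1.1.7 203.0.113.51 80 tcp
10.1.1.5 192.0.2.9 53 udp
10.1.1.6 192.0.2.9 53 udp
10.1.1.7 192.0.2.9 53 udp
10.1.1.8 192.0.2.9 53 udp
10.1.1.7 198.51.100.77 8443 tcp
10.1.1.7 198.51.100.77 8443 tcp
10.1.1.7 198.51.100.77 8443 tcp
10.1.1.8 203.0.113.52 443 tcp
""".strip().splitlines()


def parse_sessions(lines):
    """Turn the whitespace-separated records into dicts keyed by field name."""
    records = []
    for line in lines:
        src, dst, port, proto = line.split()
        records.append({"src": src, "dst": dst, "dst_port": int(port), "proto": proto})
    return records


def stack(records, *fields):
    """Count each combination of `fields` across all sessions, least common first.
    The least common combinations are the ones an analyst reviews first."""
    counts = Counter(tuple(record[f] for f in fields) for record in records)
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))


def stack_distinct(records, field, distinct_field):
    """For each value of `field`, count distinct values of `distinct_field`
    (for example: how many internal hosts talk to each destination), fewest first."""
    seen = defaultdict(set)
    for record in records:
        seen[record[field]].add(record[distinct_field])
    return sorted(((value, len(members)) for value, members in seen.items()),
                  key=lambda kv: (kv[1], kv[0]))


def rare_destinations(records, max_hosts=1):
    """Destinations contacted by at most `max_hosts` distinct internal sources:
    the long tail that stacking is meant to surface for review."""
    return [dst for dst, hosts in stack_distinct(records, "dst", "src") if hosts <= max_hosts]


if __name__ == "__main__":
    recs = parse_sessions(SESSIONS)
    print("sessions per (dst, port):", stack(recs, "dst", "dst_port"))
    print("distinct hosts per dst:  ", stack_distinct(recs, "dst", "src"))
    print("rare destinations:        ", rare_destinations(recs))
```

On this data the raw count stack puts only 203.0.113.52 at the bottom, while the distinct-host stack also surfaces 198.51.100.77. The same two functions apply to any field in the session data (destination port, protocol, user agent in proxy logs), which is what makes stacking a reusable procedure rather than a one-off query; the time window and the `max_hosts` cut-off are the knobs to adjust for the size of the environment.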