
Detect and Respond to Command and Control Attacks

Abstract

Category: Analytics and SIEM, Data Enrichment and Threat Intelligence, Forensic and Malware Analysis, Endpoint

Cyware Products Used:

  • Respond

  • Orchestrate

  • Collaborate

Third-Party Integrations Used:

  • Splunk SIEM: SIEM solution to identify hits to the IOCs and watchlist malicious IOCs.

  • Crowdstrike Falcon Endpoint Detection and Response: Endpoint Detection and Response solution to block malicious IOCs.

Problem Statement

Cybercriminals attempt to remain persistent within a targeted environment for an extended period so that they can communicate with the infected or compromised devices inside the network, with the aim of exfiltrating sensitive data. To achieve this, they use the well-known Command and Control (C&C) method.

C&C attacks occur when an attacker infiltrates a system using social engineering methods and installs malware. The malware allows the attacker to remotely send commands from a C&C server (owned by the attacker) to the infected devices. The first infected device often infects other vulnerable devices to bring the entire system under the attacker’s control.

Hence, it is important to detect and defend against C&C attacks at the earliest possible stage and to make their detection and response strategy part of the organization’s security practices.

Solution

C&C attacks can be challenging to detect, as outbound communication is often less monitored or restricted and attackers take steps to avoid being noticed. Cyware offers an end-to-end playbook in Orchestrate to detect C&C attacks early and respond to them effectively by stopping the attack from spreading through your organization’s network.

[Figure: Detect and Respond to Command and Control Attacks playbook diagram]

How do we solve this problem?

  1. Detect C&C communication: The playbook starts by detecting suspicious C&C communication in the organization’s network. SIEM rules allow the playbook to retrieve the details of suspicious communications and send them for further analysis. The SIEM alert contains important information such as the IP address, hostname, hashes, and alert ID.

  2. Filter Alert Details: The playbook extracts the important details from the alert, such as the IP address, hostname, asset details, and alert ID.

  3. Create Incident: The playbook creates an incident in Respond and attaches all the important details to the incident.

  4. Enrichment: The hashes and asset details onboarded from the alert are sent for enrichment, and the results are updated back to the CFTR incident.

    1. Hash Enrichment: The hashes identified in the C&C alert are sent to WinRM and Intel Exchange for hash enrichment. You can also use any preferred tool for hash enrichment.

    2. Asset Enrichment: The impacted asset details are sent to Crowdstrike EDR for enrichment. This provides important details such as asset details, the latest user activity, hostname, operating system, IP address, MAC address, and more. You can also use a preferred EDR tool.

  5. Malicious or Non-Malicious: Based on the risk score retrieved from the hash enrichment, the playbook determines whether the hash is malicious.

    1. Malicious: If the hash is identified as malicious, the playbook automatically performs the following actions.

      1. Quarantines the files associated with the impacted asset.

      2. Quarantines the impacted asset.

      3. Blocks the malicious IOCs on Crowdstrike EDR.

    2. Non-Malicious: If the hash is identified as non-malicious, the playbook adds comments to the Learnings and Closure section of the Respond incident. Analysts can manually review the details and close the incident.

  6. Identify Hits to IOC: The playbook now checks the SIEM logs to find out whether any user has already clicked or accessed the malicious IOC. After gathering the SIEM logs and updating the playbook details, the playbook automatically remediates the threats on the affected endpoints.
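The decision flow of steps 2 to 6, as an added Python example that is not Cyware's own playbook code: it works on a constructed SIEM alert, a constructed risk-score table standing in for the hash enrichment, and constructed key=value proxy log lines for the hit search. The risk-score threshold, the field names, and the log format are assumptions.

```python
import re

RISK_THRESHOLD = 70  # assumed cutoff on the enrichment risk score (0-100); not from the page

# Constructed SIEM alert as the playbook would receive it in step 1 (placeholder values)
SAMPLE_ALERT = {
    "alert_id": "SIEM-1001",
    "src_ip": "10.20.30.40",
    "hostname": "ws-finance-07",
    "hashes": ["aaaa1111", "bbbb2222"],  # placeholder hash values, not real samples
    "dest_ip": "203.0.113.45",           # suspected C&C server, RFC 5737 test range
}

# Constructed enrichment results keyed by hash (stands in for the intel lookups of step 4.1)
SAMPLE_INTEL = {"aaaa1111": 92, "bbbb2222": 15}

# Constructed SIEM proxy log lines searched in step 6
SAMPLE_LOGS = [
    "ts=2024-05-01T10:00:01Z host=ws-finance-07 dst=203.0.113.45 action=allowed",
    "ts=2024-05-01T10:02:13Z host=ws-hr-02 dst=203.0.113.45 action=allowed",
    "ts=2024-05-01T10:03:40Z host=ws-hr-02 dst=198.51.100.9 action=allowed",
]

def filter_alert(alert):
    """Step 2: keep only the fields the incident needs."""
    return {k: alert[k] for k in ("alert_id", "src_ip", "hostname", "hashes", "dest_ip")}

def enrich_hashes(hashes, intel):
    """Step 4.1: risk score per hash; an unknown hash scores 0 (no evidence, not proof of benign)."""
    return {h: intel.get(h, 0) for h in hashes}

def triage(alert, intel, threshold=RISK_THRESHOLD):
    """Step 5: verdict plus the response actions the playbook would run."""
    details = filter_alert(alert)
    scores = enrich_hashes(details["hashes"], intel)
    bad = [h for h, s in scores.items() if s >= threshold]
    if bad:  # any malicious hash: contain the asset and block the indicators
        return {"verdict": "malicious", "iocs": bad + [details["dest_ip"]],
                "actions": ["quarantine_files", "quarantine_asset", "block_iocs"]}
    return {"verdict": "non_malicious", "iocs": [], "actions": ["note_learnings_and_closure"]}

def find_ioc_hits(logs, iocs):
    """Step 6: which hosts already reached a malicious indicator, from key=value SIEM logs."""
    hits = []
    for line in logs:
        fields = dict(re.findall(r"(\w+)=(\S+)", line))
        if fields.get("dst") in iocs:
            hits.append((fields["host"], fields["dst"]))
    return hits
```

Running `triage(SAMPLE_ALERT, SAMPLE_INTEL)` yields the malicious branch, and `find_ioc_hits(SAMPLE_LOGS, result["iocs"])` then shows that a second host has already contacted the C&C address and needs remediation too.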

Benefits

Stop Data Theft Attempts

Attackers use the C&C method to exfiltrate sensitive data such as company or client information, financial documents, proprietary information, and other data that can be leveraged or sold. Hence, security teams should be proactive in blocking and mitigating C&C attacks.

Going Beyond Incident Investigation

The playbook not only helps the organization respond to specific phishing threats but also helps capture the learnings from those incidents so that long-term strategic controls can be put in place. This helps organizations defend against any such future attempts by using the unique capabilities of the fusion center.

Actionable Threat Intelligence

With the automated enrichment and scoring of indicators based on contextual factors, the playbook provides actionable intel to security analysts for further action.