Identifying C2 Traffic

While the initial layers of security are crucial, the detection of C2 traffic can be a game-changer in thwarting cyber threats. C2 traffic is the communication channel between a compromised host (the victim) and the attacker’s command and control infrastructure. It’s important to understand the characteristics of C2 traffic to spot it effectively:

  1. Persistence and Beaconing: C2 traffic often exhibits persistence, meaning it maintains communication over extended periods. Beaconing, a regular pattern of communication, is a common trait of C2 traffic, making it easier to detect.

  2. HTTPS Exploitation: Cybercriminals prefer using encrypted protocols like HTTPS for C2 communication, as it helps them blend in with legitimate traffic, making detection more challenging.

  3. Outbound Nature: C2 traffic typically travels from the compromised host to external command and control servers, leading to outbound network traffic. Analyzing proxy logs can be valuable for spotting such activity.

  4. Data Sources: Firewall and proxy logs, along with data from packet captures, provide valuable insights into persistent external connections, helping security teams identify potential C2 traffic.

  5. Creating Detection Scripts: Scripts that flag internal IPs connecting to the internet at least once every X minutes will surface VPN tunnels, reverse HTTP tunnels, and other authorized and unauthorized traffic. Authorized traffic is anything related to legitimate VPN tunnels. Unauthorized policy violations include SSH tunnels used to escape content filtering, tools like TeamViewer, etc. Lastly, there is the “Other Unauthorized” category, which includes malware traffic that has escaped initial prevention.
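A sketch of such a detection script, added here as an illustration and not taken from the original article. The "timestamp src_ip dest_host" log layout, the sample lines, the thresholds and the function name are all assumptions; adapt the parsing to your proxy's real format.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample in an assumed "timestamp src_ip dest_host" proxy log layout.
SAMPLE_LOG = """\
2024-05-01T09:00:00 10.0.0.5 cdn-sync.example.test
2024-05-01T09:00:03 10.0.0.7 www.example.org
2024-05-01T09:00:09 10.0.0.7 www.example.org
2024-05-01T09:05:01 10.0.0.5 cdn-sync.example.test
2024-05-01T09:09:58 10.0.0.5 cdn-sync.example.test
2024-05-01T09:12:40 10.0.0.7 www.example.org
2024-05-01T09:15:00 10.0.0.5 cdn-sync.example.test
2024-05-01T09:20:02 10.0.0.5 cdn-sync.example.test
2024-05-01T09:25:00 10.0.0.5 cdn-sync.example.test
2024-05-01T09:58:30 10.0.0.7 www.example.org
2024-05-01T09:58:41 10.0.0.7 www.example.org
"""

def find_beacons(log_text, max_gap_min=10, min_events=5, max_jitter=0.2):
    """Return (src, dest, mean_interval_s, jitter) for pairs that connect at
    least once per max_gap_min minutes with a near-constant interval."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        ts, src, dest = parts
        seen[(src, dest)].append(datetime.fromisoformat(ts))
    hits = []
    for (src, dest), times in seen.items():
        if len(times) < min_events:
            continue  # too few connections to judge a pattern
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) > max_gap_min * 60:
            continue  # went quiet for longer than X minutes: not persistent
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else 0.0  # coefficient of variation
        if jitter <= max_jitter:
            hits.append((src, dest, round(avg), round(jitter, 3)))
    return sorted(hits, key=lambda h: h[3])  # most regular first
```

Everything this returns still has to be sorted into the three categories above; keeping an allowlist of sanctioned VPN and remote-support destinations leaves the remainder as the set to investigate.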

Common Protocols Abused for C2

Cybercriminals are crafty in exploiting well-known protocols for their malicious purposes. Some common protocols used for C2 communications include:

  • IRC (Internet Relay Chat): Known for its use in communication between multiple users, IRC can be manipulated for C2 traffic due to its decentralized nature.

  • DNS (Domain Name System): C2 traffic over DNS involves using DNS requests and responses to exchange commands and data, often evading detection.

  • ICMP (Internet Control Message Protocol): Cybercriminals can utilize ICMP for C2 communications and data exfiltration. Varying packet sizes on the same connections can raise suspicions.

  • HTTP and HTTPS: Both HTTP and its encrypted counterpart, HTTPS, are frequently abused for C2 purposes. Malicious actors employ various techniques like content encoding, obfuscation, or encryption (using Base64 and XOR) to avoid detection.

C2 through HTTPS

HTTPS, the secure version of HTTP, is a preferred choice for C2 channels due to several advantages from an attacker’s perspective:

  • Blending In: HTTPS is commonly allowed for outbound traffic, making it less conspicuous and likely to be overlooked by network administrators.

  • Delayed TLS Handshake: Unlike typical HTTPS connections that initiate a TLS handshake early on, malicious HTTPS connections often delay the handshake until after the data transfer, which can raise red flags during analysis.

TLS Certificates and Handshakes

Although encryption is becoming increasingly prevalent in malware to evade signature-based detection, there are still signs that can tip off security professionals:

  • Certificate Information: Legitimate certificates contain detailed information like the issuer, validity dates, organization details, and more. Malicious certificates often lack such vital information, making them easier to identify.

  • High Entropy in Common Name (CN): Cybercriminals may employ random and high-entropy CN values in their certificates, indicating potential malicious activity.
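Both certificate signals can be checked on subject and issuer strings already extracted by a sensor. The following is an added example, not from the original article; the "CN=...,O=..." input layout, the thresholds, the sample values and the function names are assumptions.

```python
import math
from collections import Counter

def shannon_entropy(text):
    """Bits per character of the string's own character distribution."""
    if not text:
        return 0.0
    total = len(text)
    return -sum(n / total * math.log2(n / total) for n in Counter(text).values())

def parse_dn(dn):
    """Split a simple 'CN=a,O=b,C=US' distinguished name into a dict
    (no escaped commas; enough for the constructed samples below)."""
    return dict(part.strip().split("=", 1) for part in dn.split(",") if "=" in part)

def cert_findings(subject, issuer, entropy_threshold=4.0, min_cn_len=12):
    """Return the list of reasons a certificate looks anomalous."""
    subj, iss = parse_dn(subject), parse_dn(issuer)
    findings = []
    for attr in ("O", "C"):
        if not subj.get(attr):
            findings.append(f"subject missing {attr}")
    if not iss.get("O"):
        findings.append("issuer missing O")
    cn = subj.get("CN", "")
    # Short strings cannot reach a high entropy, so only score longer CNs.
    if len(cn) >= min_cn_len and shannon_entropy(cn) >= entropy_threshold:
        findings.append(f"high-entropy CN ({shannon_entropy(cn):.2f} bits/char)")
    return findings

# Constructed samples (subject DN, issuer DN); not taken from real certificates.
SAMPLES = {
    "typical": ("CN=www.example.com,O=Example Inc,L=Springfield,C=US",
                "CN=Example Issuing CA,O=Example Trust,C=US"),
    "sparse": ("CN=x7qk2vz9pw4mj8rt3hb6", "CN=x7qk2vz9pw4mj8rt3hb6"),
}
```

Domain-validated certificates legitimately omit the organization, so a single finding is a weak signal; the value is in certificates that accumulate several.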

TLS Fingerprinting: JA3 and JA3S

TLS fingerprinting is an effective method for detecting and tracking malicious communications:

  • JA3 (Client Fingerprinting): JA3 generates fingerprints of client applications based on specific fields in the TLS Client Hello packet. This helps identify malware attempting to establish connections.

  • JA3S (Server Fingerprinting): JA3S fingerprints server responses, allowing for the identification of suspicious servers.
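To make the client fingerprint concrete, here is an added example (not from the original article) that derives a JA3 value from raw Client Hello bytes: the version, cipher suites, extensions, elliptic curves and point formats are joined into a string, with GREASE values dropped, and MD5-hashed. The sample record is constructed, and the parser assumes a complete, unfragmented Client Hello in one TLS record.

```python
import hashlib

def is_grease(v):
    # GREASE placeholders (0x0a0a, 0x1a1a, ... 0xfafa) are ignored by JA3.
    return (v & 0x0F0F) == 0x0A0A and (v >> 8) == (v & 0xFF)

def u16_list(buf):
    return [int.from_bytes(buf[i:i + 2], "big") for i in range(0, len(buf) - 1, 2)]

def ja3_string(record):
    """Build the JA3 string from one TLS record holding a complete ClientHello."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    pos = 9                                   # 5-byte record + 4-byte handshake header
    version = int.from_bytes(record[pos:pos + 2], "big")
    pos += 2 + 32                             # version + client random
    pos += 1 + record[pos]                    # session id
    n = int.from_bytes(record[pos:pos + 2], "big")
    ciphers = u16_list(record[pos + 2:pos + 2 + n])
    pos += 2 + n
    pos += 1 + record[pos]                    # compression methods
    exts, curves, formats = [], [], []
    end = pos + 2 + int.from_bytes(record[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= min(end, len(record)):
        etype = int.from_bytes(record[pos:pos + 2], "big")
        elen = int.from_bytes(record[pos + 2:pos + 4], "big")
        data = record[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        exts.append(etype)
        if etype == 10:                       # supported_groups (elliptic curves)
            curves = u16_list(data[2:])
        elif etype == 11:                     # ec_point_formats
            formats = list(data[1:])
    fields = [[v for v in f if not is_grease(v)] for f in (ciphers, exts, curves)]
    fields.append(formats)
    return ",".join([str(version)] + ["-".join(map(str, f)) for f in fields])

def ja3_hash(record):
    # MD5 is used only as a compact identifier here, not for security.
    return hashlib.md5(ja3_string(record).encode(), usedforsecurity=False).hexdigest()

# Constructed ClientHello: TLS 1.2, two cipher suites, four extensions, GREASE entries.
_body = bytes.fromhex("0303") + bytes(32) + bytes.fromhex(
    "00" "00060a0ac02f009c" "0100"
    "0018" "0a0a0000" "000a00060004001d0017" "000b00020100" "00170000")
SAMPLE = (b"\x16\x03\x01" + (len(_body) + 4).to_bytes(2, "big")
          + b"\x01" + len(_body).to_bytes(3, "big") + _body)
```

Because the hash depends on the order and content of what the client offers, the same TLS library and configuration yields the same JA3 across destinations, which is what makes it useful for tracking a client across sessions.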

Challenges with Evolving Protocols

As technology progresses, new standards like TLS 1.3, DNS over HTTPS/DNS over TLS, and HTTP/2 & HTTP/3 bring new challenges to protocol analysis:

  • Mandatory Encryption: With encryption becoming the norm, reading certificate details is becoming harder, making it more difficult to identify potential threats.

  • Rogue DNS Server Usage: Preventing the use of rogue DNS servers is becoming increasingly complicated.

In conclusion, detecting suspicious HTTPS and TLS connections, especially those related to C2 traffic, is crucial in safeguarding networks and systems from cyber threats. By understanding common protocols used for C2 communications, analyzing TLS certificates and fingerprints, and leveraging tools like JA3 and JA3S, security teams can effectively bolster their defense mechanisms. Keeping up with evolving protocols and encryption standards is essential to stay ahead of cybercriminals and protect against emerging threats.