Command and control (C&C) in the world of cyber attacks involves malware calling out to a central server under the attacker’s control to signal its presence. The server can remotely control this malware to initiate an attack, maintaining a communication link and sending execution instructions to compromised devices when desired.
The cyber kill chain (developed by Lockheed Martin) models the process that attackers go through to achieve their ultimate goal of data exfiltration or system compromise.
It comprises seven stages: reconnaissance; weaponisation; delivery; exploitation; installation; command and control; and actions on objectives. Malware is sent and installed on devices through stages 3, 4 and 5, while stage 6 sees attackers taking control of the malware and issuing instructions.
Some of today’s more sophisticated cyber attacks successfully compress the early stages (1 to 5), making stage 6 command and control easier to get to. Furthermore, attacks frequently involve multiple command-and-control servers, making it increasingly difficult for security analysts and automated systems to detect and respond to this stage of the chain.
Given that an attacker is so close to achieving their desired objective delivering stage 7 of the cyber kill chain it is imperative that they are stopped from accomplishing command and control in stage 6, the penultimate stage. Remembering that security is not a product, but an approach combining technology, process and people, addressing command and control should be considered in these buckets.
There is no single technology product to prevent an attacker getting through stage 6 of the cyber kill chain. Combinations of products are needed, and it is the combined picture that will help a security analyst spot that C&C is being attempted.
Examples of technology products include network monitoring and traffic analysis, network intrusion detection system (NIDS), threat intelligence platforms, honeypots , network intrusion prevention system (NIPS), and user and entity behaviour analytics (UEBA).
Process security controls can include ensuring that users, systems and devices only have access to what is required commonly referred to as “ least privilege ”. This can help limit what an attacker can do when they have obtained a user’s credentials during the cyber kill chain.
You should also look out for escalation of privileges. Consider investigating azero-trust approach, where a user is required to authenticate and be authorised for each application being used, rather than having blanket access from network log-in.
Furthermore, perform regular scanning of networks and systems this is a three-way security control (people and technology, as well as process) to pick up anomalies, such as sleeping malware.
Security analysts add a crucial layer of people to the technology and process security controls. For example, they will review alerts from automated systems, designed to pick up unusual or suspicious activity that might indicate malware calling out to a central server.
We are seeing increased levels of automation in security products and processes this is positive news, freeing up hard-pressed security analysts to investigate the highest priority alerts, including those that have progressed significantly through the cyber kill chain.
Focusing on stage 6 of the cyber kill chain recognises that sometimes stages 1 to 5 cannot or will not be addressed. This indicates that some organisations have moved beyond a tick-box methodology and are instead moving towards an approach to addressing overall cyber security and digital risk.
