Graeme Dawes - Fotolia

Command and control communications key to detecting threats

Malware command and control (C&C) communications are key to detecting advanced threats, according to a security researcher

Traditional signature-based technologies are failing to detect advanced and previously unknown malware threats, according to Moshe Zioni, security research manager at Verint.

“Even technologies using anomaly detection and behaviour analytics are failing when it comes to unknown threats,” he told Computer Weekly.

There needs to be an additional approach, he said, that is robust and can correlate many more pieces of data to identify similarities and indicators of malicious activity than human analysts can.

Key to this approach is to focus on command and control (C&C) communications and to use machine learning technology to improve detection rates and efficiency, said Zioni.

He said C&C communications is a useful area of focus because it is the cornerstone of most forms of malware, which means it is almost always present.

And even though C&C is not essential to the main function of ransomware, which typically encrypts data and demands payment for the decryption key, there is often some C&C activity in the initiation phase.

“So at least some C&C communication is inevitable when it comes to malware, and it is the one element of any malware that is least likely to change from one version or variant to another.”

While other elements of malware can change radically from one version to the next, Zioni said the C&C communications element often remains unchanged or changes very little.

“The fact that C&C communications is such a common element and changes little from version to version makes it a good place to start in terms of a detection strategy,” he said.

However, Zioni said defenders should ideally look at network communications in conjunction with endpoint data, because just looking at one or the other risks missing some indicators of compromise.

The best strategy, according to Zioni, is to monitor the whole IT environment, and then use machine learning technology to identify C&C communications patterns in the data.

“Unlike a human analyst, machine learning technology can extrapolate from tens of thousands, perhaps millions, of samples to predict the small changes in C&C communications that take place from one version to the next,” he said.

Read more about machine learning

Machine learning technology is also able to analyse network communications in real time, which is not possible for human analysts when the data is moving at speeds of 1Gbps or more.

“A robust machine can learn to be more flexible in its results and extrapolate more generously to present a wider range for the human analysts to consider,” said Zioni.

Machine learning technology in this context, he said, is not a replacement for human analysts, but a way of making them more effective by filtering out most of the false positives and other irrelevant data.

“As a result, the human analysts have an acceptable amount of data to deal with to enable them to make a final determination on what is an indicator of malicious behaviour and what is not, which can then be fed back into the machine learning technology to refine its capabilities as part of a supervised learning approach,” he said.


Moshe Zioni will explore this topic in greater depth in a presentation entitled On the hunt for advanced attacks? at Infosecurity Europe 2017 in London, which takes place from 6-8 June. 

Read more on Hackers and cybercrime prevention