Security Think Tank: Three steps to detect malware comms
As attackers begin to use multiple command and control systems to communicate with backdoors and other malware, how can organisations ensure that they detect such methods and that all C&C systems are removed, including “sleepers” designed to be activated at a future date?
Attackers using multiple command and control (C&C) systems to communicate with backdoors and other malware present a complicated problem, and it is one of the tougher scenarios a security professional can run up against.
We are accustomed to clicking on something, triggering a response, and activating the precautionary measures we have in place. However, these attacks can be particularly nefarious, especially when coupled with zero-day threats. In this scenario, we don’t have sight of what attackers are after, what they do or whether the payload will deliver.
With this in mind, here are three ways to help prepare for, and protect against, this method of attack:
Tune your networks to maintain close visibility of outbound traffic
By the time you have discovered suspicious outbound traffic, attackers are often already inside your network, which means the attack has reached the point of exfiltrating data.
Good firewall hygiene is key here – make sure you document all the ports that need to be opened, and run a risk matrix to ensure you have the right ones open, that everything else is shut down, and that you are looking for these types of unauthorised outbound communications that are attempting to transmit data.
Your insider threat application can act as another layer to monitor for this exfiltration. Look for outbound signatures or other suspicious programs moving outside your network, so that you can act quickly.
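To make the outbound-visibility step concrete, here is an added example, written for this edit rather than taken from the article or any product it mentions. It takes a documented list of permitted egress ports (a hypothetical policy, standing in for the risk matrix described above), runs a few constructed firewall log lines through it, and reports three things a defender would want flagged: connections to ports the policy does not allow, single connections pushing an unusually large volume out, and source/destination pairs that reconnect on a near-constant schedule, which is what a sleeper's periodic check-in to a C&C server tends to look like in egress logs. The log format, IP addresses, port policy and thresholds are all assumptions for illustration.

```python
"""Egress review over constructed firewall log lines (added example).

Assumptions: a whitespace-separated "<timestamp> <src> <dst> <dport> <bytes_out>"
log format, a hypothetical allowed-ports policy, and illustrative thresholds.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Hypothetical egress policy: the documented ports that may leave the network.
ALLOWED_EGRESS_PORTS = {53, 80, 443}

# Constructed sample log lines (not real traffic). One host calls the same
# destination every five minutes, one uses an unapproved port, one pushes a
# large upload in a single connection.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 203.0.113.10 443 1200
2024-05-01T10:05:00 10.0.0.5 203.0.113.10 443 1180
2024-05-01T10:10:00 10.0.0.5 203.0.113.10 443 1210
2024-05-01T10:15:00 10.0.0.5 203.0.113.10 443 1195
2024-05-01T10:20:00 10.0.0.5 203.0.113.10 443 1205
2024-05-01T10:01:00 10.0.0.7 198.51.100.20 8443 500
2024-05-01T10:02:30 10.0.0.9 203.0.113.40 443 52000000
2024-05-01T10:03:00 10.0.0.9 192.0.2.14 80 900
2024-05-01T10:17:00 10.0.0.9 192.0.2.14 80 950
"""


def parse_log(text):
    """Turn the log lines into event dicts with typed fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, bytes_out = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "dst": dst,
            "dport": int(dport),
            "bytes_out": int(bytes_out),
        })
    return events


def find_policy_violations(events, allowed_ports):
    """Outbound connections to ports the documented policy does not permit."""
    return [e for e in events if e["dport"] not in allowed_ports]


def find_large_uploads(events, threshold_bytes):
    """Single connections sending more data out than the threshold."""
    return [e for e in events if e["bytes_out"] > threshold_bytes]


def find_beacons(events, min_connections=4, max_jitter=0.1):
    """(src, dst) pairs that reconnect at near-constant intervals.

    Regularity is the coefficient of variation (stdev / mean) of the gaps
    between consecutive connections; below max_jitter the host is calling
    out on a timer rather than in response to user activity.
    """
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e["ts"])
    beacons = []
    for pair, stamps in sorted(by_pair.items()):
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_jitter:
            beacons.append(pair)
    return beacons


def review(text, allowed_ports=ALLOWED_EGRESS_PORTS, upload_threshold=10_000_000):
    """Run all three checks and return the findings keyed by check name."""
    events = parse_log(text)
    return {
        "policy_violations": find_policy_violations(events, allowed_ports),
        "large_uploads": find_large_uploads(events, upload_threshold),
        "beacons": find_beacons(events),
    }


if __name__ == "__main__":
    for finding, hits in review(SAMPLE_LOG).items():
        print(finding, hits)
```

In practice the input would be the firewall's own connection export rather than the inline sample, and the port list, upload threshold and jitter tolerance need tuning to the environment: legitimate software updaters also poll on a schedule, so a beacon hit is a lead to investigate against the documented policy, not a verdict on its own.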
Deploy a security system that looks out for abnormal behaviour
Have an “intelligent” security system in place that learns and that can work offline. A system that spots any abnormalities and isolates and blocks them – even if it doesn’t know what they are – is your best bet, particularly when it comes to something in the sleep cycle or a potential zero-day vulnerability.
If you have a system in place that can hold an abnormality at bay and set off an alert, this is the best chance to catch something before it impacts your network.
Also, aim to consolidate your monitoring systems so that your endpoints are reporting to a common area, and so you can see a path, trace it and isolate it, and at that point try to prevent it from ever happening again.
Don’t disregard general security hygiene
As well as making sure there are working system backups, ensure that endpoint backups are also prioritised. That way, if you find only one person is affected by malware, you can take them off the network and roll them back to a state 15 minutes before.
Make sure you have a good, solid network in place, good firewalls and endpoint protections, that you are whitelisting and blacklisting, and have appropriate access controls in place.
Having east-west protection in place is also worth prioritising, so if something does get in, it minimises the amount of corruption and the amount of damage you will see. This should also be coupled with a robust response plan.
Teams that have prepared and are briefing executives on the risks are the ones that generally tend to be least impacted by these attacks.