Command & Control: Understanding, Denying and Detecting

Joseph Gardiner, Marco Cova, Shishir Nagaraja

Research output: Book/Report › Commissioned report

Abstract

One of the leading problems in cyber security today is the emergence of targeted attacks conducted by adversaries with access to sophisticated tools, sometimes referred to as Advanced Persistent Threats (APTs). These attacks target specific organisations or individuals and aim at establishing a continuous and undetected presence in the targeted infrastructure. The goal of these attacks is often espionage: stealing valuable intellectual property and confidential documents.

As trends and anecdotal evidence show, providing effective defences against targeted attacks is a challenging task. In this report, we restrict our attention to a specific part of this problem: specifically, we look at the Command and Control (C2) channel establishment, which, as we will see, is an essential step of current attacks. Our goals are to understand C2 establishment techniques, and to review approaches for the detection and disruption of C2 channels.

More precisely, we first briefly review the current state of cyber attacks, highlighting significant recent changes in how and why such attacks are performed. This knowledge is foundational to understand C2 techniques and to design effective countermeasures.

We then investigate the “mechanics” of C2 establishment: we provide a comprehensive review of the techniques used by attackers to set up such a channel and to hide its presence from the attacked parties and the security tools they use.

Finally, we switch to the defensive side of the problem, and review approaches that have been proposed for the detection and disruption of C2 channels. We also map such techniques to widely-adopted security controls, emphasizing gaps or limitations (and success stories) in current best practices.
Language: English
Place of Publication: Birmingham
Commissioning body: Centre for the Protection of National Infrastructure
Number of pages: 38
Publication status: Published - 28 Feb 2014


Keywords

  • cyber security
  • advanced persistent threats
  • APTs

Cite this

Gardiner, Joseph ; Cova, Marco ; Nagaraja, Shishir. / Command & Control : Understanding, Denying and Detecting. Birmingham, 2014. 38 p.
@book{68c363dcb42a4eba95c0e88bde3efe20,
title = "Command & Control: Understanding, Denying and Detecting",
abstract = "One of the leading problems in cyber security today is the emergence of targeted attacks conducted by adversaries with access to sophisticated tools, sometimes referred to as Advanced Persistent Threats (APTs). These attacks target specific organisations or individuals and aim at establishing a continuous and undetected presence in the targeted infrastructure. The goal of these attacks is often espionage: stealing valuable intellectual property and confidential documents. As trends and anecdotal evidence show, providing effective defences against targeted attacks is a challenging task. In this report, we restrict our attention to a specific part of this problem: specifically, we look at the Command and Control (C2) channel establishment, which, as we will see, is an essential step of current attacks. Our goals are to understand C2 establishment techniques, and to review approaches for the detection and disruption of C2 channels. More precisely, we first briefly review the current state of cyber attacks, highlighting significant recent changes in how and why such attacks are performed. This knowledge is foundational to understand C2 techniques and to design effective countermeasures. We then investigate the “mechanics” of C2 establishment: we provide a comprehensive review of the techniques used by attackers to set up such a channel and to hide its presence from the attacked parties and the security tools they use. Finally, we switch to the defensive side of the problem, and review approaches that have been proposed for the detection and disruption of C2 channels. We also map such techniques to widely-adopted security controls, emphasizing gaps or limitations (and success stories) in current best practices.",
keywords = "cyber security, advanced persistent threats, APTs",
author = "Joseph Gardiner and Marco Cova and Shishir Nagaraja",
note = "Work commissioned by CPNI, available at c2report.org. 38 pages. Listing abstract compressed from version appearing in report",
year = "2014",
month = "2",
day = "28",
language = "English",
}

Command & Control : Understanding, Denying and Detecting. / Gardiner, Joseph; Cova, Marco; Nagaraja, Shishir.

Birmingham, 2014. 38 p.

Research output: Book/Report › Commissioned report

TY - BOOK
T1 - Command & Control
T2 - Understanding, Denying and Detecting
AU - Gardiner, Joseph
AU - Cova, Marco
AU - Nagaraja, Shishir
N1 - Work commissioned by CPNI, available at c2report.org. 38 pages. Listing abstract compressed from version appearing in report
PY - 2014/2/28
Y1 - 2014/2/28
N2 - One of the leading problems in cyber security today is the emergence of targeted attacks conducted by adversaries with access to sophisticated tools, sometimes referred to as Advanced Persistent Threats (APTs). These attacks target specific organisations or individuals and aim at establishing a continuous and undetected presence in the targeted infrastructure. The goal of these attacks is often espionage: stealing valuable intellectual property and confidential documents. As trends and anecdotal evidence show, providing effective defences against targeted attacks is a challenging task. In this report, we restrict our attention to a specific part of this problem: specifically, we look at the Command and Control (C2) channel establishment, which, as we will see, is an essential step of current attacks. Our goals are to understand C2 establishment techniques, and to review approaches for the detection and disruption of C2 channels. More precisely, we first briefly review the current state of cyber attacks, highlighting significant recent changes in how and why such attacks are performed. This knowledge is foundational to understand C2 techniques and to design effective countermeasures. We then investigate the “mechanics” of C2 establishment: we provide a comprehensive review of the techniques used by attackers to set up such a channel and to hide its presence from the attacked parties and the security tools they use. Finally, we switch to the defensive side of the problem, and review approaches that have been proposed for the detection and disruption of C2 channels. We also map such techniques to widely-adopted security controls, emphasizing gaps or limitations (and success stories) in current best practices.
AB - One of the leading problems in cyber security today is the emergence of targeted attacks conducted by adversaries with access to sophisticated tools, sometimes referred to as Advanced Persistent Threats (APTs). These attacks target specific organisations or individuals and aim at establishing a continuous and undetected presence in the targeted infrastructure. The goal of these attacks is often espionage: stealing valuable intellectual property and confidential documents. As trends and anecdotal evidence show, providing effective defences against targeted attacks is a challenging task. In this report, we restrict our attention to a specific part of this problem: specifically, we look at the Command and Control (C2) channel establishment, which, as we will see, is an essential step of current attacks. Our goals are to understand C2 establishment techniques, and to review approaches for the detection and disruption of C2 channels. More precisely, we first briefly review the current state of cyber attacks, highlighting significant recent changes in how and why such attacks are performed. This knowledge is foundational to understand C2 techniques and to design effective countermeasures. We then investigate the “mechanics” of C2 establishment: we provide a comprehensive review of the techniques used by attackers to set up such a channel and to hide its presence from the attacked parties and the security tools they use. Finally, we switch to the defensive side of the problem, and review approaches that have been proposed for the detection and disruption of C2 channels. We also map such techniques to widely-adopted security controls, emphasizing gaps or limitations (and success stories) in current best practices.
KW - cyber security
KW - advanced persistent threats
KW - APTs
M3 - Commissioned report
BT - Command & Control
CY - Birmingham
ER -

Gardiner J, Cova M, Nagaraja S. Command & Control: Understanding, Denying and Detecting. Birmingham, 2014. 38 p.