Most malware today has some form of command and control (C2): a channel the attacker uses to exfiltrate data, hand the implant its next instructions, or, in the case of ransomware, fetch encryption keys.

In every one of these cases the attacker is reaching into the network from a remote location, so the C2 traffic has to cross the network boundary. Visibility into what is happening on the network is therefore crucial to detecting and disrupting these techniques.

Using a Firewall

In many cases, a properly configured firewall that limits what data can leave endpoints, and the network as a whole, will help. Some malware families try to hide their traffic on unusually high ports, which strict egress filtering blocks outright; others deliberately use ports such as 80 and 443 to blend into normal web traffic, and those connections will pass an egress filter that only looks at port numbers.

For the latter, you will want a perimeter firewall that consumes threat intelligence feeds to identify known-malicious URLs and IP addresses. This will not stop every attack, but it filters out a good deal of commodity malware whose infrastructure is already known.

If the perimeter firewall cannot consume threat intelligence, send the firewall and other perimeter logs to a centralized logging server that can match them against intelligence feeds and support further analysis. Tools like Splunk or the ELK stack are a great resource for hunting malicious command and control traffic in this data.

Running network traffic through Bro IDS (now called Zeek) is another option for finding anomalous network behavior: its connection log records every flow the sensor sees, and again the logs can be sent to Splunk or ELK for further analysis.
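As an added example (not code from the original post), the two checks described above, a threat-intelligence match and a search for timer-driven beaconing, run over a handful of constructed Bro/Zeek conn.log records. The log lines, the addresses and the blocklist are all hypothetical; only a subset of the real conn.log columns is used.

```python
"""Flag possible command-and-control traffic in Bro/Zeek conn.log records.

Added example: a threat-intel match plus a simple beacon-interval check.
The log lines, addresses and blocklist below are constructed for this
example; they are not real indicators.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed conn.log excerpt (tab-separated). Columns used, in order:
# ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, service.
CONN_LOG = """\
1700000000.00\t10.1.5.23\t51000\t198.51.100.7\t443\ttcp\tssl
1700000060.10\t10.1.5.23\t51004\t198.51.100.7\t443\ttcp\tssl
1700000120.05\t10.1.5.23\t51010\t198.51.100.7\t443\ttcp\tssl
1700000180.20\t10.1.5.23\t51016\t198.51.100.7\t443\ttcp\tssl
1700000240.00\t10.1.5.23\t51021\t198.51.100.7\t443\ttcp\tssl
1700000012.00\t10.1.5.40\t52000\t93.184.216.34\t443\ttcp\tssl
1700000910.00\t10.1.5.40\t52011\t93.184.216.34\t443\ttcp\tssl
1700000030.00\t10.1.5.51\t53000\t203.0.113.9\t8443\ttcp\t-
"""

# Constructed threat-intel feed: one hypothetical known-bad address.
THREAT_INTEL = {"203.0.113.9"}


def parse_conn_log(text):
    """Parse the conn.log subset above into a list of dicts, skipping comments."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, orig_h, _orig_p, resp_h, resp_p, proto, service = line.split("\t")
        records.append({"ts": float(ts), "orig_h": orig_h, "resp_h": resp_h,
                        "resp_p": int(resp_p), "proto": proto, "service": service})
    return records


def intel_hits(records, blocklist):
    """Return (src, dst, port) for every connection to a blocklisted address."""
    return sorted({(r["orig_h"], r["resp_h"], r["resp_p"])
                   for r in records if r["resp_h"] in blocklist})


def beacon_candidates(records, min_conns=4, max_jitter=0.1):
    """Return ((src, dst, port), mean_gap_s) for pairs that connect on a timer.

    C2 implants that poll on a fixed interval produce inter-connection gaps
    whose standard deviation is small relative to their mean (low coefficient
    of variation). Pairs with too few connections are ignored, so a couple of
    ordinary visits to the same site do not trigger it.
    """
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["orig_h"], r["resp_h"], r["resp_p"])].append(r["ts"])
    found = []
    for pair, times in by_pair.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            found.append((pair, round(avg, 1)))
    return found


if __name__ == "__main__":
    recs = parse_conn_log(CONN_LOG)
    for hit in intel_hits(recs, THREAT_INTEL):
        print("threat-intel match:", hit)
    for pair, gap in beacon_candidates(recs):
        print("possible beacon every %.1fs:" % gap, pair)
```

Port 443 and a TLS handshake do not make the 10.1.5.23 traffic look legitimate here: the interval pattern gives it away even though the destination is not on any feed, which is why both checks are worth running in the SIEM rather than relying on the blocklist alone. The jitter threshold is a tuning knob; implants that randomize their sleep widely need a looser threshold or a different feature.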

Network Segmentation

Proper network segmentation also helps here. I like to use credit card scraping malware as the example of how segmentation limits the damage.

Point-of-sale (POS) machines have predictable configurations and talk only to predictable locations on the local network and, where necessary, on the Internet. Should a piece of
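To illustrate the point about predictable POS destinations, here is an added example (not from the original post) of a default-deny segment policy evaluated against a few flows. The segments, hosts and flows are constructed for illustration; the evaluator is a plain first-match rule check using the standard ipaddress module, standing in for whatever the segment firewall actually does.

```python
"""Evaluate flows from a POS segment against a default-deny allowlist.

Added example: a first-match rule evaluator over constructed segments and
flows (all addresses hypothetical). Anything a rule does not allow is denied.
"""
import ipaddress


def net(cidr):
    return ipaddress.ip_network(cidr)


# Constructed segments and servers.
POS_SEGMENT    = net("10.20.0.0/24")   # card terminals
OFFICE_SEGMENT = net("10.30.0.0/24")   # staff workstations
PAYMENT_GW     = net("10.10.1.5/32")   # local payment gateway
UPDATE_SRV     = net("10.10.2.10/32")  # POS software update server
INTERNAL_DNS   = net("10.10.3.0/24")
ANY            = net("0.0.0.0/0")

# Allow rules as (src, dst, proto, dport); None means "any". POS terminals
# only ever need the gateway, the update server and internal DNS, so that is
# all they get. The office segment is deliberately more permissive.
POLICY = [
    (POS_SEGMENT, PAYMENT_GW, "tcp", 443),
    (POS_SEGMENT, UPDATE_SRV, "tcp", 443),
    (POS_SEGMENT, INTERNAL_DNS, "udp", 53),
    (OFFICE_SEGMENT, ANY, "tcp", 80),
    (OFFICE_SEGMENT, ANY, "tcp", 443),
    (OFFICE_SEGMENT, INTERNAL_DNS, "udp", 53),
]


def evaluate(policy, src, dst, proto, dport):
    """Return 'allow' on the first matching rule, otherwise 'deny'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r_src, r_dst, r_proto, r_port in policy:
        if (s in r_src and d in r_dst
                and r_proto in (None, proto) and r_port in (None, dport)):
            return "allow"
    return "deny"


# Constructed flows: what a compromised POS terminal, and an office
# workstation, might try. 198.51.100.7 plays the role of a C2 server.
FLOWS = [
    ("10.20.0.7", "10.10.1.5", "tcp", 443),     # POS -> payment gateway
    ("10.20.0.7", "10.10.2.10", "tcp", 443),    # POS -> update server
    ("10.20.0.7", "198.51.100.7", "tcp", 443),  # POS -> C2 hiding on 443
    ("10.20.0.7", "10.20.0.15", "tcp", 445),    # POS -> neighbouring POS
    ("10.30.0.5", "198.51.100.7", "tcp", 443),  # office -> same C2 host
]


def audit(policy, flows):
    """Pair each flow with the verdict the policy would give it."""
    return [(flow, evaluate(policy, *flow)) for flow in flows]


if __name__ == "__main__":
    for flow, verdict in audit(POLICY, FLOWS):
        print(verdict.ljust(5), "%s -> %s:%d/%s" % (flow[0], flow[2 - 1], flow[3], flow[2]))
```

Two things worth noticing. The C2 callback on 443 is denied from the POS segment purely because the destination is not on the terminals' short list, so blending in on a common port buys the attacker nothing there; the same connection from the office segment is allowed, which is exactly the traffic the threat-intelligence and logging layer described earlier has to catch. The POS-to-POS flow is only denied if the segment firewall actually sits in that path; hosts on the same VLAN talk to each other without crossing it unless you use private VLANs or host firewalls, so a rule like this needs to be paired with one of those to stop lateral movement inside the segment.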