Cyber Security Threat Actors Use Multiple Command and Control (C2) Servers to Distribute and Communicate With Their Malware

Cyber threat actors often use a variety of C2 servers to evade detection and improve resiliency of their attack campaigns. Single point of failure attacks, e.g., WannaCry’s kill switch, run the risk of having this point identified and disabled, bringing an attack campaign to an abrupt end. Use of a single set of C2 nodes also runs the risk of an accidental denial of service (DOS) of these servers by a highly successful attack campaign. For these reasons, threat actors will deploy multiple C2 servers to distribute and communicate with their malware.

Identification of the infrastructure used by a threat actor in an attack is valuable to a network defender for many reasons. If all communication channels used by malware are identified and blocked, the threat posed by the malware is essentially eliminated. Identification and correlation of C2 servers used by multiple attack campaigns suggests a link between them, which may aid in analysis and accelerate deployment of appropriate defensive countermeasures.

FDR Threat Actor Infrastructure Detection and Tracking

InQuest has developed and integrated an array of in-house and third-party tools for the detection and prevention of threat actor infrastructure. These tools help identify and correlate threat actor infrastructure elements used across attack campaigns. Further buttressed by InQuest Labs research, FDR is able to identify and mitigate malware campaigns by identifying threat actor infrastructure that is activated specifically for client targeting.

How FDR Stops Threat Actors in Cyber Security

A host of integrated capabilities automate the discovery / detection effort required to find multiple C2 servers in action:

Real-Time Network Traffic Monitoring

InQuest provides real-time monitoring of network traffic passing through the protected network perimeter through the use of a Collector passively collecting traffic via a TAP or SPAN. Sessions are reconstructed and analyzed using several proprietary InQuest native capture tools.

Automated Signature Scanning

InQuest provides their clients with the capability to import InQuest Labs provided signatures either manually or automatically. Users are also able to define and upload their own signatures and enable or disable them via Policy definition to meet their needs. The InQuest Threat Discovery Engine (TDE) uses these signatures to identify malware entering the network, providing a starting point for mapping a threat actor’s attack infrastructure.

DNS monitoring for known bad domains

Included in InQuest’s feed packs is a list of currently known malicious domains scraped from a variety of internal, private, and public sources. Each domain resolution attempt made from within a protected network is checked against this list and an alert is raised in the event of a match. Identification of an infected machine allows analysts to identify the malware and infection vector of the machine as well as analyze this data for further clues about the threat actor’s operations (IP addresses, domains, etc.).

InQuest Artifact Extractor

InQuest Collectors include a built-in network traffic artifact extraction engine which extracts metadata from network sessions passing through the network perimeter. This metadata includes IP addresses, URLs, domains, files, and file hashes and can be invaluable in identifying and attributing various malicious content and different aspects of the same attack campaign.

Recursive File Dissection

InQuest has developed a recursive file dissection engine designed to unwrap the layers of obfuscation employed by hackers to mask and protect their malicious code. Hackers do not wish for their malicious content to be commonly known (since they would be promptly added to blacklists), so they often hide this information within files and/or objects in a variety of ways, forcing analysts to spend valuable time verifying that they have identified all of the infrastructure that the malware may contact. InQuest’s file dissection engine automatically unravels the protections placed around this information, accelerating the pace at which the threat actor’s infrastructure is identified and mitigated.

Sandboxes and Automated Malware Analysis Engines

InQuest provides seamless integration of multiple third-party sandboxes and automated malware analysis engines, including Cuckoo Sandbox, Joe Sandbox, CrowdStrike Sandbox, and Trellix. These tools are valuable for extracting hidden information from malware. They allow the malware to execute in a protected environment and identify files, domains and IPs that the malware attempts to contact. This intelligence can be correlated with information gained from other sources to provide greater visibility into a threat actor’s infrastructure.

InQuest Automatic Updates

InQuest collects threat intelligence from a variety of sources. Internally, experience from dealing with real-world attacks on a daily basis provides knowledge regarding current attack trends. Private information is shared through a network of partnerships with Exodus Intelligence and other research organizations. Public information is collected and aggregated through crawlers that search public intelligence repositories. This information is available to InQuest clients via InQuest Automatic Updates. These code, signature, and intelligence updates from the InQuest cloud are available for manual download as well.

InQuest Threat Exchange

The InQuest Threat Exchange is a cloud-based forum for collaboration between InQuest clients across the globe. This cloud-based threat score repository stores information regarding suspicious IP addresses, domains, files, and hashes and enables defenders to collaborate to quickly build a map of the infrastructure supporting a given attack.

InQuest User Interface

InQuest is designed to simplify the network defender’s experience. The InQuest User Interface (UI) provides a high degree of control to the user and powerful search and data correlation capabilities. Behind the scenes, every network session passing the network boundary is analyzed and labeled with a threat score. Once an indicator of an attack campaign is identified (a file, URL, domain name, etc.), the UI can be used to identify related information and trigger and access the results of integrated tools. Signatures based on extracted information can be easily defined and scanned against within the UI. The UI also allows scanning in RetroHunt mode to detect attacks performed before signatures had been developed.