Security Think Tank: Combine tech, process and people to block malware comms

Source: Vsoft, 04/11/2018


Command and control (C&C) in the world of cyber attacks involves
malware calling out to a central server under the attacker’s
control to signal its presence. The server can remotely control
this malware to initiate an attack, maintaining a communication
link and sending execution instructions to compromised devices
when desired.
The cyber kill chain (developed by Lockheed Martin) models the
process that attackers go through to achieve their ultimate goal
of data exfiltration or system compromise.
It comprises seven stages: reconnaissance; weaponisation;
delivery; exploitation; installation; command and control; and
actions on objectives. Malware is sent and installed on devices
through stages 3, 4 and 5, while stage 6 sees attackers taking
control of the malware and issuing instructions.
Some of today’s more sophisticated cyber attacks successfully
compress the early stages (1 to 5), making stage 6, command and
control, easier to get to. Furthermore, attacks frequently
involve multiple command-and-control servers, making it
increasingly difficult for security analysts and automated systems
to detect and respond to this stage of the chain.
Given that an attacker is so close to achieving their desired
objective (delivering stage 7 of the cyber kill chain), it is
imperative that they are stopped from accomplishing command and
control in stage 6, the penultimate stage. Remembering that
security is not a product, but an approach combining technology,
process and people, addressing command and control should be
considered in these three buckets.
There is no single technology product to prevent an attacker
getting through stage 6 of the cyber kill chain. Combinations of
products are needed, and it is the combined picture that will help
a security analyst spot that C&C is being attempted.
Examples of technology products include network monitoring and
traffic analysis, network intrusion detection system (NIDS),
threat intelligence platforms, honeypots, network intrusion
prevention system (NIPS), and user and entity behaviour analytics
(UEBA).
Process security controls can include ensuring that users, systems
and devices only have access to what is required, commonly
referred to as “least privilege”. This can help limit what an
attacker can do when they have obtained a user’s credentials
during the cyber kill chain.
You should also look out for escalation of privileges. Consider
investigating a zero-trust approach, where a user is required to
authenticate and be authorised for each application being used,
rather than having blanket access from network log-in.
Furthermore, perform regular scanning of networks and systems
(a three-way security control, spanning people and technology as
well as process) to pick up anomalies, such as sleeping malware.
Security analysts add a crucial layer of people to the technology
and process security controls. For example, they will review
alerts from automated systems, designed to pick up unusual or
suspicious activity that might indicate malware calling out to a
central server.
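The network-monitoring products listed earlier and the alerts the analysts review both rest on the same kind of check: spotting a host that contacts one destination on a near-constant timer, which is how much malware "calls out" to its server. The block below is an added example and not code from the article or from Vsoft; the log format, IP addresses and host names are constructed, and the threshold values (at least four connections, coefficient of variation at or below 0.1) are assumptions chosen for the sample rather than tuned figures.

```python
"""Beaconing detector over constructed proxy log lines.

Added example (not from the article): flags (source, destination) pairs whose
outbound connections recur at near-constant intervals, one signal of malware
calling out to a command-and-control server. All data below is constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "timestamp src_ip dest_host bytes_out" (not real traffic).
# 10.0.0.5 talks to update.example-cdn.test roughly every 300 seconds with
# only a second or two of jitter; the other entries look like ordinary use.
SAMPLE_LOG = """\
2018-04-11T09:00:00 10.0.0.5 update.example-cdn.test 312
2018-04-11T09:00:03 10.0.0.5 mail.example.test 9120
2018-04-11T09:05:01 10.0.0.5 update.example-cdn.test 315
2018-04-11T09:10:00 10.0.0.5 update.example-cdn.test 310
2018-04-11T09:12:44 10.0.0.5 docs.example.test 40211
2018-04-11T09:15:02 10.0.0.5 update.example-cdn.test 314
2018-04-11T09:20:00 10.0.0.5 update.example-cdn.test 311
2018-04-11T09:25:01 10.0.0.5 update.example-cdn.test 313
2018-04-11T09:01:10 10.0.0.7 docs.example.test 1200
2018-04-11T09:31:55 10.0.0.7 docs.example.test 5400
2018-04-11T09:33:02 10.0.0.7 mail.example.test 200
2018-04-11T10:02:40 10.0.0.7 docs.example.test 800
"""


def parse_log(text):
    """Return {(src, dest): [datetime, ...]} from the constructed log format."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dest, _bytes_out = line.split()
        sessions[(src, dest)].append(datetime.fromisoformat(ts))
    return sessions


def connection_gaps(timestamps):
    """Seconds between consecutive connections, in time order."""
    times = sorted(timestamps)
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


def beacon_score(timestamps):
    """Coefficient of variation (stdev / mean) of the gaps between connections.

    Near 0 means the gaps are almost identical, which is machine-like
    beaconing; human browsing gives irregular gaps and a high score.
    Returns None when there are too few connections to judge.
    """
    gaps = connection_gaps(timestamps)
    if len(gaps) < 3:
        return None
    avg = mean(gaps)
    if avg == 0:
        return None
    return pstdev(gaps) / avg


def find_beacons(text, min_connections=4, max_cv=0.1):
    """Return [(src, dest, mean_gap_seconds, cv)] for pairs that look like beacons.

    min_connections and max_cv are assumed thresholds for this sample; in a
    real deployment they would be tuned against the organisation's baseline.
    """
    hits = []
    for (src, dest), stamps in parse_log(text).items():
        if len(stamps) < min_connections:
            continue
        cv = beacon_score(stamps)
        if cv is not None and cv <= max_cv:
            hits.append((src, dest, round(mean(connection_gaps(stamps))), round(cv, 3)))
    return hits


if __name__ == "__main__":
    for src, dest, period, cv in find_beacons(SAMPLE_LOG):
        print(f"ALERT beacon-like traffic {src} -> {dest} every ~{period}s (cv={cv})")
```

An alert like this is exactly the sort of automated output the article wants an analyst to triage: the detector does not say the destination is malicious (software update checks beacon too), only that the pattern deserves a look, ideally alongside threat-intelligence lookups on the destination and UEBA context on the host.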
We are seeing increased levels of automation in security products
and processes. This is positive news, freeing up hard-pressed
security analysts to investigate the highest priority alerts,
including those that have progressed significantly through the
cyber kill chain.
Focusing on stage 6 of the cyber kill chain recognises that
sometimes stages 1 to 5 cannot or will not be addressed. This
indicates that some organisations have moved beyond a tick-box
methodology and are instead moving towards an approach to
addressing overall cyber security and digital risk.