Implementing cost-effective cyber security (part 2 of 2)

This post continues on the theme that began in yesterday's post: Implementing cost-effective cyber security (part 1).

One characteristic of command and control channels is permanence. Setting up a monitoring system is fairly simple: the goal is to find all permanent TCP connections between an internal network address A and en external address B. The TCP connection does not have remain constant but the endpoints do.

As this involves analysing solely traffic, the communication channel cannot be hidden by using encryption. Monitoring often uncovers not only malware but also unauthorised solutions that bypass security policies such as unauthorised VPN or SSL/TLS tunnels.

Find out how data is smuggled out

C&C channels can also utilise other protocols in addition to TCP.  ICMP protocol echo and echo-reply are often allowed for diagnostic purposes. These packages can also transport data.  The normal reply to a ping is a package with identical data content.  By checking the logs for ping pairs with differing data content it is possible to find the C&C channel for malware or a channel built for smuggling out stolen data.

DNS queries can also be used as a C&C channel. Check DNS queries for queries with either an unusual large amount of data or high entropy data. Even a large number of DNS logs can be filtered so that only queries that deviate from the norm are selected for closer study.

All of the above-mentioned methods will also produce false positives, ie. hits that are not malware. And it's also likely that some sophisticated malware will go undetected. However, it's possible to weed out the false positives with a fairly small amount of effort.  The fact that some malware will go undetected is no reason to forego monitoring altogether: it is cost-effective and certainly better than doing nothing at all.

The author, Pekka Viitasalo, works at Nixu as a leading consultant on the Adaptive Solutions Team with cost-effective cyber security as his motto.