Targeted attacks are typically remotely orchestrated via C&C communications between the infiltrated systems and the attackers themselves. Advanced malware used for an attack will "call back" for additional downloads and new instructions. Throughout the attack, the perpetrators will also use this channel to open and manipulate backdoor network access to discover and exfiltrate their targeted data.
Identifying and responding to C&C communications is a critical factor in detecting a targeted attack, but unlike large-scale botnets, the intermittent and low-volume APT C&C traffic is difficult to detect. And the attackers don't make it easy, attempting to hide C&C traffic with techniques such as changing and redirecting addresses, using legitimate applications and sites as the conduit, and even setting up C&C servers within a customer's network.
"Most security vendors lack the expertise, scale, technology and resources to reliably identify the various types of C&C. And when their web, messaging or endpoint products do detect a C&C, it's likely to be simply blocked or logged without notice – the same way any minor event is handled. So in most cases, the organization never knows that it may be under a serious targeted attack," Steve Quane, chief product officer at Trend Micro.
Enterprise security teams need to reliably answer these critical questions:
- Is there C&C activity on my network?
- Is it a simple botnet or a possible targeted attack?
- How risky is it? Where and whom is it from?
- Should I immediately block and remediate or monitor it further?
How it works
The Trend Micro Smart Protection Network automatically identifies active C&C sites worldwide based on daily processing of 12 Billion IP/URL inquires and the correlation of over six Terabytes of data. Its correlation engines keep up with the changing nature of C&C addresses, and it employs the latest innovations from Trend Micro's 1200 threat researchers to continually detect all evasive measures taken by attackers.
The company's threat researchers also collect and examine the forensic evidence of attempted targeted attacks over the tens of thousands of Trend Micro enterprise customers worldwide. Peeling back the layers of an attack, they gain further insight into C&C, malware, and attacker techniques, driving constant improvement in the Smart Protection Network and Trend Micro products.
Trend Micro Deep Discovery uses customer-specific threat detection to discover advanced malware, communications and attacker activities at the network level. "Fingerprint" detection of cloaked C&C traffic can identify attackers' use of legitimate applications and websites, as well as other advanced techniques such as the use of internal C&C servers. Deep Discovery custom sandbox analysis can also discover new C&C destinations of zero-day malware attacks and update the Smart Protection Network and all customer security protection points.
The latest global and local C&C detection information powers Trend Micro enterprise security products at the endpoint, server, network, gateway, and messaging protection points to identify and control C&C activity across the customer environment.
C&C detection at any point is clearly identified on a centralized console, alerting the security team and allowing them to control the course of action. C&C risk assessment, containment and remediation are aided by Threat Connect intelligence on the severity, activity, origins and related addresses of the C&C site – helping to determine whether the communication represents a high risk, whether it should be immediately blocked, and how the containment and remediation should proceed.