
Video Transcription

Hello and welcome to another Application of the MITRE ATT&CK Framework discussion. Today we're going to be looking at custom command and control protocols. Today's objectives are as follows: we're going to be describing for you the custom command and control protocol technique as it's laid out in the MITRE ATT&CK framework, we're going to squeeze a piece of malware or a common command and control tool in the middle, and we'll talk about mitigation techniques and detection techniques as well. So let's go ahead and jump right in.
Custom command and control protocol, as laid out in MITRE: threat actors may communicate using custom C2 (command and control) protocols instead of using existing standard application layer protocols. This can include using raw sockets on top of fundamental protocols provided by TCP/IP or another standard network stack.
Now, an example of this is Naid, which is a Trojan used by Elderwood to open a backdoor on compromised hosts. Campaigns with Naid may be traced back as early as 2010. Naid drops files that make registry changes allowing its different components to launch automatically. Port 443 is used to create a backdoor where instructions can be issued to launch attacks and upload collected files. So that is just one of many examples of some custom command and control software that is being used out there right now.
Mitigation techniques for command and control traffic can include things like filtering network traffic to look for odd protocols, so things that are out of the norm. NIPS, or network intrusion prevention systems, can be used to stop common attacks and look for indicators of compromise; the system will automatically block some of those attempts. And then, use of network segmentation to slow attackers down or to keep critical systems separate from other network systems. This type of mitigation, again, just makes it that much harder for a threat actor to move through the network and not be detected.
Detection techniques can include things like reviewing ICMP messages and other protocols, again looking for abnormal data sets: packets that are abnormally sized, or perfectly spaced out and chopped up into maybe similar sizes across a period of time. But you would have to, again, have a good baseline there and understand how your network communications are looking on a day-to-day basis to be able to do a comparison and potentially find this anomalous traffic.
Now let's do a quick check on learning: command and control protocols allow end users to remotely control their systems. All right, well, if you need additional time, please pause the video. In this instance, command and control protocols allow threat actors to remotely control end user systems. So in this case, this is a false statement. Command and control protocols are not commonly used by end users to control their systems.
So let's go ahead and jump into our summary for today's discussion. We described custom command and control protocol as far as how it looks in the MITRE ATT&CK framework. We squeezed in a tool named Naid and just looked at its capability at a very high level. We looked at mitigation techniques such as network intrusion prevention to stop some of these attack attempts, and we looked at detection techniques such as reviewing uncommon ICMP traffic or ways in which that traffic could be manipulated, again keeping in mind that you have to have a general awareness of your network and the types of traffic it produces to really make this beneficial. So with that, I want to thank you for your time today and I look forward to seeing you again.
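The detection idea the lecture describes (connections that are perfectly spaced out and chopped into similar sizes over time, compared against a baseline of normal traffic) can be turned into a small beaconing check over flow records. The following is an added example written for this transcript, not code from the course or from the MITRE ATT&CK project; the flow records are constructed sample data, and the thresholds (`min_conns`, `max_interval_cv`, `max_size_cv`) are assumed starting values that would be tuned against your own network baseline.

```python
"""Beaconing detector for custom C2 over a port such as TCP 443 (added example).

Flags connection series that are near-perfectly spaced in time and
near-uniform in size, the pattern the lecture describes. The records
below are constructed sample data, not real traffic.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records: (epoch seconds, src, dst, dst_port, bytes)
SAMPLE_FLOWS = [
    # host 10.0.0.5 checks in every 60 s with ~512-byte payloads (beacon-like)
    *[(1_700_000_000 + 60 * i, "10.0.0.5", "203.0.113.10", 443, 512 + (i % 3))
      for i in range(12)],
    # host 10.0.0.7 browsing: irregular timing and sizes (benign-looking)
    (1_700_000_003, "10.0.0.7", "198.51.100.20", 443, 1432),
    (1_700_000_011, "10.0.0.7", "198.51.100.20", 443, 8890),
    (1_700_000_090, "10.0.0.7", "198.51.100.20", 443, 220),
    (1_700_000_410, "10.0.0.7", "198.51.100.20", 443, 61000),
    (1_700_000_412, "10.0.0.7", "198.51.100.20", 443, 3300),
    (1_700_000_640, "10.0.0.7", "198.51.100.20", 443, 999),
]


def coefficient_of_variation(values):
    """Population std-dev relative to the mean; 0 means perfectly uniform."""
    m = mean(values)
    return pstdev(values) / m if m else float("inf")


def find_beacons(flows, min_conns=8, max_interval_cv=0.1, max_size_cv=0.1):
    """Return {(src, dst, port): stats} for series that look like beacons.

    A series is suspicious when it has at least min_conns connections whose
    inter-arrival times and payload sizes both vary by less than the given
    fraction of their mean. The thresholds are assumptions: tune them against
    a baseline of what the local network normally produces.
    """
    series = defaultdict(list)
    for ts, src, dst, port, size in flows:
        series[(src, dst, port)].append((ts, size))

    hits = {}
    for key, events in series.items():
        if len(events) < min_conns:
            continue  # too few samples to call anything periodic
        events.sort()
        intervals = [b[0] - a[0] for a, b in zip(events, events[1:])]
        sizes = [size for _, size in events]
        icv = coefficient_of_variation(intervals)
        scv = coefficient_of_variation(sizes)
        if icv <= max_interval_cv and scv <= max_size_cv:
            hits[key] = {
                "count": len(events),
                "mean_interval": mean(intervals),
                "interval_cv": round(icv, 4),
                "size_cv": round(scv, 4),
            }
    return hits


if __name__ == "__main__":
    for key, stats in find_beacons(SAMPLE_FLOWS).items():
        print(key, stats)
```

Run as-is, it reports only the 10.0.0.5 series (twelve connections exactly 60 seconds apart). The `min_conns` floor matters: with too few samples, ordinary traffic such as a client polling an update server can look periodic, which is why the lecture stresses a day-to-day baseline before treating any hit as anomalous.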

Up Next

Application of the MITRE ATT&CK Framework

This MITRE ATT&CK training is designed to teach students how to apply the matrix to help mitigate current threats. Students will move through the 12 core areas of the framework to develop a thorough understanding of various access ATT&CK vectors.

Instructed By

Robert Smith
Director of Security Services at Corsica