[Dailydave] Command And Control

Moses Frost moses at moses.io
Thu Mar 26 02:41:34 UTC 2020 

As I sit here in my pseudo shelter in place status about 40 miles north of
you, I am releasing all of my long held thoughts of the past as I mindly
remote work in front of a WebEx/Zoom/Slack/GoToMeeting/etc hoping to
contact with actual lifeforms one day outside of the few that I live with.
While all this is happening I was mulling over the realization of a few
things.

1. The biggest threat to an organization happened during the big migration
from work at work to work at home where everything was systematically in
flux and chaos giving attackers an easy way to migrate over to at home
workstations or other environments since everyone's baseline is now
effectively null in void. I wonder how many people just started putting
document for the first time in authorized areas because... reasons? How
many of those terminals suddenly VPNed causing new and systematic 'ignore
buttons' to go off when the network analysis tools suddenly adjust from
NOTHING TO SEE HERE over to OMG ALERT!
2. The biggest threat is to an attacker who may right now be sitting on a
workstation beaconing because everything may be really damn quiet in places
where people just left computers running. I hope people to set their beacon
intervals to 3 months while we try and eventually get back to work, or it
may actually be easy to spot that network beacon....
3. The next biggest threat to an organization will occur when people
chaotically and haphazardly resume work back in the office and try to
retain the good parts of remote work. The resumption of work will reset all
of the network analysis tools logarithmic settings back to probably what
they were months ago, but computers are algo's can forget and everything
will suddenly be exfil and attack. Possibly the time in which you will now
'learn' that actual C2 is now good and normal traffic.

Just some food for thought. As for how C2 is hard, I go back to a
conversation I had with my kid when we talked about the art of passing
notes in class, as your kids get older you will have these fun
conversations im sure. The actual answer however was simple, you can always
use the comment threads in a weird section of the internet like the
comments for the amazon product of 1500 ladybugs to pass a note in one
direction and receive the note in a cat butt tissue holder. Engineers did
what we thought impossible, multiplex all legitimate network comms over 443
so that ports are irrelevant and reading network comms become damn
impossible. Maybe blockchain can fix it.

You can do the research on the products. +1 will do again.

@mosesrenegade

On Wed, Mar 25, 2020 at 4:10 PM Dave Aitel <dave.aitel at gmail.com> wrote:

> I just listened to a webinar on threat hunting. It's a thing you can do.
> Anyways, at one point the presenter talked about how he really preferred to
> threat hunt by looking at network protocols for threat hunting, and he
> focused on beaconing and C2.
>
> Every time someone says that, I flash back to this amazing post from
> BitDefender, which is about how Flame did C2 over USB.
> https://labs.bitdefender.com/2012/06/flame-the-story-of-leaked-data-carried-by-human-vector/
>
> On the other side of things, Turla's Sat-spoofing blind TCP hijacking C2
> is...a work of art. There's no other way to say it.
> https://securelist.com/satellite-turla-apt-command-and-control-in-the-sky/72081/
>
> That's the top tier, in my book, of offensive teams making cool statements
> about how big their brains are by designing C2 protocols that got used in
> the wild. I like to think INNUENDO's "actually use Outlook-MAPI to exit
> corporate networks" is quite good as well, but I'm biased, of course.
>
> Alex Stamos's best talk goes into some of the issues about why detecting
> network C2 is hard, but I think "Protocols are increasingly complex, in the
> sense that the Delta of the Delta brings pain in a way nothing else can"
> sums it up nicely. (https://youtu.be/2OTRU--HtLM?t=1674 27 minutes in).
>
> That doesn't mean that it's not worth TRYING to do massive statistical
> analysis of your network data, but it may have diminishing returns (like a
> 401k!).
> -dave
>
>
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunityinc.com
> https://lists.immunityinc.com/mailman/listinfo/dailydave
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.immunityinc.com/pipermail/dailydave/attachments/20200325/95eea20a/attachment.html>

More information about the Dailydave mailing list