Partner Login

Chasing Command-and-Control

When companies and organizations started initially trying to determine what was and wasn’t command-and-control (2) on the Internet so they could implement Protective DNS and related solutions, the first and easiest solution was the tried-and-true “allow and deny” lists. It’s a reasonably simple but effective approach – the only question is how best to populate the deny list to ensure that it stays reasonably up-to-date.

Some organizations would detonate malware, and the race would begin to see how quickly they could capture new malware in the wild, detonate it, determine the command-and-control (C2) domain, and add it to their deny list. Others might rely on the ingestion of data feeds – for example, multiple vendors produce a data feed of “newly created domains” and organizations may make policy decisions such as “any domain less than seven days old is on the deny list”. Alternatively, organizations like the FBI and private companies produce regular feeds of “malicious” domains, and some organizations consume these feeds and automatically add everything into the deny list.

Fast But Not Fast Enough

Regardless of how the deny list is populated, the overall strategy hinges on the idea that a given C2 domain can be identified, added to the deny list, and put into production use for a given client before that client encounters malware utilizing that C2. Organizations would focus on ever-faster ways to detonate malware, on the utilization of multiple feeds of malicious domains, on more efficient mechanisms to push updates out to the deny lists for each operational client.

Fundamentally, however, this overall strategy relies on hope. Hope that the new information is learned, and the update is propagated, before a given organization is attacked. Hope that someone else gets attacked, and the new information is learned and propagated before my organization gets attacked. Hope that attackers don’t update and change their C2 faster than the information about the attacker’s C2 can be learned and propagated.

Hope Is Not a Plan

Hope, unfortunately, is not a viable strategy for success. It’s a great start, but it’s not a viable long-term strategy for success, and certainly not one that provides that confidence required to implement a true business and operational resiliency strategy. No one can adequately bet business continuity on hope.

Targeting Adversary Infrastructure Itself

At HYAS, we wanted to take a different approach and look at the problem in a different way. The bad actors are creating their infrastructure themselves, and the registration, creation, and setup of domains requires the use of information and resources.

That means that there should be ways to find correlations, connections, and similarities between, say, two different domains created by the same bad actor. With those similarities and connections identified by looking backwards in time, one can then use the same information to look forward in time, at the new domains and infrastructure being created and used, and understand what is and isn’t going to be used for nefarious purposes even before it is weaponized.

HYAS Adversary Infrastructure Platform

This is the idea behind the HYAS Adversary Infrastructure Platform. The platform continually gathers unique bespoke data across a combination of exclusive, private, commercial, and open-source data sets, and automatically organizes it in a constantly updating graph database.

This graph database captures the connections between nodes (domains being one example), and continual R&D discovers new ways to build connections in the graph database. Fundamentally the graph database maps what has happened, to what is happening, and therefore to what will happen, and with each passing day, the set of data grows, the intelligence expands, and the unique knowledge encapsulated in the HYAS adversary infrastructure platform increases.

Certainty Trumps Hope

With this new approach, the HYAS Adversary Infrastructure Platform automatically already knows whether a new domain is or isn’t going to be used as command-and-control. It doesn’t need to wait for the domain to be weaponized; it doesn’t need to wait for the malware to be launched and for someone to quickly detonate and understand it. The platform knows based on how that new domain fits into the graph database and what else it connects to.

It’s clearly similar to its allow-and-deny list predecessor in that each domain is compared against a list or dataset for a “verdict”; however, the clear difference is that the adversary infrastructure platform does not rely on hope. The underlying graph database knows what is, and isn’t, adversary infrastructure on the Internet, even before the adversary infrastructure may have been weaponized.

Consider how a criminal gang may be identified by law enforcement. They don’t necessarily wait for each individual associate to commit a crime themselves; they identify the crimes being committed and build the set of relationships across all people associated with the gang. It’s the only mechanism that actually scales.

And since it does not rely on hope, it’s a technique and approach that actually provides confidence – confidence that allows you to build a true business and operational resilience program. Confidence that allows you to move business full forward, and ensure that a true business continuity plan exists regardless of what new attack technique or attack vector may emerge tomorrow.

Adversary Infrastructure Platform Glossary of Terms

Adversary Infrastructure Platform - The collection of systems, infrastructure, and processes that a threat actor uses to conduct cyberattacks. Understanding the adversary's infrastructure provides insights into who is attacking you, from where, and how. This enables better targeting of defensive efforts.

C2 Attribution - Using artifacts and patterns in command and control communications to attribute activity back to known adversary groups based on their unique techniques and tactics.

Command and Control (C2, C&C) - The servers used by adversaries to communicate with and control compromised devices in a botnet or other malicious network. Identifying C2 infrastructure allows security teams to disrupt the attacker by taking down their control points. C2 servers are a key part of the adversary's infrastructure platform.

DNS Query - A request sent to a DNS server asking to resolve a domain name into an IP address. Adversaries can send malicious DNS queries to infrastructure like C2 servers. Security solutions monitor DNS queries as part of identifying threats in network traffic.

DNS Records - Define mappings in the DNS directory. Adversaries may manipulate records to hijack domains or redirect connections to their infrastructure for attacks. Security solutions scrutinize records for anomalies indicative of such tampering.

DNS Response Codes - Indicate DNS lookup status, like success, error, or that a domain doesn't exist. Adversaries can fake codes like hijacking NXDOMAIN (non-existent domain) to hide their activities. Monitoring response codes is part of DNS traffic analysis for anomalies.

Domain Age - The length of time that a domain name has been registered and active. Newly registered domains are at higher risk, as cybercriminals often use short-lived disposable domains for campaigns to avoid reputation-based blocking. Checking domain age is part of DNS analysis to identify suspicious vs legitimate domains.

Domain Name System (DNS) - The internet directory that translates human-readable domain names into IP addresses to route traffic. DNS is a core internet infrastructure component that must be secured against adversaries seeking to misdirect connections or intercept information.

Dynamic DNS - Allows dynamically updating DNS records to point domains to changing IP addresses. Often abused by adversaries to frequently shift infrastructure hosting locations. Fully Qualified Domain Name (FQDN) - The complete domain name showing all domain levels. FQDNs provide more context than sole domains for investigations. For example, knowing instead of just can aid DNS query analysis.

GPS IP Location - Using geolocation lookup of IP addresses to identify the physical location of infrastructure like C2 servers. Locations can reveal insights about the adversary.

Host Posture - The security state of an internet-connected system based on signals like known vulnerabilities or malicious connections. Evaluating host postures enhances threat intelligence insights into whether systems appear compromised by adversaries.

Indicator of Compromise (IOC) - Technical artifacts from intrusions that provide clues a broader attack is occurring. IOCs like domain names and IP addresses associated with adversary infrastructure enable threat hunting and blocking.

JARM - A measurement technique developed by Salesforce for identifying malware command and control servers based on their response patterns to simulated DNS redirection queries. JARM is named after the dog of the Salesforce engineer who originally created the methodology. It works by sending C2 servers queries that mimic DNS redirection. The unique responses from different C2 software allow JARM to fingerprint them for tracking and attribution. JARM enables mapping adversary infrastructure and correlating it to known threat actors

Name Servers - DNS servers that resolve domain name lookups. Adversaries abuse their own rogue name servers for redirection attacks and domain hijacking.

Passive DNS - Aggregates global DNS data to uncover relationships and security trends. Passive DNS enhances threat intelligence by revealing connections between infrastructure like domains and IPs. It augments active DNS query monitoring.

Passive Hash - Passively gathering file hashes observed on the internet to build a historical repository. Tracking hash reputations helps identify malware. Useful for attributing malware to adversary groups.

Protective DNS - Proactively monitors live DNS requests to detect and block cyber threats at the DNS level before they reach users. Protective DNS leverages threat intelligence to identify known bad domains, including adversary infrastructure.

Registrars - Companies and organizations that sell and register domain names and maintain associated DNS records. Adversaries may prefer certain registrars with lax policies.

Sinkhole - Rerouting adversary traffic intended for a malicious domain to a monitored sinkhole server instead. Sinkholes disrupt the adversary while enabling research.

SSL Certificates - Digital certificates enabling encrypted TLS connections used to secure internet traffic. Adversaries often use fake/stolen certificates on their infrastructure to emulate legitimacy.

Threat Hunting - The practice of proactively searching through systems to identify and mitigate cyber threats that evaded existing controls. Threat hunters leverage threat intelligence like known adversary infrastructure while hunting on networks and endpoints.

Threat Intelligence - Organized cyber threat data that provides insights for defensive actions. Threat intel includes adversary infrastructure details that feed into solutions like protective DNS. Integrating intel enhances defenses.

Threat Intelligence Platform - A technology solution that enables collecting, analyzing, and operationalizing threat data to support defensive actions such as hunting and blocking threats.

Time to Live (TTL) - A setting in DNS records that defines how long DNS resolvers and browsers should cache the record before requesting an updated copy.

Top-Level Domain (TLD) - The highest level domain name in an FQDN, e.g. .com, .net, .org. TLDs are controlled by global registrars.

Vulnerabilities - Software flaws and misconfigurations adversaries exploit to compromise systems and establish footholds for further attacks. Vulnerability assessments indicate targets the adversary is likely to hit.

WHOIS Records - Public domain name registration records listing owners and other metadata. Adversaries may spoof or hide WHOIS info, requiring further verification of domain legitimacy.

Zone Files - DNS database files mapping domain names to IP addresses for a specific domain zone. Adversaries may compromise these files to manipulate resolution or steal data.

Additional Reading

Why HYAS: The Secret to Cybersecurity Lies In Interrupting and Updating Causation Chains

Attacker Infrastructure: How Hackers Build It and How to Use It Against Them

Cyber Adversary Infrastructure Explained

Critical Infrastructure Attacks: New Rules, New Game

Elevate Your Threat Hunting with JARM

Want to get the upper hand on adversary infrastructure? Contact us to get a complimentary security assessment and learn how to make the switch from reactive to proactive defense.