Hi, all! Keeping our promise to bring you the second and final part of the command and control (C&C) series, we're back. Last time, we shed light on the following key topics:

  • What are command and control tactics?
  • Techniques used by adversaries to get into the network
  • How does command and control work?

In case you want a quick brush-up on these, or missed it, you can find the blog here.

In this second and final part of the series, we'll outline the indicators of compromise (IoCs) associated with C&C activity, discuss some best practices against it, and look at how an effective SIEM solution can help detect it.

Let's get started folks!

Common indicators of compromise

Here are some of the common IoCs that organizations can watch out for in their network:

  • Aberrant domain name requests, such as queries for unusually long or random-looking names that no legitimate application on the host would generate
  • Abnormal volume of DNS traffic from a single host, or an unusual share of TXT and other non-address record types, which can indicate DNS tunneling
  • Unnecessary or unknown applications installed on systems
  • Increased processor usage that the host's normal workload does not explain
  • Unauthorized use of encryption in the network, such as encrypted outbound connections to destinations that are not approved services
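The first two indicators above are the ones a SIEM can score directly from DNS query logs. The following is an added example (not code from the original post or from any product it mentions) of the heuristics involved: it parses a constructed DNS log, flags query names whose leftmost label is unusually long or high-entropy, counts queries per source, measures the share of TXT queries per source, and counts distinct subdomains of one parent domain per source. The log format, thresholds, and sample lines are all assumptions chosen for illustration; a real deployment would baseline the thresholds per network.

```python
"""Heuristic detection of DNS-based C&C indicators over a sample query log.

Added example; not code from the original post or from Log360. The log format,
the thresholds and the sample lines below are assumptions for illustration.
"""
import math
from collections import Counter, defaultdict

# Assumed thresholds; baseline these per network in a real deployment.
MAX_LABEL_LEN = 30               # labels longer than this are rarely human-typed
MIN_LEN_FOR_ENTROPY = 16         # entropy is only meaningful on longer labels
MAX_LABEL_ENTROPY = 3.5          # bits per character; above this looks encoded
VOLUME_THRESHOLD = 5             # queries from one source within the sample window
TXT_RATIO_THRESHOLD = 0.5        # share of TXT/NULL queries that looks like tunneling
UNIQUE_SUBDOMAIN_THRESHOLD = 4   # distinct names under one parent domain per source

# Constructed sample log: timestamp, source IP, query name, record type.
SAMPLE_DNS_LOG = """\
2021-06-01T10:00:01 10.0.0.5 www.example.com A
2021-06-01T10:00:02 10.0.0.5 mail.example.com A
2021-06-01T10:00:03 10.0.0.7 b4f1c9e2a7d3f8e1c6b2a9d4e7f3c1b8a5d2e9f6.tunnel-demo.invalid TXT
2021-06-01T10:00:03 10.0.0.7 e9a2d7c4f1b8e3a6c9d2f5b1e8a4c7d3f6b9e2a5.tunnel-demo.invalid TXT
2021-06-01T10:00:04 10.0.0.7 c7d1f4a8b2e5c9d3f6a1b4e7c2d5f8a3b6e9c1d4.tunnel-demo.invalid TXT
2021-06-01T10:00:04 10.0.0.7 a3e6c9d2f5b8a1e4c7d0f3b6a9e2c5d8f1b4a7e0.tunnel-demo.invalid TXT
2021-06-01T10:00:05 10.0.0.7 f8b2e5a9c3d6f0b4e7a1c5d8f2b6e9a3c7d1f4b8.tunnel-demo.invalid TXT
2021-06-01T10:00:05 10.0.0.7 d5a8c2f6b9e3a7d1c4f8b2e6a0d3c7f1b5e9a2d6.tunnel-demo.invalid TXT
2021-06-01T10:00:06 10.0.0.9 updates.example.org A
"""


def parse_dns_log(text):
    """Parse whitespace-separated log lines into dicts, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, qname, qtype = parts
        records.append({"ts": ts, "src": src,
                        "qname": qname.lower().rstrip("."), "qtype": qtype.upper()})
    return records


def shannon_entropy(s):
    """Shannon entropy of a string in bits per character (0.0 for empty input)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def is_aberrant_name(qname):
    """True when the leftmost label is too long or looks like encoded data."""
    label = qname.split(".")[0]
    if len(label) > MAX_LABEL_LEN:
        return True
    return len(label) >= MIN_LEN_FOR_ENTROPY and shannon_entropy(label) > MAX_LABEL_ENTROPY


def parent_domain(qname):
    """Naive registered-domain guess: the last two labels (no public-suffix list)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def analyze_dns_log(text):
    """Return the DNS indicators found in the log, keyed by indicator type."""
    records = parse_dns_log(text)
    per_src = Counter(r["src"] for r in records)
    txt_per_src = Counter(r["src"] for r in records if r["qtype"] in ("TXT", "NULL"))
    names_under_parent = defaultdict(set)
    aberrant = []
    for r in records:
        if is_aberrant_name(r["qname"]):
            aberrant.append((r["src"], r["qname"]))
        names_under_parent[(r["src"], parent_domain(r["qname"]))].add(r["qname"])
    high_volume = {src: n for src, n in per_src.items() if n >= VOLUME_THRESHOLD}
    # Only score the TXT ratio for sources with enough queries to make it meaningful.
    txt_heavy = {src: txt_per_src[src] / per_src[src] for src in per_src
                 if per_src[src] >= 3 and txt_per_src[src] / per_src[src] > TXT_RATIO_THRESHOLD}
    fanout = {key: len(names) for key, names in names_under_parent.items()
              if len(names) >= UNIQUE_SUBDOMAIN_THRESHOLD}
    return {"aberrant_names": aberrant, "high_volume_sources": high_volume,
            "txt_heavy_sources": txt_heavy, "subdomain_fanout": fanout}


if __name__ == "__main__":
    for kind, hits in analyze_dns_log(SAMPLE_DNS_LOG).items():
        print(kind, hits)
```

Each heuristic on its own produces false positives (CDNs and anti-spam services also issue long, high-entropy names, and some monitoring agents are TXT-heavy), so a SIEM correlation rule would normally alert only when a source trips more than one of them, as 10.0.0.7 does in the sample.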

Best practices to prevent command and control

Detection and prevention against command and control using a SIEM solution

A SIEM solution like ManageEngine Log360 can help organizations detect and respond effectively to the IoCs of C&C activity with its comprehensive modules. Here are a few of the ways this is achieved:

  1. With its UEBA capabilities, Log360 monitors critical endpoints for indicators of a data exfiltration attack.
  2. Monitors both inbound and outbound traffic and creates alerts to notify the concerned teams whenever communication is initiated from a suspicious source. (See Figure 1)
  3. Blocks USB ports on detecting malicious behavior, preventing data exfiltration to external devices.
  4. Identifies and flags any communication with a malicious source using its advanced threat intelligence capability. Upon detection, response workflows can be automated for immediate remedial action.
  5. Detects and sends notifications if any known DNS tunneling tools are used in the network. (See Figure 2)
  6. Monitors network logs against threat intelligence feeds to identify any blacklisted IPs, URLs, and domains.
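Items 4 and 6 above describe indicator matching: every outbound connection record is checked against a threat intelligence feed of IPs, CIDR ranges, domains, and URLs, and hits are correlated per host. The following is an added example (not code from the original post or from Log360) of that logic over a constructed connection log and a constructed indicator list. The log format, the indicator feed, the host names, and the sample events are all assumptions for illustration.

```python
"""Matching outbound connection logs against threat-intelligence indicators.

Added example; not code from the original post or from Log360. The indicator
feed, the log format and the sample events are constructed for illustration.
"""
import ipaddress
from collections import Counter

# Constructed indicator feed, in the shape a SIEM would import from a blocklist.
INDICATORS = {
    "ipv4": ["203.0.113.45", "198.51.100.0/24"],              # single IP and a CIDR block
    "domain": ["bad-c2.invalid", "cdn.evil-update.invalid"],  # exact match or any subdomain
    "url": ["http://203.0.113.45/gate.php"],
}

# Constructed outbound connection log:
# timestamp, source host, destination IP, destination host name (or -), URL (or -)
SAMPLE_CONN_LOG = """\
2021-06-01T10:01:00 WS-014 93.184.216.34 www.example.com -
2021-06-01T10:01:05 WS-014 203.0.113.45 - http://203.0.113.45/gate.php
2021-06-01T10:01:10 WS-022 198.51.100.77 - -
2021-06-01T10:01:15 WS-022 192.0.2.10 beacon.bad-c2.invalid -
2021-06-01T10:01:20 WS-031 192.0.2.11 updates.example.org -
"""


def load_networks(entries):
    """Turn plain IPs and CIDR strings into ip_network objects (a plain IP becomes /32)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def ip_matches(ip_text, networks):
    """Return the first indicator network containing the address, or None."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    for net in networks:
        if ip in net:
            return str(net)
    return None


def domain_matches(host, domains):
    """Return the indicator domain that equals the host or is a parent of it, or None."""
    host = host.lower().rstrip(".")
    for d in domains:
        d = d.lower().rstrip(".")
        if host == d or host.endswith("." + d):
            return d
    return None


def parse_conn_log(text):
    """Parse whitespace-separated lines; '-' means the field is absent."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst_ip, dst_host, url = parts
        events.append({"ts": ts, "src": src, "dst_ip": dst_ip,
                       "dst_host": None if dst_host == "-" else dst_host,
                       "url": None if url == "-" else url})
    return events


def match_events(log_text, indicators):
    """Return one alert per event that hits at least one indicator, listing every hit."""
    networks = load_networks(indicators.get("ipv4", []))
    domains = indicators.get("domain", [])
    urls = {u.lower() for u in indicators.get("url", [])}
    alerts = []
    for ev in parse_conn_log(log_text):
        hits = []
        net = ip_matches(ev["dst_ip"], networks)
        if net:
            hits.append("ip:" + net)
        if ev["dst_host"]:
            dom = domain_matches(ev["dst_host"], domains)
            if dom:
                hits.append("domain:" + dom)
        if ev["url"] and ev["url"].lower() in urls:
            hits.append("url:" + ev["url"])
        if hits:
            alerts.append({"ts": ev["ts"], "src": ev["src"], "dst": ev["dst_ip"], "hits": hits})
    return alerts


def hits_per_host(alerts):
    """Correlate alerts by source host so repeat offenders surface first."""
    return Counter(a["src"] for a in alerts)


if __name__ == "__main__":
    found = match_events(SAMPLE_CONN_LOG, INDICATORS)
    for a in found:
        print(a["ts"], a["src"], "->", a["dst"], a["hits"])
    print(hits_per_host(found))
```

Matching on the destination host name as well as the IP matters because C&C infrastructure rotates addresses behind a stable domain; matching on CIDR ranges catches the rest of a hosting block that a feed has flagged. Feeds also age, so a production rule would record the feed name and indicator timestamp with each alert rather than the bare string shown here.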

Figure 1 shows alerts on detected malicious sources.

Figure 2 shows the DNS Tunnel report.

To prevent your network from falling victim to an attack that relies on C&C, it is crucial for your organization to have a SIEM solution in place to correlate activities across the network and take preemptive measures to mitigate attacks.

Try a free, 30-day trial or schedule a personalized demo to fully evaluate how a SIEM solution like Log360 can bolster your organization to defend against various cyberattacks, including command and control.


© 2021 Zoho Corporation Pvt. Ltd. All rights reserved.