Advanced C2 Fingerprinting

The growth of the digitalized world has increased with the number of malicious actors. Cybercrime is now organized like structured companies, with human resources, developers, operators and executives. On the other hand, public and private organizations have a lot of exposed IT infrastructures, often with sensible assets, security flaws, and with little or zero knowledge about the risks. With such an attractive business, cybercrime incidents occur on a massive scale every day. Even after global law enforcement interventions, the phenomenon has not significantly decreased. For these reasons, it became necessary to build equally structured cyber defense measures, to stop these attacks as soon as possible. Among the several methods of countering compromise, those related to cyber threat intelligence are growing in importance. The work proposed here is a new way to standardize the Command and Control (C2) fingerprinting, an intelligence technique used to proactively detect and negate communications with malicious servers. Historically, it is concerned with identifying cyber attacks, running on local endpoints, in the Command-and-control phase, when the adversary operating infrastructure communicates with the victim hosts for Post-compromise activities. In recent times, however, C2 fingerprinting has been applied to the entire cyberspace of the Internet. Research has already shown that it can have a crucial impact on protecting hosts. Despite having been developed several methods to obfuscate C2 infrastructures, the IP of the servers must be present on the Internet, and at least with one publicly accessible service for communications. Starting from this fact, the researchers began to outline the common characteristics of these servers. Relying on some cyberspace search engines, they proved that it is possible to hunt the Internet looking for malicious hosts. However, the time spent manually probing the Internet is often far from being negligible. In addition, there are new command and control boards emerging day by day, many features to compare by hand, and small-time windows for more in-depth investigations. These are just some of the limitations of the actual C2 fingerprinting technique. Here it's proposed a new approach to overcome such constraints. The aim was to bring order to a confusing and mostly practical coverage of the subject. From this perspective, the C2 fingerprinting process has been split into eight well-defined phases. Each phase tries to define standard logic to follow and a support nomenclature. The common thread is to design every aspect to be automatable, for instance by replacing human assessment of C2 server characteristics with a simple but effective mathematical formula. Just a basic implementation of this approach has shown very promising results. The Proof of Concept developed showed how it is possible to automate, expand and classify the hunting of C2 servers. By linking various systems, such as cyberspace search engines and intelligence feeds, to a framework with aggregation and query capabilities, it was possible to trace more than a hundred C2 families at the time of writing. The practical results produced, i.e. lists of IP addresses associated with one or more command and control servers, can be integrated within cybersecurity environments with different purposes and levels of awareness.