
Damballa Network Security Checkup

Trend Report
Over 60% of Command & Control Connection Attempts Are Not Blocked by Proxies
If you find devices inside your network that are communicating with criminal operators,
you can stop data theft. Yet most enterprise security stacks are not designed to detect this
behavior, much less automatically block it.
Damballa spotted a trend while conducting Network Security Checkup services from
October 2015 to January 2016 that suggests just how wide open the back door is for
criminals. Less than 34% of outbound connection attempts to command and control (C&C)
infrastructure were blocked by firewalls or proxy servers. Said differently, more than 60%
of the time an infected device successfully called out to a criminal operator.
C&C infrastructure is very complex. Damballa has written many scientific papers on the
subject. It's no surprise that there is a widespread lack of understanding about C&C
techniques, which contributes to the risk of data theft. A study conducted by ESG Research
revealed that 50% of security professionals either aren't very familiar with or are not
familiar at all with C&C communication techniques.

[Callouts]
34%: Less than 34% of outbound connection attempts to C&C infrastructure were blocked by firewalls or proxy servers.
60%: 60% of the time an infected device successfully called out to a criminal operator.
50%: 50% of security professionals either aren't very familiar with or are not familiar at all with C&C communication techniques.

C&C Primer
Prevention technologies look for known threats. They examine inbound files and look for malware signatures; it's more or
less a one-time chance to stop the attacker from getting inside the network.
Attackers have learned that time is their friend. Evasive malware attacks develop over time, allowing them to
bypass prevention altogether. When no one is watching, the attack unfolds. Ultimately, an infected
device will phone home to a C&C server to receive instructions from the attacker.
Communications with C&C can take many forms, and not all paths lead to immediate data theft. The infected
device may send a beaconing signal so the attacker can keep tabs on it. Or, the attacker may push down
new malware files for later use. Without the proper monitoring, this activity can easily go unchecked.

[Timeline figure: Infected devices must communicate with C&C servers to receive instructions.
DAY 1: Device is infected with malware and waiting for instructions.
DAY 28: Criminal operator sends instructions to steal data.]

In a recent report, the UK's Centre for Protection of National Infrastructure (CPNI) points out that
detecting C&C communications is hard work:
"Detection is best achieved by examining communication patterns over many nodes over an extended period rather than micro-examination of specific packets or protocol patterns for malware. This is because alerting on specific protocol patterns tends to
generate too many false positives to be useful. Nevertheless, certain aspects of APT behaviour - especially network reconnaissance
and bulk data exfiltration - can be detected by observing trends over periods of days or weeks to spot unusual patterns."
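The CPNI point above (patterns over time beat single-packet inspection) and the report's blocked-versus-allowed statistic can both be checked against ordinary proxy logs. The script below is an added example written for this page, not Damballa's product code or the CPNI's; the log format, the thresholds (four hits, 20% jitter) and the "known C&C" list are constructed assumptions. It flags source/destination pairs that connect at a steady interval (beaconing), counting blocked attempts too, since a blocked beacon still marks an infected host, and it reports what share of attempts to known C&C destinations the proxy actually stopped.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines for illustration (not data from the report).
SAMPLE_LOG = """\
2016-01-04T09:00:00 src=10.1.2.15 action=ALLOW dst=203.0.113.9:443
2016-01-04T09:10:00 src=10.1.2.15 action=ALLOW dst=203.0.113.9:443
2016-01-04T09:20:00 src=10.1.2.15 action=ALLOW dst=203.0.113.9:443
2016-01-04T09:30:00 src=10.1.2.15 action=BLOCK dst=203.0.113.9:443
2016-01-04T09:40:00 src=10.1.2.15 action=ALLOW dst=203.0.113.9:443
2016-01-04T09:03:00 src=10.1.2.33 action=ALLOW dst=198.51.100.7:80
2016-01-04T11:47:00 src=10.1.2.33 action=ALLOW dst=198.51.100.7:80
2016-01-04T12:02:00 src=10.1.2.33 action=ALLOW dst=198.51.100.7:80
"""
# Assumed (hypothetical) line layout: "<ISO timestamp> src=<host> action=ALLOW|BLOCK dst=<ip:port>"
LINE_RE = re.compile(r"^(\S+) src=(\S+) action=(ALLOW|BLOCK) dst=(\S+)$")

def parse_log(text):
    """Yield (timestamp, src, action, dst) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, action, dst = m.groups()
            yield datetime.fromisoformat(ts), src, action, dst

def beacon_candidates(text, min_hits=4, max_jitter=0.2):
    """Return (src, dst) pairs whose attempts recur at a steady interval.

    A pair qualifies with at least min_hits attempts and a gap spread (pstdev/mean)
    of at most max_jitter. ALLOW and BLOCK both count: the host is calling out either way.
    """
    times = defaultdict(list)
    for ts, src, _action, dst in parse_log(text):
        times[(src, dst)].append(ts)
    found = {}
    for pair, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            found[pair] = {"hits": len(stamps), "period_s": avg}
    return found

def blocked_fraction(text, known_c2):
    """Share of attempts to known C&C destinations (by IP) that the proxy blocked."""
    acts = [a for _ts, _src, a, dst in parse_log(text) if dst.split(":")[0] in known_c2]
    return sum(a == "BLOCK" for a in acts) / len(acts) if acts else 0.0
```

On the sample, the 10-minute beacon from 10.1.2.15 is flagged while the three irregular hits from 10.1.2.33 are not, and only one of eight attempts to the two assumed C&C addresses was blocked.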
404.961.7400 | damballa.com

Ready for Some Good News?


If you're properly instrumented to detect C&C communications, you can prevent data theft. It's that simple. Damballa
customers use information we provide about C&C communications to take prescriptive action.
For example:
Update firewall rules to block C&C URLs
Auto-quarantine devices
Block outbound communications to C&C
Determine if data was exfiltrated
Traditional security assessments, like vulnerability scans and penetration tests, can't detect hidden threat activity; they
only inspect the attack vector. A well-rounded security program must look at attackers trying to get inside the network
as well as infected devices trying to communicate out.

Use Cases

Information about active, hidden infections inside the network is invaluable. Armed with this information, security teams can:
Pinpoint devices actively communicating with threat actors
Understand where prevention tools are falling short
Build a business case for additional security budget
Improve the performance of existing security technology investments

About the Network Security Checkup


Damballa's Network Security Checkup (NSC) shows what's happening inside your network and grades your overall
security posture. Our advanced security monitoring system looks inside the network to identify all threat-related
activity, including:
Active threats
Devices communicating with C&C
Malicious files downloaded and executed
Bandwidth usage, and more

About Damballa

Network sensors covering 5 continents
Protecting 750 million endpoints
Watching 15% of global Internet activity
Machine Learning systems discover criminal behavior

Contact Damballa today.

