Trend Report
Over 60% of Command & Control Connection Attempts are Not Blocked By Proxies
If you find devices inside your network that are communicating with criminal operators, you can stop data theft. Yet most enterprise security stacks are not designed to detect this behavior, much less automatically block it.
Damballa spotted a trend while conducting Network Security Checkup services from October 2015 to January 2016 that suggests just how wide open the back door is for criminals. Less than 34% of outbound connection attempts to command and control (C&C) infrastructure were blocked by firewalls or proxy servers. Said differently, more than 60% of the time an infected device successfully called out to a criminal operator.
C&C infrastructure is very complex. Damballa has written many scientific papers on the subject. It's no surprise that there is a widespread lack of understanding about C&C techniques, which contributes to the risk of data theft. A study conducted by ESG Research revealed that 50% of security professionals either aren't very familiar with or are not familiar at all with C&C communication techniques.
[Infographic: 34% of outbound C&C connection attempts blocked; 60% of call-outs succeeded; 50% of security professionals unfamiliar with C&C techniques]
C&C Primer
Prevention technologies look for known threats. They examine inbound files and look for malware signatures; it's more or less a one-time chance to stop the attacker from getting inside the network.
Attackers have learned that time is their friend. Evasive malware attacks develop over time, allowing them to bypass prevention altogether. When no one is watching, the attack unfolds. Ultimately, an infected device will phone home to a C&C server to receive instructions from the attacker.
Communications with C&C can take many forms, and not all paths lead to immediate data theft. The infected device may send a beaconing signal so the attacker can keep tabs on it. Or, the attacker may push down new malware files for later use. Without the proper monitoring, this activity can easily go unchecked.
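The two measurements the report relies on, the share of outbound C&C connection attempts a proxy actually blocked and the presence of regular beaconing from an infected device, can both be computed from ordinary proxy logs. The script below is an added example written for this page; it is not Damballa's code and not part of the report. It assumes a simplified, constructed log format of `<timestamp> <client_ip> <ALLOW|BLOCK> <dest_host>`, a placeholder list of known C&C hostnames (`c2-placeholder.test`, `another-c2.test`, invented for the example), and flags beaconing when a client contacts the same host at least four times with nearly constant intervals.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (invented for this example, not report data).
# Assumed format: <timestamp> <client_ip> <ALLOW|BLOCK> <dest_host>
SAMPLE_LOG = """\
2016-01-04T09:00:00 10.0.0.5 ALLOW updates.example-vendor.test
2016-01-04T09:05:00 10.0.0.5 ALLOW c2-placeholder.test
2016-01-04T09:10:00 10.0.0.5 ALLOW c2-placeholder.test
2016-01-04T09:15:00 10.0.0.5 ALLOW c2-placeholder.test
2016-01-04T09:20:00 10.0.0.5 ALLOW c2-placeholder.test
2016-01-04T09:21:00 10.0.0.7 BLOCK c2-placeholder.test
2016-01-04T09:30:00 10.0.0.7 ALLOW news.example.test
2016-01-04T09:33:00 10.0.0.9 ALLOW another-c2.test
2016-01-04T10:02:00 10.0.0.9 BLOCK another-c2.test
"""

# Placeholder C&C hostnames (constructed; real deployments would use a threat feed).
KNOWN_C2 = {"c2-placeholder.test", "another-c2.test"}

LINE_RE = re.compile(r"^(\S+) (\S+) (ALLOW|BLOCK) (\S+)$")


def parse_log(text):
    """Parse the assumed log format into a list of event dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, action, host = m.groups()
        events.append({"ts": datetime.fromisoformat(ts),
                       "client": client, "action": action, "host": host})
    return events


def c2_block_rate(events, c2_hosts):
    """Return (attempts, blocked, blocked_fraction) for connections to known C&C hosts.

    This is the measurement behind the report's "less than 34% blocked" figure:
    every outbound attempt to a C&C host counts, whether the proxy let it through or not.
    """
    attempts = [e for e in events if e["host"] in c2_hosts]
    blocked = sum(1 for e in attempts if e["action"] == "BLOCK")
    frac = blocked / len(attempts) if attempts else 0.0
    return len(attempts), blocked, frac


def find_beacons(events, min_hits=4, max_jitter=0.2):
    """Flag (client, host, mean_interval_seconds) triples whose contact intervals are
    regular enough to look like beaconing. Regularity is measured as the coefficient of
    variation (stdev / mean) of the gaps between consecutive contacts.
    """
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["client"], e["host"])].append(e["ts"])
    beacons = []
    for (client, host), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(intervals)
        if avg > 0 and pstdev(intervals) / avg <= max_jitter:
            beacons.append((client, host, avg))
    return beacons


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    n, b, f = c2_block_rate(evs, KNOWN_C2)
    print(f"C&C attempts: {n}, blocked: {b} ({f:.0%})")
    for client, host, avg in find_beacons(evs):
        print(f"beacon candidate: {client} -> {host} every {avg:.0f}s")
```

Note that an ALLOW to a known C&C host is the finding that matters: the proxy saw the request and let it through, which is exactly the gap the report describes. The beacon check deliberately ignores the ALLOW/BLOCK column, because an infected device keeps trying on a schedule whether or not the proxy drops the request, and that schedule is visible in the log either way.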
[Figure: attack timeline graphic, labeled "DAY 28"]
Use Cases
Information about active, hidden infections inside the network is invaluable. Armed with this information, security teams can:
Pinpoint devices actively communicating with threat actors
Understand where prevention tools are falling short
Build a business case for additional security budget
Improve the performance of existing security technology investments
About Damballa
Network sensors covering 5 continents
Protecting 750 million endpoints
Watching 15% of global Internet activity
Machine Learning systems discover criminal behavior
404.961.7400 | damballa.com