The early stages of an intrusion usually include initial access, execution, persistence, and command-and-control (C2) beaconing. When structured threats use zero-days, the first two stages are often not detected. It can also be challenging and time-consuming to identify the persistence mechanisms left by an advanced adversary, as we saw in the 2020 SUNBURST supply chain compromise. Could we then have detected SUNBURST in the initial hours or days by finding its C2 beacon?

The potential of beaconing detection is that it can serve as an early warning system and help discover novel persistence mechanisms in the initial hours or days after execution. This allows defenders to disrupt or evict the threat actor before they can achieve their objectives. So, while detecting C2 beaconing does not quite put us "left of boom", it can make a big difference in the outcome of the attack by reducing its overall impact.

In this blog, we talk about a beaconing identification framework that we built using Painless and aggregations in the Elastic Stack. The framework not only helps threat hunters and analysts monitor network traffic for beaconing activity, but also provides useful indicators of compromise (IoCs) with which to start an investigation. If you don't have an Elastic Cloud cluster but would like to try out the framework, you can start a free 14-day trial of Elastic Cloud.

## Beaconing - A primer

An enterprise's defense is only as good as its firewalls, antivirus, endpoint detection and intrusion detection capabilities, and its SOC (Security Operations Center), the analysts, engineers, operators, administrators and others who work round the clock to keep the organization secure. Malware, however, enters enterprises in many different ways and uses a variety of techniques to go undetected. An increasingly common method adversaries use to evade detection is to make C2 beaconing part of their attack chain, because it allows them to blend into the network like a normal user.

In networking, beaconing describes a continuous cadence of communication between two systems. In the context of malware, beaconing is when malware periodically calls out to the attacker's C2 server to get further instructions on tasks to perform on the victim machine. The frequency at which the malware checks in and the methods used for the communication are configured by the attacker. Common protocols used for C2 include HTTP/S, DNS, SSH and SMTP, as well as common cloud services such as Google, Twitter and Dropbox. Using common protocols and services for C2 allows adversaries to masquerade as normal network traffic and hence evade firewalls.
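The primer describes beaconing as a regular check-in cadence. The property a hunter can measure is exactly that regularity: for each (source, destination, port) pair, the time between consecutive connections and the size of each session are far more uniform for a beacon than for a person browsing. The script below is an added illustration of that idea, written for this page; it is not the Painless/aggregation framework the post goes on to describe, and the log lines, IP addresses and thresholds are constructed for the example.

```python
"""Toy beacon detector over constructed connection logs.

Added example, not part of the original post or of Elastic's framework.
For every (source, destination, port) pair it measures how regular the
inter-connection intervals and session sizes are and flags pairs that
are both frequent and low-jitter.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, median, pstdev

# Constructed sample log, one connection per line:
# timestamp  source IP  destination IP  destination port  bytes sent.
# 10.0.0.5 -> 203.0.113.7 is a simulated beacon (about every 60 s, ~610 bytes);
# 10.0.0.9 -> 198.51.100.20 is irregular, user-like traffic;
# 10.0.0.5 -> 192.0.2.10:53 has too few events to judge.
SAMPLE_LOG = """\
2021-03-01T10:00:00Z 10.0.0.5 203.0.113.7 443 612
2021-03-01T10:00:05Z 10.0.0.9 198.51.100.20 443 1500
2021-03-01T10:00:07Z 10.0.0.9 198.51.100.20 443 48210
2021-03-01T10:00:40Z 10.0.0.9 198.51.100.20 443 320
2021-03-01T10:01:00Z 10.0.0.5 203.0.113.7 443 608
2021-03-01T10:02:02Z 10.0.0.5 203.0.113.7 443 615
2021-03-01T10:02:30Z 10.0.0.5 192.0.2.10 53 73
2021-03-01T10:03:00Z 10.0.0.5 203.0.113.7 443 610
2021-03-01T10:03:10Z 10.0.0.9 198.51.100.20 443 9870
2021-03-01T10:03:11Z 10.0.0.9 198.51.100.20 443 5000
2021-03-01T10:04:01Z 10.0.0.5 203.0.113.7 443 611
2021-03-01T10:05:00Z 10.0.0.5 203.0.113.7 443 609
2021-03-01T10:06:00Z 10.0.0.5 203.0.113.7 443 613
2021-03-01T10:07:00Z 10.0.0.5 203.0.113.7 443 612
2021-03-01T10:09:50Z 10.0.0.9 198.51.100.20 443 120
2021-03-01T10:10:02Z 10.0.0.9 198.51.100.20 443 76000
2021-03-01T10:15:00Z 10.0.0.5 192.0.2.10 53 71
2021-03-01T10:18:30Z 10.0.0.9 198.51.100.20 443 2300
"""


def parse_log(text):
    """Parse the whitespace-separated format above into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src,
            "dst": dst,
            "dport": int(dport),
            "bytes": int(nbytes),
        })
    return events


def cv(values):
    """Coefficient of variation: population std dev over the mean.
    Near 0 means the values are almost identical; beacons score low."""
    m = mean(values)
    return pstdev(values) / m if m else float("inf")


def profile_pairs(events):
    """Group events by (src, dst, dport) and compute timing/size statistics."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"], e["dport"])].append(e)

    profiles = {}
    for key, evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        # Seconds between consecutive connections of this pair.
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])]
        sizes = [e["bytes"] for e in evs]
        profiles[key] = {
            "count": len(evs),
            "median_interval": median(gaps) if gaps else None,
            "interval_cv": cv(gaps) if len(gaps) >= 2 else None,
            "size_cv": cv(sizes) if len(sizes) >= 2 else None,
        }
    return profiles


def find_beacons(profiles, min_count=6, max_interval_cv=0.2, max_size_cv=0.3):
    """Return pairs that connect often enough and with low timing and size jitter.
    The thresholds are illustrative assumptions, not values from the post."""
    hits = []
    for key, p in profiles.items():
        if p["count"] < min_count:
            continue  # too few connections to call the cadence regular
        if p["interval_cv"] <= max_interval_cv and p["size_cv"] <= max_size_cv:
            hits.append((key, p))
    return hits


if __name__ == "__main__":
    profiles = profile_pairs(parse_log(SAMPLE_LOG))
    for (src, dst, dport), p in find_beacons(profiles):
        print(f"beacon candidate {src} -> {dst}:{dport}: "
              f"{p['count']} connections, median interval {p['median_interval']}s, "
              f"interval CV {p['interval_cv']:.3f}, size CV {p['size_cv']:.3f}")
```

On the constructed log only the 10.0.0.5 to 203.0.113.7 pair is reported, with a median interval of 60 seconds and an interval CV near zero, while the irregular pair scores well above the threshold and the two-event DNS pair is skipped. In practice the thresholds need tuning for the environment: adversaries commonly add deliberate jitter and long sleep intervals to their beacons, so a single tight CV cutoff over a short window will miss them, and benign software updaters and monitoring agents will look just as periodic, which is why a detection like this is a hunting lead to be enriched with destination reputation and process context rather than a verdict on its own.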