Command-and-control (C2) attacks are bad news for any organization. Attackers use C2 servers to communicate with their malware programs from remote locations. These communications, known as malware beaconing, can be difficult to detect. Unfortunately, legacy intrusion detection systems (IDS) are not capable of identifying these subtle attack signals that happen over a length of time.

While IDS has been proven effective at detecting multiple threat types, and can even detect known C2 domains after an explicit rule has been written, it just isn’t able to detect previously unseen C2 servers or the signals they use to communicate with malware. An organization would need to use additional tools to find this kind of network traffic, or else look into replacing their IDS with a different network security solution.

What are Malware Beacons?

Malware beaconing is when malware communicates with an attacker's command-and-control (C2) server to receive new instructions or tasks to complete on a target machine. Attackers configure the frequency and method of these communications with the goal of hiding them in seemingly normal network traffic.

HTTP/S, DNS, SSH, and SMTP, in addition to cloud services like Google or Dropbox are common protocols for beacon communications. Basic malware beacons will transmit data at regular intervals, which is not overly difficult for most systems, but sophisticated evasion techniques like low frequency, randomized communications or varied communication channels can cause beacons to be missed.

Beacons themselves are not actually harmful to a system, but the instructions they contain that are passed on to malware present in the target machine can lead to data breaches, stolen information, or ransomware attacks. In order to effectively detect malware beacons, a network security system needs to use sophisticated computing methods to analyze traffic over time while searching for anomalous traffic behavior.

Why can't IDS detect malware beacons?

Intrusion detection systems (IDS) perform threat detection by monitoring packets and flows in the network and comparing them to predetermined attack patterns known as signatures or rules. These signatures have to be configured to specific data or patterns that are known threat signals or untrusted protocols. When attack patterns are known a rule can be written and added to the IDS deployment.

This means that IDS can detect specific types of malware or command-and-control servers, assuming that those sources are already known and the corresponding rules have already been written. When the C2 server has never been seen before or the malware has already found access into the target system, IDS has no way of detecting its presence. When this happens, the best way to locate the threat and block the servers access is to identify their communications and then trace the source and destination.

The main reason IDS cannot detect malware beaconing communications is because they happen over time. IDS signatures happen on a single packet flow at a single moment in time. Detecting beacons requires aggregate data which must then be analyzed to look for regular frequencies or suspicious behaviors. IDS just doesn’t have the ability to track these changes and conduct the analysis needed to identify these low volume attack signals.

How can malware beacons be detected?

Every beacon functions the same from a fundamental standpoint. The amount of data being transmitted in every request and response is preconfigured, and the intervals at which the malware calls home is regular regardless of the frequency. Even with randomized frequencies, called jitter, beacons follow a pattern. And patterns, however randomized, can be identified using the right technology.

Detecting these patterns requires machine learning and computational logic. The system needs to be able to look at TLS, SSL, or HTTP/S traffic over a span of time, detect and exclude frequent items (which is likely normal, safe traffic), and then take statistical measurements of the remaining traffic to determine the likelihood of those communications being a malware beacon.

Some legitimate communications could exhibit beaconing patterns, so it is important that the beaconing detection engine cross checks the SNIs of that traffic with a list of known servers and then deprioritizes those communications to avoid false positives. By continually analyzing various pieces of flow data (packet size, jitters, standard deviation, repetition, etc) a machine learning algorithm will be able to identify patterns that signal possible beacons and then aggregate that information towards a specific IP or JA3S for further analysis.

Conclusion

IDS is great at explicit detection, but it is only one piece of the puzzle when it comes to creating a more well-rounded network security strategy. To ensure your organization is able to locate low-volume attack signals like malware beaconing, it might be time to consider filling the gaps left by your IDS deployment.

Stamus Security Platform (SSP) is a broad-spectrum and open network detection and response (NDR) system that provides response ready threat detection from multiple sources — machine learning, behavioral anomalies, stateful logic, and IDS signatures. To learn more about SSP’s unique malware beaconing detection, read our article “Threats! What Threats? Malware Beacons and Stamus Security Platform”.