Command & Control: Understanding, Denying and Detecting - A review of malware C2 techniques, detection and defences
Joseph Gardiner, Marco Cova, Shishir Nagaraja

TL;DR
This survey comprehensively reviews malware command and control techniques, detection methods, and defenses, highlighting recent attack trends, methods for hiding C2 channels, and evaluating current security measures and their limitations.
Contribution
It provides an extensive overview of C2 techniques and defenses, mapping them to security controls and identifying gaps in current practices.
Findings
Recent attack techniques have evolved to evade detection.
Existing defenses have notable limitations in identifying covert C2 channels.
Mapping techniques to security controls reveals gaps in current defenses.
Abstract
In this survey, we first briefly review the current state of cyber attacks, highlighting significant recent changes in how and why such attacks are performed. We then investigate the mechanics of malware command and control (C2) establishment: we provide a comprehensive review of the techniques used by attackers to set up such a channel and to hide its presence from the attacked parties and the security tools they use. We then switch to the defensive side of the problem, and review approaches that have been proposed for the detection and disruption of C2 channels. We also map such techniques to widely-adopted security controls, emphasizing gaps or limitations (and success stories) in current best practices.
Taxonomy
Topics: Network Security and Intrusion Detection · Advanced Malware Detection Techniques · Information and Cyber Security
