Shining a Light on Malware Beaconing
Malware attacks come in many forms, from infostealers to ransomware. Despite their differences, many of these threats share similar tactics, and malware beaconing is one of those common threads. For organizations to protect against these evolving threats, it is important to understand what malware beacons are, the security risks they pose, why they are so hard to detect, and how to protect against them.
How Malware Beaconing Works
When we talk about beacons from a cybersecurity perspective, we are talking about post-exploitation network traffic. In other words, a bad actor implanted their malware on, and gained access to, a corporate endpoint or employee’s personal device. Ideally, the bad actor wants to maintain communication and command and control (C2) over that endpoint. However, firewalls can easily detect this continued network connection, and someone with even a minimum amount of network know-how can potentially spot the network traffic and recognize it as malicious activity. As a result, threat actors use various evasion techniques — like malware beaconing — to hide the activity.
The concept is rather simple: An infected device periodically sends a beacon signal to a C2 server for new instructions, such as to perform a network map, gather and exfiltrate data, or to spread itself to other computers on the network. Beaconing conveniently enables the bad actor to undertake any of these activities remotely, and with a high degree of stealth.
Active Camouflage: How Malware Beacons Stay Out of Sight
Malware beacons are successful because they are extremely hard to detect. In fact, they can be so challenging for cybersecurity teams, we wrote an entire book on how to detect just one type of beacons, popularly known as Cobalt Strike. Malware beacons allow threat actors to camouflage their malicious transfers as various forms of benign traffic, such as HTTPS, the encrypted information transfer protocol seen in daily internet use. Threat actors are also known to disguise their traffic as domain name system (DNS) traffic, also called DNS beaconing. In either case, it is very difficult to sift out illegitimate signals from legitimate traffic.
As troubling as malware beacons are, you can still detect them and mitigate the risk to your organization.
Building a Beacon Detection Program
Building a hunting system for beacon detection is bolstered when organizations leverage the cyber threat intelligence (CTI) lifecycle, in tandem with zero trust network access tools. Here are some of the common phases and critical steps of the lifecycle:
- Planning and direction phase — What are the specific questions you will answer and for which audience? For example, product engineering might ask, “How can we fine-tune EDR to detect beacon payloads?” while data scientists — who want labeled data for training models — may want to know “What features are helpful for training models to classify specific types of beacon payloads and configurations?”
- Collection — This is where we define the scope of where the information will come from and gather relevant data to work with. The list of potential sources is long, and it could require anything from logs to blogs — with key metadata found by researchers including indicators of compromise — to file hashes.
- Processing — At this stage, you organize the collected data and label it, translate it, simplify it, decrypt it, and filter it. You’re getting it ready for an analyst to use.
- Analysis — This is where analysts or other team members go looking for answers to the specific questions your audience needs, as determined in the planning and direction phase.
- Dissemination — Sharing the results may look different for each intended audience. For example, SOC analysts and IR teams are going to want an intelligence product they can parse quickly, and perhaps load into tooling. Executives will require something that is easily understood, preferably in report format, or potentially as a briefing with slides and key findings.
You can learn more about these steps in detail in the complimentary BlackBerry e-book, Finding Beacons in the Dark.
How Zero Trust Network Access Detects Elusive Beacons
In addition to leveraging cyber threat intelligence, organizations should also implement a zero trust network access (ZTNA) framework — ideally one reinforced with artificial intelligence (AI). CylanceGATEWAY™, for example, actively monitors network connections coming from an enabled endpoint — whether it is a mobile device, home computer, or workstation. Based on critical factors such as network activity, frequency of communication, and the number of machines connected to a given endpoint, CylanceGATEWAY develops a risk analysis of the likelihood that an endpoint is being used for C2 beaconing. Here is a brief discussion on how this works, in the video below:
To learn more about the role of ZTNA in protecting against malware beacons, schedule a demo, or download the e-book
to understand more about how Cobalt Strike Beacons work, and how to prevent them from placing your organization at risk.