
# Finding C2 in Network Sessions


Identify anomalous network sessions that may indicate command and control (C2) activity

Data Required

Network session data, including IP-to-IP metadata, port use, session length/duration

Collection Considerations

Data can be collected from a variety of systems, including firewalls, NSM sensors (Bro), and SiLK

Analysis Techniques

Stacking, baselining


Identifying network sessions that may indicate C2 activity can be achieved in multiple ways. One of the simplest is to analyze specific types of data associated with network sessions. These include outbound IP-to-IP connections, destination IP address connectivity, destination port use, and session length.

Stacking is a relatively easy way to analyze the data described above. To do this, you want to isolate network data to outbound sessions that happen at the border of your network and stack the number of occurrences for each type or combination of data. For example, to stack IP-to-IP connections, isolate the data to outbound sessions and count the number of unique connections between the source IP (internal host) and the destination IP (external host); for destination port use, isolate the data and stack the number of occurrences of each destination port. In large networks, you may need to isolate the data to specific internal subnets or classes of hosts.

C2 can appear anywhere in the stacked results, but as a start, it may be useful to investigate activity that appears at the top or bottom of the result set. These top and bottom outliers represent anomalous data and may be C2.
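
The stacking procedure described above, as an added example that is not part of the original page: it filters constructed session records to outbound border traffic, stacks them by IP-to-IP pair and by destination port, and returns the top and bottom of each stack. The internal range `10.0.0.0/8`, the record layout and all function names are assumptions; the duration field is carried in the records but not stacked here.

```python
import ipaddress
from collections import Counter

# Assumption: the internal address space is 10.0.0.0/8.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample sessions: (src_ip, dst_ip, dst_port, duration_seconds).
SESSIONS = (
    [("10.0.0.5", "198.51.100.10", 443, 2)] * 40   # one host, one destination, many sessions
    + [("10.0.0.6", "203.0.113.20", 443, 30)] * 5
    + [("10.0.0.7", "203.0.113.20", 80, 12)] * 3
    + [("10.0.0.8", "192.0.2.99", 8443, 7200)]     # single session on a rarely used port
    + [("10.0.0.5", "10.0.0.9", 445, 60)] * 10     # internal-to-internal, excluded
    + [("203.0.113.20", "10.0.0.6", 22, 5)] * 2    # inbound, excluded
)

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def outbound(sessions):
    """Keep only sessions that leave the network: internal source, external destination."""
    return [s for s in sessions if is_internal(s[0]) and not is_internal(s[1])]

def stack(sessions, key):
    """Count occurrences of key(session); most frequent first, ties ordered by key."""
    counts = Counter(key(s) for s in sessions)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

def outliers(stacked, n=1):
    """Return the top n and bottom n rows of a stack for review."""
    return stacked[:n], stacked[-n:]

def run():
    out = outbound(SESSIONS)
    pairs = stack(out, key=lambda s: (s[0], s[1]))  # IP-to-IP connections
    ports = stack(out, key=lambda s: s[2])          # destination port use
    return pairs, ports

if __name__ == "__main__":
    for name, stacked in zip(("ip-pair", "dst-port"), run()):
        top, bottom = outliers(stacked)
        print(name, "top:", top, "bottom:", bottom)
```

On a large network, narrow `INTERNAL_NETS` to one subnet or class of hosts before stacking so the outliers are judged against comparable peers.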

More Info

None at this time.