Analyze network traffic to gain intelligence on communications between systems.
Network analysis can be an automated or manual task to review communications between systems to expose adversary activity, such as C2 or data exfiltration traffic. This analysis is normally done by capturing and analyzing traffic on the wire or from previously collected packet capture.
When custom protocols are in use, defenders can leverage protocol decoder frameworks. These are customized code modules that can read network traffic and contextualize activity between the C2 operator and the implant. These frameworks are often required to process complex encryption ciphers and custom protocols into a human-readable format for an analyst to interpret. Decoder creation requires malware analysis of the implant to understand the design of the protocol. While a high level of technical maturity is required to create such a decoder, once created they are invaluable to the defender.
For example, a defender can use a protocol decode to decrypt network capture data and expose an adversary's C2 or exfiltration activity. Not only does this data provide exquisite intelligence in regard to the adversary's communications channels and targeting preferences, but it also provides future opportunities for data manipulation to further operational goals.
|ATT&CK® Tactics||Adversary Vulnerability Presented|
|Exfiltration||When adversaries interact with network or system resources they are vulnerable to trigger tripwires or engage in easily detectable, anomalous behavior|
|Command and Control||When adversaries use easily identifiable techniques or generate signaturable patterns in data or traffic they are vulnerable to detection of their activity.|
|Collection||When adversaries attempt to exfiltrate, manipulate, or move massive data objects, they are vulnerable to waste resources to accomplish the task|
|Command and Control||When adversaries exfiltrate data, their data are vulnerable to observation or manipulation via Man-in-the-Middle activities|