C2-Eye: framework for detecting command and control (C2) connection of supply chain attacks

Published: 29 April 2024

Abstract

Supply chain attacks are potent cyber attacks with widespread ramifications because they compromise supply chains. They are difficult to detect: the malware is installed through a trustworthy supply chain, so the usual signs of infection are missing and deployed security controls are rendered ineffective. The recent increase in supply chain attacks warrants a Zero-trust model and innovative solutions for detecting them. Supply chain malware needs to establish a Command and Control (C2) connection as a communication link with the attacker before it can proceed along the privileged pathway, so discovery of the C2 channel between the attacker and the malware can lead to detection of the attack. The most promising technique for detecting supply chain attacks is monitoring host-based indicators and correlating them with the associated network activity for early discovery of the C2 connection. The proposed framework introduces a novel approach to detecting C2 over DNS that combines host-based activity with the corresponding network activity and threat intelligence. C2-Eye integrates process-specific host-based features, correlated network activity, DNS metadata, DNS semantic analysis, and real-time threat intelligence from publicly available resources to detect the C2 of supply chain attacks. In addition, C2-Eye monitors the exploitation of the C2 channel for probable data exfiltration. C2-Eye introduces a distinctive feature set with 22 novel features specific to supply chain attacks, enabling detection of the attack with an F1-score of 98.70%.
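The core idea of the abstract, tying each DNS lookup back to the process that issued it and then judging the process by the DNS features and threat intelligence around its queries, can be sketched in a few lines. The following is an added illustration, not the paper's C2-Eye code or its 22-feature set; it assumes a host sensor that emits process-attributed DNS events (Sysmon-style), uses three illustrative features (threat-feed hit, count of unique subdomains under one apex, Shannon entropy of those subdomains as the semantic signal), and runs on constructed sample data with hypothetical PIDs, image names and `.example` domains.

```python
import math
from collections import Counter, defaultdict

# Constructed sample of process-attributed DNS queries, in the shape a host
# sensor that ties each lookup to its issuing process would emit.
# Every PID, image name and domain here is hypothetical (.example TLD).
EVENTS = [
    {"pid": 4012, "image": "svc_updater.exe", "qname": "update.vendor.example"},
    {"pid": 4012, "image": "svc_updater.exe", "qname": "7f3a9c1e0b5d4a2f.cdn-relay.example"},
    {"pid": 4012, "image": "svc_updater.exe", "qname": "c81d2e9a4b7f0356.cdn-relay.example"},
    {"pid": 4012, "image": "svc_updater.exe", "qname": "3e5b7a9d1c2f8e04.cdn-relay.example"},
    {"pid": 2210, "image": "browser.exe", "qname": "www.news.example"},
    {"pid": 2210, "image": "browser.exe", "qname": "static.news.example"},
]
# Constructed stand-in for a threat-intelligence feed of known C2 apex domains.
THREAT_FEED = {"cdn-relay.example"}

def shannon_entropy(text):
    """Bits per character; encoded payloads in a label push this toward 4+."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0

def apex_domain(qname):
    """Naive registered domain (last two labels); production code should use the Public Suffix List."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def subdomain_part(qname):
    return ".".join(qname.lower().rstrip(".").split(".")[:-2])

def score_processes(events, feed, min_unique=3, entropy_bits=3.0):
    """Correlate each process with the names it resolved and report apexes that
    look like C2 or DNS exfiltration: listed on the feed, or carrying many
    unique high-entropy subdomains (data encoded into query names)."""
    per_proc = defaultdict(lambda: defaultdict(set))
    for ev in events:
        key = (ev["pid"], ev["image"])
        per_proc[key][apex_domain(ev["qname"])].add(subdomain_part(ev["qname"]))
    verdicts = {}
    for key, apexes in per_proc.items():
        reasons = []
        for apex, subs in apexes.items():
            if apex in feed:
                reasons.append(f"{apex}: apex listed on threat feed")
            ents = [shannon_entropy(s) for s in subs if s]
            if len(ents) >= min_unique and sum(ents) / len(ents) >= entropy_bits:
                reasons.append(f"{apex}: {len(ents)} unique high-entropy subdomains")
        verdicts[key] = reasons
    return verdicts
```

Running `score_processes(EVENTS, THREAT_FEED)` flags `svc_updater.exe` on both the feed hit and the burst of high-entropy subdomains under one apex, while `browser.exe` produces no reasons; a real deployment would add the paper's remaining host and DNS-metadata features and feed the vector to a classifier.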



Published In

International Journal of Information Security, Volume 23, Issue 4, Aug 2024, 607 pages

Publisher

Springer-Verlag, Berlin, Heidelberg


Author Tags

  1. APT
  2. Command and Control (C2)
  3. DNS
  4. Random Forest Classifier
  5. SUNBURST
  6. Supply Chain Attack

Qualifiers

  • Research-article
