On April 7, GreyNoise Intelligence introduced Command and Control (C2) Detection, a new intelligence module that unlocks insights about cyber attack behavior, based on information contained in outbound network traffic logs. C2 Detection empowers security teams to detect active compromise earlier, prioritize response based on attacker progression, and accelerate investigation by surfacing malware hashes and family classifications tied to confirmed callback infrastructure.
“Edge devices have become the most targeted assets on the internet, and the industry’s visibility into what happens after they’re compromised has been dangerously limited,” said Ash Devata, CEO, GreyNoise Intelligence. “GreyNoise has always been one of the most authoritative sources on inbound network threats. With C2 Detection, our customers can not only identify who’s probing their perimeter, but whether a device is already compromised and who it’s phoning home to.”
Cyber adversaries frequently attack edge devices to exploit known vulnerabilities and gain access. GreyNoise utilizes the world’s most sophisticated deception network of over 5,000 sensors in 80 countries to observe internet traffic and can determine whether activity is malicious in intent based on certain behavioral characteristics and patterns. When an IP is attempting to initiate a download of malware onto a network, the network’s outbound traffic log is a valuable source of evidence, since compromised devices often call out to C2 servers to receive additional instructions. This information can help security teams determine whether their perimeter has been breached.
Powered by GreyNoise’s callback IP intelligence and malware hash data, C2 Detection provides post-exploitation, outbound-facing threat intelligence by surfacing active compromise through outbound communication with attacker-controlled infrastructure. It provides an end-to-end overview of how attacks actually work, including what payloads were delivered, what binaries were downloaded, which external servers were used for Command and Control, and what commands and behaviors were associated with those sessions.
By matching outbound egress traffic against a continuously updated dataset of confirmed malware-hosting IPs and C2 infrastructure, C2 Detection produces a signal that indicates exactly how serious each match is. Security teams can match this dataset of ‘phone home’ addresses that compromised devices communicate with against their own outbound logs to detect potential breaches from outbound telemetry. If an internal device has been communicating with malicious IPs, it is highly likely that the device has been compromised.
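As an added illustration of the outbound-matching approach described above (example code written for this page, not GreyNoise’s product, feed format or API): the indicator set, flow log lines, severity levels and the `role`/`family`/`hashes` fields are all constructed assumptions, and the hash values are placeholders.

```python
from ipaddress import ip_address

# Constructed indicator set standing in for a callback-infrastructure feed.
# The field names are this example's own, not a real feed schema.
INDICATORS = {
    "203.0.113.10": {"role": "malware-hosting", "family": "ExampleLoader",
                     "hashes": ["PLACEHOLDER_SHA256_A"]},
    "198.51.100.7": {"role": "c2", "family": "ExampleRAT",
                     "hashes": ["PLACEHOLDER_SHA256_B"]},
}

# Attacker progression: a confirmed C2 callback is later-stage than a payload download.
SEVERITY = {"malware-hosting": 2, "c2": 3}

# Constructed outbound flow log: "<ts> <src> -> <dst>:<port> <proto>"
FLOW_LOG = """\
2025-04-07T10:00:01Z 10.0.0.5 -> 93.184.216.34:443 tcp
2025-04-07T10:00:02Z 10.0.0.8 -> 203.0.113.10:80 tcp
2025-04-07T10:00:09Z 10.0.0.8 -> 198.51.100.7:8443 tcp
2025-04-07T10:01:00Z 10.0.0.9 -> 198.51.100.7:8443 tcp
"""

def parse_flow(line):
    ts, src, _, dst_port, proto = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "proto": proto}

def match_outbound(log_text, indicators=INDICATORS):
    """One finding per internal host: worst stage reached, every matched server,
    and the malware families / hashes tied to that infrastructure."""
    findings = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if not ip_address(flow["src"]).is_private:   # egress from internal hosts only
            continue
        ind = indicators.get(flow["dst"])
        if ind is None:
            continue
        f = findings.setdefault(flow["src"], {"severity": 0, "stage": None, "infra": [],
                                              "families": set(), "hashes": set()})
        sev = SEVERITY[ind["role"]]
        if sev > f["severity"]:
            f["severity"], f["stage"] = sev, ind["role"]
        f["infra"].append((flow["ts"], flow["dst"], flow["port"], ind["role"]))
        f["families"].add(ind["family"])
        f["hashes"].update(ind["hashes"])
    return findings

def triage_order(findings):
    """Hosts ordered for response: highest severity first, then earliest first contact."""
    return sorted(findings, key=lambda h: (-findings[h]["severity"], findings[h]["infra"][0][0]))
```

Host 10.0.0.8 is reported at the C2 stage with both families attached, because it fetched a payload and then called back, while 10.0.0.5 produces no finding since its destination is not in the indicator set.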
“With C2 Detection, GreyNoise is effectively closing the visibility gap at the edge of the network,” said Corey Bodzin, chief product officer, GreyNoise Intelligence. “Up until now, security teams have had a structural blind spot on post-exploitation activity, especially on edge devices like firewalls, VPN concentrators, and internet-facing IoT. These are now the most actively exploited assets on the internet, but Endpoint Detection and Response (EDR) can’t be run on them, and their native telemetry is often too sparse to detect callback behavior. Our research shows that millions of edge devices are already infected and silently calling out to malware-hosting servers, C2 nodes, and associated file hashes. C2 Detection surfaces that activity, and empowers security teams to take action faster.”
Source: GreyNoise