Exploit Intelligence 101

Attacker Infrastructure

Tom Bain@tmbainjr1

This knowledgebase article will give you a fundamental understanding of:

  • Attacker infrastructure and its key components
  • What command and control (C2) infrastructure is
  • Examples of attacks that use different pieces of attacker infrastructure / C2
  • How VulnCheck’s IP Intelligence solution can support security teams

While the image of a random man in a black hoodie sitting at a computer with dark green code remains pervasive, the reality of modern cyberattacks is that they parallel legitimate business models. Just as an organization maintains a digital infrastructure and associated technology stack, so do cyber attackers.

Attacker infrastructure includes a wide variety of technologies that mirror the ones everyday IT teams use. From command and control (C2) to proxies, attackers use a collection of components to deploy attacks and steal data. Often, companies and attackers use similar technologies with the primary difference being underlying intent.

With insight into attacker infrastructure, security teams can detect signs of compromise and mitigate risk more effectively.

What is Attacker Infrastructure?

The attacker infrastructure consists of the hardware, software, and cloud assets that malicious actors use to maintain operations. Malicious actors use different technologies to accomplish each phase of an attack. At minimum, attackers incorporate hardware and software components that enable them to:

  • Obfuscate their activities
  • Send phishing emails
  • Redirect users and network traffic
  • Deliver payloads
  • Remotely control the intended targets
  • Protect communications between the cybercriminal group and the rest of the infrastructure

What Are the Key Components of Attacker Infrastructure?

To implement appropriate risk mitigation strategies, security teams need to understand what tools and infrastructure attackers use. As attackers often have a complex, comprehensive technology stack, defenders need insight into how each component may interact with their environment. Common infrastructure components include:

Command and Control (C2) Servers

Attackers use C2 servers to communicate with their targets, deliver instructions, and harvest data. C2 servers come in two forms:

  • Centralized C2 Networks: a hub that attackers use to manage malware and monitor compromised devices so they can issue commands, download additional malware, or extract data from victims.
  • Peer-to-Peer C2 Networks: a decentralized model that uses a collection of compromised devices operating as both client and server that communicate to execute commands and exchange data.

Unlike the centralized C2 network, a peer-to-peer network can keep functioning after removing individual nodes, making it more resilient to interventions from law enforcement or security teams looking to disrupt the malicious C2 network.

Domain Name System (DNS)

DNS maps between human-readable names and IP addresses. Malicious actors often use domains, domain names, and subdomains as part of phishing and other attacks in order to mask their infrastructure and fool unsuspecting users. Depending on the attackers’ sophistication and plans, they can either hijack an existing DNS server to prevent security teams from tracing the traffic back to them, or configure their own servers so they can control the C2 traffic.

Proxies

Proxies route traffic through multiple network nodes making it difficult for defenders to track and easier for malicious actors to hide their identity and location. Proxies not only add layers of obfuscation, but also allow threat actors to change their underlying IP addresses more easily, further helping them to avoid detection.

Some examples of how attackers use proxies listed by MITRE ATT&CK include:

  • Internal proxy: used to control traffic between nodes within a compromised network.
  • External proxy: using port redirectors and other techniques to hide where the C2 traffic goes.
  • Multi-hop proxy: transporting C2 traffic through multiple devices to create a multi-hop proxy chain.

Redirectors

Redirectors divert communications that the target sends or receives so defenders have a harder time tracing and shutting down the communications. Malicious actors often use redirectors for ongoing operational resilience and persistence: if security teams identify a piece of attacker infrastructure, the attackers can simply retire the exposed redirector, point traffic at new infrastructure, and continue their operations unhindered.

Relays

Relays are tools that attackers use to intercept communications, typically during a man-in-the-middle (MitM) attack. Attackers can use them in multiple ways, such as poisoning name-resolution protocols like mDNS, NBT-NS, or LLMNR, or intercepting and manipulating SMB, HTTP, or RDP traffic.

Serverless

Malicious actors can purchase or configure serverless infrastructure from traditional cloud providers so that security teams have a hard time tracing their activity. Since the functions come from cloud provider subdomains, security teams have a difficult time separating the malicious traffic from the legitimate traffic.

Virtual Private Network (VPN)

VPNs encrypt data-in-transit to prevent unauthorized access. VPNs enable attackers to hide in several different ways, including:

  • Making exfiltrated data unusable to anyone else
  • Masking their IP addresses to make them harder to locate
  • Securing communications between the C2 and the attacker base

Web Services

Attackers may use various web services to accomplish their objectives. Often, they use the same services that businesses use, like Google and Github, so that they can evade detection by looking like normal incoming and outgoing traffic.

How Does IP Intelligence Mitigate Risks Associated with Attacker Infrastructure?

IP intelligence helps security teams keep up with attackers who constantly rotate IP addresses and domains. Organizations often implement security controls that rely on blocklists and allowlists. For example, firewall rules define the IP addresses that users can communicate with, and protective DNS tools block users from accessing malicious websites.

However, fast-flux DNS and IP churn can make these lists outdated. With IP intelligence, security teams can keep pace with attackers and block their infrastructure. VulnCheck IP Intelligence provides live tracking of attacker C2 infrastructure so that security teams can implement dynamic blocklists. Additionally, VulnCheck IP Intelligence includes data from the past 3, 10, 30, and 90 days so that security teams can hunt for historic IP data, even as attackers continuously change IP addresses to evade detection.
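To make the lookback-window idea concrete, here is an added example (not VulnCheck's code or API; the feed format, the sample IPs, and the log format are all constructed) that builds a dynamic C2 blocklist for a 3, 10, 30, or 90 day window and hunts allowed connections in firewall logs against it:

```python
"""Dynamic C2 blocklist with time-windowed lookback (constructed example)."""
from datetime import datetime, timedelta, timezone
import ipaddress
import re

# Constructed sample feed of C2 observations. Real feeds vary; this shape is an assumption.
FEED = [
    {"ip": "203.0.113.10", "type": "c2", "last_seen": "2024-06-01T12:00:00Z"},
    {"ip": "203.0.113.11", "type": "c2", "last_seen": "2024-05-20T08:30:00Z"},
    {"ip": "198.51.100.7", "type": "c2", "last_seen": "2024-04-15T00:00:00Z"},
    {"ip": "192.0.2.44",   "type": "c2", "last_seen": "2024-03-01T00:00:00Z"},
    {"ip": "not-an-ip",    "type": "c2", "last_seen": "2024-06-01T00:00:00Z"},
]
NOW = datetime(2024, 6, 2, tzinfo=timezone.utc)  # fixed "now" so results are reproducible


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_blocklist(feed, days, now=NOW):
    """Return the set of valid C2 IPs last seen within the past `days` days."""
    cutoff = now - timedelta(days=days)
    block = set()
    for e in feed:
        if e["type"] != "c2" or parse_ts(e["last_seen"]) < cutoff:
            continue
        try:
            ipaddress.ip_address(e["ip"])  # drop malformed entries instead of blocking garbage
        except ValueError:
            continue
        block.add(e["ip"])
    return block


# Constructed firewall log lines: "<timestamp> src=<ip> dst=<ip> action=<allow|deny>"
LOG = """2024-06-01T13:05:00Z src=10.0.0.5 dst=203.0.113.10 action=allow
2024-05-21T09:00:00Z src=10.0.0.8 dst=203.0.113.11 action=allow
2024-04-16T01:00:00Z src=10.0.0.9 dst=198.51.100.7 action=allow
2024-06-01T14:00:00Z src=10.0.0.5 dst=93.184.216.34 action=allow"""
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) action=(?P<act>\S+)$")


def hunt(log_text, feed, days, now=NOW):
    """Return (src, dst, ts) for allowed connections to C2 IPs active in the window."""
    block = build_blocklist(feed, days, now)
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["act"] == "allow" and m["dst"] in block:
            hits.append((m["src"], m["dst"], m["ts"]))
    return hits
```

A short window (3 or 10 days) gives a tight live blocklist, while the 90 day window is what you feed a retroactive hunt so connections made before the indicator was published are not missed.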

Since VulnCheck is exclusively threat focused, our IP Intelligence makes it easier to block attacker infrastructure and rapidly identify vulnerable systems.
