Standard Application Layer Protocol

Description

Adversaries may establish command and control capabilities over commonly used application layer protocols such as HTTP(S), OPC, RDP, telnet, DNP3, and modbus. These protocols may be used to disguise adversary actions as benign network traffic. Standard protocols may be seen on their associated port or in some cases over a non-standard port.

Adversaries may use these protocols to reach out of the network for command and control, or in some cases to other infected devices within the network.

Procedure Examples

• HEXANE communicated with command and control over HTTP and DNS.1
• OilRig communicated with its command and control using HTTP requests.2
• BlackEnergy uses HTTP POST request to contact external command and control servers.3
• Stuxnet attempts to contact command and control servers over HTTP to send basic information about the computer it has compromised.4

Mitigations

• Network Allowlists - Network allowlists can be implemented through either host-based files or system host files to specify what external connections (e.g., IP address, MAC address, port, protocol) can be made from a device. Allowlist techniques that operate at the application layer (e.g., DNP3, Modbus, HTTP) are addressed in the Filter Network Traffic mitigation.

• Network Intrusion Prevention - Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.

• Network Segmentation - Ensure proper network segmentation between higher level corporate resources and the control process environment.