English
Contact Us

The Platform

Solutions

Customers

Partners

Blog

More

Start the Democaret-right

Contact Uscaret-right
caret-left Back

Reveal(x)

The industry's only network detection
and
response platform that delivers the
360-degree
visibility needed to
uncover the cybertruth.

Deployment Model

SaaS-Based Solution >

On-Premises Solution >

Security

Network Detection and Response >

Intrusion Detection System >

Forensics >

Performance

Network Performance Monitoring >

Forensics >
caret-left Back

Solutions

Learn More

Use Cases

Explore By Industry Vertical
caret-left Back

Customers

Customer resources, training,
case studies, and more.

Learn More

Customer Community

Cybersecurity Services

ExtraHop Support
caret-left Back

Partners

Partner resources and information about our channel and technology partners.

Learn More

Work With Us! Become a Partner

Integrations and Automations

Partners
caret-left Back

Blog

Learn More
caret-left Back

About Us

Events & Newsroom

Careers

Resources

caret-left Back

About Us

See what sets ExtraHop apart, from our innovative approach to our corporate culture.

Learn More

Contact Us

caret-left Back

Events & Newsroom

Get the latest news and information.

Learn More

Sign Up for a Live Attack Simulation

Upcoming Webinars and Events

caret-left Back

Careers

We believe in what we're doing. Are you ready to join us?

Learn More

Careers at ExtraHop

Search Openings

Connect on LinkedIn

caret-left Back

Resources

Find white papers, reports, datasheets, and more by exploring our full resource archive.

All Resources

Customer Stories & Case Studies

Ransomware Attacks in 2021: A Retrospective

Cyberattack Glossary

Network Protocols Glossary

Documentation

Firmware

Training Videos

C2 Beaconing: Definition, Examples, and Prevention

Risk Factors

Likelihood

Complexity

Business Impact

C2 Beaconing

What is C&C Beaconing?

Command-and-control (C&C or C2) beaconing is a type of malicious communication between a C&C server and malware on an infected host. C&C servers can orchestrate a variety of nefarious acts, from denial of service (DoS) attacks to ransomware to data exfiltration.

Often, the infected host will periodically check in with the C&C server on a regular schedule, hence the term beaconing. This pattern can differentiate it from normal traffic because of the regularity of intervals. But beaconing on common ports and protocols (such as HTTP:80 or HTTPS:443) often obscures malicious traffic within normal traffic and helps the attacker evade firewalls. Another evasion tactic, notably used by SUNBURST, involves waiting long, randomized periods of time before communicating.

What are Botnets?

Botnets are a group of hosts infected by malware and controlled by a C&C server (though a C&C server can control things other than botnets). Those hosts can be computers, IoT devices, smart phones, or other internet-connected technologies. Beaconing is just one type of communication used between botnets and the bad actor controlling them.

Examples of C&C Beaconing

DNS Beaconing

A compromised host makes regular DNS requests to a domain belonging to an attacker-controlled DNS server, allowing the attacker to respond to the request, hiding commands within the DNS response.

SSH Beaconing

Attackers may hide C&C communication within SSH communications, making it harder to discern from legitimate traffic.

HTTPS Beacon

Hiding C&C communications in HTTPS makes it harder to detect because many security tools cannot decrypt it and can only see the traffic destination. If a trusted cloud service is hijacked for the C&C server, the communication can fly under the radar—camouflaged as legitimate traffic.

Protection Against C&C Beaconing

Preventing malware in the first place can stop beaconing before it begins. Inevitably, threats will get inside the walls, making a second line of defense necessary.

These beacons signal C&C servers on a regular schedule. Security tools can look for patterns in the timing of communications (such as GET and POST requests) to detect beaconing. While malware attempts to mask itself by using some amount of randomization, called jitter, it still creates a pattern that is recognizable—especially by machine-learning detections.

Some options to mitigate C&C activity if beaconing is detected on a device:

  • Remove or disable any extraneous applications, services, and daemons on the device
  • Quarantine the device while checking for indicators of compromise, such as the presence of malware
  • Block inbound and outbound traffic from suspicious endpoints at the network perimeter
  • Implement network segmentation and the principle of least privilege on accounts to minimize the damage caused by a compromised device

C&C Beaconing History

In order to listen for beaconing (and control their botnets) bad actors used to have actual physical devices that functioned as C&C servers, but now they are more frequently ephemeral servers hidden within legitimate services. One tactic is to create a server within a legitimate cloud service. That way, the destination on outbound traffic will be an unsuspicious service.

Notable Botnets

Trickbot, first reported in 2016, is both a type of malware and a pervasive botnet sold as Malware-as-a-Service (MaaS). It uses email spam to take control of computers and is thought to be one of the most financially damaging botnets.

ZeuS, first seen in 2007, is perhaps the largest botnet with over 13 million infected hosts. It began as a banking trojan which at one point was responsible for 90 percent of all online bank fraud in the world.

Emotet, first reported in 2014, began as a banking trojan before evolving into both a botnet and a vehicle for getting other malware past defenses.

Related Reading

Learn More About Threat Detection Strategy

Learn More