Trap p ing and coercion These missions attempt to compel latent attackers to perform activities that will cause them to b e discovered. O nce an attacker gains access to the netw ork, escalated privileges and estab lished persistence, they are u nlikely to engage in additional overt maliciou s activity . This is because they likely have gained access to legitimate account credentials or have had the opportu nity to install maliciou s sof tw are to mask, clean or hide their activities. B y altering conditions on the netw ork, def enders can impose a dilemma on hidden attackers. They must either work to maintain their access and subject themselves to the scrutiny of alert A ctive D ef ense practitioners, or they w ill lose access. H ere are ex amples of this ty pe 1 2 % of mission: of respondents that do • M al w are starv ation have an S O C reported M any ty pes of malw are emit a regu lar “ b eacon” or “ heartb eat” to a command and being able to fulfill all control (C&C) server as long as they are active. This serves two purposes. First, it acts fu nctions in- hou se as a remote notification to an attacker that his access to the network is still available. S econd, it provides au tomated control sy stems w ith an opportu nity to deliver orders to fielded malware instances (implants). H ighly sophisticated attackers may employ mu ltiple cooperating malw are implants that w atch each other to provide b acku p. If one implant sees that its partner has b een eradicated or is no longer commu nicating on the netw ork, it activates and takes over the beaconing and malicious activity. EY has seen one network that had primary implants installed on more than 2 0 servers, w ith alternate or b acku p implants hiding on another 14. The alternates weren’t detected until after the primaries had all been eradicated — the point w hen an incident response team w ou ld u su ally close the case and go home. C hanges in netw ork connectivity are u su ally the cau se that resu lts in the activation of dormant implants. C onsider simu lating this to “ starve” malw are of its netw ork access and change its b ehavior. N etw ork segments can b e cu t of f f rom one another temporarily to prevent cooperating malware samples from seeing or interacting with one another; this can resu lt in b acku p malw are spinning u p and try ing to take over f or w hat it thinks is an eradicated primary . • D N S m anip ul ation Malware authors typically use hostnames to configure malware C&C servers rather than IP addresses. This improves resiliency for the malware, since defenders typically block outgoing traffic to specific IP addresses (routers and switches don’t know about hostnames). Using a hostname allows the malware’s C&C server to be located at any IP address. The attacker just needs to register it, and DNS servers around the world will carry the new s to his deploy ed malw are. D ef enders w ho have tried to sq u ash a malw are infection have probably seen this behavior before: they block outgoing traffic from b eaconing malw are only to see it shif t to new destination addresses every f ew hou rs. By resetting the network’s DNS cache, defenders force renewed resolution of every hostname across the netw ork — inclu ding those u sed b y malw are. W ithin a f ew hou rs or day s, def enders can then ex amine the contents of the D N S cache f or low - density hostnames or hostnames that w ere resolved at odd hou rs. A b oatload of connections to www.google.com at noon on a Tuesday shouldn’t raise any eyebrows, but a single connection to www.malwaremothership.com at 2 a.m. on a Tuesday warrants closer inspection. E nhancing y ou r secu rity operations w ith A ctive Def ense | 13