T1008 - Fallback Channels#
Adversaries may use fallback or alternate communication channels if the primary channel is compromised or inaccessible in order to maintain reliable command and control and to avoid data transfer thresholds.
Atomic Tests:#
Currently, no tests are available for this technique.
Detection#
Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)
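The three detection ideas above (asymmetric byte counts, unfamiliar network-using processes, and protocol/port mismatches) can be turned into simple checks over flow records. The following is an added example written for this page, not code from Atomic Red Team or the ATT&CK project; it assumes Zeek conn.log-style fields (source, destination, destination port, detected service, originator bytes, responder bytes) and uses constructed sample records and a constructed process baseline rather than real traffic.

```python
"""Flag uncommon data flows that may indicate C2 over fallback/alternate channels.

Added example: the records below are constructed, not captured traffic.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed flow records in a Zeek conn.log-like shape:
# (src, dst, dst_port, service, orig_bytes, resp_bytes)
SAMPLE_FLOWS = [
    ("10.0.0.5", "93.184.216.34", 443, "ssl", 1_200, 48_000),      # ordinary download
    ("10.0.0.5", "198.51.100.7", 443, "ssl", 9_500_000, 12_000),   # client uploads far more than it receives
    ("10.0.0.9", "203.0.113.22", 53, "dns", 250_000, 30_000),      # DNS with large outbound volume
    ("10.0.0.9", "203.0.113.22", 53, "dns", 260_000, 31_000),
    ("10.0.0.7", "192.0.2.10", 80, "ssl", 4_000, 5_000),           # TLS on a port expected to carry HTTP
    ("10.0.0.7", "192.0.2.11", 80, "http", 4_000, 90_000),
]

# Constructed host telemetry: (host, process_name, remote_address)
SAMPLE_PROCESS_EVENTS = [
    ("WS01", "chrome.exe", "93.184.216.34"),
    ("WS01", "notepad.exe", "198.51.100.7"),  # a process that normally never talks to the network
    ("WS02", "outlook.exe", "192.0.2.11"),
]

# Assumed baseline of processes known to use the network in this environment.
KNOWN_NETWORK_PROCESSES = {"chrome.exe", "outlook.exe", "svchost.exe"}

# Services expected on well-known ports; anything else on these ports is a mismatch.
EXPECTED_SERVICE = {22: {"ssh"}, 53: {"dns"}, 80: {"http"}, 443: {"ssl"}}


@dataclass(frozen=True)
class Finding:
    kind: str
    src: str
    dst: str
    detail: str


def aggregate_bytes(flows):
    """Sum originator/responder bytes per (src, dst) pair."""
    totals = defaultdict(lambda: [0, 0])
    for src, dst, _port, _service, orig_bytes, resp_bytes in flows:
        totals[(src, dst)][0] += orig_bytes
        totals[(src, dst)][1] += resp_bytes
    return totals


def asymmetric_flows(flows, ratio=5.0, min_bytes=100_000):
    """Flag host pairs where the client sends `ratio` times more than it receives.

    `min_bytes` suppresses noise from tiny flows where the ratio is meaningless.
    """
    findings = []
    for (src, dst), (sent, received) in aggregate_bytes(flows).items():
        if sent >= min_bytes and sent > ratio * max(received, 1):
            detail = f"sent={sent} received={received} ratio={sent / max(received, 1):.1f}"
            findings.append(Finding("asymmetric_upload", src, dst, detail))
    return findings


def protocol_mismatches(flows):
    """Flag flows whose detected service does not match what the port normally carries."""
    findings = []
    for src, dst, port, service, _o, _r in flows:
        expected = EXPECTED_SERVICE.get(port)
        # Unknown service ("-" in Zeek) cannot be judged, so it is skipped.
        if expected and service != "-" and service not in expected:
            findings.append(Finding("protocol_mismatch", src, dst,
                                    f"port={port} service={service} expected={sorted(expected)}"))
    return findings


def unfamiliar_network_processes(events, baseline):
    """Return (host, process) pairs seen using the network but absent from the baseline."""
    return sorted({(host, proc) for host, proc, _dst in events if proc.lower() not in baseline})


def run_all():
    """Collect every finding so the checks can be reviewed or asserted on together."""
    return {
        "asymmetric": asymmetric_flows(SAMPLE_FLOWS),
        "mismatch": protocol_mismatches(SAMPLE_FLOWS),
        "processes": unfamiliar_network_processes(SAMPLE_PROCESS_EVENTS, KNOWN_NETWORK_PROCESSES),
    }


if __name__ == "__main__":
    for kind, items in run_all().items():
        print(kind)
        for item in items:
            print("  ", item)
```

The ratio and minimum-byte thresholds are starting points to tune against a baseline of normal traffic for the environment; aggregating per host pair rather than per flow is what lets the many small, individually unremarkable DNS flows in the sample surface as one asymmetric conversation.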
Shield Active Defense#
Network Manipulation#
Make changes to network properties and functions to achieve a desired effect.
Network Manipulation allows a defender to throttle network speeds, segment the network, maintain a unique IP addressing scheme, or add a kill switch to cut off network access if needed.
Opportunity#
There is an opportunity to manipulate the network to allow/deny certain types of traffic, to degrade network traffic, or otherwise impact an adversary’s activity.
Use Case#
A defender can identify and block specific adversary Command and Control (C2) traffic to see how an adversary responds, possibly exposing additional C2 information.
Procedures#
Add a kill switch to a decoy network that can be used to shut down all network communication if an adversary takes an action that is out of the desired scope. Introduce intermittent network packet loss on a decoy network to interfere with an adversary's activities.