18
Covert Communication
When a shinobi is going to communicate with the general after he has gotten into the enemy’s castle, the shinobi needs to let his allies know where he is. It is essential to arrange for the time and place to do this.

For success on a night attack, send shinobi in advance to know the details of the enemy’s position before you give your orders.

—Yoshimori Hyakushu #12

Because shinobi were first and foremost experts in espionage, they had to safely relay secret messages containing scouting reports, attack plans, and other critical information to help their lords and allies make informed tactical and strategic decisions. Similarly, lords, generals, and other shinobi needed to covertly tell an infiltrated shinobi when to set a fire or execute other tactics. These messages had to be easily deciphered by the recipient shinobi but indiscernible to everyone else.

The Bansenshūkai, Ninpiden, and Gunpo Jiyoshu scrolls all describe secret methods shinobi used to communicate with other shinobi, friendly armies, or their employers after infiltrating enemy territory. Some are brutally simple. The Bansenshūkai describes hiding a message in the belly of a fish or even inside a person (use your imagination) who can easily travel across borders without suspicion. Common choices were monks and beggars. Obfuscation techniques discussed in the same scroll include cutting a message into several pieces and sending each piece by a different courier, to be reassembled by the recipient, as well as making inks from tangerine juice, rusty water, sake, or castor oil that dry invisibly on paper but are revealed with fire. Shinobi even developed the shinobi iroha—a custom alphabet indecipherable to non-shinobi—and used fragmented words or characters to create contextual ambiguity that only the shinobi meant to receive the message would understand.1

A popular—and direct—method of sending secret messages was yabumi, wherein what appears to be a normal arrow actually has a secret scroll rolled around the bamboo shaft, along with marks on the fletching to identify the recipient. Given the logistical realities of feudal Japan, shinobi could not always guarantee that they could fire a yabumi arrow at a prearranged time and place, so they developed an arrow “handshake” that, to an outsider, might have looked like a skirmish. If one side saw a specific number of arrows shot rapidly at the same spot, they returned fire with a specific number of arrows aimed to land in front of the shooter. This signal and countersignal established a friendly connection. The shinobi could then shoot the yabumi arrow, which would be picked up and delivered to the intended target.2 This method of communication became so common that the Gunpo Jiyoshu manual warns that the enemy may send deceptive letters by arrow; thus, the recipient should closely examine yabumi messages using some of the linguistic techniques described earlier in this book.3

For long-distance signaling or when sending a scroll wasn’t feasible, shinobi devised flag, fire, smoke, and lamp signals (hikyakubi). When even these were not possible, they employed secret drums, gongs, and conches. A loud, unique blast of the signaling device told the shinobi inside enemy lines to prepare to receive a secret communication. The exact signal pattern was agreed upon one to six days before infiltration to avoid confusion. After the initial hikyakubi signal, the message was delivered through drum, gong, or conch signals.4

In this chapter, we will look at how the covert communication methods of the shinobi closely resemble modern malware command and control communication. We will discuss why command and control communications are needed and their role in threat activity. We’ll touch on various techniques that modern adversaries have used to covertly conduct this communication. We will also explore various defenses against this technique and the challenges of applying them. Lastly, we’ll list a large collection of security best practices to defend against command and control communications. The fact that the shinobi scrolls offer no guidance around how to stop covert communication suggests there may not be a good solution for it.

Command and Control Communication

It is typically not feasible for malware to be wholly independent and autonomous. If it were, the malware would be exceedingly large, complex, suspicious, and visible to defenders. Rather, most malware needs tactical guidance from its controllers during a threat campaign, so threat actors use a technique called command and control (abbreviated as C2, CnC, or C&C) to communicate with malware, backdoors, implants, and compromised systems under their control in target networks. Operators use C2 communication to send commands to a compromised system, prompting it to execute actions such as downloading data, updating its configuration, or even deleting itself. The C2 implant can also initiate communication by sending statistics or valuable files, asking for new commands, or beaconing back to report that the system is online, along with its location and current status. Cyber threat actors often establish C2 infrastructure such as domain names, IPs, and websites one to six weeks prior to infiltration.

C2 functionality is widely known, and many firewalls, IDS/IPS, and other security devices and controls can prevent adversaries from communicating directly to target systems or vice versa. To bypass these controls, threat actors continually develop more advanced C2 techniques, tactics, and procedures (TTPs). For example, C2 data can be embedded in the payload of a ping or in commands hidden in pictures hosted on public websites. Adversaries have used C2 in Twitter feeds and comments on trusted sites. They have also used C2 to establish proxies and email relays on compromised systems; they then communicate over known protocols and safe sites that are not blocked by security controls and devices. Phones plugged into compromised systems can be infected with malware that, upon USB connection, “calls” the C2 via cell phone towers, bypassing firewalls and other network defenses and facilitating communication between the infected host and the C2 while the phone’s battery charges. Some C2 communication methods use blinking LEDs (like a signal fire), vary CPU temperature (like a smoke signal), use the sounds of hard drives or PC speakers (like signal drums), and leverage electromagnetic spectrum waves to bypass the air gap to a nearby machine.

Threat actors layer C2 communications with obfuscation, encryption, and other confidentiality techniques to maintain contact with a compromised system without disclosing evidence of the commands to the victims. Adversaries may avoid detection by:

Advanced C2 TTPs can be particularly sinister, virtually undetectable, and hard to block. Consider the example of a Windows IT admin who has implemented such strict firewall controls that the only site they can visit is technet.microsoft.com, the official Microsoft web portal for IT professionals. Only the HTTPS protocol is allowed, antivirus is current and running, and the operating system is fully patched. No external programs such as email, Skype, or iTunes are running, with the exception of the Microsoft TechNet website, which the admin needs to do their job. That may sound secure, but consider that Chinese APT17 (also called Deputy Dog or Aurora Panda) encoded hidden IP addresses in comments posted on Microsoft TechNet pages—comments that communicated with a BLACKCOFFEE remote access trojan on a compromised system.5 If anyone had inspected proxy traffic, behavior analysis, anomaly heuristics, IDS signatures, antivirus, or firewall alerts, nothing notable would have indicated that malicious communications were happening.

Advanced defense efforts to counter sophisticated C2s typically involve air gapping the systems, but C2 communication techniques that bridge the air gap have been developed in recent years. One example is a USB device loaded with rootkits or compromised firmware and malware that, once plugged into a system, initiates communications with the implant on the compromised system, collects the packaged data, and discreetly carries it out for exfiltration to an external C2.

Controlling Coms

It is common for organizations to subscribe to multiple threat indicator feeds. These feeds continually supply the organization with malicious URLs, IPs, and domains that have been observed working as C2s. The organization will then alert and/or block those threats in their firewalls and security devices. This is a good starting point for defending against C2s, but there is an endless supply of new URLs, IPs, and domains, allowing threat actors to take up new identities and evade the threat indicator feeds. Both old and new approaches are needed to address C2s, some of which are suggested below.

  1. Follow best practices. While it may be impractical or even impossible to prevent all C2 communications, you can block basic or moderately advanced C2s by implementing cybersecurity best practices: know your network, set boundary and flow controls, establish whitelists, and authorize hunt teams to proactively block or intercept C2 communications. Do not take shortcuts on best practices. Rather, commit to doing solid security work. Document, test, and validate your best practices and consult with independent third-party assessors for additional measures and validation. Invest in improving security while maintaining and bettering your existing best-practice infrastructure.
  2. Implement segmentation with “remote viewing” controls. Network segmentation and isolation means establishing multiple networks and machines, such as an intranet machine and an unclassified internet machine that are segmented from each other. Segmentation should prevent C2 communication from bridging across boundaries. Unfortunately, it’s common for users to briefly plug their intranet machine into the internet to download documents or libraries or commit some other breach of security protocol. One approach to such issues is to configure the intranet machine so it remotely views another isolated machine that is connected to the internet. The isolated internet box is not physically or directly accessible by users; they may issue commands and view the screen, but they do not receive the actual raw information from the isolated internet box in their remote viewing box. The remote viewing box is effectively a TV monitor displaying another computer in a different room. As such, C2 communication, malware, and exploits cannot jump through the video signal to cause harm.
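The beaconing behavior described under Command and Control Communication, and the deny-by-default whitelist recommended above, can both be checked against a proxy log. The following is an added example, not code from the book: it parses a few constructed log lines (the hosts, addresses and log format are assumed, not taken from any real incident), flags source/destination pairs whose check-in intervals are nearly constant, and lists destinations that are not on the allowlist.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed proxy log lines (assumed format): "<epoch> <src_ip> <dest_host> <bytes_out>".
# 10.0.0.5 checks in with one host every 60 seconds; 10.0.0.7 browses at human, irregular pace.
SAMPLE_LOG = """\
1700000000 10.0.0.5 technet.microsoft.com 512
1700000060 10.0.0.5 updates.example-cdn.net 300
1700000120 10.0.0.5 updates.example-cdn.net 301
1700000180 10.0.0.5 updates.example-cdn.net 299
1700000240 10.0.0.5 updates.example-cdn.net 302
1700000300 10.0.0.5 updates.example-cdn.net 300
1700000033 10.0.0.7 technet.microsoft.com 2048
1700000410 10.0.0.7 technet.microsoft.com 1900
1700002200 10.0.0.7 technet.microsoft.com 700
1700002290 10.0.0.7 technet.microsoft.com 650
"""

# Deny by default, allow by exception: only destinations approved beforehand.
ALLOWLIST = {"technet.microsoft.com"}
LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\d+)$")

def parse_log(text):
    """Return a list of (timestamp, src, dest, bytes_out) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((int(m.group(1)), m.group(2), m.group(3), int(m.group(4))))
    return events

def find_beacons(events, min_hits=4, max_cv=0.2):
    """Map (src, dest) -> mean interval for pairs that connect with nearly constant spacing."""
    times = defaultdict(list)
    for ts, src, dest, _ in events:
        times[(src, dest)].append(ts)
    beacons = {}
    for key, ts_list in times.items():
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        if len(gaps) + 1 < min_hits:
            continue  # too few connections to judge periodicity
        avg = mean(gaps)
        # Low coefficient of variation means low jitter: a timer, not a person, is driving it.
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons[key] = avg
    return beacons

def not_allowlisted(events, allowlist=ALLOWLIST):
    """Destinations seen in the log that have no approved exception."""
    return sorted({dest for _, _, dest, _ in events if dest not in allowlist})
```

Real implants add jitter to their sleep timers, so in practice the variation threshold is tuned per environment and the periodicity check is combined with the allowlist and threat-feed matches rather than used alone.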

Recommended Security Controls and Mitigations

Where relevant, recommendations are presented with applicable security controls from the NIST 800-53 standard. Each should be evaluated with the concept of C2s in mind.

  1. Implement safeguards on systems, network boundaries, and network egress points that look for signs of data exfiltration on your network. This could mean blocking encrypted tunnels that your sensors cannot intercept, along with looking for evidence of unauthorized protocols, data formats, data watermarks, sensitive data labels, and large files or streams exiting your network. [AC-4: Information Flow Enforcement | (4) Content Check Encrypted Information; SC-7: Boundary Protection | (10) Prevent Exfiltration; SI-4: System Monitoring | (10) Visibility of Encrypted Communications]
  2. Establish multiple networks with isolation and segmentation between internet and intranet resources. Restrict critical internal systems from connecting to the internet. [AC-4: Information Flow Enforcement | (21) Physical and Logical Separation of Information Flows; CA-3: System Interconnections | (1) Unclassified National Security System Connections | (2) Classified National Security System Connections | (5) Restrictions on External System Connections; SC-7: Boundary Protection | (1) Physically Separated Subnetworks | (11) Restrict Incoming Communications Traffic | (22) Separate Subnets for Connecting to Different Security Domains]
  3. Restrict remote access to any systems with critical information. [AC-17: Remote Access]
  4. Implement restrictions and configuration controls to detect and prevent unauthorized wireless communications. [AC-18: Wireless Access | (2) Monitoring Unauthorized Connections; PE-19: Information Leakage; SC-31: Covert Channel Analysis; SC-40: Wireless Link Protection; SI-4: System Monitoring | (15) Wireless to Wireline Communications]
  5. Train your security team and employees to identify C2 communications. [AT-3: Role-based Training | (4) Suspicious Communications and Anomalous System Behavior; SI-4: System Monitoring | (11) Analyze Communications Traffic Anomalies | (13) Analyze Traffic and Event Patterns | (18) Analyze Traffic and Covert Exfiltration]
  6. Deny any unauthorized software that could be a C2 backdoor or implant from running on your systems. [CM-7: Least Functionality | (5) Authorized Software–Whitelisting]
  7. Safeguard direct physical connections to systems that bypass security controls and boundaries; these include switch closets, Ethernet wall jacks, and computer interfaces. [PE-6: Monitoring Physical Access; SC-7: Boundary Protection | (14) Protects Against Unauthorized Physical Connections | (19) Block communication from non-organizationally configured hosts]
  8. Require inspection and scanning of removable media that enters or leaves your organization to prevent personnel from manually performing C2 communication through delivery and removal of external media. [PE-16: Delivery and Removal]
  9. Implement a whitelist to deny communication to any resource or address that has not been approved for an exception. Many C2 sites are brand-new domains with no history of legitimate use by your organization. [SC-7: Boundary Protection | (5) Deny by Default—Allow by Exception]

Debrief

In this chapter, we reviewed the various communication methods shinobi used to receive and send commands to allies. We described various modern C2 methods, along with their comparative shinobi methods. However, we only scratched the surface, as it’s very likely that the most sophisticated C2 techniques have yet to be discovered. Just like the best of the shinobi’s covert communication methods were never written down, we may never learn of the genius and creativity behind the most advanced C2 techniques. We discussed several best practices, including whitelisting and encryption inspection, as ways to mitigate an adversary’s C2s, but an ideal solution to the problem remains to be found.

In the next chapter, we will discuss shinobi call signs. These were methods of communicating with allies inside enemy territory by leaving unique marks or messages. Similar to a dead drop, call signs never leave the boundaries of an environment, so traditional methods of blocking or detecting C2 communication generally do not work against them.