  • Post category:Blog
  • Post last modified:June 12, 2024

You are a threat hunter who is analyzing traffic. You suspect that a host in your organization is attempting to establish a communication channel with a C2 server. Which traffic type should you examine more closely in your analysis?

  • ping
  • traceroute
  • DNS
  • FTP
Explanation & Hint:

When suspecting that a host in your organization is attempting to establish a communication channel with a Command-and-Control (C2) server, the traffic type you should examine more closely in your analysis is “DNS.”

DNS (Domain Name System) traffic is a focal point in such investigations because nearly every host is allowed to resolve names: outbound DNS is rarely blocked, and malicious queries blend into a large volume of legitimate ones. A compromised host normally has to resolve the C2 server's domain name before it can connect, and many malware families rotate through domains produced by a domain generation algorithm (DGA), so a host issuing many lookups for never-before-seen domains, or a burst of lookups that fail to resolve (NXDOMAIN), is a strong lead. Some threats go further and use DNS tunneling, encoding commands and exfiltrated data in the query names sent to, and in the TXT or NULL responses returned by, an authoritative server the attacker controls. The tell-tale signs are unusually long, high-entropy subdomain labels, a high count of unique subdomains under a single domain from one client, and heavy use of record types a workstation rarely needs. Any of these patterns makes DNS traffic the first place to look for potential C2 communications.
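The checks described above, written out as a small hunting script over a constructed DNS query log. This is an added example, not code from the original page or from the CBROPS material; the log format, the sample lines, the `.invalid` domain and the thresholds are all assumptions made for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log (hypothetical; not taken from the original page).
# Assumed line format: "<timestamp> <client_ip> <qtype> <qname>"
SAMPLE_DNS_LOG = """\
2024-06-12T10:00:01 10.0.0.5 A www.example.com
2024-06-12T10:00:02 10.0.0.5 A cdn.example.net
2024-06-12T10:00:03 10.0.0.7 TXT 7a6d9e1f3b2c4d5e6f7a8b9c0d1e2f3a.ops-telemetry.invalid
2024-06-12T10:00:04 10.0.0.7 TXT 4c3b2a1f0e9d8c7b6a5f4e3d2c1b0a9f.ops-telemetry.invalid
2024-06-12T10:00:05 10.0.0.7 TXT 9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c.ops-telemetry.invalid
2024-06-12T10:00:06 10.0.0.7 TXT 0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d.ops-telemetry.invalid
2024-06-12T10:00:07 10.0.0.5 A mail.example.com
"""

# Illustrative thresholds (assumptions for this example, not a published standard).
MAX_LABEL_LEN = 30          # a leftmost label longer than this is suspicious
ENTROPY_THRESHOLD = 3.5     # bits/char; hex payloads approach 4.0, base32 approaches 5.0
VOLUME_THRESHOLD = 3        # unique subdomains per (client, registered domain)
PAYLOAD_QTYPES = {"TXT", "NULL"}  # record types commonly abused to carry tunnel responses


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text` (0.0 for an empty or one-symbol string)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def registered_domain(qname: str) -> str:
    """Naive registered-domain extraction: the last two labels.
    Assumption for the example only; real code should use the Public Suffix List
    so that host.example.co.uk is not collapsed to co.uk."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def parse_dns_log(text: str):
    """Parse the assumed whitespace-separated format into a list of dicts."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the hunt
        ts, client, qtype, qname = parts
        records.append({"ts": ts, "client": client,
                        "qtype": qtype.upper(), "qname": qname.lower().rstrip(".")})
    return records


def hunt_dns_c2(records):
    """Group queries by (client, registered domain) and return the pairs that trip any check."""
    per_pair = defaultdict(list)
    for r in records:
        per_pair[(r["client"], registered_domain(r["qname"]))].append(r)

    findings = []
    for (client, domain), queries in per_pair.items():
        reasons, subdomains = set(), set()
        for r in queries:
            labels = r["qname"].split(".")
            leftmost = labels[0]
            if len(labels) > 2:                      # at least one label below the registered domain
                subdomains.add(r["qname"])
            if len(leftmost) > MAX_LABEL_LEN:
                reasons.add("long-label")
            if shannon_entropy(leftmost) > ENTROPY_THRESHOLD:
                reasons.add("high-entropy-label")
            if r["qtype"] in PAYLOAD_QTYPES:
                reasons.add("payload-capable-qtype")
        if len(subdomains) >= VOLUME_THRESHOLD:      # many distinct names = data in the query name
            reasons.add("many-unique-subdomains")
        if reasons:
            findings.append({"client": client, "domain": domain,
                             "queries": len(queries), "reasons": sorted(reasons)})
    return findings


if __name__ == "__main__":
    for f in hunt_dns_c2(parse_dns_log(SAMPLE_DNS_LOG)):
        print(f"{f['client']} -> {f['domain']}: {f['queries']} queries, {', '.join(f['reasons'])}")
```

Running it flags only 10.0.0.7 against ops-telemetry.invalid, on all four checks; the ordinary lookups from 10.0.0.5 produce nothing. Before turning any of these checks into an alert, baseline them against your own resolver logs: content-delivery networks, some security products and cloud services legitimately emit long, hash-like labels, so the thresholds above are a starting point for a hunt, not a detection rule.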

Other traffic types like ping (ICMP), traceroute, and FTP have their uses in network communications, but are less commonly associated with C2 traffic:

  • Ping (ICMP): Used for reachability checks and basic diagnostics. ICMP tunneling does exist, but it is far less common than DNS-based C2 and many perimeters rate-limit or block ICMP outright.
  • Traceroute: Used to diagnose the path packets take through the network; it is not a channel for C2 communications.
  • FTP: Can be used for data exfiltration, but it is a cleartext protocol on a well-known port that is commonly blocked or inspected at the perimeter, so it is far less stealthy than DNS and more likely to be caught by modern security controls.

For more Questions and Answers:

Threat Analysis Post-Assessment | CBROPS
