  • Post last modified:June 12, 2024

You work on an incident response team. You are tasked with identifying malicious beaconing traffic that is leaving your network and communicating with an external C2 server. Which traffic type will be your primary focus?

  • Cobalt Strike packets
  • IPsec packets
  • tunneled traffic
  • IPv6 packets
Explanation & Hint:

When tasked with identifying malicious beaconing traffic that is communicating with an external Command-and-Control (C2) server, your primary focus should be on tunneled traffic.

Tunneled traffic is traffic in which one protocol or session is encapsulated inside another. Attackers routinely rely on such encapsulation to hide their C2 channel: they may carry commands and results inside ordinary-looking HTTP or HTTPS requests so the traffic blends in with normal web browsing, or use VPN tunnels, SSH port forwarding, or DNS tunneling, where data is smuggled in queries and responses. Focusing on tunneled traffic lets you look past the carrier protocol for the behavioural fingerprint of a beacon: regular, periodic connections from an internal host to a single unknown external server, usually with little variation in timing (often a fixed sleep interval plus a small amount of jitter). That periodicity is the most characteristic trait of C2 check-ins, regardless of which protocol the tunnel is built on.
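The following is an added example, not part of the original quiz explanation, showing how the periodicity heuristic described above can be applied to connection summaries. It assumes a simplified, Zeek-style record per connection (timestamp, source, destination, destination port, protocol); the sample records, the internal address ranges, and the thresholds are constructed for illustration and would be tuned to a real environment.

```python
"""Flag candidate C2 beacons by looking for periodic connections to a
single external destination.  Added example (not from the original page).

Assumptions: each record is "ts src dst dport proto", as in a trimmed
Zeek conn.log; INTERNAL_NETS lists the organisation's own ranges.
"""
from collections import defaultdict
from statistics import mean, pstdev
import ipaddress

# Internal ranges are configured explicitly rather than via
# ipaddress.is_private, because Python also treats the RFC 5737
# documentation ranges used in the constructed sample as "private".
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: 10.0.0.5 checks in with 203.0.113.7:443 roughly every
# 60 s (+/- 2 s jitter) while also browsing 198.51.100.20/21 irregularly.
SAMPLE_FLOWS = """\
1718200000 10.0.0.5 203.0.113.7 443 tcp
1718200012 10.0.0.5 198.51.100.20 443 tcp
1718200061 10.0.0.5 203.0.113.7 443 tcp
1718200070 10.0.0.5 198.51.100.21 80 tcp
1718200119 10.0.0.5 203.0.113.7 443 tcp
1718200180 10.0.0.5 203.0.113.7 443 tcp
1718200204 10.0.0.5 198.51.100.20 443 tcp
1718200239 10.0.0.5 203.0.113.7 443 tcp
1718200300 10.0.0.5 203.0.113.7 443 tcp
1718200333 10.0.0.5 198.51.100.21 80 tcp
1718200361 10.0.0.5 203.0.113.7 443 tcp
1718200420 10.0.0.5 203.0.113.7 443 tcp
1718200447 10.0.0.5 198.51.100.20 443 tcp
1718200479 10.0.0.5 203.0.113.7 443 tcp
1718200491 10.0.0.5 198.51.100.20 443 tcp
1718200540 10.0.0.5 203.0.113.7 443 tcp
"""


def parse_flows(text):
    """Parse 'ts src dst dport proto' lines into tuples, skipping blanks/comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append((float(ts), src, dst, int(dport), proto))
    return flows


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_beacons(flows, min_conns=5, max_cv=0.15):
    """Return outbound (src, dst, port, proto) groups whose inter-arrival
    times are regular enough to look like a beacon.

    Regularity is measured as the coefficient of variation (stdev / mean)
    of the gaps between successive connections; a fixed sleep with small
    jitter gives a CV near 0, while human browsing is far noisier.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, dport, proto in flows:
        if is_internal(src) and not is_internal(dst):   # outbound only
            by_pair[(src, dst, dport, proto)].append(ts)

    hits = []
    for (src, dst, dport, proto), times in by_pair.items():
        if len(times) < min_conns:          # too few samples to judge
            continue
        times.sort()
        intervals = [b - a for a, b in zip(times, times[1:])]
        period = mean(intervals)
        if period <= 0:                      # duplicate timestamps only
            continue
        cv = pstdev(intervals) / period
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "dport": dport, "proto": proto,
                         "count": len(times), "period_s": round(period, 1),
                         "jitter_cv": round(cv, 3)})
    hits.sort(key=lambda h: h["jitter_cv"])
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_flows(SAMPLE_FLOWS)):
        print(f"{hit['src']} -> {hit['dst']}:{hit['dport']}/{hit['proto']} "
              f"{hit['count']} conns, period {hit['period_s']}s, CV {hit['jitter_cv']}")
```

On the constructed sample only the 203.0.113.7:443 pair is reported (ten connections, 60 s period, CV about 0.02); the browsing destinations either have too few connections or far too much timing variance. In practice the same grouping works over HTTPS, DNS query, or SSH session logs, which is the point of focusing on the tunnel's rhythm rather than its carrier protocol; a real deployment would also whitelist known update and telemetry endpoints, which beacon legitimately.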

The other options are either too narrow or not directly indicative of C2 beaconing:

  • Cobalt Strike packets: Cobalt Strike is a threat emulation framework frequently abused by attackers, but its Beacon traffic is not a distinct protocol; it rides inside HTTP, HTTPS, DNS, or SMB, and is further disguised by malleable profiles. Without specific signatures you cannot single it out, and hunting for one tool would miss every other C2 framework.
  • IPsec packets: IPsec can carry malicious traffic, but IPsec packets are not in themselves indicative of C2 activity, since IPsec is widely used for legitimate site-to-site and remote-access VPNs.
  • IPv6 packets: Focusing solely on IPv6 is not useful without other context. IPv6 is a network-layer protocol, not an indicator of intent, and beaconing can occur over both IPv4 and IPv6.

For more Questions and Answers:

Threat Analysis Post-Assessment | CBROPS
