Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.(Citation: Wikipedia OSI) Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
ICMP communication between hosts is one example.(Citation: Cisco Synful Knock Evolution) Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts.(Citation: Microsoft ICMP) However, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| intel-tdt | Intel Threat Detection Technology | CrowdStrike AMS | T1095 | Non-Application Layer Protocol |
Comments
Intel Threat Detection Technology (TDT), combined with CrowdStrike Falcon Accelerated Memory Scanning (CAMS), enhances cybersecurity defenses by enabling faster, real-time detection of non-application layer protocol attacks. This integrated solution strengthens CrowdStrike Falcon, improving its ability to detect and mitigate cyber threats earlier in the kill chain, all while minimizing system performance impact.
Non-application layer protocol attacks involve adversaries exploiting lower-level protocols (such as TCP, UDP, ICMP, or others) to interact directly with network services, bypassing the traditional application layer defenses. These attacks are often used for network reconnaissance, denial-of-service (DoS), or to exploit vulnerabilities in network infrastructure, without interacting with application-level protocols like HTTP, HTTPS, or FTP. Intel TDT plays a crucial role in identifying these threats by providing real-time telemetry on program execution, memory access, and control flow, enabling rapid detection of abnormal behaviors that could indicate malicious activity in these non-application layer protocols.
Additionally, CAMS offloads the performance-intensive task of memory scanning from the CPU to the Intel Integrated GPU, ensuring faster, more efficient detection of malicious activity without impacting system performance. CAMS helps identify suspicious behaviors such as unauthorized network interactions, unusual traffic patterns, or attempts to exploit vulnerabilities in non-application layer protocols, providing proactive defense against these low-level network-based attacks.
References
|