How would you hunt for C2 beaconing in network telemetry?
Short answer
C2 beaconing is the periodic check-in an implant makes to its controller. Hunt for it in network/proxy/DNS telemetry by looking for regularity: connections to a destination at near-fixed intervals (even with jitter), small uniform request sizes, low data-in/data-out ratios, long-lived rare destinations, and suspicious TLS/JA3 fingerprints or odd user-agents. The signal is the rhythm and the rarity of the destination, not the payload — which is usually encrypted.
After an attacker lands an implant, it needs to phone home for instructions. That recurring check-in — beaconing — has a rhythm, and rhythm is detectable even when the traffic itself is encrypted.
Detect the pattern, not the payload
Modern C2 rides HTTPS, DNS, or other common protocols and encrypts its content, so deep packet inspection of the payload usually fails. Hunt the behaviour instead.
Features that betray a beacon
- Interval regularity — connections to the same destination at near-constant intervals (every 60s, every hour). Plot the time deltas; a tight distribution screams automation.
- Jitter — attackers randomize the interval to defeat naive periodicity checks. Account for it: even jittered beacons cluster around a mean far tighter than human browsing.
- Data ratios and sizes — small, uniform requests with low data-in/data-out ratios suggest polling, not human use.
- Destination rarity and age — a host that only one or two internal machines ever contact, recently registered domains, or hosting-provider IPs.
- Fingerprints — JA3/JA3S TLS fingerprints and odd or hardcoded user-agents can match known frameworks like Cobalt Strike.
Putting it together
No single feature is conclusive — beaconing detection stacks them. Aggregate per source/destination pair over a window, score on regularity plus rarity plus ratio, and surface the top candidates for analyst review. Confirmed patterns become detections mapped to T1071/TA0011.
Why this matters
Senior interviewers want to hear "I detect the rhythm and rarity, not the payload," plus awareness of jitter and fingerprinting. Candidates who reach for payload inspection of encrypted C2 reveal a gap.
Likely follow-ups
- What is jitter, and how do attackers use it to evade beacon detection?
- How does a JA3 fingerprint help spot a known C2 framework?
- Why is the data-in/data-out ratio a useful feature for beaconing?