Leviathan: Command and Control Communications on Planet Earth

Presented at Black Hat USA 2014, Aug. 7, 2014, 10:15 a.m. (60 minutes)

Every day, computer network attackers leverage a Leviathan of compromised infrastructure, based in every corner of the globe, to play hide-and-seek with network security, law enforcement, and counterintelligence personnel.

This presentation draws a new map of Planet Earth, based not on traditional parameters, but on hacker command and control (C2) communications. The primary data points used in this worldwide cyber survey are more than 30 million malware callbacks to over 200 countries and territories over an 18-month period, from January 2013 to June 2014.

First, this talk covers the techniques that hackers use to communicate with compromised infrastructure across the globe. The authors analyze the domains, protocols, ports, and websites used for malicious C2. They explain how covert C2 works, and how attackers keep their communications hidden from network security personnel.

Second, this talk looks at strategic impact. The authors examine relationships between the targeted industries and countries and the first-stage malware servers communicating with them. Traffic analysis is used to deduce important relationships, patterns, and trends in the data. This section correlates C2 communications to traditional geopolitical conflicts and considers whether computer network activity can be used to predict real world events.

In conclusion, the authors consider the future of this Leviathan, including whether governments can subdue it and whether they would even want to.


  • Kevin Thompson - FireEye
    Kevin Thompson is a Threat Analyst for FireEye, Inc. He educates FireEye customers and partners on the latest cyber threats to their infrastructure. Before joining FireEye, Kevin worked as a cyber analyst for the Central Intelligence Agency in Washington DC. As an analyst, Kevin used digital exploitation and all source analysis to educate multiple agencies of the US Government on current and future cyber threats. Kevin's analytic work has been included in Presidential Daily Briefings and became a case study used in multiple training classes. Kevin has also presented at numerous technical workshops and cyber threat conferences around the Washington DC area.
  • Kenneth Geers - 2501
    Kenneth Geers (PhD, CISSP) is an analyst based in Kiev, Ukraine. Dr. Geers spent twenty years in the U.S. Government, with lengthy tours at NSA, NCIS, and NATO. Kenneth was the first U.S. Representative to the NATO Cooperative Cyber Defence Centre of Excellence in Estonia, and a Senior Global Threat Analyst at FireEye. He is the author of Strategic Cyber Security, Editor of The Virtual Battlefield: Perspectives on Cyber Warfare, Technical Expert for the Tallinn Manual on the International Law Applicable to Cyber Warfare, and author of more than twenty articles and chapters on cyber conflict. Follow him on Twitter @KennethGeers.


Similar Presentations: