Disrupting a network is one thing; maintaining access and controlling computers is another.
That second part requires creating backdoors, which have become vital parts of cyber-attack campaigns. In a new paper, researchers at Trend Micro have outlined some of the techniques backdoors use to enable attackers to connect to their command and control server and maintain control over their targets.
"Our investigations into various targeted attacks have shown that a wide variety of tactics are used by backdoors to carry out their routines, as well as remain undetected by network administrators and security products," blogged Dove Chiu, threat researcher at Trend Micro. "Over time, these techniques have evolved as more sophisticated defenses become available to network administrators. Initially, all that was needed for an attacker to connect to a compromised machine was an open TCP/IP port. However, as firewalls became more commonplace, other techniques became necessary. Techniques evolved so that it would be clients first connecting to servers, since blocking outbound traffic was, initially, less common."
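The shift Chiu describes, from backdoors listening on an open port to backdoors dialling out to their server, moves the defender's vantage point to egress traffic. The following is an added example, not code from Trend Micro or the paper: it scans a constructed, simplified firewall log and flags source/destination pairs whose outbound connections recur at near-constant intervals, the kind of regular check-in an automated backdoor produces.

```python
"""Beacon detection over constructed egress log lines (added example, not
Trend Micro's code). A backdoor that dials out to its C2 server bypasses
inbound firewall rules, so regular outbound check-ins are what to look for."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "timestamp src_ip dst_ip:dst_port action"
SAMPLE_LOG = """\
2014-10-01T09:00:00 10.0.0.5 203.0.113.9:443 ALLOW
2014-10-01T09:05:01 10.0.0.5 203.0.113.9:443 ALLOW
2014-10-01T09:10:00 10.0.0.5 203.0.113.9:443 ALLOW
2014-10-01T09:15:02 10.0.0.5 203.0.113.9:443 ALLOW
2014-10-01T09:20:00 10.0.0.5 203.0.113.9:443 ALLOW
2014-10-01T09:01:13 10.0.0.7 198.51.100.20:443 ALLOW
2014-10-01T09:04:40 10.0.0.7 198.51.100.20:443 ALLOW
2014-10-01T09:17:05 10.0.0.7 198.51.100.20:443 ALLOW
2014-10-01T09:30:00 10.0.0.7 198.51.100.20:443 ALLOW
"""

def parse_connections(text):
    """Group allowed outbound connection timestamps by (src_ip, destination)."""
    conns = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, action = line.split()
        if action == "ALLOW":
            conns[(src, dst)].append(datetime.fromisoformat(ts))
    return conns

def find_beacons(conns, min_hits=4, max_jitter=0.1):
    """Return (src, dst, mean_interval_s) for pairs whose connection gaps are
    near-constant; max_jitter is the stdev/mean threshold for 'regular'."""
    beacons = []
    for (src, dst), times in conns.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons.append((src, dst, round(avg)))
    return beacons

if __name__ == "__main__":
    for src, dst, interval in find_beacons(parse_connections(SAMPLE_LOG)):
        print(f"{src} -> {dst} checks in every ~{interval}s")
```

The second host's irregular gaps (a person browsing) fall outside the jitter threshold, while the first host's five-minute cadence is reported; real deployments tune `min_hits` and `max_jitter` against the network's own baseline.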