
Defenders may have a plan, but attackers have one, too: it’s called the cyber kill chain. The cyber kill chain is the order of operations by which a sophisticated cyber attack is launched, and it contains seven stages.
Command and control (C2) is the second-to-last stage, and it’s where, you could say, the “rubber hits the road.” During the C2 stage, a threat actor has already achieved compromise and is now looking to establish further control so they can act on their objectives. But all is not lost: C2 still presents an opportunity to detect, disrupt, and remediate before the impact ramps up exponentially. Unfortunately, many don’t know how to do this, or lack the tools to do it well. In the real world, “almost” doesn’t count, and you end up with a breach on your hands.
In this blog, we’ll go over just what a command and control attack is, where it fits in the cyber kill chain, and what can be done to stop it — even while it’s currently in progress.
What Is Command and Control (C2) in Cybersecurity?
Command and control is the sixth stage of the seven-stage cyber attack chain in which attackers remotely establish control of the victim’s systems via malicious C2 commands.
Also referred to as C2 and C&C, the command and control stage is what cybercriminals have been working hard to achieve since step one: reconnaissance. At this point, the attacker has already made their way past other defenses (successfully, at that) and is getting ready to complete their objectives: exfiltrating data, encrypting information, launching a ransomware attack, and more.
Where C2 Falls in the Attack Chain
Now, let’s drill down into specifics. The cyber kill chain, or attack chain, comprises seven steps:
Command and Control
As the sixth phase in this attack chain, the purpose of command and control is to establish backdoors and provide attackers with the kind of hands-on access they need to progress towards their ultimate objectives. This step accomplishes that by establishing open communication channels between the victim’s servers and the cybercriminals themselves. Cybersecurity defenses identify command and control activity as part of a defense-in-depth strategy, so you can identify post-compromise activity, disrupt the attack sequence, and eject the threat actor from your environment.
The Anatomy of the Command and Control Stage
While not as specific, the cyber kill chain does complement the more technical MITRE ATT&CK framework in explaining tactical adversarial behavior. For example, according to MITRE ATT&CK, there are at least 18 different C2 techniques adversaries can implement. They include:
Application layer protocol
Communication via removable media
Content injection
Data encoding
Data obfuscation
Dynamic resolution
Encrypted channel
Fallback channels
Hide infrastructure
Ingress tool transfer
Multi-stage channels
Non-application layer protocol
Non-standard port
Protocol tunneling
Proxy
Remote access software
Traffic signaling
Web service
In addition, there are three different command and control attack architectures:
Centralized architecture: The classic client/server scenario in which all victimized computers communicate with a single malicious host machine.
Peer-to-peer architecture: Each infected computer sends messages to each other. This is typically a plan B in case the central server goes down, undermining the attack.
Random architecture: Infected computers are pinged by a host of random malicious machines, making this one very difficult to detect.
By leveraging these techniques, threat actors communicate with victim systems for the purpose of:
Compromising data traffic channels
Delivering additional payloads (Ingress Tool Transfer)
Enabling lateral movement
Elevating privileges
Exfiltrating data and gathering information
And more.
Fortra Breaks the Cyber Kill Chain by Disrupting C2 Behaviors
Because a single IP sending out C2 commands can be easy to detect, attackers rely on load balancers, redirectors, proxies, encryption, obfuscation, and dynamic DNS services to disguise their malicious traffic. This essentially makes catching an attack at the command and control stage equivalent to winning a game of hide and seek. Not all tools are adapted to win this game, but these advanced solutions from Fortra are.
Fortra Vulnerability Management (VM) includes network mapping to identify open and unused ports which could be used for C2 communications.
Fortra Extended Detection and Response (XDR) includes intrusion detection systems (IDS) for network traffic analysis (NTA) to identify malicious and suspicious connections and command and control beacons, with automated containment actions to block malicious traffic at the network perimeter.
Fortra Core Impact, Cobalt Strike, and Outflank Security Tooling can simulate advanced adversaries in red teaming exercises, including C2 techniques, so you can validate and improve your security controls.
Fortra security consulting service offerings can perform penetration tests and other red team exercises on your behalf to validate controls and advise on tactical and strategic improvement.
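The network traffic analysis described above looks for the timing signature of a C2 beacon: an implant that checks in with its server at a near-constant interval. The following is an added example of that check, not Fortra’s code; it runs over constructed connection log lines, and its thresholds and log format are assumptions.

```python
"""Beacon-periodicity check over constructed connection logs (added example,
not Fortra's code). Flags (src, dst) pairs whose outbound connections recur
at a near-constant interval, the timing signature of a C2 beacon."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample lines, "timestamp src dst:port bytes"; not real traffic.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 203.0.113.9:443 512
2024-05-01T10:00:12 10.0.0.7 198.51.100.20:443 40211
2024-05-01T10:01:00 10.0.0.5 203.0.113.9:443 530
2024-05-01T10:02:01 10.0.0.5 203.0.113.9:443 508
2024-05-01T10:03:00 10.0.0.5 203.0.113.9:443 515
2024-05-01T10:03:59 10.0.0.5 203.0.113.9:443 522
2024-05-01T10:05:00 10.0.0.5 203.0.113.9:443 519
2024-05-01T10:07:31 10.0.0.7 198.51.100.20:443 9800
"""

MIN_CONNECTIONS = 5      # assumed threshold: fewer samples give no stable interval
MAX_JITTER_RATIO = 0.15  # assumed threshold: pstdev/mean of gaps; beacons sit well below

def parse_log(text):
    """Group connection timestamps by (src, dst:port)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, _size = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows

def beacon_score(timestamps):
    """Return (mean gap in seconds, jitter ratio) for one flow's timestamps."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    return m, (pstdev(gaps) / m if m else float("inf"))

def find_beacons(text, min_conn=MIN_CONNECTIONS, max_jitter=MAX_JITTER_RATIO):
    """Return flows whose gaps are regular enough to look like beaconing."""
    hits = []
    for (src, dst), times in parse_log(text).items():
        if len(times) < min_conn:
            continue          # a handful of connections is not a pattern
        interval, jitter = beacon_score(times)
        if jitter <= max_jitter:
            hits.append({"src": src, "dst": dst,
                         "interval_s": round(interval), "jitter": round(jitter, 3)})
    return hits

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

Only the host checking in every 60 seconds is flagged; the bursty, irregular browsing from 10.0.0.7 is not. Real implants add randomized sleep jitter to defeat exactly this test, so in practice the jitter threshold is tuned per environment and combined with the other signals the post lists (dynamic DNS, non-standard ports, proxies).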
Want to learn more?
Start at the beginning and master the basics: What Is the Cyber Attack Chain?