Defenders may have a plan, but attackers have one, too: it’s called the cyber kill chain. The cyber kill chain is the order of operations by which a sophisticated cyber attack is launched, and it contains seven stages.
Command and control (C2) is the second-to-last stage, and it’s where the “rubber hits the road,” you could say. During the C2 stage, a threat actor has already achieved compromise and is now looking to establish further control so they can act on their objectives. But all is not lost: C2 still presents an opportunity to detect, disrupt, and remediate before the impact ramps up exponentially. Unfortunately, many don’t know how to do this, or lack the tools to do it well. In the real world, “almost” doesn’t count, and you end up with a breach on your hands.
In this blog, we’ll go over just what a command-and-control attack is, where it fits in the cyber kill chain, and what can be done to stop it — even while it’s currently in progress.
What Is Command and Control in Cybersecurity?
Command and control is the sixth stage of the seven-stage cyber-attack chain in which attackers remotely establish control of the victim’s systems via malicious C2 commands.
Also referred to as C2 and C&C, the command-and-control stage is what cybercriminals have been working hard to achieve since step one: reconnaissance. At this point, the attacker has already made their way past other defenses (successfully, at that) and is getting ready to complete their objectives: exfiltrating data, encrypting information, launching a ransomware attack, and more.
Where C2 Falls in the Attack Chain
As the sixth phase in this attack chain, the purpose of command and control is to establish backdoors and provide attackers with the kind of hands-on access they need to progress towards their ultimate objectives. This step accomplishes that by establishing open communication channels between the victim’s servers and the cybercriminals themselves. Cybersecurity defenses identify command-and-control activity as part of a defense-in-depth strategy, so you can identify post-compromise activity, disrupt the attack sequence, and eject the threat actor from your environment.
The Anatomy of the Command-and-Control Stage
While less granular, the cyber kill chain does complement the more technical MITRE ATT&CK framework in explaining tactical adversarial behavior. For example, according to MITRE ATT&CK, there are at least 18 different C2 techniques adversaries can implement. They include:
1. Application layer protocol
2. Communication via removable media
3. Content injection
4. Data encoding
5. Data obfuscation
6. Dynamic resolution
7. Encrypted channel
8. Fallback channels
9. Hide infrastructure
10. Ingress tool transfer
11. Multi-stage channels
12. Non-application layer protocol
13. Non-standard port
14. Protocol tunneling
15. Proxy
16. Remote access software
17. Traffic signaling
18. Web service
In addition, there are three different command and control attack architectures:
1. Centralized architecture: The classic client/server scenario in which all victimized computers communicate with a single malicious host machine.
2. Peer-to-peer architecture: Infected computers send messages to each other. This is typically a plan B in case the central server goes down, undermining the attack.
3. Random architecture: Infected computers are pinged by a host of random malicious machines, making this one very difficult to detect.
By leveraging these techniques, threat actors communicate with victim systems for the purpose of:
- Compromising data traffic channels
- Delivering additional payloads (Ingress Tool Transfer)
- Enabling lateral movement
- Elevating privileges
- Exfiltrating data and gathering information
Fortra Breaks the Cyber Kill Chain by Disrupting C2 Behaviors
Because a single IP sending out C2 commands can be easy to detect, attackers rely on load balancers, redirectors, proxies, encryption, obfuscation, and dynamic DNS services to disguise their malicious traffic. This essentially makes catching an attack at the command-and-control stage equivalent to winning a game of hide and seek. Not all tools are adapted to win this game, but these advanced solutions from Fortra are:
- Fortra Vulnerability Management (VM) includes network mapping to identify open and unused ports which could be used for C2 communications.
- Fortra Extended Detection and Response (XDR) includes intrusion detection systems (IDS) for network traffic analysis (NTA) to identify malicious and suspicious connections and command-and-control beacons, with automated containment actions to block malicious traffic at the network perimeter.
- Fortra Core Impact, Cobalt Strike, and Outflank Security Tooling can simulate advanced adversaries in red teaming exercises, including C2 techniques, so you can validate and improve your security controls.
- Fortra security consulting service offerings can perform penetration tests and other red team exercises on your behalf to validate controls and advise on tactical and strategic improvement.
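The beacon detection that network traffic analysis relies on, shown as an added example that is not Fortra’s code: the script below groups connections by source and destination and flags flows whose connection intervals and payload sizes are unusually regular, the timing signature a periodic C2 beacon leaves even when the channel itself is encrypted. The log format and all addresses are constructed for the example.

```python
"""Beacon-style C2 detection over connection logs (added example, not Fortra code)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample flow log (hypothetical format): "timestamp src dst:port bytes".
# 10.0.0.5 checks in roughly every 60 s with near-identical sizes; 10.0.0.7 is ordinary browsing.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 203.0.113.9:443 512
2024-05-01T10:01:00 10.0.0.5 203.0.113.9:443 520
2024-05-01T10:02:01 10.0.0.5 203.0.113.9:443 515
2024-05-01T10:03:00 10.0.0.5 203.0.113.9:443 508
2024-05-01T10:04:01 10.0.0.5 203.0.113.9:443 511
2024-05-01T10:05:00 10.0.0.5 203.0.113.9:443 519
2024-05-01T10:00:12 10.0.0.7 198.51.100.4:443 3050
2024-05-01T10:00:45 10.0.0.7 198.51.100.4:443 12400
2024-05-01T10:03:30 10.0.0.7 198.51.100.4:443 770
2024-05-01T10:09:02 10.0.0.7 198.51.100.4:443 45000
2024-05-01T10:15:40 10.0.0.7 198.51.100.4:443 2210
2024-05-01T10:16:00 10.0.0.7 198.51.100.4:443 980
"""

def parse_log(text):
    """Group (timestamp, bytes) events by (src, dst:port) flow key."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, size = line.split()
            flows[(src, dst)].append((datetime.fromisoformat(ts), int(size)))
    return flows

def beacon_score(events):
    """Return (interval_cv, size_cv); low coefficients of variation mean regular beaconing."""
    events = sorted(events)
    if len(events) < 4:
        return None  # too few connections to judge periodicity
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
    sizes = [s for _, s in events]
    if mean(gaps) == 0 or mean(sizes) == 0:
        return None
    return pstdev(gaps) / mean(gaps), pstdev(sizes) / mean(sizes)

def find_beacons(text, max_interval_cv=0.2, max_size_cv=0.2):
    """Flag flows whose timing and size regularity look like a C2 beacon."""
    hits = []
    for key, events in parse_log(text).items():
        score = beacon_score(events)
        if score and score[0] <= max_interval_cv and score[1] <= max_size_cv:
            hits.append((key, round(score[0], 3), round(score[1], 3)))
    return hits
```

Real beacons add jitter to defeat exactly this check, so the thresholds are a starting point to tune against baseline traffic rather than fixed rules.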