Newsletter Series: The Cybersecurity Kill Chain
Month 6: Phase 6 – Command-and-Control: The Attacker Takes the Wheel

Once attackers have successfully installed their tools, the next step in the Cybersecurity Kill Chain is establishing Command and Control (C2) - a channel that lets them communicate with the compromised system. Think of it as a remote control for your network, and the attackers are now steering from afar.

What is Command and Control?

Command and Control is the bridge between the attacker and their victim. It allows the attacker to:

  • Issue commands
  • Exfiltrate data
  • Deploy additional malware
  • Update or remove existing payloads
  • Move laterally to other systems

C2 traffic often tries to hide in plain sight – disguised as normal HTTPS traffic, DNS lookups, or even within email messages. Some advanced threats use encrypted channels, social media or legitimate cloud services to avoid detection.

Real-World Example:

The SolarWinds Orion attack is a prime case. After compromising the update mechanism, attackers used stealthy C2 traffic to manage malware across thousands of victims, including government and Fortune 500 organizations. The C2 communications blended in with legitimate network activity, avoiding detection for months.

How Can Small Businesses Mitigate C2 Threats?

  • Monitor Outbound Traffic: Most C2 traffic is outbound, so watch for unusual patterns, destinations or ports.
  • Use DNS Filtering: Block access to known malicious domains and use services that detect suspicious DNS queries.
  • Deploy Network Segmentation: Isolate critical systems so attackers can’t easily move around.
  • Enable EDR and XDR Tools: These solutions detect behavioral anomalies that often accompany C2 activity.
  • Train Employees to Spot Phishing: Many C2 connections begin with successful phishing attempts.
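As an added illustration (not part of the newsletter), the following Python script applies the outbound and DNS monitoring advice above to a constructed DNS query log. It flags a domain that is queried with many random-looking subdomains at a fixed interval, two traits that often accompany C2 beaconing and DNS tunneling. The thresholds, the sample log, and the "registered domain equals the last two labels" rule are simplifying assumptions, not a production detection rule.

```python
import math
from collections import defaultdict
from datetime import datetime

# Constructed sample log, format "<ISO timestamp> <client IP> <queried name>" (not real traffic).
SAMPLE_LOG = """\
2024-05-01T09:00:00 10.0.0.5 www.example.com
2024-05-01T09:00:10 10.0.0.5 k3j9x0qz7.updates-cdn.test
2024-05-01T09:00:20 10.0.0.5 p8m2vq41a.updates-cdn.test
2024-05-01T09:00:30 10.0.0.5 z0rt5w8lb.updates-cdn.test
2024-05-01T09:00:40 10.0.0.5 f4nq7y2xc.updates-cdn.test
2024-05-01T09:01:15 10.0.0.5 mail.example.com
2024-05-01T09:02:00 10.0.0.5 www.example.com
"""

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; machine-generated labels score higher than words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parse_log(text: str):
    """Turn log lines into (timestamp, client, lowercase name) tuples."""
    records = []
    for line in text.splitlines():
        ts, client, name = line.split()
        records.append((datetime.fromisoformat(ts), client, name.lower()))
    return records

def registered_domain(name: str) -> str:
    # Assumption: the last two labels are the registered domain (no public-suffix list here).
    return ".".join(name.split(".")[-2:])

def find_suspicious_domains(records, min_queries=4, min_entropy=3.0, max_jitter=2.0):
    """Flag domains with many distinct high-entropy subdomains queried at a steady interval."""
    by_domain = defaultdict(list)
    for ts, _client, name in records:
        by_domain[registered_domain(name)].append((ts, name))
    findings = {}
    for domain, hits in by_domain.items():
        if len(hits) < min_queries:
            continue
        hits.sort()
        subs = {n[: -len(domain) - 1] for _, n in hits if n != domain}
        avg_entropy = sum(shannon_entropy(s) for s in subs) / max(len(subs), 1)
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        jitter = max(gaps) - min(gaps)  # beacons keep a near-constant interval
        if len(subs) >= min_queries and avg_entropy >= min_entropy and jitter <= max_jitter:
            findings[domain] = {"unique_subdomains": len(subs),
                                "avg_entropy": round(avg_entropy, 2), "interval_s": gaps[0]}
    return findings
```

Real DNS logs would need a public-suffix list and per-client baselines, but the same two signals (label entropy and interval regularity) are what DNS filtering and EDR products look for.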

Key Takeaway:

The Command and Control phase is where attackers begin actively controlling your environment. Detecting and disrupting this channel is essential to limiting damage and stopping data exfiltration before it happens.

Next month:

Actions on Objectives - the attacker’s endgame and how you can stop them before they reach it.

NetCenter Technologies
Empowering Businesses Through Cybersecurity