What is Command and Control
Malicious network attacks have been on the rise in the last decade. One of the most damaging attacks, often executed over DNS, is accomplished through command and control, also known as C2 (or C&C). Since command-and-control attacks can compromise an entire network, it’s important to understand what they are and how they work.
Command and Control Definition
Command and control is defined as a technique used by threat actors to communicate with compromised devices over a network. C2 usually involves one or more covert channels, but depending on the attack, specific mechanisms can vary greatly. Attackers typically use these channels to deliver instructions to the compromised device in order to download additional malware, create botnets or exfiltrate data. According to the MITRE ATT&CK framework, there are over 16 different command-and-control techniques used by adversaries, including numerous subtechniques.
How C2 Works in Cybersecurity
An attacker will try to establish an initial foothold to infect the targeted machine. This can be done in a variety of ways, including:
Via a phishing email that tricks the user into following a link to a malicious website or opening an attachment that executes malicious code.
Through security holes in browser plugins or other malicious software.
Once the machine is successfully compromised, the threat actor will establish communication between the infected device and the malicious C2 server. It’s important to note that many attackers will try to blend C2 traffic with other types of legitimate traffic, such as HTTP/HTTPS or DNS, to avoid being detected.
Once communication is established, the infected machine sends a signal to the attacker’s server looking for further instructions. The attacker can then carry out a set of commands on the compromised device, including prompting the victim’s computer to search for vulnerabilities on other systems within the network. This allows the attacker to move laterally through the network and compromise the entire infrastructure, thereby creating a botnet – a network of infected machines to execute coordinated attacks.
Within the kill chain (coined by Lockheed Martin), also referred to as the attack lifecycle, command and control is one of the last stages, right before threat actors complete their objectives. This means that the attacker has already bypassed other security tools that may have been in place. Thus, it is critical for security professionals to quickly discover and prevent C2.
What Can Attackers Accomplish Through Command and Control?
- Malware delivery: With control of a compromised machine within a victim’s network, adversaries can trigger the download of additional malware.
- Data theft: Sensitive company data, such as financial documents, can be copied or transferred to an attacker’s server.
- Shutdown: An attacker can shut down one or several machines or even bring down a company’s network.
- Reboot: Infected computers may suddenly and repeatedly shut down and reboot, which can disrupt normal business operations.
- Defense evasion: Adversaries commonly attempt to mimic normal, expected traffic to avoid detection. Depending on the victim’s network structure and defenses, attackers will establish command and control with varying levels of stealth, evading security tools.
With the increase in the use of sophisticated automation tools traditionally used by enterprise security red teams, attackers are now able to customize and replicate the C2 malicious code, making it easier for bad actors to evade detection from security defenses. To learn more about stopping sophisticated attackers from establishing a C2 connection as well as other evasion techniques, read Palo Alto Networks Approach to Intrusion Prevention.