In the Cyber Kill Chain, the command and control (C2) stage is a critical phase where attackers establish communication channels and control mechanisms to manage compromised systems or devices within the target network.
What is Command and Control (C2)?
Command and control (C2) in the context of cybersecurity refers to the stage in a cyber attack where attackers establish a centralized infrastructure to communicate with and control compromised systems or devices within a targeted network.
Attackers Activities in Command and Control Stage
Establish Communication: Attackers set up communication channels, often using covert or encrypted methods, to connect with compromised devices.
Remote Control: Once established, these communication channels enable attackers to remotely control and manage the compromised systems.
Commands Issuance: Attackers issue commands to the compromised devices, instructing them to perform specific actions such as data exfiltration, launching attacks, or further exploration of the network.
Maintain Persistence: The C2 stage is crucial for maintaining persistence, allowing attackers to sustain control over compromised systems over an extended period.
Why is command and control useful to attackers?
Remote Control: C2 enables attackers to remotely control compromised systems from a distance, providing them with flexibility and avoiding direct physical presence near the target.
Coordination of Compromised Devices: C2 allows attackers to manage and coordinate a network of compromised devices (botnet) efficiently. This centralized approach streamlines the execution of coordinated actions across multiple systems.
Execution of Commands: Attackers can issue commands to compromised systems based on their objectives, whether it's data exfiltration, further reconnaissance, or launching additional attacks. This flexibility enhances the adaptability of the attack.
Persistence: The C2 infrastructure helps attackers maintain persistence within the compromised network over an extended period. By regularly communicating with compromised systems, attackers can ensure continued access and control.
Evasion and Stealth: C2 often involves using covert or encrypted communication channels, making it challenging for traditional security measures to detect and block the malicious traffic. This enhances the stealthiness of the attack.
Adaptability: If security measures detect and block one C2 channel, attackers can adapt by using alternative channels or modifying their tactics, techniques, and procedures (TTPs). This adaptability makes it challenging for defenders to completely thwart C2 activities.
Information Gathering: C2 allows attackers to conduct ongoing reconnaissance activities within the compromised network, gathering valuable information that can be used to identify additional targets or vulnerabilities.
Scaling Attacks: For attacks involving a large number of compromised systems (such as DDoS attacks), C2 is essential for orchestrating and synchronizing the actions of the entire botnet.
Exploiting Compromised Resources: C2 facilitates the exploitation of compromised resources for various purposes, including leveraging computational power for cryptocurrency mining or using compromised devices in further cybercriminal activities.