Breaking down the cyberattack lifecycle: Command & Control

Nicholas Koken
May 22, 2024

Cyberattacks are always serious, but they become especially dire once an attacker can fully control systems inside an organization. This “hands-on keyboard” access is the point where a quiet foothold turns into active operations against the network.

In this blog series, we’re detailing every stage of the cyberattack lifecycle, the techniques used in them, and how you can defend against them. Before this, we discussed how attackers establish persistence through Installation. Now, we’re diving into one of the most nefarious stages, Command & Control, or C2.

Taking control over key systems

Until now in the attack lifecycle, most of the attacker’s actions have been preparation. In C2, the adversary acts directly, albeit remotely, on an organization’s systems. Building on the credentials stolen and the backdoors planted in earlier stages, the attacker begins by establishing a remote connection to the infected systems. In practice that connection is almost always initiated outbound by the implant rather than inbound by the attacker, because most networks allow far more traffic out than in.

How do they remotely access systems?

Adversaries use several techniques to reach compromised systems from outside the organization, including:

  • Standard Internet Protocols: Attackers use standard protocols such as HTTP or HTTPS so that their C2 traffic blends in with ordinary web requests. With HTTPS the commands themselves are also encrypted, leaving only the destination and the traffic pattern visible to the network. Services listening on exposed ports can also be used as an inbound channel.
  • Peer-to-Peer (P2P) Networks: In a P2P design, infected hosts relay commands among themselves instead of each contacting one central server, so there is no single domain or address for defenders to block. The trade-off for the attacker is having to build and maintain that mesh of connections between their own devices and the infected ones.
  • Reverse SSH Tunneling: Attackers use reverse SSH tunneling to establish an encrypted channel from inside the compromised network to their own remote server. The infected machine initiates an outbound SSH connection to the attacker’s server, and a reverse port forward on that connection carries traffic back into the network. Because the connection is outbound and encrypted, it passes most inbound firewall rules and hides the attacker’s origin from the victim’s perimeter, making it difficult to detect and block.
  • Custom Protocols: Sophisticated attackers develop custom protocols, or custom encodings layered on top of standard ones, specifically designed to evade signature-based detection.

How do they use remote access?

With a channel in place, attackers can begin the Command & Control stage in earnest:

  • Remotely control systems: An established C2 channel lets attackers operate the system as if they were physically at the keyboard. They can pose as the system’s user, access that user’s resources, and take other actions in their name. It also lets them enlist the system in denial-of-service attacks, cryptomining, or other botnet activity.
  • Install additional malware: With remote control over a system, attackers can download more tools to deepen the compromise, set up a loader that re-fetches payloads on demand, or create additional persistence.
  • Steal data: Data is a primary target of many cyberattacks, and with hands-on-keyboard access the attacker can begin exfiltrating it. Some attackers simply copy the data to keep a version for later use; others steal it and delete the local copies so they can demand a ransom.
  • Move laterally: With one system under remote control, the attacker can often reach other systems on the network. The computer they initially compromised usually serves only as a stepping stone toward a larger objective, so they work their way through the organization until they reach that goal.

How can you stop C2 actions?

This stage of the cyberattack lifecycle poses a serious threat to organizations. Here are a few controls that help identify and address active C2 events:

  • Next-generation antivirus (NGAV) and endpoint detection and response (EDR): EDR/NGAV solutions detect and prevent common malicious indicators, including C2 activity such as known implant behaviour and suspicious outbound connections from unexpected processes. On a system that is already compromised, endpoint controls can still block or flag follow-on actions such as reading credential stores or downloading additional malware.
  • Network monitoring and access control: Network monitoring and access control add several defenses against C2. Outbound connections to unknown or newly seen domains, and traffic that repeats on a fixed interval the way an implant’s check-ins do, can be alerted on or blocked at the egress point. Network access control also limits lateral movement through microsegmentation, reducing the reach and impact of an attacker’s movements.
  • Security information and event management (SIEM): SIEM collects data from the technologies above and from other parts of the IT environment to show you when and where attackers are moving through the network. That correlated context is essential for investigations involving host compromise and potential C2 activity. Some SIEM solutions also feature automated response actions to streamline your handling of C2 events as they unfold.

Understanding command and control and its impact on an organization is crucial for protecting against and preventing attackers within the network. Leveraging multiple solutions in tandem creates layers of protection in a defense-in-depth approach that makes it difficult and laborious for attackers to achieve their final goals.

Keep reading our blog to learn about each stage in the cyberattack lifecycle, and how a defense-in-depth approach helps you to prevent and defend against these new and emerging threats.
