What Are Command and Control (C&C) Attacks?

Bart Lenaerts-Bergmans - July 20, 2023

Command and control definition

C&C (also known as C2) is a method that cybercriminals use to communicate with compromised devices within a target company’s network.

In a C&C attack, an attacker uses a server to send commands to — and receive data from — computers compromised by malware. This server is also known as a C2 or C&C server. The attacker can use the server to perform various malicious actions on the target network, such as data discovery, malware spreading, or denial of service attacks. The server can also serve as the headquarters for a botnet, which is a network of infected devices. C&C communication is a critical step in the process of carrying out an attack on a network or offering malicious services to other actors.

Some attackers use existing cloud-based services to hide C&C servers and avoid detection. One or more communication channels can exist between a victim’s PC or an organization and the platform that a hacker controls. The attacker uses these communication channels to transfer instructions to the compromised devices. DNS is a widely used communication medium for C&C attack communications.

2023 Global Threat Report

Uncover notable themes, trends and events across the cyber threat landscape by downloading our 2023 Global Threat Report.

Download Now

How do C&C attacks work?

A C&C attack is carefully crafted by cybercriminals and can be segmented into the following stages:

1. Point of entry

The adversary launches an attack to penetrate the target network by delivering malware. Some of the most common malware delivery methods include phishing emails, drive-by downloads, unauthorized access via stolen credentials, and vulnerability exploits. If the attack is successful, the adversary moves on to the next stage.

2. Establishing the C&C connection

After a backdoor opens the target network to infiltration, the attacker uses C&C channels to instruct and control the compromised machines and malware in the network.

3. Lateral movement and persistence

Once inside the network, the attacker compromises additional machines to harvest credentials, escalate privilege levels, and maintain persistent control over the compromised network.

4. Data discovery

The perpetrator employs several techniques to identify valuable servers and systems that contain high-value data.

5. Data exfiltration

Once the data is gathered, the cybercriminal funnels the stolen data to an internal staging server where it is chunked, compressed and often encrypted and then transmitted to external locations.

Learn More

Read this article to learn more in-depth what data exfiltration is and how to prevent it. What Is Data Exfiltration?

Types of C&C attacks

Once the perpetrator establishes a C&C connection, they can sequentially execute multiple attacks. Here are some examples:

TypeDescription
BotnetsThe term botnet is coined from the words “robot” and “network.” A botnet is a network of computers infected with malware that is controlled by a bot herder (a human) who operates the botnet infrastructure and uses the compromised computers to launch other attacks. Typically, botnets are joined by shared C&C infrastructure.
RansomwareRansomware is a type of malware attack that encrypts a victim's data and prevents access until a ransom payment is made. Ransomware attackers often use social engineering techniques, such as phishing, to gain access to a victim's environment.
Advanced Persistent Threat (APT)An advanced persistent threat is a sophisticated, sustained cyberattack where an intruder establishes an undetected presence in a network to steal sensitive data over a prolonged period of time. An APT attack is carefully planned and designed to infiltrate a specific organization, evade existing security measures, and fly under the radar.
Distributed-Denial-of-Service (DDoS) AttackA DDoS attack is a cyberattack that attempts to interrupt a server or network by flooding it with fake internet traffic, preventing user access and disrupting operations.

C&C attacks in cyber espionage

Cyber espionage is primarily used as a means to gather sensitive or classified data, trade secrets, or other forms of intellectual property (IP) the perpetrator can use to create a geopolitical advantage, gain a competitive edge, or sell for monetary gain. In some cases, the C&C-initiated breach is simply intended to cause reputational harm to the victim by exposing classified information or questionable business practices.

Cyber espionage attacks may also be deployed in conjunction with military operations or as an act of cyber terrorism or cyber warfare. The impact of cyber espionage, particularly when it is part of a broader military or political campaign, can lead to disruption of public services and infrastructure and loss of life.

Regardless of the method used to gain a point of entry into a victim’s organization, in most cases cyber espionage attacks rely on establishing a C&C connection to steal confidential or secret data.

Detection and prevention

When executing C&C attacks, cybercriminals show a good deal of innovation. C&C attacks use “low and slow” techniques that can bypass traditional security tools because each individual action that makes up the larger threat is too small to detect. Such assaults are intended to operate over a longer period of time, and they blend in with genuine traffic by minimizing interruptions to any data transfer or connection levels.

Because C&C attacks can easily go undetected, it can require extensive resources to monitor an organization’s system for unauthorized activity. Organizations need a strong detection and prevention system that provides the ability to reliably answer these critical questions:

  1. Is there C&C activity in my network?
  2. Is it a common botnet or a possible targeted attack?
  3. How risky is it?
  4. Who controls it, and where are they located?
  5. Will my security tools immediately block and remediate the C&C attack, or do I need to manually address the risk?

Signs of a C&C attack

Given the pivotal role of C&C communications in the final stages of an attack, proactively detecting malicious C&C traffic is an essential element in exposing this unauthorized activity. Indeed, most high-profile targeted attacks could have been discovered if security defenders had kept their eyes on malicious network communications.

Organizations can look out for malicious network communications by inspecting network packets and examining them for any types of C&C configuration patterns, such as the following:

  • Known C&C URL paths
  • Potential malicious domains or common look-alike domain names
  • Suspicious packet headers
  • Suspicious network communications
  • Unusual ports and protocols

These consistent signs of a C&C attack provide an opportunity for organizations to check if ongoing cyberattack campaigns exist in their network. Though changes to a campaign’s network communications are not unheard of, a campaign’s C&C network traffic patterns are more difficult to modify than the servers, domains, or malware a threat actor uses.

Safeguarding against C&C attacks

Organizations should take proactive steps to ensure they can detect C&C activities by using security tools that provide the following capabilities:

Scan and filter all traffic

Because C&C channels frequently mix in with valid domain name system (DNS) data, inspecting incoming and outgoing traffic is essential for detecting suspicious activities such as unlawful network traffic encryption (often used in DNS tunneling operations) and traffic to unfamiliar servers.

Monitor for suspicious behavior

Abnormalities in traffic might indicate an infected workstation or malware activity. You’ll also want to ensure your tool’s suspicious activity monitoring features can detect attempts to transfer large data files from your systems.

Scan systems with endpoint protection software

By using battle-tested endpoint protection — ideally endpoint detection and response (EDR) — you can discover and eradicate malware activities from your host computers. Doing so deletes the virus that would be used to communicate with C&C servers, which impedes the covert route of communication.

Learn More

Explore this article to learn what considerations you should take when choosing the right EDR solution for your business. Endpoint Detection and Response (EDR): Choosing the right solution

C&C attack consequences

Regardless of the approach an adversary uses to establish an entry point into an organization, an opened channel for C&C communication will invariably result in a data breach if the attack goes undetected. As a result, C&C attacks can have far-reaching and negative impacts on the target victims.

A successful C&C attack that leads to a data breach will drain a company’s resources and increase the cost of conducting business. Such an attack can even create a ripple effect that can bankrupt companies and put them out of business.

According to the Ponemon Institute’s Cost of a a Data Breach 2022 Report, the average cost of a data breach is expected to reach $5 million USD in 2023. The costs of a data breach might include paying a ransom, lost revenue from interrupted business operations, incident response expenses, legal fees, and regulatory fines.

CrowdStrike’s solution

Endpoint protection technology is the first line of defense against threats like malware and C&C attacks. CrowdStrike’s endpoint protection solution activates in minutes and offers 24/7 coverage that makes it easy for small and medium-sized businesses (SMBs) to get leading-edge protection without complexity.

The CrowdStrike Falcon® platform stops breaches with a unified cybersecurity platform that uncovers hands-on-keyboard adversary activity across the entire MITRE ATT&CK® framework, from the initial access stage and command and control all the way to exfiltration.

Learn More

Affordable and easy to manage protection against advanced attacks that traditional antivirus miss. Get Started With CrowdStrike Falcon® Go

GET TO KNOW THE AUTHOR

Bart is Senior Product Marketing Manager of Threat Intelligence at CrowdStrike and holds +20 years of experience in threat monitoring, detection and intelligence. After starting his career as a network security operations analyst at a Belgian financial organization, Bart moved to the US East Coast to join multiple cybersecurity companies including 3Com/Tippingpoint, RSA Security, Symantec, McAfee, Venafi and FireEye-Mandiant, holding both product management, as well as product marketing roles.