by peter

Command and Control Explained

Risk

Risk Rating: MEDIUM
Likelihood: 2/5
Impact: 4/5

Causes

  • Weak attack surface
  • Externally available internal vulnerabilities
  • Lack of monitoring

Command and Control Overview

The first known takedown of a country’s power grid due to a cyberattack happened on December 23, 2015. Wired recounts the hack in vivid detail. At about 3:30 p.m. local time, a worker inside the Prykarpattyaoblenergo control center saw his mouse’s cursor move across the screen. The ghostly cursor floated toward the digital controls of the circuit breakers at a substation, and began taking them offline. Almost 30 substations subsequently went down, and 230,000 residents were forced to spend a cold evening in the dark in Western Ukraine, with a blistering low of 30 degrees Fahrenheit.

What you need to know about Command and Control attacks

A command and control attack is when a hacker takes over a computer in order to send commands or malware to other systems on the network. In some cases, the attacker performs reconnaissance activities, moving laterally across the network to gather sensitive data. In other attacks, hackers may use this infrastructure to launch actual attacks. One of the most important functions of this infrastructure is to establish servers that will communicate with implants on compromised endpoints. These attacks are often referred to as C2 or C&C attacks.

Defending against these attacks requires good knowledge of your attack surface and of who your organisation does business with. Follow these simple steps to reduce the likelihood of a successful attack:

  1. Implement regional blacklists and block countries that you would not expect to have traffic from.
  2. Ensure your Security Team or your Security Operations Center has full visibility of your internal and external environments and can detect command and control servers.
  3. Conduct annual Cyber Security Testing and include Cyber Attack Simulations (at least every couple of years, if not annually).
  4. Run monthly vulnerability assessments AND fix the issues identified.
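
Steps 1 and 2 can be checked against outbound flow logs. The sketch below is an added example, not part of the original article: it flags destinations outside the regions you expect and connections that repeat at near-constant intervals, a common heuristic for implant check-ins. The log format, the prefix-to-region table (a stand-in for a GeoIP lookup), the region codes and the thresholds are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

# Constructed mapping: documentation prefixes to made-up region codes (GeoIP stand-in).
REGION_BY_PREFIX = {"192.0.2.0/24": "AA", "198.51.100.0/24": "BB", "203.0.113.0/24": "CC"}
EXPECTED_REGIONS = {"AA"}  # assumption: the only region this organisation trades with

# Constructed outbound flow log: epoch_seconds src_ip dst_ip dst_port
SAMPLE_LOG = """\
1000 10.0.0.5 203.0.113.7 443
1010 10.0.0.8 192.0.2.10 443
1025 10.0.0.8 192.0.2.10 443
1300 10.0.0.5 203.0.113.7 443
1400 10.0.0.8 192.0.2.10 443
1500 10.0.0.9 198.51.100.20 53
1602 10.0.0.5 203.0.113.7 443
1899 10.0.0.5 203.0.113.7 443
2201 10.0.0.5 203.0.113.7 443
2300 10.0.0.8 192.0.2.10 443
"""

def region_of(ip):
    """Return the region code for an address, or '??' if no prefix matches."""
    addr = ipaddress.ip_address(ip)
    return next((r for net, r in REGION_BY_PREFIX.items()
                 if addr in ipaddress.ip_network(net)), "??")

def analyse(log, min_events=4, max_jitter=0.1):
    """Return (flows to unexpected regions, [(flow, mean interval)] beacon candidates)."""
    times = defaultdict(list)
    for line in log.strip().splitlines():
        ts, src, dst, port = line.split()
        times[(src, dst, int(port))].append(int(ts))
    unexpected, beacons = [], []
    for key, stamps in sorted(times.items()):
        if region_of(key[1]) not in EXPECTED_REGIONS:
            unexpected.append(key)
        if len(stamps) < min_events:
            continue  # too few connections to judge regularity
        s = sorted(stamps)
        gaps = [b - a for a, b in zip(s, s[1:])]
        avg = mean(gaps)
        # Low spread relative to the mean gap means machine-like, regular check-ins.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons.append((key, round(avg)))
    return unexpected, beacons

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

A flow that appears in both results, such as the constructed 10.0.0.5 entry here, is the one to triage first.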

How the attack happens

Most bad actors will get a foothold in the system through phishing emails and the installation of malware. This establishes a command and control channel that’s used to proxy data between the compromised endpoint and the attacker. These channels relay commands to the compromised endpoint and the output of those commands back to the attacker.

Command and Control Attack Sources

There have been prominent command and control attacks originating from Russia, Iran and even the U.K. and the U.S. (THINK: Did you apply regional block lists to your firewalls?) These attackers can come from anywhere and everywhere, but they don’t want you to know that. Since communication is critical, hackers use techniques designed to hide the true nature of their correspondence. They’ll often try to log their activities for as long as possible without being detected, relying on a variety of techniques to communicate over these channels while maintaining a low profile.