The Concept Of “Command And Control” Tactic
Lateral movement may enable access to a secured system, but that access is useless unless the adversary is able to exploit it to issue instructions to the secured system. Command and control is the process through which an adversary communicates with a secured system that has been illegally breached.
The primary prerequisite of a command and control system is that it enables the adversary to issue effective instructions to the system. This means that the technique should ensure that the secured system will do what the adversary commands it to do. The second prerequisite is that the technique allows the instructions to be delivered in a manner that cannot be easily detected. Detection of the adversary's instructions, which in most cases eventually occurs, will lead to the adversary being locked out of the system, and in some cases apprehended. Among the common command and control techniques is Connection Proxy, where the adversary issues instructions to the system while resembling a trusted party.
Connectivity is a fundamental element of a cyber-network that enables it to regularly connect with other networks, system administrators and external third parties such as service providers. For example, a company that runs an advanced system from Microsoft will often expect to get updates, advice, and notices from Microsoft. Under Connection Proxy, the adversary will disguise remote access so that it looks like traffic from another trusted network. As long as the access is assumed to come from a trusted network, the adversary will enjoy impunity in command and control. Data Obfuscation is another command and control (C2) technique, which can be defined as seeking to hide the adversary's instructions in a variety of ways.
It must be understood that at any one time, a complex cyber-network receives a very large volume of instructions coming from its various user nodes. These instructions are, however, authorized, while those of the adversary are not. To avoid detection and the consequences that come with it, the adversary will obfuscate the instructions using wily techniques such as adding massive amounts of junk data or applying steganography. In a system where a large volume of data is moving, it is hard enough to detect instructions that do not belong. It becomes that much harder if a form of smokescreen has been added to the instructions. There is also the more advanced Multilayer Encryption, which can be considered as an adversary using a form of CND (computer network defense) to command and control a system which has its own CND system.
The CND system will be calibrated to detect commands that do not belong, or that emanate from a source that is not authorized. The adversary can, however, use Multilayer Encryption so that the CND is unable to decrypt the instructions and recognize them as part of an attack. Without the ability to detect that an attack is taking place, the CND system will be hapless against the command and control instructions from the adversary.
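The two preceding paragraphs describe why Data Obfuscation and Multilayer Encryption frustrate a defender that inspects payload content: padding with junk data hides the statistical signature that encrypted commands otherwise carry. The following added example (written for this page, not code from the original text or from any real CND product) makes that concrete from the defender's side. It applies a simple content detector to three constructed payloads: a plaintext command is caught by a constructed signature, an encrypted command is caught by its high byte entropy, and the same encrypted command padded with junk drops below the entropy threshold and looks benign. It then shows a metadata check, inter-arrival regularity of connections, that still separates the constructed machine-like beacon from constructed human browsing. All payloads, signatures, timestamps and the thresholds 7.0 and 0.1 are assumptions chosen for illustration.

```python
import math
import random
import statistics
from collections import Counter

# Constructed signature tokens for the toy plaintext detector (not a real ruleset).
COMMAND_TOKENS = (b"cmd:", b"exfil:")
ENTROPY_THRESHOLD = 7.0   # bits/byte; uniformly random bytes approach 8.0
BEACON_CV_THRESHOLD = 0.1 # coefficient of variation below which timing is "too regular"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~7.8 for 1 KiB of random data, far lower for text or padding."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_payload(data: bytes, threshold: float = ENTROPY_THRESHOLD) -> str:
    """Content-only detector: signature match first, then an entropy heuristic for ciphertext."""
    if any(tok in data for tok in COMMAND_TOKENS):
        return "plaintext-command"
    if shannon_entropy(data) > threshold:
        return "high-entropy"
    return "benign-looking"


def is_periodic(timestamps: list[float], cv_threshold: float = BEACON_CV_THRESHOLD) -> bool:
    """Metadata check: flag connection times whose inter-arrival gaps are nearly constant."""
    if len(timestamps) < 3:
        return False
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    mean = statistics.mean(gaps)
    if mean <= 0:
        return False
    return statistics.pstdev(gaps) / mean < cv_threshold


# --- Constructed samples (no real traffic) ---
PLAIN_COMMAND = b"cmd:list_dir /tmp; exfil:/tmp/report.txt"
# Stand-in for ciphertext: seeded pseudo-random bytes, so the example is deterministic.
ENCRYPTED_COMMAND = random.Random(1).randbytes(1024)
# Data Obfuscation: the same ciphertext buried under a large run of junk bytes.
PADDED_COMMAND = ENCRYPTED_COMMAND + b"A" * 4096

BEACON_TIMES = [0.0, 60.0, 121.0, 179.0, 240.0, 301.0]   # implant checking in roughly every minute
USER_TIMES = [0.0, 5.0, 140.0, 150.0, 400.0]             # irregular, human-like browsing


def run_demo() -> dict:
    """Collect the detector verdicts so they can be inspected or asserted on."""
    return {
        "plain": classify_payload(PLAIN_COMMAND),
        "encrypted": classify_payload(ENCRYPTED_COMMAND),
        "padded": classify_payload(PADDED_COMMAND),       # evades the content detector
        "beacon_periodic": is_periodic(BEACON_TIMES),      # still caught by timing
        "user_periodic": is_periodic(USER_TIMES),
    }


if __name__ == "__main__":
    for name, data in (("plain", PLAIN_COMMAND), ("encrypted", ENCRYPTED_COMMAND), ("padded", PADDED_COMMAND)):
        print(f"{name:10s} entropy={shannon_entropy(data):.2f} verdict={classify_payload(data)}")
    for name, verdict in run_demo().items():
        print(f"{name}: {verdict}")
```

The padded payload carries exactly the same encrypted command as the unpadded one, yet the content heuristic clears it; that is the smokescreen effect the text describes. The timing check is one reason practitioners pair content inspection with connection metadata, since padding and encryption change what a message looks like but not when the implant has to talk.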