The processes and tools behind a true APT campaign: Command & Control

In this stage of the APT campaign, attackers have infiltrated the network and are beginning to work toward their endgame

This article is part of a series about APT campaigns. The other topics covered in this series are reconnaissance, weaponization and delivery, exploitation and installation, and exfiltration.

In part four of a series on understanding the processes and tools behind an APT-based incident, CSO examines the Command & Control phase, often referred to as C2. During this phase, the attacker(s) are on the network, and depending on their objectives, will start focusing on their endgame.

[Cybercriminals increasingly use the Tor network to control botnets, researchers say]

"The first 'phone home' activity will usually take place directly following infection, activity at this point will include establishing the channel and downloading further tools for local reconnaissance, credential theft and escalation of privileges," Rik Ferguson, the VP Security Research at Trend Micro, told CSO.

The attacker(s), having completed the reconnaissance, weaponization and delivery, and the exploitation and installation phases, has declared open season on your network. At this point it's worth asking the question; were you a victim of opportunity or directly targeted? The answer will determine the type of C2 you're dealing with.

As mentioned previously, passive attacks (or attacks of opportunity), are just that — passive. So when an endpoint has been compromised due to a drive-by download attack or malicious email attachment, the installation process is usually noisy. The key word here is usually, as many drive-by attacks use exploit kits, which require little user interaction, and can be rather silent.

To continue reading this article register now

Microsoft's very bad year for security: A timeline