Modern computer usage has seen an ever-increasing use of the Internet. More and more business is being conducted on or over the Internet, communication via the Internet is the norm for many transactions, and many people now socialise via sites on the Internet. This is generally seen as a beneficial progression of technology; however, any progress can be used negatively as well as positively, and so the Internet is also used as a conduit for malware and crime.
BotNets are familiar to many users as a network of infected machines that are controlled for the purposes of sending spam and other attacks. More complex and long-lived malware with more specific goals has recently emerged as the major threat to many organisations, often referred to as Advanced Persistent Threats (APTs). BotNets, APTs and other prolonged attacks require further instruction and remote control to be successful, including information such as where to attack or which machines to collect information from. This prolonged control requires some form of communication channel over which commands and results can be sent. This is known as a Command and Control (C2) channel. In addition to this channel, APT attacks will often have a data exfiltration channel that may or may not use the same mechanism as the C2 channel.
The documents below describe the threats to the networked world that we live in, concentrating particularly on the C2 channel of malware and APTs. They describe what C2 achieves, how C2 works, how C2 can be defended against, and examples of C2 channels that we have seen in the wild. This information is available as:
A detailed report
, including findings and recommendations to improve defence beyond the Council on CyberSecurity’s Top 20 Critical Controls
explaining how C2 is established and used, and how it can be detected and disrupted
QinetiQ would like to acknowledge the help and support of CPNI in producing this Command and Control document and the accompanying material.