Cyber Kill Chain’s phases: Understanding the cycle of a cyber attack | Black Hat Ethical Hacking



Command and Control (C2): the direct line with the attacker

With a presence established in the compromised system, the attacker needs a communication channel to control the infected assets and send commands. The command and control (C2) phase establishes this connection between the compromised system and the infrastructure controlled by the attacker. This communication can occur over various protocols (HTTP, DNS, etc.) and is often obfuscated to avoid detection by firewalls and intrusion detection systems. The C2 channel allows the attacker to run commands, transfer files, and advance toward their goals.

Malware communicates with the attacker’s infrastructure to:

  • Receive commands
  • Send collected data
  • Update the malware

Typical channels: HTTP, HTTPS, DNS tunneling, C2 via Telegram or Discord
Objective: Maintain remote control of the compromised system.
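From the defender's side, the DNS tunneling channel listed above tends to show up as many unique, long, random-looking subdomains queried under one parent domain by a single client. The sketch below is an added example, not part of the original article; the log entries, the `tunnel-demo.test` domain, the thresholds and the "last two labels" parent-domain rule are all constructed assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log: (client_ip, queried_name). Not real traffic.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.7", "cdn.example.net"),
] + [
    ("10.0.0.9", f"{chunk}.t.tunnel-demo.test")
    for chunk in (
        "mzxw6ytboi2gk3tfmfzgs3thebxw4",
        "nbswy3dpeb3w64tmmqqho2lunbqxa",
        "orugs4zanfzsaylomqqgc3tforqxi",
        "ifbegrcfiztuqskknnwg23tpobyxe",
        "kn2hk5dfnz2ca3lpoj2gs3thebuxg",
    )
]


def shannon_entropy(s):
    """Bits per character; encoded payloads score higher than words like 'www'."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def suspected_tunnels(queries, min_len=20, min_entropy=3.5, min_unique=4):
    """Return {(client, parent_domain): unique suspicious names} above threshold.

    Assumption: the parent domain is the last two labels. A production
    detector would use the Public Suffix List and an allow-list for CDNs.
    """
    hits = defaultdict(set)
    for client, name in queries:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) < 3:
            continue  # no subdomain part to inspect
        parent = ".".join(labels[-2:])
        longest = max(labels[:-2], key=len)
        if len(longest) >= min_len and shannon_entropy(longest) >= min_entropy:
            hits[(client, parent)].add(name)
    return {k: len(v) for k, v in hits.items() if len(v) >= min_unique}


if __name__ == "__main__":
    for (client, parent), n in suspected_tunnels(SAMPLE_QUERIES).items():
        print(f"possible DNS tunneling: {client} -> *.{parent} ({n} unique names)")
```

Requiring several unique names per client and parent domain keeps a single long hostname from raising an alert on its own.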

 

Actions on Objectives: reaching the purpose of the attack

The final phase of the Cyber Kill Chain is where the attacker takes action to achieve their initial goals. These objectives may vary widely, including theft of confidential data (intellectual property, financial information, customer data), service interruption (denial-of-service attacks), extortion (ransomware), data destruction, or even espionage. The actions at this stage are the result of all previous steps and represent the final impact of the attack.

The attacker carries out their main intentions, such as:

  • Data theft (exfiltration)
  • File encryption (ransomware)
  • Sabotage or destruction of systems
  • Corporate espionage

Objective: Fulfill the final purpose of the attack, which can be financial, political, or strategic.

Based on this structure, I created an interactive map to better understand the topics above, representing as a graph the sequence of steps to be performed. It is shown below:

Figure 1: Interactive chart of the Cyber Kill Chain

(https://geovanidps.github.io/cyber-kill-chain/)

