Most threats need to connect to an environment outside the organisation, where they can communicate with their operators (threat actors) in order to receive instructions, exfiltrate information, and so on. These communications are generally not made directly to the actors' own final environments, but to intermediate servers that control the compromised hosts, centralise the information and perform the necessary actions. These servers are known as Command and Control, C&C or C2 servers.
It is important to note that these C2 servers do not use a single method of communicating with the "agents" they control: they rely on different protocols and encryption algorithms, and even on legitimate applications, in order to communicate without drawing the attention of compromised users or security teams.
Identifying whether there are connections at your organisation's perimeter whose origin or destination is a server catalogued as C2 is one way of detecting compromises in your environment. For this you need a knowledge base fed by services that specialise in compiling indicators of compromise (IOCs): lists against which you can review the connections in your environment and look for matches.
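As an added example (not code from the original article), the matching described above in its simplest form: perimeter connection records are checked against a constructed IOC list, and any connection whose source or destination is listed, by IP address, CIDR range or domain (including subdomains), is flagged. All addresses, domains and log lines below are constructed placeholders, not real indicators.

```python
import ipaddress
from typing import Dict, List

# Constructed C2 indicator list (placeholder values from documentation ranges,
# not real IOCs); in practice this is fed from a threat-intelligence service.
C2_IOCS = {
    "ips": {"203.0.113.45"},
    "cidrs": [ipaddress.ip_network("198.51.100.0/24")],
    "domains": {"c2-example.invalid"},
}

# Constructed perimeter log: timestamp src_ip dst_ip dst_port host_or_sni ("-" if none)
SAMPLE_LOG = """\
2024-01-01T10:00:00Z 10.0.0.5 192.0.2.10 443 example.com
2024-01-01T10:00:05Z 10.0.0.7 203.0.113.45 8443 -
2024-01-01T10:00:09Z 10.0.0.9 198.51.100.77 443 beacon.c2-example.invalid
2024-01-01T10:00:12Z 203.0.113.45 10.0.0.12 22 -
"""

def parse_line(line: str) -> Dict[str, str]:
    ts, src, dst, port, host = line.split()
    return {"ts": ts, "src": src, "dst": dst, "port": port, "host": host}

def domain_matches(host: str, domains) -> bool:
    # Exact match or any subdomain of a listed C2 domain.
    if host == "-":
        return False
    return any(host == d or host.endswith("." + d) for d in domains)

def ip_matches(ip: str, iocs) -> bool:
    if ip in iocs["ips"]:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in iocs["cidrs"])

def find_c2_matches(log_text: str, iocs=C2_IOCS) -> List[Dict]:
    """Return every record whose origin or destination matches an IOC, with the reasons."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        reasons = []
        if ip_matches(rec["src"], iocs):
            reasons.append("src_ip")
        if ip_matches(rec["dst"], iocs):
            reasons.append("dst_ip")
        if domain_matches(rec["host"], iocs["domains"]):
            reasons.append("domain")
        if reasons:
            hits.append({**rec, "reasons": reasons})
    return hits

if __name__ == "__main__":
    for hit in find_c2_matches(SAMPLE_LOG):
        print(hit["ts"], hit["src"], "->", hit["dst"], hit["reasons"])
```

A match on the source address (last sample line) is as relevant as one on the destination, since the page's check covers both directions of the connection.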