C&C Communication

Malware can do very little damage to users on its own. To spread, avoid detection, and perform harmful activities like data and CPU theft, malicious code needs to connect to an external server. Cybercriminals use these external command and control (C&C) servers to send instructions, perform reconnaissance and exfiltrate sensitive user data. Communication with an external C&C server is the 6th of the seven stages in the Cyber Kill Chain developed by Lockheed Martin.

This means that devices can be infected with all types of dangerous malware, but as long as the service provider blocks it from connecting with its C&C puppet master, the user will be protected.

C&C Servers Funnel

How are Users Infected?

Initial malware infection can start in any number of ways, the most common being Phishing, email or chat, download from an infected website, app, or software.

Malicious Activity

Once a malware has infected the device it can start collecting information about the device and user (reconnaissance), attempt to reach other devices within the organization (lateral movements), then establish connection with the command and control server to receive its next set of instructions. In some instances, the malware will be used to hijack CPU for illegal bitcoin mining (crytpojacking), causing the device to run slowly, overheat, consume large amounts of electricity and shorten battery life. Others will search for sensitive data and send it out the C&C server to be used in further criminal
activity (data exfiltration). Cybercriminals also use C&C servers to build and coordinate large networks of compromised devices (botnets) into botnets that are used to launch other attacks in a dynamic and distributed manner that is very stealthy and difficult to defend against.

C&C Communication Scheme


While traditional client-based antivirus try to prevent and remove malware from devices, cybercriminals are able to easily evade detection, meaning almost every device will have some type of undetected malware infection. If the user is protected by Allot Secure, even if the device is infected, the malware communication with the C&C will be blocked, thwarting this crucial attack stage and preventing damage.

Allot Secure C&C Connection Blocks

During 2020 Allot Secure protected users in Europe from communicating with and sending
sensitive personal data to cybercriminal operated C&C servers 5,295,271 times.

Allot Secure C&C Connection Blocks: 2020, Europe
Allot Secure C&C Blocks Europe Chart


Protect Subscribers from Connection to C&C Servers with Allot Secure

Allot Secure allows CSPs to protect their subscribers from all types of cyberthreats by offering security as a service (SECaaS) from the network. Up-to-date threat intelligence and in-line anti-virus scanning protects users from connecting to C&C servers, malicious browser trackers, and all types of
malware, banking Trojans, crypto jacking, ransomware, and IoT specific attacks such as Mirai and its variants.

Allot Secure unifies network-based security, home, and business gateway security and security clients into the CSP’s own branded security service. It delivers a seamless customer experience through a single interface for policy setting, reporting, and event handling.

Security Layers CSP Interfaces

To learn more about how service providers can increase customer satisfaction, NPS, and ARPU by offering Allot Network Security Solutions, download the Telco Security Trends Report:

How Effective are CSP Security Services for the Mass Market?
or watch this video: How Allot NetworkSecure Works.