How to Spot C2 Traffic on Your Network

Jul 30, 2021

Attackers often hide their command and control (C2) activity using techniques like encryption, tunneling in noisy traffic like DNS, or domain generation algorithms to evade blacklists.

Reliably spotting C2 traffic requires a comprehensive network security monitoring capability, such as the open source Zeek platform, that transforms packets into connection-linked protocol logs analysts can use to make fast sense of traffic. Corelight’s commercial NDR solutions generate this Zeek network evidence and also provide dozens of proprietary C2 insights and detections.

Tune into this webcast for technical demonstrations of how security analysts can use Zeek logs and Corelight insights to identify dozens of C2 techniques in their environment.
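The two evasion techniques named above, tunneling inside noisy DNS and domain generation algorithms, both leave measurable traces in Zeek's dns.log. As an added example (not code from Corelight, Zeek, or the webcast), the script below parses a handful of constructed dns.log lines in Zeek's tab-separated layout and applies two simple hunting heuristics: per source host and registered domain, many unique high-entropy, long subdomains (a tunneling signature); and per source host, many distinct high-entropy domains with a high NXDOMAIN rate (a DGA signature). The sample lines, the reduced set of dns.log columns, the "last two labels" approximation of a registered domain (a real deployment would use a public-suffix list), and the thresholds are all assumptions chosen for illustration.

```python
import math
from collections import defaultdict

# Constructed sample in Zeek's tab-separated log layout. Only a subset of the
# real dns.log columns is included; the column names match Zeek's.
# 10.0.0.5: ordinary lookups; 10.0.0.7: DGA-like NXDOMAIN burst;
# 10.0.0.9: long encoded subdomains under one domain (tunneling-like).
SAMPLE_DNS_LOG = """#fields\tts\tuid\tid.orig_h\tid.resp_h\tquery\tqtype_name\trcode_name
1627600001.1\tCa1\t10.0.0.5\t10.0.0.2\twww.example.com\tA\tNOERROR
1627600002.2\tCa2\t10.0.0.5\t10.0.0.2\tmail.example.com\tA\tNOERROR
1627600003.3\tCa3\t10.0.0.5\t10.0.0.2\tcdn.example.org\tAAAA\tNOERROR
1627600010.1\tCb1\t10.0.0.7\t10.0.0.2\txk3j9q2lwn8zvt.com\tA\tNXDOMAIN
1627600010.2\tCb2\t10.0.0.7\t10.0.0.2\tq8v2mz7lk1pwrs.net\tA\tNXDOMAIN
1627600010.3\tCb3\t10.0.0.7\t10.0.0.2\tz1r4kd9mx6plqa.org\tA\tNXDOMAIN
1627600010.4\tCb4\t10.0.0.7\t10.0.0.2\tb7n2ws5vkq0ehj.com\tA\tNXDOMAIN
1627600010.5\tCb5\t10.0.0.7\t10.0.0.2\th4yp8cq1tzm3xg.info\tA\tNOERROR
1627600020.1\tCc1\t10.0.0.9\t10.0.0.2\tgezdgnbvgy3tqojq.t.example.net\tTXT\tNOERROR
1627600020.2\tCc2\t10.0.0.9\t10.0.0.2\tmfrggzdfmztwq2lk.t.example.net\tTXT\tNOERROR
1627600020.3\tCc3\t10.0.0.9\t10.0.0.2\tnbswy3dpfqqho33snrscc.t.example.net\tTXT\tNOERROR
1627600020.4\tCc4\t10.0.0.9\t10.0.0.2\tonswg4tfor4gq3lfmzrgkzjv.t.example.net\tTXT\tNOERROR
1627600020.5\tCc5\t10.0.0.9\t10.0.0.2\tpfxgc43fmy2gkylpmj2wwnzv.t.example.net\tTXT\tNOERROR
#close\t2021-07-30-00-00-00
"""


def parse_zeek_tsv(text):
    """Parse Zeek's TSV log format: '#fields' names the columns, other '#' lines are metadata."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            records.append(dict(zip(fields, line.split("\t"))))
    return records


def shannon_entropy(s):
    """Bits of entropy per character; encoded or generated labels score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_query(query):
    """Split a query into (subdomain, registered domain).
    Assumption: registered domain = last two labels (no public-suffix list here)."""
    labels = query.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return "", query.lower()
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def find_tunneling_candidates(records, min_queries=4, min_entropy=3.0, min_sub_len=16):
    """Flag (source host, registered domain) pairs with many unique, long, high-entropy subdomains."""
    groups = defaultdict(set)
    for r in records:
        sub, reg = split_query(r["query"])
        if sub:
            groups[(r["id.orig_h"], reg)].add(sub)
    findings = []
    for (host, reg), subs in sorted(groups.items()):
        if len(subs) < min_queries:
            continue
        mean_entropy = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        mean_len = sum(len(s) for s in subs) / len(subs)
        if mean_entropy >= min_entropy and mean_len >= min_sub_len:
            findings.append({"orig_h": host, "domain": reg, "unique_subdomains": len(subs),
                             "mean_entropy": round(mean_entropy, 2), "mean_len": round(mean_len, 1)})
    return findings


def find_dga_candidates(records, min_domains=4, min_nx_ratio=0.6, min_entropy=3.0):
    """Flag source hosts querying many distinct high-entropy domains that mostly do not resolve."""
    per_host = defaultdict(list)
    for r in records:
        per_host[r["id.orig_h"]].append(r)
    findings = []
    for host, rs in sorted(per_host.items()):
        domains = {split_query(r["query"])[1] for r in rs}
        if len(domains) < min_domains:
            continue
        nx_ratio = sum(1 for r in rs if r["rcode_name"] == "NXDOMAIN") / len(rs)
        mean_entropy = sum(shannon_entropy(d.split(".")[0]) for d in domains) / len(domains)
        if nx_ratio >= min_nx_ratio and mean_entropy >= min_entropy:
            findings.append({"orig_h": host, "distinct_domains": len(domains),
                             "nxdomain_ratio": round(nx_ratio, 2), "mean_entropy": round(mean_entropy, 2)})
    return findings


if __name__ == "__main__":
    recs = parse_zeek_tsv(SAMPLE_DNS_LOG)
    print("tunneling candidates:", find_tunneling_candidates(recs))
    print("DGA candidates:", find_dga_candidates(recs))
```

On the constructed sample, only 10.0.0.9/example.net is reported as a tunneling candidate and only 10.0.0.7 as a DGA candidate; the benign host trips neither rule because its query count per domain is low and its labels are dictionary words. In practice these heuristics are a starting point for hunting rather than a verdict: legitimate CDNs and anti-spam services also emit long machine-generated labels, so the thresholds need tuning against your own baseline and the hits are best enriched with Zeek's conn.log (byte counts, connection frequency) before escalating.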

Vince Stoffer, Sr. Director of Product Management, Corelight

Vince Stoffer is Sr. Director of Product Management at Corelight. He previously held security engineering and network management positions at Lawrence Berkeley National Laboratory and, before that, served as a network security engineer at Reed College. Vince holds the CISSP, GCIH and GCIA certifications.

Matt Bromiley, SANS Instructor

Matt Bromiley is a principal incident response consultant at a top digital forensics and incident response (DFIR) firm, where he assists clients with incident response, digital forensics, and litigation support. He also serves as a GIAC Advisory Board member, a subject-matter expert for SANS Security Awareness, and a technical writer for the SANS Analyst Program. Matt brings his passion for digital forensics to the classroom as a SANS Instructor for FOR508: Advanced Incident Response, Threat Hunting and Digital Forensics, and FOR572: Advanced Network Forensics, where he focuses on providing students with implementable tools and concepts.