惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

GbyAI
GbyAI
Cloudbric
Cloudbric
aimingoo的专栏
aimingoo的专栏
D
Docker
量子位
阮一峰的网络日志
阮一峰的网络日志
The GitHub Blog
The GitHub Blog
小众软件
小众软件
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
博客园 - Franky
S
Schneier on Security
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
T
Tor Project blog
Google Online Security Blog
Google Online Security Blog
T
Tenable Blog
C
Cyber Attacks, Cyber Crime and Cyber Security
I
InfoQ
罗磊的独立博客
P
Palo Alto Networks Blog
Security Latest
Security Latest
K
Kaspersky official blog
Apple Machine Learning Research
Apple Machine Learning Research
I
Intezer
C
Cybersecurity and Infrastructure Security Agency CISA
TaoSecurity Blog
TaoSecurity Blog
S
Security @ Cisco Blogs
Google DeepMind News
Google DeepMind News
W
WeLiveSecurity
Simon Willison's Weblog
Simon Willison's Weblog
V
V2EX
N
Netflix TechBlog - Medium
爱范儿
爱范儿
S
Secure Thoughts
S
Securelist
MyScale Blog
MyScale Blog
Webroot Blog
Webroot Blog
IT之家
IT之家
Cyberwarzone
Cyberwarzone
Martin Fowler
Martin Fowler
Project Zero
Project Zero
NISL@THU
NISL@THU
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
H
Hacker News: Front Page
H
Heimdal Security Blog
博客园_首页
V
Vulnerabilities – Threatpost
H
Hackread – Cybersecurity News, Data Breaches, AI and More
Recent Announcements
Recent Announcements
Blog — PlanetScale
Blog — PlanetScale
The Cloudflare Blog

Vectra AI Blog

Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Why You Need an NDR to Protect Your Modern Network Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI named in Gartner hype cycle for security operations 2025 Vectra AI Vectra AI How Sanofi Detected and Stopped a Cyberattack How MITRE ATLAS Helps Detect LLM Attacks in Cloud AI Detecting Iranian APT identity attacks across hybrid environments Vectra AI Vectra AI Vectra AI Breaking down the axios supply chain incident Vectra AI Vectra AI Who’s Doing What on Your Network? FortiClient EMS Zero-Day: When the Control Plane Becomes Initial Access Detecting Compromise After the Axios Supply Chain Attack. Vectra AI Vectra AI Vectra AI AI Is Now the Attack Surface: Why Your Security Stack Must Adapt Fast Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI How attackers use Brute Ratel (BRC4) Vectra AI Vectra AI Vectra AI The Cutting Edge: AI’s Inevitable Rise in Offensive Security Vectra AI Vectra AI Is AI the Right Tool to Defend Against Modern Cyberattacks? Vectra AI Vectra AI Vectra AI Turns Out Network Security Is Cool Again – and It’s Called NDR Vectra AI Vectra AI Vectra AI Choosing the Right NDR: Gartner’s 5 Questions Every Security Buyer Should Be Asking Vectra AI Vectra AI Named a Leader and Outperformer in the 2025 GigaOm Radar Report for Identity Threat Detection and Response (ITDR) Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI You Have the Right Tools. So Why Are Attackers Still Getting In? Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Challenges in Microsoft Log Monitoring: Insights for Your SOC Vectra AI Platform Visualizes Multi-domain Modern Attacks with Attack Graphs Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Gartner Security and Risk Conference – Chaos meets Opportunity Vectra AI Named a Leader and Outperformer in the 2025 GigaOm Radar Report for Network Detection and Response (NDR) Presenting the 2025 Vectra AI Scholars Simplify Threat Investigation and Hunting with Pre-built Queries in Vectra Investigate The 2025 Gartner® Magic Quadrant™ for Network Detection and Response (NDR) - Why Vectra AI Stands Tall Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI How Black Basta Turned Public Data into a Breach Playbook Play’s New Tactics Bypass Traditional Defenses. Are You Ready? Charting a New Era of Network Security: Vectra AI at the Forefront Unlocking Operational Efficiency: How Vectra AI Drives 40% Gains in SOC Performance and 391% ROI Identity-Centric Attacks: The New Reality for UK Retail CISA Flags Fast Flux as a National Threat: Are You Covered? AI Agents: What Do They Mean in Cybersecurity?
Why Modern C2 Detection Requires Behavioral Modeling, Not Decryption
Zoey Chu · 2026-06-08 · via Vectra AI Blog

Command and control is central to modern attacks. Once an attacker gains access to a system, they need a way to control it. That control depends on a compromised asset reaching back to attacker infrastructure, retrieving instructions, and carrying out actions. Command and control (C2) is what keeps the attack operational it runs from the start of the attack all the way to impact.

That is why command and control evasion matters so much.

Modern C2 frameworks are not simply encrypted channels carrying obviously malicious payloads. They are built so the communication itself look completely ordinary – like traffic to any normal website. A malleable profile configured to resemble a common web service does not reveal attacker intent once decrypted. The traffic can still look routine. The payload can still look ambiguous. The callback can still resemble normal application behavior.

This is why decryption does not work to find and stop modern attackers.

Decryption assumes that if defenders can read the traffic, they can identify the threat. That assumption breaks down against modern C2. Once decrypted, there is often no explicit signature that says “this is attacker control.” No obvious command. No clean payload marker. No clear point in the session where the traffic identifies itself as malicious. The attacker does not need the traffic to stay hidden. The attacker only needs it to avoid looking threatening.

That is the core problem. Decryption reveals contents, but modern C2 is built so the contents do not produce a reliable detection signal.

Domain reputation does not solve the problem either.

Attackers increasingly reuse reputable domains, leverage infrastructure with established history, or operate from public cloud environments where their traffic is buried among massive volumes of legitimate application activity. Rare domains are noisy signals, with potentially dozens of new external sites being contacted in an enterprise on a daily basis. Cloud IP space often has to be trusted because the business depends on it. As a result, destination-based trust is no longer a dependable way to identify command and control.

Modern C2 evasion attacks both assumptions at once.

Decryption does not work because there is no reliable payload signature.

Reputation does not work because there is no reliable destination signal.

How Sophisticated C2 Evasion Has Become

Frameworks have evolved their evasion beyond encryption and reputation measures.

Other tools network monitoring may focus on the signal of the regularity of a command and controls callback, e.g. a beacon. A compromised system would call home at predictable intervals, creating a rhythm that could identify. That rhythm can be useful because constant control creates repetition, and repetition creates signal.

However, there are two failure points with this approach.

Beacons themselves drive a lot of benign tools like the check-in of an EDR or an update of a stock ticker.  Triggering on every beacon can generate hundreds of alerts per-day in an enterprise.  With tricks like rarity only partially bring down the noise due again to the rarity of destinations combined with the potential suppressing threat signal when attackers use public IP spaces.

Second, modern attack frameworks now directly obfuscate this consistent signal – completely evading tools that look just for beacons.

Attack tools will vary callback timing.  They silence callbacks for periods of time. They break the consistency defenders have historically relied on while preserving the attacker’s ability to maintain control.

The Sliver framework is an example of the sophistication of evasion because its evasion is not limited to timing jitter. It also applies aggressive data jitter through mechanisms such as multi-layered URI rotation and  randomly selects an encoder from Sliver’s encoders to modify the appearance of transmitted data, which disrupt byte-count consistency across callbacks. In contrast to many frameworks where these evasions are optional, Sliver’s data jitter is always enabled and layered enough to break simpler beacon-based assumptions.

This matters because it removes one of the last obvious indicators defenders could still use after payload visibility and destination trust had already been weakened.

A simpler detection approach in the past could look for frequent callbacks, fixed timing, or repeated session patterns. Modern C2 is designed to break exactly those assumptions. What remains is not a clear beacon signature. It is a much weaker and more subtle pattern of control that only becomes visible over time.

And yet, even with all of this evasion, one thing does not change.

A C2 channel still exists to let an attacker control a system. That means the compromised system must continue reaching out to obtain instructions and maintain control. The infected asset initiates communication to a server controlled by the attacker.

Attackers can hide aspects of their activity but they cannot eliminate the need to control and the unique signal that control creates.

The Signal That Matters

The strongest signal in modern C2 is not the payload, the domain, or a single suspicious flow.

It is the statistical behavioral patterns of control as it appears over time.

When a command and control is used, there is a subtle inversion of control from standard traffic. It remains true even when payloads are ambiguous, destinations look reputable, and callback timing is heavily manipulated.

That signal is not visible to the naked eye. It does not show up in one packet or one transaction. It emerges across callback events and flows. It appears in the relationship between who is initiating communication, how that communication evolves, and how the control pattern persists even when the attacker changes surface characteristics.

This is why modern C2 detection is not an inspection problem. It is a modeling problem.

The challenge is not to decrypt more traffic. The challenge is to identify the underlying pattern of control that survives encryption, benign-looking profiles, reputable infrastructure, public cloud hosting, callback randomization, and silence.

How Vectra AI Solves the Problem with AI

Vectra AI is built to detect that deeper signal of control.

We do not rely on decryption to reveal attacker intent. We do not rely on domain reputation to tell us a destination is bad. We do not rely solely on a rigid notion of beacon regularity. Instead, Vectra AI focuses on the behavioral indicators of command and control that persist across time, regardless of how the attacker tries to disguise the channel.

That requires the right modeling approach.

To detect this subtle signal, Vectra AI built and deploys, in customer environments, a compact sequence model that combines an LSTM with a self-attention layer. The design borrows the most useful mechanism popularized by modern language models, attention, but keeps the architecture focused on sequential network behavior and compact enough to deploy directly on sensors.

The model was trained in two stages. First, it learned from large volumes of unlabeled network telemetry so it could understand the baseline structure of normal communications without depending entirely on hand-labeled examples. That pre-training step helped the model develop a representation of how benign traffic behaves over time. It was then fine-tuned with malicious C2 samples generated using automated attack lab infrastructure and real-world samples spanning the configuration and profile space of available tools and custom C2 frameworks, combined with benign traffic samples, so it could distinguish subtle control patterns that remain even when attackers randomize timing, vary payload size, rotate URIs, or otherwise try to break obvious beaconing signatures.

At over 6 million parameters, compared with roughly 110 million for a small BERT baseline, the model stays compact enough to run in customer environments, even ones that are air-gapped, while still capturing longer-range behavioral structure.

This matters because successful C2 detection is not about finding a static indicator in a payload or flagging a suspicious destination. It is about recognizing the behavioral shape of control that persists beneath those evasions.

Vectra AI detects modern C2 without depending on decryption, without relying on destination reputation, and without anchoring only on classic beaconing signals that modern attackers have deliberately weakened.

The proof of this approach is ultimately in its validation across our customer base, where it has surfaced countless real-world attacks and alerted on red team engagements that other tools were unable to detect because of these evasions, all without generating excessive noise that could bury the signal.

And that is only one part of the story.

No attack ends with a C2 channel. Command and control enables what comes next, reconnaissance, lateral movement, privilege escalation, persistence, data access and exfiltration, and cloud activity. Vectra AI extends this behavioral-based, AI-driven approach across those behaviors as well, correlating signals across techniques, across the network, identity and the cloud to expose and stop real attacks.

To learn more about Vectra’s Silver C2 take a look a deep dive here:

To start stopping encrypted threats in your environment get a demo.