A command-and-control server (C2) is a server used by attackers to remotely control malware on compromised systems. Through the C2 channel, malware receives commands and exfiltrates stolen data.
In an ISMS, detecting C2 communication is part of the requirements under ISO 27001 Annex A controls A.8.16 (Monitoring Activities) and A.8.20 (Network Security). Typical detection approaches include DNS monitoring (unusual domains, DNS tunneling), network traffic analysis (beaconing patterns, encrypted connections to unknown endpoints), and threat intelligence feeds with known C2 infrastructure. Modern C2 frameworks such as Cobalt Strike or Sliver use encrypted channels over HTTPS or DNS, making detection more challenging.