Pattern recognition is a technique that is used to tie known patterns from incoming data in order to classify the pattern, assuming the data coming in are full and accurate. Command and control (C2) is a backdoor technique that attackers use to maintain connection with a compromised machine. MITRE ATT&CK site has known command and control techniques like fast flux DNS dynamic resolution or ingress tool transfer which all has specific patterns. When you monitor and filter traffic on your network, you should be able to pick up on certain activities and tie them to specific techniques.
Beaconing is a malicious communication between command and control server and an infected host. It’s basically the malware letting the C2 server know that the host is still infected and the threat actor can continue to conduct operations. Beaconing is a sure tell sign of command and control. Collecting log files from many sources as possible is critical when you look for signs of command and control traffic. This is because command and control can be conducted over multiple means like DNS and social media. You should look for unusual patterns by logging and inspecting all packets to perform statistical analysis.
HansITAcademy 