After breaking in, what do "lateral movement", "command & control", and "internal reconnaissance" mean in the attack chain?
Lateral movement = spreading to more systems; C2 = the attacker's remote-control channel; internal recon = mapping the network from inside.
Once inside, the attacker doesn't immediately detonate ransomware. They work methodically:
- Command & Control (C2): the compromised host phones home to the attacker's C2 server, giving remote control and a path to download tools.
- Internal reconnaissance: map the internal network — find domain controllers, file servers, the backup server, where the valuable data lives.
- Lateral movement: use stolen credentials/exploits to hop from the first foothold to more systems (especially toward the datacenter and domain controllers).
Why this "dwell time" matters: the gap between intrusion and encryption is the defender's opportunity — detect the C2 traffic or the recon/lateral movement and you can stop the attack before the ransomware fires. This is the whole rationale for EDR and network monitoring.
Tip: Attackers specifically hunt the backup system during recon — destroying or encrypting backups first is what forces victims to pay.