LOGBOOK

HELP

Quiz Entry - updated: 2026.05.28

After breaking in, what do "lateral movement", "command & control", and "internal reconnaissance" mean in the attack chain?

Lateral movement = spreading to more systems; C2 = the attacker's remote-control channel; internal recon = mapping the network from inside.

Once inside, the attacker doesn't immediately detonate ransomware. They work methodically:

  • Command & Control (C2): the compromised host phones home to the attacker's C2 server, giving remote control and a path to download tools.
  • Internal reconnaissance: map the internal network — find domain controllers, file servers, the backup server, where the valuable data lives.
  • Lateral movement: use stolen credentials/exploits to hop from the first foothold to more systems (especially toward the datacenter and domain controllers).

Why this "dwell time" matters: the gap between intrusion and encryption is the defender's opportunity — detect the C2 traffic or the recon/lateral movement and you can stop the attack before the ransomware fires. This is the whole rationale for EDR and network monitoring.

Tip: Attackers specifically hunt the backup system during recon — destroying or encrypting backups first is what forces victims to pay.

From Quiz: ISF / Foundations, Key Terms & Ransomware | Updated: May 28, 2026