This article is part of a series on understanding the processes and tools behind an APT-based incident. CSO examines the Command & Control phase, often referred to as C2. During this phase, the attacker(s) are on the network, and depending on their objectives, will start focusing on their endgame. At this point it’s worth asking the question; were you a victim of opportunity or directly targeted? The answer will determine the type of C2 you’re dealing with.”]