Which technique is used to detect Command-and-Control (C2) traffic by examining network behavior such as beaconing, unusual DNS queries, connections to new domains, or anomalous User-Agents?


Multiple Choice


Explanation:
C2 activity is detected by analyzing network traffic for patterns like beaconing, unusual DNS queries, connections to new domains, and anomalous User-Agents. This approach, network traffic analysis, focuses on how devices communicate over the network and flags behavior that deviates from normal baselines, which is where covert C2 channels tend to show up. Other security activities, such as vulnerability scanning, endpoint hardening, or security awareness training, address different layers of security (finding weaknesses, reducing attack surfaces on endpoints, or guiding user behavior) without directly monitoring and interpreting live network communications for C2 indicators.
