Which two state... (CnC) phase in the cyber kill chain model?

Which two statements are true regarding the command-and-control (CnC) phase in the cyber kill chain model? (Choose two.)

CnC is the process of the external threat actor beaconing inbound connection to secure servers or hosts in an organization to establish a communication channel.
CnC is the process of the exploited hosts beaconing outbound or out of the network to an Internet-based controller to establish a communications channel.
Once CnC is established with the exploited target, threat actors have access to the target system and ultimately the entire network itself.
APT malware and most other forms of implants do not require manual interaction with the target to begin the process of data exfiltration or other reconnaissance actions that are external to the outside network.

Explanation & Hint:

Among the statements provided about the Command-and-Control (CnC) phase in the Cyber Kill Chain model, the two true statements are:

“CnC is the process of the exploited hosts beaconing outbound or out of the network to an Internet-based controller to establish a communications channel.” – This statement is true. In the Command-and-Control phase, compromised systems typically reach out (beacon) to an attacker-controlled server over the internet. This establishes a communication channel that the attacker can use to control the compromised system and potentially issue further commands or extract data.
“Once CnC is established with the exploited target, threat actors have access to the target system and ultimately the entire network itself.” – This statement is also true. Establishing a Command-and-Control channel allows threat actors to interact with the compromised system, execute commands, and potentially move laterally within the network to gain broader access.

The other statements are not entirely accurate:

“CnC is the process of the external threat actor beaconing inbound connection to secure servers or hosts in an organization to establish a communication channel.” – This statement is misleading. While inbound connections can occur in some scenarios, the more typical pattern in CnC is for the compromised host to initiate outbound connections to the attacker’s server.
“APT malware and most other forms of implants do not require manual interaction with the target to begin the process of data exfiltration or other reconnaissance actions that are external to the outside network.” – This statement is somewhat misleading. While it’s true that many forms of APT (Advanced Persistent Threat) malware can operate autonomously to some extent, they often still require some level of initial direction or ongoing interaction from the attacker, especially for complex tasks like targeted data exfiltration or specific reconnaissance actions. The level of manual interaction can vary greatly depending on the sophistication of the malware and the objectives of the attack.