Profile 'outbound' traffic data:
- how much data is sent?
- who usually sends the data?
- where are we sending the data (IP, Port)?
- when is it usually sent?
Some outliers can be:
- 24/7 outbound connections (keep an eye on these)
- Unauthorized C2 or VPN connections
- Malicious insider activity
Dashboards are a good starting point. With flow data you can build a 'Top Level Domain (TLD) Dashboard' and look for the following traffic patterns:
- High Bandwidth TLD
- Low Level TLD
- Top 10 TLD By Bandwidth
- Top 10 Second Level Domain by Bandwidth
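As an added example (not part of the original post), the script below takes a handful of constructed flow records and answers the four profiling questions (how much, who, where, when), builds the TLD and second-level-domain bandwidth views, and flags source/destination pairs that are active every hour of the day. The record layout, IPs and domains are assumptions for illustration, not a real flow-export format.

```python
from collections import Counter

# Constructed sample flow records (assumed layout), one tuple per flow:
# (hour_of_day, src_ip, dst_ip, dst_port, bytes_out, dst_domain)
FLOWS = [
    (9, "10.0.0.5", "93.184.216.34", 443, 120_000, "www.example.com"),
    (10, "10.0.0.5", "93.184.216.34", 443, 80_000, "www.example.com"),
    (11, "10.0.0.7", "93.184.216.34", 443, 40_000, "static.example.com"),
    (14, "10.0.0.7", "203.0.113.20", 443, 15_000, "cdn.example.org"),
    (15, "10.0.0.8", "198.51.100.9", 22, 5_000, "git.example.net"),
]
# One host talks to the same destination every hour: tiny byte counts, but it
# never stops. That is the "24/7 outbound connection" outlier, invisible in a
# bandwidth-only view.
FLOWS += [(h, "10.0.0.9", "203.0.113.10", 8443, 400, "beacon.example.net") for h in range(24)]

def domain_levels(domain):
    """Return (tld, second_level_domain), e.g. ('com', 'example.com').
    Naive split on dots; real data needs the public suffix list for 'co.uk'-style TLDs."""
    labels = domain.lower().rstrip(".").split(".")
    tld = labels[-1]
    sld = ".".join(labels[-2:]) if len(labels) >= 2 else tld
    return tld, sld

def top_by_bytes(flows, key, n=10):
    """Sum bytes_out per key(flow) and return the n largest as (key, bytes) pairs."""
    totals = Counter()
    for flow in flows:
        totals[key(flow)] += flow[4]
    return totals.most_common(n)

def always_on_pairs(flows, hours_required=24):
    """(src_ip, dst_ip, dst_port) triples seen in at least hours_required distinct hours."""
    hours_seen = {}
    for hour, src, dst, port, _bytes, _domain in flows:
        hours_seen.setdefault((src, dst, port), set()).add(hour)
    return sorted(k for k, hours in hours_seen.items() if len(hours) >= hours_required)

def profile_outbound(flows):
    """The four profiling questions plus the TLD / second-level-domain dashboard views."""
    return {
        "total_bytes": sum(f[4] for f in flows),                           # how much
        "top_senders": top_by_bytes(flows, lambda f: f[1]),                # who sends
        "top_destinations": top_by_bytes(flows, lambda f: (f[2], f[3])),   # where (IP, port)
        "bytes_by_hour": top_by_bytes(flows, lambda f: f[0], n=24),        # when (busiest hours first)
        "top_tld": top_by_bytes(flows, lambda f: domain_levels(f[5])[0]),
        "top_sld": top_by_bytes(flows, lambda f: domain_levels(f[5])[1]),
        "always_on": always_on_pairs(flows),
    }
```

Lowering `hours_required` in `always_on_pairs` turns it into a general "seen in N distinct hours" filter, which is also how you surface the low-volume pairs that never rank in a top-10-by-bandwidth list.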
#Comment if you have additional tips.