Data exfiltration and Data Loss Prevention (DLP) is one of the key topics of our discussion today. One of the ways to detect APT groups and advanced ransomware at an early stage is by analyzing outbound traffic: most advanced threats will try to establish a C2 connection.
Profile 'outbound' traffic data:
- How much data is sent?
- Who usually sends the data?
- Where are we sending the data (IP, port)?
- When is it usually sent?
Some outliers can be:
- 24/7 outbound connections (keep an eye on these)
- Unauthorized C2 or VPN connections
- Malicious insider activity
Dashboards are a good starting point. With the flow data you can develop a 'Top Level Domain (TLD) Dashboard' and look for the following traffic patterns:
- High-bandwidth TLDs
- Low-level TLDs
- Top 10 TLDs by bandwidth
- Top 10 second-level domains by bandwidth
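As an added example (not code from the original post), the script below shows how the outbound profile (how much, who, where, when) and the TLD dashboard panels can be computed from flow records, and how the "24/7 outbound connection" outlier can be flagged. The record layout, the host names and the flow values are constructed for illustration; a real deployment would read NetFlow/IPFIX or proxy logs, and the TLD split is deliberately naive (a public suffix list is needed to handle suffixes such as co.uk correctly).

```python
"""Outbound flow profiling and TLD dashboard counters (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample flow records:
# (timestamp, src_host, dst_ip, dst_port, dst_domain, bytes_out)
# The constructed host "srv-07" talks to one external endpoint every hour of the
# day, which is the 24/7 outbound pattern the post says to keep an eye on.
SAMPLE_FLOWS = [
    ("2024-03-01T09:15:00", "ws-042", "203.0.113.10", 443, "cdn.example.com", 120_000),
    ("2024-03-01T10:02:00", "ws-042", "203.0.113.10", 443, "cdn.example.com", 95_000),
    ("2024-03-01T11:40:00", "ws-017", "203.0.113.55", 443, "mail.example.org", 40_000),
    ("2024-03-01T14:05:00", "ws-017", "203.0.113.55", 443, "mail.example.org", 60_000),
    ("2024-03-01T23:30:00", "ws-099", "192.0.2.77", 22, "files.example.net", 2_500_000),
] + [
    (f"2024-03-01T{hour:02d}:05:00", "srv-07", "198.51.100.23", 8443, "relay.example.net", 512)
    for hour in range(24)
]


def tld(domain):
    """Last label of the domain, e.g. 'com'. Naive: no public-suffix handling."""
    return domain.rstrip(".").rsplit(".", 1)[-1].lower()


def sld(domain):
    """Second-level domain under the same naive rule, e.g. 'example.com'."""
    labels = domain.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def profile_outbound(flows):
    """Answer the four profiling questions: how much, who, where and when."""
    by_host = defaultdict(int)   # who sends
    by_dest = defaultdict(int)   # where it goes (ip, port)
    by_hour = defaultdict(int)   # when it is sent
    total = 0
    for ts, host, ip, port, _domain, nbytes in flows:
        hour = datetime.fromisoformat(ts).hour
        total += nbytes
        by_host[host] += nbytes
        by_dest[(ip, port)] += nbytes
        by_hour[hour] += nbytes
    return {
        "total_bytes": total,
        "by_host": dict(by_host),
        "by_dest": dict(by_dest),
        "by_hour": dict(by_hour),
    }


def top_by_bandwidth(flows, key_fn, n=10, ascending=False):
    """Top-N (or bottom-N with ascending=True) aggregation for the dashboard
    panels: pass tld for the TLD panels and sld for the second-level panel."""
    totals = defaultdict(int)
    for _ts, _host, _ip, _port, domain, nbytes in flows:
        totals[key_fn(domain)] += nbytes
    if ascending:
        ordered = sorted(totals.items(), key=lambda kv: (kv[1], kv[0]))
    else:
        ordered = sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))
    return ordered[:n]


def always_on_connections(flows, required_hours=24):
    """(host, ip, port) tuples seen in every hour of the day: the 24/7 outbound
    connection outlier. Volume is irrelevant here; a low-and-slow beacon is
    exactly what a bandwidth-only view would miss."""
    hours_seen = defaultdict(set)
    for ts, host, ip, port, _domain, _nbytes in flows:
        hours_seen[(host, ip, port)].add(datetime.fromisoformat(ts).hour)
    return sorted(k for k, hrs in hours_seen.items() if len(hrs) >= required_hours)


if __name__ == "__main__":
    prof = profile_outbound(SAMPLE_FLOWS)
    print("total outbound bytes:", prof["total_bytes"])
    print("top senders:", sorted(prof["by_host"].items(), key=lambda kv: -kv[1])[:3])
    print("top TLDs by bandwidth:", top_by_bandwidth(SAMPLE_FLOWS, tld))
    print("low-level TLDs:", top_by_bandwidth(SAMPLE_FLOWS, tld, ascending=True))
    print("top second-level domains:", top_by_bandwidth(SAMPLE_FLOWS, sld))
    print("24/7 connections:", always_on_connections(SAMPLE_FLOWS))
```

Note that the bandwidth panels alone would rank the constructed `srv-07` beacon near the bottom (about 12 KB for the whole day), which is why the hour-coverage check is kept as a separate panel rather than folded into the top-N view.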
#Comment if you have additional tips.