Threat Hunting though outbound Traffic

7/4/2020

Data Exfiltration and Data Loss Prevention (DLP) is one of key topic of our discussion today. One of the ways to detect APT Groups and advanced ransomwares at early stage is by analyzing the outbound traffics. Most of the advanced treats will try to establish a C2 connection.
Profile 'outbound' traffic data:

how much data is sent?
who usually sends the data?
where are we sending the data (IP, Port)?
When it's usually sent?

You can use Flow Logs or NGFW logs to get the insights. Try to see if you can find outliers.
Some outliers can be:

24/7 Outbound Connection (Keep an eye)
Unauthorized C2 or VPN Connections
Insiders malicious activities

Dashboards are the good starting point.With the flow data you can develop a 'Top Level Domain(TLD) Dashboard' and look for following traffic patterns:

High Bandwidth TLD
Low Level TLD
Top 10 TLD By Bandwidth
Top 10 Second Level Domain by Bandwidth

#Comment if you have additional tips.

JANESSA MCQUINN

12/6/2021 02:32:55 pm

I have discovered the fastest money/loan funder in the entire US. He can fund you with as much as 300k just like he did mine I'm quite overwhelmed, can't believe a blank debit card which contains about $75k in it was issued to me by jamiehacking99 @ gmail . com, the amount in the card renews after every 60 days, it's a splendid algorithm hack for ATM's, so you can withdraw limitlessly without being noticed. They also repair credit reports in 2 weeks.

Comments are closed.

Threat Hunting though outbound Traffic

Categories