Digital Forensics and Incident Response | DFIR
  • Blog
  • Infosec
  • Windows Forensics
  • Mac Forensics
  • Memory Forensics
  • Incident Response
  • CISSP

Threat Hunting though outbound Traffic

7/4/2020

1 Comment

 
Data Exfiltration and Data Loss Prevention (DLP) is one of key topic of our discussion today. One of the ways to detect APT Groups and advanced ransomwares at early stage is by analyzing the outbound traffics. Most of the advanced treats will try to establish a C2 connection. 
Profile 'outbound' traffic data:
  • how much data is sent? 
  • who usually sends the data?
  • where are we sending the data (IP, Port)?
  • When it's usually sent?
You can use Flow Logs or NGFW logs to get the insights. Try to see if you can find outliers.
Some outliers can be: 
  • 24/7 Outbound Connection (Keep an eye)
  • Unauthorized C2 or VPN Connections
  • Insiders malicious activities 

Dashboards are the good starting point.With the flow data you can develop a 'Top Level Domain(TLD) Dashboard' and look for following traffic patterns: 
  • High Bandwidth TLD
  • Low Level TLD
  • Top 10 TLD By Bandwidth
  • Top 10 Second Level Domain by Bandwidth


#Comment if you have additional tips.
1 Comment
JANESSA MCQUINN
12/6/2021 02:32:55 pm

I have discovered the fastest money/loan funder in the entire US. He can fund you with as much as 300k just like he did mine I'm quite overwhelmed, can't believe a blank debit card which contains about $75k in it was issued to me by jamiehacking99 @ gmail . com, the amount in the card renews after every 60 days, it's a splendid algorithm hack for ATM's, so you can withdraw limitlessly without being noticed. They also repair credit reports in 2 weeks.

Reply



Leave a Reply.

    Categories

    All
    Chapter-1
    CISSP
    SOC
    Threat Detection
    Threat Hunting
    Threat Modelling

    RSS Feed