5B. Network-related IoCs obj 4.3 Flashcards
Network flows
Information gathered from capturing traffic data that passes through inline devices.
Netflow
A standard for monitoring traffic flows. They collect metadata about traffic at network device interfaces and then send the info to flow collectors for analysis.
Active monitoring
Techniques that reach out to remote systems/devices to gather data. Collects data about:
- availability
- routes
- packet delay/loss
- bandwidth
e.g., Pings
Passive monitoring
Relies on capturing information as traffic passes a location and uses a tap to send a copy of the traffic between two endpoints.
Network Monitoring tools
SNMP
- protocol for sending information and events as SNMP traps
WMI
DRDoS
Distributed Reflection DoS
- network-based attack where the attacker dramatically increases the bandwidth sent to a victim during a DDoS attack by implementing an amplification factor
Beaconing
- activity that is sent to a C2 over HTTP/S.
- Difficult to spot as it blends in with other traffic + encrypted.
- IPS/IDS to detect
Indicators of DoS
- traffic spike
- excessive number of TIME_WAIT connections
- high number of HTTP 503 errors
Beaconing detection
- capture metadata about all sessions established or attempted and analyse it for patterns that indicate suspicious activity
Internet Relay Chat (IRC) (C2)
Communication protocol commonly used by adversaries for C2 communication.
- Easy to detect and often blocked by orgs
HTTP and HTTPS (C2)
Cannot be blocked by orgs as it is a necessity.
- hard to distinguish C2 traffic from normal traffic
- encrypted
Can be mitigated by using a proxy that intercepts, decrypts and inspects traffic, and re-encrypts only legitimate traffic
Domain Name System (DNS) (C2)
- DNS not inspected/filtered in private networks
- Commands are sent via request or response queries
How to detect DNS (C2)
Adversaries will break their control messages into several query chunks to avoid detection.
- look out for long, complicated queries
- look out for repeated queries
Social Media Websites (C2)
- issue commands via messaging functionality or account profiles
Cloud services (C2)
- scalable and reliable cloud structures are attractive to adversaries
- can be free to use
Irregular peer-to-peer communications
- indicates hosts within a network that have established a connection over unauthorised ports or data transfers
- Server Message Block (SMB)
ARP spoofing/poisoning
Attacker redirects an IP address to a MAC address that was not its intended destination
Rogue devices and mitigation
An unauthorised device on a private network (e.g., WAP, DHCP) that allows someone to connect to the network.
- Mitigate by using digital certificates on endpoints and servers to authenticate and encrypt traffic using IPSec or HTTPS
Examples of Rogue systems
- network taps
- WAPs
- Servers
- software
- wired/wireless clients
- VMs
- smart appliances
Techniques to perform Rogue Machine Detection
- Visual inspection of ports/switches
- network mapping/host discovery
- wireless monitoring (i.e., observing for unknown SSIDs)
- packet sniffing/traffic flow (observing use of unauthorised protocols and unusual peer-to-peer comm flows)
- NAC/intrusion detection
Fingerprinting
Identifying the type/version of an OS (or server application) by analysing its responses to network scans
Sweep
Scan directed at multiple IP addresses to discover whether a host responds to connection requests on certain ports
Footprinting
Phase of attack where information about the target is gathered before attacking
Mismatched port
Communicating non-standard traffic over a well-known or registered port