Analyzing Network IOCs Flashcards
A sign that an asset or network has been attacked or is currently under attack
▪ Port scan or sweep
▪ Non-standard port usage
▪ Covert channels
Indicator of Compromise
A sharp increase in connection requests in comparison with a given baseline
Traffic Spikes
An attack that uses multiple compromised hosts (a botnet) to overwhelm a
service with request or response traffic
Distributed Denial of Service (DDoS)
A smaller website crashing when it quickly becomes popular due to exposure on
social sharing sites like Slashdot, Reddit, and Twitter
Slashdot Effect (slashdotting)
A means for a network node to advertise its presence and establish a link with
other nodes
Beaconing
An adversary’s use of a random delay to frustrate indicators based on regular
connection attempt intervals
Jitter
A group communication protocol with networks divided into discrete channels
that are the individual forums used by clients to chat
Internet Relay Chat (IRC)
A set of data that describes and gives information about other data
Metadata
Unlike the predominant type of user traffic, which is to and from clients and servers within most networks
P2P
▪ Attack indicator where hosts within a network establish connections over
unauthorized ports or carry out unauthorized data transfers
▪ Attackers commonly use Server Message Block (SMB) since it is typical within
Windows File/Printer sharing environments
Irregular Peer-to-Peer (P2P) Communication
Occurs when an attacker redirects an IP address to a MAC address other than its
intended destination
ARP Spoofing or ARP Poisoning
An unauthorized device or service, such as a wireless access point, DHCP server,
or DNS server, on a corporate or private network that allows unauthorized
individuals to connect to the network
Rogue Devices
A process of identifying (and removing) machines on the network that are not
supposed to be there
Rogue System Detection
A physical device that is attached to cabling to record packets passing over that
network segment
Network Tap
Rogue devices often begin their attack by scanning and sweeping to find other hosts and vulnerabilities
Scans and Sweeps
Enumerating the status of TCP and UDP ports on a target system using software
tools
Port Scan
Identifying the type and version of an operating system (or server application) by
analyzing its responses to network scans
Fingerprinting
A scan directed at multiple IP addresses to discover whether a host responds to
connection requests for particular ports
Sweep
Phase of an attack or penetration test in which the attacker or tester gathers
information about the target before attacking it
Footprinting
The Internet Assigned Numbers Authority (IANA) maintains a list of well-known
and registered TCP and UDP port mappings
Nonstandard Port Usage
Ports 0 to 1023
Well-known Ports
Ports 1024 to 49151
Registered Ports
Ports 49152 to 65535
Dynamic Ports
Communicating TCP/IP application traffic, such as HTTP, FTP, or DNS, over a port
that is not the well-known or registered port established for that protocol
Non-standard Port
An attacker opens a listening port that exposes the command prompt on the local
host and connects to that port from a remote host
Shell
An attacker opens a listening port on the remote host and causes the infected
host to connect to it
Reverse Shell
The process by which an attacker takes data that is stored inside of a private
network and moves it to an external network
Data Exfiltration
An attacker uses commercial file sharing services to upload the exfiltrated data
from a victim
HTTP or HTTPS Transfers
An adversary may use SQL injection or similar techniques to copy records from
the database to which they should not have access
HTTP Requests to Database Service
Use of DNS queries to transmit data out of a network enclave
DNS
Use of FTP, instant messaging, peer-to-peer, email, and other obvious file and
data sharing tools
Overt Channels
Use of SSH or VPNs to create a tunnel to transmit the data across a given network
Explicit Tunnels