Analyzing Network IOCs Flashcards
A sign that an asset or network has been attacked or is currently under attack
▪ Port scan or sweep
▪ Non-standard port usage
▪ Covert channels
Indicator of Compromise
A sharp increase in connection requests in comparison with a given baseline
Traffic Spikes
An attack that uses multiple compromised hosts (a botnet) to overwhelm a
service with request or response traffic
Distributed Denial of Service (DDoS)
A website crashing when a smaller site becomes popular quickly due to
exposure on social sharing sites like Slashdot, Reddit, and Twitter
Slashdot Effect (slashdotting)
A means for a network node to advertise its presence and establish a link with
other nodes
Beaconing
An adversary’s use of a random delay to frustrate indicators based on regular
connection attempt intervals
Jitter
A group communication protocol with networks divided into discrete channels
that are the individual forums used by clients to chat
Internet Relay Chat (IRC)
A set of data that describes and gives information about other data
Metadata
Within most networks, the predominant type of user traffic is to and from clients and servers rather than P2P
P2P
▪ Attack indicator where hosts within a network establish connections over
unauthorized ports or data transfers
▪ Attackers commonly use Server Message Block (SMB) since it is typical within
Windows File/Printer sharing environments
Irregular Peer-to-Peer (P2P) Communication
Occurs when an attacker redirects an IP address to a MAC address that was not its
intended destination
ARP Spoofing or ARP Poisoning
An unauthorized device or service, such as a wireless access point, DHCP server,
or DNS server, on a corporate or private network that allows unauthorized
individuals to connect to the network
Rogue Devices
A process of identifying (and removing) machines on the network that are not
supposed to be there
Rogue System Detection
A physical device that is attached to cabling to record packets passing over that
network segment
Network Tap
Rogue devices often begin their attack by scanning and sweeping to find other hosts and vulnerabilities
Scans and Sweeps