5B. Network-related IoCs obj 4.3

Question 1

Network flows

Answer 1

Information gathered from capturing traffic data that passes through inline devices.

Question 2

Netflow

Answer 2

A standard for monitoring traffic flows. They collect metadata about traffic at network device interfaces and then send the info to flow collectors for analysis.

Question 3

Active monitoring

Answer 3

techniques that reach out to remote systems/devices to gather data. Collects data about:
- availability
- routes
- packet delay/loss
- bandwidth

e.g., Pings

Question 4

Passive monitoring

Answer 4

relies on capturing information as traffic passes a location and uses a tap to send a copy of the traffic between two endpoints.

Question 5

Network Monitoring tools

Answer 5

SNMP
- protocol for sending information and events as SNMP traps

WMI

Question 6

DRDoS

Answer 6

Distributed Reflection DoS
- network-based attack where the attacker dramatically increases the bandwidth sent to a victim during a DDoS attack by implementing an amplification factor

Question 7

Beaconing

Answer 7

• activity that is sent to a C2 over HTTP/S.
• Difficult to spot as it blends in with other traffic + encrypted.
• IPS/IDS to detect

Question 8

Indicators of DoS

Answer 8

• traffic spike
• excessive number of TIME_WAIT connections
• high number of HTTP 503 errors

Question 9

Beaconing detection

Answer 9

• capture metadata about all sessions established or attempted and analyse for patterns the indicate suspicious activity

Question 10

Internet Replay Chat (IRC) (C2)

Answer 10

Communication protocol commonly used by adversaries for C2 communication.
- Easy to detect and often blocked by orgs

Question 11

HTTP and HTTPS (C2)

Answer 11

Cannot be blocked by orgs as it is a necessity.
- hard to distinguish C2 traffic from normal traffic
- encrypted

Can be mitigated by using proxy that intercepts, decrypts and inspects traffic, and re-encrypt only legitimate traffic

Question 12

Domain Name Systen (DNS) (C2)

Answer 12

• DNS not inspected/filtered in private networks
• Commands are sent via request or response queuries

Question 13

How to detect DNS (C2)

Answer 13

Adversaries will break their control msgs into several query chunks to avoid detection.

• lookout for long, complicated queries
• lookout for repeated queries

Question 14

Social Media Websites (C2)

Answer 14

• issue commands via messaging functionality or account profiles

Question 15

Cloud services (C2)

Answer 15

• scalable and reliable cloud structures are attractive to adversaries
• can be free to use

Question 16

Irregular peer-to-peer communications

Answer 16

• indicates hosts within a network that have established a connection over unauthorised ports or data transfers
• Server Message Block (SMB)

Question 17

ARP spoofing/poisoning

Answer 17

attacker redirects an IP address to a MAC address that was not its intended destination

Question 18

Rogue devices and mitigation

Answer 18

An unauthorised device on a private network (e.g., WAP, DHCP) that allows someone to connect to the network.
- Mitigate by using digital certificates on endpoints and servers to authenticate and encrypt traffic using IPSec or HTTPS

Question 19

Examples of Rogue systems

Answer 19

• network taps
• WAPs
• Servers
• software
• wired/wireless clients
• VMs
• smart appliances

Question 20

Techniques to perform Rogue Machine Detection

Answer 20

• Visual inspection of ports/switches
• network mapping/host discovery
• wireless monitoring (i.e., observing for unknown SSIDs)
• packet sniffing/traffic flow (observing use of unauthorised protocols and unusual peer-to-peer comm flows
• NAC/intrusion detection

Question 21

Fingerprinting

Answer 21

identifying type/version of OS (or server application) by analysing its responses to network scans

Question 22

Sweep

Answer 22

scan directed at multiple IP addresses to discover whether a host responds to connection requests to certain ports

Question 23

Footprinting

Answer 23

Phase of attack where information about the target is gathered before attacking

Question 24

mismatched port

Answer 24

Communicating non-standard traffic over a well-known or registered port

Question 25

Well-known Ports are in what range?

Answer 25

0-1023

Question 26

Registered Ports are in what range?

Answer 26

1024-49151

Question 27

Dynamic Ports are in what range?

Answer 27

49152-65535 (regular use of these ports may indicate malicious activity)

Question 28

Non-standard port

Answer 28

Communicating TCP/IP traffic over a port that is not intended for that protocol

Question 29

IoCs (Non-standard port)

Answer 29

• use of a non-standard port when a well-known port is already established for that protocol
• malware might use a non-standard port other than 53 for DNS traffic
• mismatched port

Question 30

Mitigation (Non-standard port)

Answer 30

• configure firewall to allow only whitelisted ports to communicate on ingress/egrees interfaces
• configuration documentation should show which server ports are allowed on any given host type
• configure detection rules to detect mismatched protocol usage over a standard port

Question 31

shell vs reverse shell

Answer 31

A shell is where an attacker opens a listening port that exposes the Cmd prompt on the local host and connects to that port from the remote host, while a reverse shell is where the attacker opens a listening port on the remote host and forces the local host to connect to it

Question 32

Netcat (nc)

Answer 32

Utility for reading and writing raw data over a network connection that is often
used as a listener for remote shells

• setup listener: nc -l -p 443 -e cmd.exe
• connect to listener: nc 10.1.0.1 443

Question 33

Data Exfiltration IoCs

Answer 33

• HTTP(S) channel with public storage services (e.g., adversary may exfiltrate data to OneDrive)
• Web app attacks (e.g., SQLi)
• DNS as a data exfiltration or C2 channel (server log growth, increased use of certain queries)
• IM, P2P, email, FTP
• Encrypted tunnels (IPsec, SSL, active VPN sessions)

Question 34

Covert channel for data exfiltration (IoCs)

Answer 34

• take advantage of a lack of egress filtering to transmit data over nonstandard port
• data encoded into protocol headers
• fragmenting (breaking data into multiple packets to evade signature analysis and DLP)
• steganography to obfuscate data
• encryption of data that cannot be inspected as it leaves network