Indicator of Compromise: Network Symptoms - Paiet/Tech-Journal-for-Everything GitHub Wiki

Indicator of Compromise: Network Symptoms

  • Common network-related symptoms

  • Bandwidth consumption

    • Possible causes
      • Exfiltration of data
      • DDoS
    • Course of action
      • Detection
        • Check network monitoring
        • Create QoS rules/alerts
      • Remediation
        • Block DDoS IPs
        • NG Firewalls
  • Beaconing

    • Possible Causes
      • Malware C2
    • Course of Action
      • Detection
        • IDS/IPS
        • Network Monitoring of outbound connections
        • Netflow analysis
      • Remediation
        • DNS Sinkhole
        • Isolate affected system
        • Removal of malware with AV
  • Irregular peer-to-peer communication

    • Possible Causes
      • Malware
      • May not be malicious, just unexpected
    • Course of Action
      • Detection
        • IDS/IPS
        • Network Monitoring
        • Traffic capture and analysis
      • Remediation
        • Take baselines
        • Behavior/Heuristic detection engine
          • NGFW
  • Rogue devices on the network

    • Detection
      • MAC Address Verification
      • Vendor MAC Whitelisting
      • Host discovery
        • Ping sweeps
      • Site Survey
      • Traffic capture and analysis
    • Remediation
      • Wired
        • NAC implementation
        • Port security
          • PracticeLabs Demo
      • Wireless
        • AP MAC address filtering
        • Encryption
        • Authentication
        • Follow signal strength to find the rogue host
  • Scan sweeps

    • Causes
      • Someone is actively scanning your network/hosts with a scanner
    • Course of action
      • Scanning not usually "High" on the alert list
      • Create IDS/IPS rule and corresponding alert
  • Unusual traffic spikes

    • Possible DoS/DDoS
    • Detection
      • Traffic capture and analysis
        • Type of traffic
        • Traffic spike destination
      • IDS/IPS/WAF
      • Log analysis
      • Monitoring
        • Bandwidth
        • System Utilization
    • Remediation
      • IPS
      • Firewalling
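
Added example, not part of the wiki page: the "Netflow analysis" step under Beaconing and the "Monitoring > Bandwidth" step under Unusual traffic spikes, worked over NetFlow-style records. Beaconing shows up as near-constant gaps between connections to one destination; a spike shows up as a host's outbound byte total far above its own baseline. All flow records, hosts and baseline numbers below are constructed for the example.

```python
"""Added example (not from the wiki): beacon and volume-spike detection over
NetFlow-style records. All flow records and baselines here are constructed."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flows: (epoch seconds, src ip, dst ip, dst port, bytes out)
FLOWS = [
    # 10.0.0.5 contacts 203.0.113.7:443 about every 60 s with a tiny payload
    *[(1_700_000_000 + 60 * i + (i % 3), "10.0.0.5", "203.0.113.7", 443, 512)
      for i in range(20)],
    # 10.0.0.8 browses normally: irregular timing, varied sizes
    (1_700_000_010, "10.0.0.8", "198.51.100.2", 443, 15_000),
    (1_700_000_043, "10.0.0.8", "198.51.100.2", 443, 120_000),
    (1_700_000_300, "10.0.0.8", "198.51.100.9", 80, 4_000),
    (1_700_000_905, "10.0.0.8", "198.51.100.2", 443, 60_000),
    (1_700_001_100, "10.0.0.8", "198.51.100.2", 443, 2_500),
    # 10.0.0.12 pushes 400 MB out over SSH in one window, far above its norm
    (1_700_000_500, "10.0.0.12", "192.0.2.44", 22, 400_000_000),
]

# Constructed per-host baseline: typical outbound bytes per monitoring window
BASELINE = {"10.0.0.5": 12_000, "10.0.0.8": 250_000, "10.0.0.12": 1_500_000}


def find_beacons(flows, min_connections=8, max_cv=0.2):
    """Group flows by (src, dst, port) and flag groups whose inter-connection
    gaps are nearly constant: coefficient of variation <= max_cv.
    Human-driven traffic is bursty; a malware check-in runs on a timer."""
    times_by_pair = defaultdict(list)
    for ts, src, dst, port, _ in flows:
        times_by_pair[(src, dst, port)].append(ts)
    beacons = []
    for (src, dst, port), times in times_by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons.append({"src": src, "dst": dst, "port": port,
                            "count": len(times), "interval": round(avg, 1),
                            "cv": round(cv, 3)})
    return beacons


def find_volume_spikes(flows, baseline, factor=10):
    """Sum outbound bytes per source host and compare with its baseline.
    Hosts above factor x baseline, or with no baseline at all, are returned."""
    totals = defaultdict(int)
    for _, src, _, _, nbytes in flows:
        totals[src] += nbytes
    spikes = []
    for src, total in sorted(totals.items()):
        expected = baseline.get(src)
        if expected is None:
            spikes.append({"src": src, "bytes": total, "reason": "no baseline"})
        elif total > factor * expected:
            spikes.append({"src": src, "bytes": total,
                           "reason": f"{total / expected:.0f}x baseline"})
    return spikes


if __name__ == "__main__":
    for b in find_beacons(FLOWS):
        print("possible beacon:", b)
    for s in find_volume_spikes(FLOWS, BASELINE):
        print("volume spike:", s)
```

Run as-is it reports the 10.0.0.5 timer-driven connections and the 10.0.0.12 volume spike, and nothing for the browsing host. The thresholds (`min_connections`, `max_cv`, `factor`) are the tuning knobs: real beacons often add jitter, so `max_cv` usually has to be loosened once you have looked at your own flow data, and the baseline should come from the "Take baselines" step rather than a guess.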

Indicator of Compromise: Host and Application Symptoms

  • Common host-related symptoms

  • Most of these symptoms are malware-related

    • Processor consumption
      • Resmon
      • Task Manager
      • htop
    • Memory consumption
      • Resmon
      • Task Manager
      • htop
    • Drive capacity consumption
      • Windows explorer
      • df -h
    • Unauthorized software
      • torrents
      • games
      • Use centralized management to enforce approved software
        • SCCM
        • Group Policy
      • AV/Anti-malware
        • Detects malicious software
          • Weatherbug
      • Application Whitelisting/Blacklisting
    • Malicious processes
    • Unauthorized changes
    • Unauthorized privileges
    • Data exfiltration
  • Common application-related symptoms

  • Anomalous activity

  • Introduction of new accounts

  • Unexpected output

  • Unexpected outbound communication

  • Service interruption

  • Memory overflows
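
Added example, not part of the wiki page: the host and application symptoms above (new accounts, unauthorized software, unexpected outbound communication, processor and memory consumption) checked by comparing a fresh host snapshot against a known-good baseline, which is the "Take baselines" idea applied to a host. The baseline, the snapshot and the process sample are constructed for the example; on a real host they would come from the account database, the package manager, the socket table and a process listing.

```python
"""Added example (not from the wiki): baseline comparison for host symptoms.
Both snapshots and the process list are constructed."""

# Constructed golden baseline for a web server
BASELINE = {
    "accounts": {"root", "alice", "svc-backup"},
    "software": {"openssh-server", "nginx", "python3", "clamav"},
    "listeners": {("0.0.0.0", 22), ("0.0.0.0", 443)},
    "outbound": {("198.51.100.2", 443)},
}

# Constructed snapshot taken today
SNAPSHOT = {
    "accounts": {"root", "alice", "svc-backup", "support1"},
    "software": {"openssh-server", "nginx", "python3", "qbittorrent"},
    "listeners": {("0.0.0.0", 22), ("0.0.0.0", 443), ("0.0.0.0", 4444)},
    "outbound": {("198.51.100.2", 443), ("203.0.113.7", 4444)},
}

# Constructed process sample: (name, cpu percent, resident MB)
PROCESSES = [
    ("nginx", 3.0, 120), ("sshd", 0.1, 8), ("python3", 1.5, 90),
    ("kworker", 95.0, 40), ("updater", 2.0, 3100),
]


def diff_snapshot(baseline, snapshot):
    """Return what appeared and what disappeared in every category.
    Additions are the new-account / unauthorized-software / unexpected-outbound
    symptoms; removals catch e.g. AV that was quietly uninstalled."""
    report = {}
    for category in baseline.keys() | snapshot.keys():
        before = baseline.get(category, set())
        after = snapshot.get(category, set())
        added, removed = after - before, before - after
        if added or removed:
            report[category] = {"added": added, "removed": removed}
    return report


def hot_processes(processes, cpu_limit=80.0, mem_limit_mb=2048):
    """Names of processes over the CPU or memory threshold: the same thing
    you would eyeball in Task Manager, Resmon or htop."""
    return [name for name, cpu, mem in processes
            if cpu > cpu_limit or mem > mem_limit_mb]


if __name__ == "__main__":
    for category, changes in sorted(diff_snapshot(BASELINE, SNAPSHOT).items()):
        print(f"{category}: added {sorted(changes['added'])}, "
              f"removed {sorted(changes['removed'])}")
    print("hot processes:", hot_processes(PROCESSES))
```

The diff is only as good as the baseline: take it from a freshly built, known-clean host and refresh it after every approved change, otherwise legitimate patches show up as "unauthorized software" and the alerts get ignored.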