- Outbound IRC connections - Infected workstations communicate with Command & Control servers to receive commands, so most outbound IRC traffic originates from compromised workstations.
  - Required data to create above report:
    - Outbound traffic to service ports 6660/6665/6667/6669.
- Peer File Transfer – Peer-to-peer data transfer creates a lot of noise on the network and can reduce network performance. Downloads or uploads from untrusted domains could bring malicious files into the network.
  - Required data to create above report:
    - Understand the traffic pattern and create a rule [Netwitness Live provides the rule for the torrent pattern].
    - Proxy logs whose site category is “peer file transfer”.
    - Proxy logs with domain names.
- Top Online Storage accessing - Public storage sites could leak confidential business data, which is a big threat to the organization.
  - Required data to create above report:
    - Data connecting to various storage sites [any free/paid online storage sites].
    - This report can be prepared from log data and packet data [packet data: Netwitness Live default rule; log data from the proxy would be useful].
- Dyn DNS [DDNS] – Dynamic Domain Name System. Malware distributors are constantly registering and rotating Dyn DNS-hosted sub-domains that are subsequently used to spread computer Trojans.
  - Required data to create above report:
    - Collect the DDNS ranges/IPs manually, make a list and detect against it [NW Live has a rule to detect DDNS].
- Phishing / spear phishing – Spear phishing is an e-mail spoofing fraud attempt that targets a specific organization, seeking unauthorized access to confidential data. Spear phishing attempts are not typically initiated by "random hackers" and could lead to an APT attack.
  - Required data to create above report:
    - All email with embedded suspicious links/URLs/domains/IPs detected by the Informer rule.
- TOR Nodes – TOR/Onion routers are used to mask the original IP address of the attacker’s machine, which makes the attacker’s real IP address very hard to find.
  - Required data to create above report:
    - Collect the TOR/Onion routers’ addresses / IP ranges, make a list in Informer and match it against destination/source addresses for detection.
- Malicious User Agents - The User-Agent header field contains information about the user agent originating the request. Compromised workstations usually try to communicate with external IPs to receive commands from C&C servers, and in this case the malware usually uses a user agent with poorly implemented protocols.
  - Required data to create above report:
    - Understand the different varieties of malicious user agents, make a list and use Informer for detection.
- Top bandwidth users - Unauthorized uploads/downloads could lead to data loss or malware downloads.
  - Required data to create above report:
    - Usual packet data with packet sizes is enough to generate the report.
- VNC connections inside network - VNC connections inside the network are not safe; VNC inside the network could give attackers control of hosts.
  - Required data to create above report:
    - Destination ports should be 5800/5900, etc.
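As an added example that is not part of the original report list, the following Python applies the port, proxy-category and list-based conditions above to constructed flow/proxy records and groups the matches by report name. The internal address ranges, the DDNS/TOR/user-agent lists and the sample records are all constructed placeholders; a real deployment would take the lists from the feeds named above (NetWitness Live rules, Informer lists).

```python
from ipaddress import ip_address, ip_network

# All lists below are constructed placeholders standing in for the real feeds.
IRC_PORTS = {6660, 6665, 6667, 6669}            # Outbound IRC connections
VNC_PORTS = {5800, 5900}                         # VNC connections inside network
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
DDNS_SUFFIXES = (".ddns-placeholder.example",)   # constructed DDNS suffix list
TOR_NODES = {"203.0.113.9"}                      # constructed TOR node list
BAD_USER_AGENTS = {"bad-agent-placeholder/1.0"}  # constructed user-agent list

def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)

def classify(rec):
    """Return the names of the reports a single flow/proxy record belongs to."""
    hits = []
    src_int, dst_int = is_internal(rec["src"]), is_internal(rec["dst"])
    if src_int and not dst_int and rec.get("dport") in IRC_PORTS:
        hits.append("Outbound IRC connections")
    if src_int and dst_int and rec.get("dport") in VNC_PORTS:
        hits.append("VNC connections inside network")
    if rec.get("category") == "peer file transfer":   # proxy site category
        hits.append("Peer File Transfer")
    if rec.get("host", "").endswith(DDNS_SUFFIXES):
        hits.append("Dyn DNS")
    if rec["src"] in TOR_NODES or rec["dst"] in TOR_NODES:
        hits.append("TOR Nodes")
    if rec.get("user_agent") in BAD_USER_AGENTS:
        hits.append("Malicious User Agents")
    return hits

def run_reports(records):
    """Group matching records by report name; each key is one report above."""
    reports = {}
    for rec in records:
        for name in classify(rec):
            reports.setdefault(name, []).append(rec)
    return reports

# Constructed sample records; flow and proxy fields are merged into one dict.
SAMPLE = [
    {"src": "10.1.2.3", "dst": "198.51.100.7", "dport": 6667},
    {"src": "10.1.2.3", "dst": "10.1.2.9", "dport": 5900},
    {"src": "10.1.2.4", "dst": "198.51.100.8", "dport": 443,
     "host": "x.ddns-placeholder.example", "category": "peer file transfer"},
    {"src": "10.1.2.5", "dst": "203.0.113.9", "dport": 443,
     "user_agent": "bad-agent-placeholder/1.0"},
    {"src": "10.1.2.6", "dst": "198.51.100.9", "dport": 443, "user_agent": "Mozilla/5.0"},
]
```

Calling `run_reports(SAMPLE)` yields one record each for the IRC, VNC and TOR reports, while the third record lands in both the Peer File Transfer and Dyn DNS reports and the last record matches nothing.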