Compromised & Infected System Tracking

Description
Tracking compromised and infected systems matters because your computing resources and bandwidth are being used to target other people. Attacks launched from these hosts can be traced back to you, and having hosts on your corporate network attack customers and business partners carries a reputational cost. Failing to notice such an attack might also make you civilly or criminally liable.
Threat type to monitor
■    Outbound traffic to one or more destination IP addresses that are neither normally used in the course of business nor on the known-malicious IP lists
Monitoring setup
■    Firewall
Events Indicators
■    Sudden increase in traffic towards suspicious external IP addresses from one or more internal sources
■    Internal or external port scans
■    Unusual file extension observed on an attachment in outbound traffic
■    Suspicious inbound traffic to specific destinations from external IP addresses
■    HTTP outbound traffic to multiple destinations from a single source
■    File transfer over a non-standard port
■    Non-SMTP traffic on TCP port 25 carrying an executable
■    Non-HTTP traffic on TCP port 80 carrying an executable
■    Non-DNS traffic on TCP or UDP port 53 carrying an executable
■    Internal port scan messages in logs
■    Suspicious inbound traffic to specific destinations
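As an added example (not part of this wiki page), the following Python implements two of the indicators above, the unusual outbound volume to non-business external IPs and the internal port scan, over a constructed firewall log. The log format, the internal ranges and the business destination allowlist are all assumptions made for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed firewall log, one connection per line: "<seq> <src> <dst> <dst_port> <proto> <bytes>".
FIREWALL_LOG = """\
1 10.0.1.5 203.0.113.10 443 tcp 12000
2 10.0.1.5 198.51.100.7 443 tcp 900000
3 10.0.1.5 198.51.100.7 443 tcp 850000
4 10.0.1.9 10.0.2.20 21 tcp 60
5 10.0.1.9 10.0.2.20 22 tcp 60
6 10.0.1.9 10.0.2.20 23 tcp 60
7 10.0.1.9 10.0.2.20 25 tcp 60
8 10.0.1.9 10.0.2.20 80 tcp 60
9 10.0.1.9 10.0.2.20 443 tcp 60
"""

INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BUSINESS_DESTS = {"203.0.113.10"}  # destinations the business normally talks to (constructed)

def parse(log):
    """Split each log line into (src, dst, dst_port, proto, bytes)."""
    rows = []
    for line in log.splitlines():
        _, src, dst, port, proto, nbytes = line.split()
        rows.append((src, dst, int(port), proto, int(nbytes)))
    return rows

def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)

def unusual_outbound(rows, byte_threshold=1_000_000):
    """(src, dst) pairs where an internal host sent more than byte_threshold to an external IP not on the business list."""
    volume = defaultdict(int)
    for src, dst, _, _, nbytes in rows:
        if is_internal(src) and not is_internal(dst) and dst not in BUSINESS_DESTS:
            volume[(src, dst)] += nbytes
    return {pair for pair, total in volume.items() if total > byte_threshold}

def internal_port_scans(rows, min_ports=5):
    """(src, dst) pairs where one internal host touched at least min_ports distinct ports on another."""
    ports = defaultdict(set)
    for src, dst, port, _, _ in rows:
        if is_internal(src) and is_internal(dst):
            ports[(src, dst)].add(port)
    return {pair for pair, seen in ports.items() if len(seen) >= min_ports}

if __name__ == "__main__":
    rows = parse(FIREWALL_LOG)
    print("unusual outbound volume:", unusual_outbound(rows))
    print("internal port scans:", internal_port_scans(rows))
```

The thresholds are starting points; tune them against a baseline of normal traffic before alerting on them.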