(Nowadays this part relies heavily on HIDS and EDR tools; below are some ideas to look at)
Enumeration Activity
Analyzing PCAP
- Preprocessing the TCP logs
- Traffic pattern analysis
- Examine the TCP flags
- Identify the IP associated with the enumeration activity
- Examine the ports accessed by that IP
Wireshark display filters: packets with SYN set or RST/ACK replies (closed ports), then SYN/ACK replies (open ports)
(tcp.flags.syn==1) || (tcp.flags.ack==1 && tcp.flags.reset==1)
(tcp.flags.syn==1)&&(tcp.flags.ack==1)
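The enumeration checks above, as an added example that is not part of the original notes: the two display filters are mirrored as Python predicates, and the per-IP port-spread check is run over a constructed tshark-style packet list (addresses, ports and the set of listening ports are all constructed sample data).

```python
"""Spot port-scan (enumeration) activity in TCP flag records.

Added example, not part of the original notes. It mirrors the two Wireshark
display filters as Python predicates, then applies the per-IP check the notes
describe: which IP sends bare SYNs to many ports, and which of those ports
answered SYN/ACK (open) versus RST/ACK (closed). Records are constructed
sample data laid out like a tshark field export:
(src_ip, dst_ip, src_port, dst_port, flags), flags being a set of flag names.
"""
from collections import defaultdict

SCANNER, TARGET, CLIENT = "10.0.0.5", "10.0.0.20", "10.0.0.9"  # constructed addresses
OPEN_PORTS = {22, 80, 443}                                    # constructed: what TARGET listens on


def build_sample_capture():
    """Constructed capture: SCANNER probes eight ports on TARGET with bare SYNs;
    CLIENT makes one normal connection to TARGET:443."""
    packets = []
    for port in (21, 22, 23, 25, 80, 110, 143, 443):
        packets.append((SCANNER, TARGET, 54321, port, {"SYN"}))
        reply = {"SYN", "ACK"} if port in OPEN_PORTS else {"RST", "ACK"}
        packets.append((TARGET, SCANNER, port, 54321, reply))
    packets += [
        (CLIENT, TARGET, 50001, 443, {"SYN"}),
        (TARGET, CLIENT, 443, 50001, {"SYN", "ACK"}),
        (CLIENT, TARGET, 50001, 443, {"ACK"}),
        (CLIENT, TARGET, 50001, 443, {"PSH", "ACK"}),
    ]
    return packets


def matches_scan_filter(flags):
    """Python form of: (tcp.flags.syn==1) || (tcp.flags.ack==1 && tcp.flags.reset==1)"""
    return "SYN" in flags or {"RST", "ACK"} <= flags


def matches_synack_filter(flags):
    """Python form of: (tcp.flags.syn==1)&&(tcp.flags.ack==1)"""
    return {"SYN", "ACK"} <= flags


def summarize_enumeration(packets, min_ports=5):
    """Return {source_ip: {...}} for sources that sent bare SYNs to at least
    min_ports distinct (dst, port) targets, with the open/closed split taken
    from the replies addressed back to that source."""
    syn_targets = defaultdict(set)  # src -> {(dst, dport)} seen in bare SYN packets
    for src, dst, sport, dport, flags in packets:
        if "SYN" in flags and "ACK" not in flags:
            syn_targets[src].add((dst, dport))

    report = {}
    for src, targets in syn_targets.items():
        if len(targets) < min_ports:
            continue  # a handful of connections is normal client behaviour
        opened, closed = set(), set()
        for rsrc, rdst, rsport, rdport, flags in packets:
            if rdst != src or (rsrc, rsport) not in targets:
                continue  # not a reply to one of this source's probes
            if matches_synack_filter(flags):
                opened.add(rsport)
            elif {"RST", "ACK"} <= flags:
                closed.add(rsport)
        report[src] = {
            "probed": sorted(p for _, p in targets),
            "open": sorted(opened),
            "closed": sorted(closed),
        }
    return report


if __name__ == "__main__":
    for ip, info in summarize_enumeration(build_sample_capture()).items():
        print(f"{ip}: probed {len(info['probed'])} ports, "
              f"open {info['open']}, closed {info['closed']}")
```

The `min_ports` threshold is what separates a scanner from a busy client; on a real capture it should be tuned against the host's normal connection fan-out, and the ratio of RST/ACK to SYN/ACK replies is the stronger signal than the raw count.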
Exploitation Activity
- Requires researching the specific type of attack
- e.g. Log4J: in this case, monitor HTTP request patterns
Exfiltration Activity
Characteristics
- Relatively more frequent file upload traffic
- Typically attackers use a bind or reverse shell (forward and reverse connections)
Analyzing #1
- Preprocessing the TCP log
- Traffic pattern analysis
- Examine the ports accessed by the IP
- Identify the IP associated with the activity
- Examine the command executions
Analyzing #2 (bind shell)
- Examine PCAP traffic
- Check usage of ports commonly used for shell activity (e.g. 4444, 5555, or ports that were not in use but suddenly come up); use a tool to monitor uncommon port usage
- Connection establishment [SYN][SYN,ACK] between suspicious IPs
- Frequent [PSH,ACK] activity implies data transferring; check the content and look for commands (usually multiple command execution)
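The three bind-shell checks in "Analyzing #2", as an added example that is not part of the original notes: a completed handshake to a port outside the known service baseline, repeated [PSH,ACK] transfers on that session, and a look at client-to-server payloads for command-like text. The packet records, addresses and the `KNOWN_SERVICE_PORTS` baseline are constructed assumptions.

```python
"""Flag bind-shell-like TCP sessions in packet records.

Added example, not part of the original notes. Records are constructed sample
data in a tshark-like layout:
(timestamp, src_ip, dst_ip, src_port, dst_port, flags, payload_bytes).
KNOWN_SERVICE_PORTS is an assumed baseline from an asset inventory.
"""
KNOWN_SERVICE_PORTS = {22, 80, 443}  # assumed: ports expected to be open on 10.0.0.20

# Constructed capture: a normal TLS session to 443, then a session to 4444 with
# several short request/response exchanges in both directions.
SAMPLE_PACKETS = [
    (1.0, "10.0.0.9", "10.0.0.20", 50001, 443, {"SYN"}, b""),
    (1.1, "10.0.0.20", "10.0.0.9", 443, 50001, {"SYN", "ACK"}, b""),
    (1.2, "10.0.0.9", "10.0.0.20", 50001, 443, {"ACK"}, b""),
    (1.3, "10.0.0.9", "10.0.0.20", 50001, 443, {"PSH", "ACK"}, b"\x16\x03\x01\x00\xf1"),
    (5.0, "10.0.0.5", "10.0.0.20", 54322, 4444, {"SYN"}, b""),
    (5.1, "10.0.0.20", "10.0.0.5", 4444, 54322, {"SYN", "ACK"}, b""),
    (5.2, "10.0.0.5", "10.0.0.20", 54322, 4444, {"ACK"}, b""),
    (5.3, "10.0.0.5", "10.0.0.20", 54322, 4444, {"PSH", "ACK"}, b"id\n"),
    (5.4, "10.0.0.20", "10.0.0.5", 4444, 54322, {"PSH", "ACK"}, b"uid=33(www-data) gid=33(www-data)\n"),
    (6.0, "10.0.0.5", "10.0.0.20", 54322, 4444, {"PSH", "ACK"}, b"uname -a\n"),
    (6.1, "10.0.0.20", "10.0.0.5", 4444, 54322, {"PSH", "ACK"}, b"Linux web01 5.15.0 ...\n"),
    (7.0, "10.0.0.5", "10.0.0.20", 54322, 4444, {"PSH", "ACK"}, b"ls -la\n"),
    (7.1, "10.0.0.20", "10.0.0.5", 4444, 54322, {"PSH", "ACK"}, b"total 12\ndrwxr-xr-x ...\n"),
]


def group_sessions(records):
    """Group packets by TCP 4-tuple; the bare SYN fixes who the client is."""
    sessions = {}
    for ts, src, dst, sport, dport, flags, payload in records:
        key = frozenset({(src, sport), (dst, dport)})
        s = sessions.setdefault(key, {"client": None, "server": None, "port": None,
                                      "handshake": False, "push_acks": 0,
                                      "client_payloads": []})
        if "SYN" in flags and "ACK" not in flags:
            s["client"], s["server"], s["port"] = src, dst, dport
        elif {"SYN", "ACK"} <= flags and dst == s["client"]:
            s["handshake"] = True          # [SYN][SYN,ACK] seen: connection established
        elif {"PSH", "ACK"} <= flags:
            s["push_acks"] += 1            # data transfer on this session
            if src == s["client"]:
                s["client_payloads"].append(payload)
    return list(sessions.values())


def unusual_port_handshakes(records, known_ports):
    """Completed handshakes to ports outside the baseline (ports that 'suddenly come up')."""
    return sorted((s["client"], s["server"], s["port"]) for s in group_sessions(records)
                  if s["handshake"] and s["port"] not in known_ports)


def looks_like_command(payload):
    """Short, printable, newline-terminated text is typical of interactive shell input."""
    text = payload.decode("ascii", errors="replace")
    return text.endswith("\n") and text.strip().isprintable() and len(text) < 200


def bind_shell_indicators(records, known_ports, min_push=4):
    """Sessions on non-baseline ports with repeated PSH/ACK traffic, plus the
    client-side payloads that look like typed commands, for the analyst to review."""
    findings = []
    for s in group_sessions(records):
        if not s["handshake"] or s["port"] in known_ports or s["push_acks"] < min_push:
            continue
        findings.append({
            "client": s["client"], "server": s["server"], "port": s["port"],
            "push_acks": s["push_acks"],
            "commands": [p.decode("ascii", errors="replace").strip()
                         for p in s["client_payloads"] if looks_like_command(p)],
        })
    return findings


if __name__ == "__main__":
    print("non-baseline handshakes:", unusual_port_handshakes(SAMPLE_PACKETS, KNOWN_SERVICE_PORTS))
    for f in bind_shell_indicators(SAMPLE_PACKETS, KNOWN_SERVICE_PORTS):
        print(f"{f['client']} -> {f['server']}:{f['port']}  "
              f"{f['push_acks']} PSH/ACK, commands {f['commands']}")
```

The port baseline does the heavy lifting: without an inventory of what each host is expected to serve, "uncommon port" reduces to a static list like 4444/5555, which an attacker can trivially avoid. The PSH/ACK count and the payload check are there to rank the non-baseline sessions rather than to stand alone.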
DOS/DDoS Activity
- Use vendor services, e.g. Cloudflare, Akamai, Link11, A10, Check Point
Defending Network-based Attack
- Firewall (filtering for URL, IP, ports and application layer)
- WAF
Tools
---