Cyber Threat Hunting

Network Threat Hunting with Outbound Traffic

In the complex environment of cybersecurity, proactive threat hunting is one of the best ways to stay one step ahead of potential security risks. Let’s explore a practical threat-hunting use case focusing on hunting with outbound traffic.

Objective: Baseline outbound network traffic using perimeter devices logs to identify anomalies and pinpoint potential malicious or suspicious network activities.

Log Source & Requirements: Firewall / IDS / IPS / UTM logs from application- and protocol-aware firewalls; packet analysis.

Duration: 7 to 180 Days.

Related MITRE Techniques: T1048, T1030, T1071, T1571, and T1572.

What to Hunt For:

Baseline outbound network traffic by network segments and device types (workstations/servers): Gain an understanding of normal network traffic patterns for specific segments and device types, facilitating quick anomaly detection.

Correlate firewall policy rule names with the actions taken: Identify gaps in network security controls by investigating policy rules, and differentiate between allowed and blocked network traffic.

Threat Analysis: What to Hunt For:

Identify anomalous and potentially malicious ports and application protocols: Conduct persistence and rarity analysis on ports and application protocols seen from only a few source IPs to detect potentially malicious patterns.

Review outbound network traffic for ports and protocols specific to certain devices: Investigate irregular or unexpected devices using ports and protocols that should only originate from specific devices (e.g. DNS servers over port 53).

Hunt for traffic where the port does not match the expected protocol: Reveal potential security risks by identifying variances such as SSH over port 8443, which may indicate attempts to bypass network filtering.

Observe network traffic to countries not part of the organization’s business operations: Analyze anomalies by identifying outbound traffic to countries rare or unusual to the organization’s business, especially those common in cybercrime activities.

Identify outbound network traffic with a high upload ratio, prolonged sessions, or repeated fixed-size data sessions: Hunt for potential data exfiltration attempts by monitoring traffic patterns with abnormal upload ratios, extended sessions, or fixed data increments.

Hunt for clients generating abnormal levels of blocked or denied network traffic: Inspect devices generating excessive blocked or denied traffic, revealing potential security policy violations.

Correlate network traffic data with threat intelligence lists: Enhance threat hunting by cross-referencing network traffic data with threat intelligence lists and identifying hits on known bad IPs.
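The hunts above (port/protocol mismatch, port ownership by device, upload ratio, rarity analysis and noisy denied hosts) worked through on a small constructed set of firewall flow records. This is an added example, not code from the original post; the record schema (src, dst, dport, app, sent, recv, action), the expected-port table and the list of hosts allowed to use port 53 are assumptions to adapt to your own firewall.

```python
from collections import Counter, defaultdict
def ev(src, dst, dport, app, sent, recv, action="allow"):
    """One application-aware firewall flow record (fields are an assumed schema)."""
    return dict(src=src, dst=dst, dport=dport, app=app, sent=sent, recv=recv, action=action)

# Constructed sample events, not real traffic: normal HTTPS browsing, one SSH-on-8443
# flow, one lopsided upload, one host hammering a blocked port, and a workstation
# sending DNS directly out instead of going through the DNS server.
EVENTS = [
    ev("10.1.1.10", "93.184.216.34", 443, "ssl", 2_000, 80_000),
    ev("10.1.1.10", "93.184.216.34", 443, "ssl", 3_000, 120_000),
    ev("10.1.1.11", "203.0.113.7", 8443, "ssh", 50_000, 4_000),
    ev("10.1.1.12", "198.51.100.9", 443, "ssl", 900_000, 20_000),
    ev("10.1.1.13", "198.51.100.20", 4444, "unknown", 500, 500, "deny"),
    ev("10.1.1.13", "198.51.100.21", 4444, "unknown", 500, 500, "deny"),
    ev("10.1.1.13", "198.51.100.22", 4444, "unknown", 500, 500, "deny"),
    ev("10.1.1.53", "8.8.8.8", 53, "dns", 300, 900),
    ev("10.1.1.14", "8.8.8.8", 53, "dns", 300, 900),
]

# Port each application is expected on, and the only hosts allowed to use a port.
EXPECTED_PORTS = {"ssh": {22}, "ssl": {443}, "dns": {53}, "http": {80}}
PORT_OWNERS = {53: {"10.1.1.53"}}  # assumed: only the DNS server resolves externally

def port_protocol_mismatch(events):
    """Flows whose identified application is not on its expected port (e.g. SSH over 8443)."""
    return [e for e in events
            if e["app"] in EXPECTED_PORTS and e["dport"] not in EXPECTED_PORTS[e["app"]]]

def unexpected_port_owner(events):
    """Flows on a restricted port that did not originate from an authorised device."""
    return [e for e in events
            if e["dport"] in PORT_OWNERS and e["src"] not in PORT_OWNERS[e["dport"]]]

def high_upload_ratio(events, ratio=5.0, min_sent=100_000):
    """Sessions that sent far more than they received: a data-exfiltration indicator."""
    return [e for e in events
            if e["sent"] >= min_sent and e["sent"] / max(e["recv"], 1) >= ratio]

def rare_destination_ports(events, max_sources=1):
    """Rarity analysis: destination ports used by only a few distinct source hosts."""
    sources = defaultdict(set)
    for e in events:
        sources[e["dport"]].add(e["src"])
    return {port: srcs for port, srcs in sources.items() if len(srcs) <= max_sources}

def noisy_denied_hosts(events, threshold=3):
    """Sources generating an abnormal volume of blocked/denied outbound traffic."""
    denies = Counter(e["src"] for e in events if e["action"] == "deny")
    return {host: n for host, n in denies.items() if n >= threshold}
```

Run each function over a 7 to 180 day export of your own flow logs rather than this sample, and tune the thresholds per network segment and device type so that the baseline, not a fixed number, decides what counts as rare.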

