CySA+

Network Based IoCs

  • Network DoS: exhaust bandwidth/connection resources on a server

    • Bandwidth consumption, spikes in traffic

    • Detected using monitoring and alerting

    • Having a baseline is useful

  • DDoS: Distributed Denial of Service, the same exhaustion launched from many sources at once, typically a botnet

  • DRDoS (Distributed Reflection DoS)

    • Attacker spoofs the victim's address as the source of requests sent to open reflectors

    • The reflectors' replies go to the victim

    • Request is smaller than the reply, so the attack is amplified as well as reflected

    • Common reflector protocols: HTTP, DNS, NTP

  • “Slashdotting”

    • A popular site posts a link and drives more legitimate traffic to a website than it can serve: an unintentional DoS

  • Beaconing IoCs

    • C2 – Command and control

    • Beaconing is the periodic check-in traffic an infected host sends to its C2 server; detection looks for that regularity in outbound traffic.

    • Regular, like a heartbeat (attackers add jitter to the interval to blunt simple checks)

    • Small footprint: each check-in is only a few hundred bytes

    • Changing IPs and domains, so block lists lag behind

    • Protocols: IRC, HTTP(S), DNS

    • dnscat2 can create a C2 tunnel through DNS queries and responses

    • Social media

    • Cloud services

    • Media files and documents (all three let the beacon blend in with legitimate traffic)

  • Peer to Peer (P2P) Communication IoCs

    • Workstation-to-workstation traffic is mostly “unwanted” on a corporate network anyway, so P2P C2 stands out once you look for it.

    • Hidden in SMB or IPP (Internet Printing Protocol), protocols that hosts do legitimately use among themselves

    • ARP is itself peer to peer traffic on the local segment, so unusual ARP volume between workstations is worth a look

    • ARP flooding usually indicates ARP spoofing (cache poisoning)

  • Rogue Devices IoCs

    • A rogue device is one that is unaccounted for on the network: unknown, unmanaged and unwanted

    • Detection: Human eyes, network mapping, wireless monitoring, traffic sniffing, NAC and intrusion detection, IP address management

  • Scans and Sweeps Events

    • A scan happening without your knowledge is not good news

    • Sweeping: probing many hosts for the same port or service (e.g., a ping sweep)

    • Fingerprinting: identifying the OS and service versions from how a host responds

    • Detected by IDS/IPS signatures that match known scan patterns

  • Non standard Port Usage IoCs

    • Well known ports: 0-1023 TCP/UDP

    • Registered ports: 1024-49151 TCP/UDP

    • Dynamic and Private range: 49152-65535 TCP/UDP

    • Assigned by IANA

    • Frequent use of the same dynamic-range port in network traffic requires investigation

    • Mismatched port/application IoC: the protocol seen on a port is not the one that port is known for (e.g., a shell or a non-TLS protocol on 443)

    • Netcat, cryptcat, socat, pupy: tools commonly used to bind a listener or shell to an arbitrary port

  • Data Exfiltration IoCs

    • Moving stolen data out of the network

    • HTTP(S) channel with public storage services

    • Web app attacks (SQLi and such), where the data leaves in the application's own responses

    • DNS as a channel (data encoded in queries and responses)

    • IM, P2P, email, FTP

    • Encrypted tunnels (IPsec, SSL/TLS), which hide the content from inspection

  • Covert Channels IoCs

    • Overt vs covert: an overt channel is what a protocol is meant to carry; a covert channel moves data in a way the protocol's users and monitors do not expect

    • Outbound traffic is seldom filtered, so covert channels are usually built on egress

      • Encoding data in protocol headers (unused or loosely checked fields)

      • Fragmentation

      • Encryption

      • Steganography

        • OpenStego

        • Snow (PowerShell) – hides data in the trailing whitespace of text files

      • Storage channels (write data somewhere the receiver can read it) and timing channels (modulate when events happen)
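An added example for the Beaconing IoCs section above (not code from the notes): it applies the heartbeat test to a constructed connection log. A (src, dst) pair that connects at near-constant intervals, sending a small and consistent number of bytes, scores as a beacon candidate. The thresholds and the sample records are assumptions to tune against your own baseline.

```python
"""Beacon detection over a constructed connection log (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample records (timestamp, src, dst, bytes_out); not real traffic.
SAMPLE_LOG = """\
2024-03-01T10:00:00 10.0.0.5 203.0.113.7 312
2024-03-01T10:00:01 10.0.0.5 198.51.100.20 5120
2024-03-01T10:05:01 10.0.0.5 203.0.113.7 318
2024-03-01T10:07:40 10.0.0.5 198.51.100.20 88000
2024-03-01T10:10:03 10.0.0.5 203.0.113.7 305
2024-03-01T10:15:02 10.0.0.5 203.0.113.7 311
2024-03-01T10:20:00 10.0.0.5 203.0.113.7 320
2024-03-01T10:22:15 10.0.0.5 198.51.100.20 1500
2024-03-01T10:25:01 10.0.0.5 203.0.113.7 309
2024-03-01T10:30:02 10.0.0.5 203.0.113.7 314
2024-03-01T11:48:00 10.0.0.5 198.51.100.20 2300
2024-03-01T12:03:10 10.0.0.5 198.51.100.20 640
"""


def parse_log(text):
    """Group records by (src, dst) -> list of (datetime, bytes_out)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, nbytes = line.split()
        flows[(src, dst)].append((datetime.fromisoformat(ts), int(nbytes)))
    return flows


def flow_stats(events, min_events=5):
    """Return (interval_cv, size_cv, mean_bytes) or None if too few events.

    cv = coefficient of variation (stdev / mean). A near-zero interval cv is
    the 'regular, like a heartbeat' signal; a low size cv is the 'small
    footprint' signal (check-ins carry almost the same payload every time).
    """
    if len(events) < min_events:
        return None
    events = sorted(events)
    intervals = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
    sizes = [s for _, s in events]
    return (pstdev(intervals) / mean(intervals), pstdev(sizes) / mean(sizes), mean(sizes))


def find_beacons(text, max_interval_cv=0.05, max_size_cv=0.25, max_mean_bytes=2048):
    """Return the (src, dst) pairs whose traffic looks like C2 beaconing.

    Thresholds are assumptions for the demo; tune them against a baseline.
    """
    hits = []
    for pair, events in parse_log(text).items():
        stats = flow_stats(events)
        if stats is None:
            continue
        interval_cv, size_cv, mean_bytes = stats
        if interval_cv <= max_interval_cv and size_cv <= max_size_cv and mean_bytes <= max_mean_bytes:
            hits.append(pair)
    return hits


if __name__ == "__main__":
    for pair, events in parse_log(SAMPLE_LOG).items():
        print(pair, flow_stats(events))
    print("beacon candidates:", find_beacons(SAMPLE_LOG))
```

Two caveats from the bullets above apply directly: implants add jitter, so `max_interval_cv` has to be loosened in practice and the interval distribution inspected rather than just its spread; and destinations rotate, so grouping by resolved domain or ASN rather than by IP catches more than this per-IP version.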

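An added example for the Non standard Port Usage IoCs section above (not from the notes): it classifies ports into the IANA ranges listed there and looks for the two IoCs named, a protocol that does not match its port and a dynamic-range port that keeps turning up. The protocol signatures, the table of expected ports and the connection records are small assumptions chosen for the demo.

```python
"""Port-range classification and port/application mismatch checks (added example)."""
from collections import Counter


def classify_port(port):
    """Map a TCP/UDP port number to its IANA range name."""
    if 0 <= port <= 1023:
        return "well-known"
    if 1024 <= port <= 49151:
        return "registered"
    if 49152 <= port <= 65535:
        return "dynamic"
    raise ValueError(f"not a port number: {port}")


def guess_protocol(payload):
    """Identify the application from the first client bytes (tiny signature table, an assumption)."""
    if payload[:1] == b"\x16" and payload[1:2] == b"\x03":
        return "tls"                      # TLS handshake record header
    if payload.startswith(b"SSH-"):
        return "ssh"                      # SSH version banner
    if payload[:4] in (b"\xffSMB", b"\xfeSMB"):
        return "smb"
    if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS"):
        return "http"
    return "unknown"


# Ports where each protocol is expected in this (assumed) environment.
EXPECTED_PORTS = {"http": {80, 8080, 8000}, "tls": {443, 8443}, "ssh": {22}, "smb": {445}}

# Constructed records: (src, dst, dport, first client bytes). Not real traffic.
RECORDS = [
    ("10.0.0.5", "93.184.216.34", 443, b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"),
    ("10.0.0.5", "203.0.113.7", 443, b"SSH-2.0-OpenSSH_8.9\r\n"),
    ("10.0.0.5", "203.0.113.9", 4444, b"GET /gate.php HTTP/1.1\r\nHost: 203.0.113.9\r\n"),
    ("10.0.0.7", "198.51.100.20", 22, b"SSH-2.0-OpenSSH_9.1\r\n"),
    ("10.0.0.6", "203.0.113.7", 55123, b"\x00\x1a\x9b\x44"),
    ("10.0.0.7", "203.0.113.7", 55123, b"\x00\x1a\x9b\x44"),
    ("10.0.0.8", "203.0.113.7", 55123, b"\x00\x1a\x9b\x44"),
    ("10.0.0.9", "203.0.113.7", 55123, b"\x00\x1a\x9b\x44"),
]


def find_port_iocs(records, repeat_threshold=3):
    """Return findings as (kind, dst, dport, detail) tuples."""
    findings = []
    # IoC 1: a recognised protocol on a port it is not expected on.
    for _, dst, dport, payload in records:
        proto = guess_protocol(payload)
        if proto != "unknown" and dport not in EXPECTED_PORTS[proto]:
            findings.append(("port-app-mismatch", dst, dport, proto))
    # IoC 2: the same dynamic-range destination port reused across many connections.
    dyn = Counter((dst, dport) for _, dst, dport, _ in records if classify_port(dport) == "dynamic")
    for (dst, dport), n in dyn.items():
        if n >= repeat_threshold:
            findings.append(("repeated-dynamic-port", dst, dport, n))
    return findings


if __name__ == "__main__":
    for finding in find_port_iocs(RECORDS):
        print(finding)
```

The unknown-payload case is deliberately not flagged on its own: a signature table this small cannot tell a custom protocol from noise, which is why the second check counts reuse instead of content. Network monitors such as Zeek do the protocol identification independently of port number, and their logs are the usual input for a check like this.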

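An added example for the Steganography bullets in the Covert Channels IoCs section (not from the notes, and not SNOW's actual file format): a simplified whitespace scheme that appends a secret's bits to each line of a text file as trailing spaces (0) and tabs (1), which most viewers never show, plus the detector a defender would run against it. A 1-byte length header limits the secret to 255 bytes (an assumption); the cover text and the secret are constructed.

```python
"""Whitespace steganography, SNOW-style, with a detector (added example)."""

# Constructed cover text; its visible content is unchanged by encoding.
COVER = """Quarterly review notes
- Migration of the payroll service is on track.
- Renewal of the wildcard certificate is scheduled.
- Two vendors still owe us their SOC 2 reports.
- Backup restore test passed in 41 minutes.
- Helpdesk ticket volume down 9% month on month.
Action items are tracked in the usual place.
Next meeting: first Monday of the quarter."""

SECRET = b"C2=10.1.1.1"   # constructed payload to hide

WS_CHARS = " \t"


def encode_whitespace(cover, secret, bits_per_line=16):
    """Append up to bits_per_line trailing space/tab characters per line (space=0, tab=1)."""
    if len(secret) > 255:
        raise ValueError("1-byte length header limits the secret to 255 bytes")
    payload = bytes([len(secret)]) + secret
    bits = "".join(f"{b:08b}" for b in payload)
    lines = cover.split("\n")
    if len(bits) > len(lines) * bits_per_line:
        raise ValueError("cover text has too few lines for this secret")
    out = []
    for line in lines:
        chunk, bits = bits[:bits_per_line], bits[bits_per_line:]
        tail = "".join("\t" if b == "1" else " " for b in chunk)
        # Strip any pre-existing trailing whitespace so the decoder sees only ours.
        out.append(line.rstrip(WS_CHARS) + tail)
    return "\n".join(out)


def decode_whitespace(text):
    """Read trailing space/tab characters back into bytes; b'' if nothing is hidden."""
    bits = ""
    for line in text.split("\n"):
        body = line.rstrip(WS_CHARS)
        bits += "".join("1" if c == "\t" else "0" for c in line[len(body):])
    if len(bits) < 8:
        return b""
    length = int(bits[:8], 2)
    return bytes(int(bits[i:i + 8], 2) for i in range(8, 8 + 8 * length, 8))


def trailing_whitespace_ratio(text):
    """Detector: fraction of lines ending in space/tab. Clean text is close to 0."""
    lines = text.split("\n")
    return sum(1 for line in lines if line and line[-1] in WS_CHARS) / len(lines)


if __name__ == "__main__":
    stego = encode_whitespace(COVER, SECRET)
    print(stego)                                   # looks identical to COVER
    print("hidden:", decode_whitespace(stego))
    print("trailing-whitespace ratio: clean %.2f, stego %.2f"
          % (trailing_whitespace_ratio(COVER), trailing_whitespace_ratio(stego)))
```

The ratio check is cheap enough to run on outbound documents and mail; the two simple evasions are to spread the bits over many more lines (lower ratio per file) and to mix in trailing whitespace on every line of a large cover, which is why a sane policy strips trailing whitespace on egress rather than trying to prove intent.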