Most modern malware operates as part of a system. Whether it's a multi-part kill chain with droppers and payloads, a botnet with command and control servers, or ransomware encrypting files, the malware on the compromised system talks to other systems over the internet.
At some point the bad guy or malware must initiate an outbound connection to exfiltrate data but likely much earlier just to beacon itself and communicate with command and control servers.
If you have been compromised, and didn't catch malware on the way in, you can often find it by monitoring outbound network connections.
In this webinar I discuss the Top 8 Things to Analyze in Outbound connections from your network to the Internet:
- Reputation of destination IPs and domains
- DNS queries from clients on your network
- Suspect traffic patterns
- Unrecognized protocols
- Masquerading protocols
- Known signatures
- Prohibited protocols
- DLP indicators
For as many of these as possible I will show you actual examples with packet capture and analysis. Obviously you could manually analyze all this data, but we'll talk about automation because it's easier to find a needle in a haystack with a metal detector and conveyer belt than with a pair of tweezers.
We'll also dive into what options are available for monitoring outbound connections? How much of this can you accomplish from, say, a syslog feed from your firewall? And do you have enough visibility into all your outbound connections to catch intrusions?
For packet analysis I'll be using LogRhythm's Network Monitor Freemium and Rob McGovern will briefly show how Network Monitor works.
Don't miss this real training for free event ™. Please register now.