60% of small companies go out of business within six months of falling victim to a data breach or cyber attack. With both the financial security and future of your business on the line, it’s crucial for organizations of all sizes to have measures in place to monitor suspicious network activity.
On Friday, October 25th, Rachid Belouche gave us a wonderful presentation on this critical topic: an in-depth talk that raised awareness of how malware works and what should be done to detect and combat it. Here’s a breakdown of the major points we ran through:
What Constitutes Suspicious Activity?
Suspicious network activity can refer to a number of different behaviors that involve abnormal access patterns, database activities, file changes, and other out-of-the-ordinary actions that can indicate an attack or data breach. Being able to recognize these activities is important, as it can help pinpoint the source and nature of the breach, allowing you to act quickly to correct the security threat and minimize damage. The most common examples of attack vectors are:
– DNS Tunneling (sending sensitive data inside the payload of the DNS protocol to avoid being detected while transmitting the confidential data)
– Pivoting (a technique of using an instance to move around inside a network)
– SQLi (using SQL injection vulnerabilities to bypass application security measures)
– Reflected XSS (a script is activated through a link, which sends a request to a website with a vulnerability that enables execution of malicious scripts)
– RCE (Remote Code Execution; the process by which an agent can exploit a network vulnerability to run arbitrary code on a targeted machine or system)
– OS Command Injection (occurs when an attacker attempts to execute system-level commands through a vulnerable web application)
– CSRF (Cross-Site Request Forgery; allows an attacker to partly circumvent the same-origin policy, which is designed to prevent different websites from interfering with each other)
– LFI (Local File Inclusion; occurs when an application uses the path to a file as input)
There are a couple of tools we should be able to use to identify and get rid of red flags: Syslog, SIEM (ELSA, Splunk, Intel Security…)
Checking the 5-tuple information using PCAP analysis helps in identifying patterns of suspicious behaviour.
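As an added example (not code from the presentation), the 5-tuple check can be done with standard-library Python: read a classic little-endian Ethernet pcap, count packets per (source IP, destination IP, source port, destination port, protocol), and report source/destination pairs that touch many distinct ports. The sample capture, the addresses, the function names and `port_threshold` are constructed assumptions for illustration.

```python
import socket
import struct
from collections import Counter, defaultdict

def five_tuples(pcap: bytes):
    """Yield (src, dst, sport, dport, proto) for each IPv4 TCP/UDP packet."""
    if struct.unpack("<I", pcap[:4])[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian classic pcap is handled here")
    if struct.unpack("<I", pcap[20:24])[0] != 1:
        raise ValueError("only the Ethernet link type is handled here")
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack("<I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 (ARP, IPv6) or truncated
        if struct.unpack("!H", frame[20:22])[0] & 0x1FFF:
            continue  # later IP fragment: carries no port fields
        ihl = (frame[14] & 0x0F) * 4  # IPv4 header length in bytes
        proto = frame[23]
        l4 = frame[14 + ihl:14 + ihl + 4]
        if proto not in (6, 17) or len(l4) < 4:
            continue  # keep TCP (6) and UDP (17) only
        sport, dport = struct.unpack("!HH", l4)
        yield (socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34]),
               sport, dport, proto)

def summarize(pcap: bytes, port_threshold: int = 10):
    """Return (packets per 5-tuple, {(src, dst): distinct dst ports >= threshold})."""
    flows = Counter(five_tuples(pcap))
    ports = defaultdict(set)
    for src, dst, _sport, dport, _proto in flows:
        ports[(src, dst)].add(dport)
    fanout = {k: len(v) for k, v in ports.items() if len(v) >= port_threshold}
    return flows, fanout

def _pkt(src, dst, sport, dport, proto=6):
    # Constructed sample frame: Ethernet + minimal IPv4 header + ports (checksums zero).
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    frame = b"\x00" * 12 + b"\x08\x00" + ip + struct.pack("!HH", sport, dport)
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

# Constructed capture: one ordinary HTTPS flow plus one host probing 12 ports.
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
SAMPLE_PCAP += b"".join(_pkt("10.0.0.5", "10.0.0.9", 40000, 443) for _ in range(3))
SAMPLE_PCAP += b"".join(_pkt("10.0.0.7", "10.0.0.9", 50000 + p, p) for p in range(20, 32))

if __name__ == "__main__":
    print(summarize(SAMPLE_PCAP)[1])
```

On a real capture, tune `port_threshold` to the environment, since scanners and monitoring systems legitimately touch many ports.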
It was a very interactive presentation, since we got to experience real-time examples that helped a lot in understanding the core of the topic and in becoming aware of how important securing network environments has become. So thank you, Rachid, for sharing this with us.