Network Threats
Most malware performs command-and-control operations over the network
Threat hunters search through network traffic for potentially malicious content
An inventory of the listening ports on the network, and of the services expected behind them (SMTP, HTTP, FTP, proxy servers, etc.), is extremely valuable for threat hunting
External monitoring servers may also be set up to aid in traffic monitoring
Concepts
Understanding fundamental networking concepts is an essential skill for a threat hunter
Malware frequently abuses common protocols to communicate with its controlling servers
Important concepts include:
The networking stack (TCP, UDP, ICMP and IP)
Common protocols (DNS, HTTP, etc)
How common protocols should (and shouldn't) be used
Understanding what's "normal" helps with identifying important anomalies
Devices and communications
When threat hunting, no device on the network should be ignored
Attackers may move laterally within the network to search for additional data, cover their tracks or achieve persistence
A complete network diagram detailing the devices on the network and their expected operations (webserver, email server, workstation, etc) is a huge asset to a threat hunter
This information helps differentiate a malicious anomaly from the noise
Session recording
Recording data at the session or flow level can be valuable for statistical and trend analysis, for example spotting a host that contacts the same external endpoint at regular intervals (beaconing) without capturing full packets
Windows
TDIMon
Linux/Unix
Argus
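Added example (not from the original page or from the Argus project) of the kind of statistical check flow records make possible: the records below are constructed to resemble the CSV that an Argus client such as `ra` can emit (start time, protocol, addresses, ports, packets, bytes); the hosts, timings and the 10 % interval-regularity threshold are hypothetical. The check groups flows by (source, destination, destination port) and flags peers contacted at near-constant intervals, which is what a beaconing implant looks like at the flow level.

```python
"""Flow-level beacon hunting over Argus-style session records (added example)."""
import csv
import io
import statistics
from collections import defaultdict

# Constructed sample in the shape of `ra -c , -s stime proto saddr sport daddr dport pkts bytes`.
# Hypothetical hosts: 10.0.0.5 talks to 203.0.113.7:443 roughly every 60 s with
# near-identical sizes (beacon-like) and browses 198.51.100.20 irregularly.
SAMPLE_FLOWS = """\
stime,proto,saddr,sport,daddr,dport,pkts,bytes
1700000000,tcp,10.0.0.5,49152,203.0.113.7,443,8,1200
1700000010,tcp,10.0.0.5,49160,198.51.100.20,443,40,35000
1700000025,tcp,10.0.0.5,49161,198.51.100.20,443,120,210000
1700000061,tcp,10.0.0.5,49153,203.0.113.7,443,8,1210
1700000119,tcp,10.0.0.5,49154,203.0.113.7,443,8,1195
1700000180,tcp,10.0.0.5,49155,203.0.113.7,443,8,1203
1700000190,tcp,10.0.0.5,49162,198.51.100.20,443,15,9000
1700000195,tcp,10.0.0.5,49163,198.51.100.20,443,60,88000
1700000240,tcp,10.0.0.5,49156,203.0.113.7,443,8,1207
1700000299,tcp,10.0.0.5,49157,203.0.113.7,443,8,1199
1700000300,udp,10.0.0.5,53412,10.0.0.2,53,2,180
1700000361,tcp,10.0.0.5,49158,203.0.113.7,443,8,1204
1700000400,tcp,10.0.0.5,49164,198.51.100.20,443,30,22000
1700000420,tcp,10.0.0.5,49159,203.0.113.7,443,8,1201
"""


def parse_flows(text):
    """Parse CSV flow records into dicts with numeric fields converted."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "stime": float(row["stime"]),
            "proto": row["proto"],
            "saddr": row["saddr"],
            "daddr": row["daddr"],
            "dport": int(row["dport"]),
            "pkts": int(row["pkts"]),
            "bytes": int(row["bytes"]),
        })
    return rows


def beacon_candidates(flows, min_flows=6, max_cv=0.1):
    """Return peers contacted at near-regular intervals.

    For every (saddr, daddr, dport) with at least `min_flows` sessions, the
    coefficient of variation (stdev / mean) of the gaps between session start
    times is computed; a CV at or below `max_cv` means the timing is regular
    enough to be worth a closer look. Thresholds are hypothetical starting
    points, not tuned values.
    """
    by_peer = defaultdict(list)
    for f in flows:
        by_peer[(f["saddr"], f["daddr"], f["dport"])].append((f["stime"], f["bytes"]))

    hits = []
    for key, sessions in by_peer.items():
        if len(sessions) < min_flows:
            continue
        sessions.sort()
        times = [t for t, _ in sessions]
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.stdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            hits.append({
                "key": key,
                "flows": len(sessions),
                "mean_interval": mean,
                "cv": cv,
                "total_bytes": sum(b for _, b in sessions),
            })
    # Most regular timing first.
    return sorted(hits, key=lambda h: h["cv"])


if __name__ == "__main__":
    for hit in beacon_candidates(parse_flows(SAMPLE_FLOWS)):
        src, dst, port = hit["key"]
        print(f"{src} -> {dst}:{port}  {hit['flows']} flows, "
              f"every {hit['mean_interval']:.1f}s (cv={hit['cv']:.3f}), "
              f"{hit['total_bytes']} bytes")
```

On real data the interesting output is usually the short list of low-CV peers that are not in the expected-operations inventory for that host; jittered beacons raise the CV, so the threshold should be widened rather than relied on as a hard cut-off.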
Packet capture
Hunters may use various tools for capturing data packets for in-depth analysis of traffic
Windows
Windump
Wireshark/Ethereal
Linux/Unix
tcpdump
Wireshark/Ethereal
Network state monitoring
Network state monitoring tools allow hunters to easily view active TCP/UDP endpoints and their connection statuses
Windows
tcpvcon
Netstat
Fport
Linux/Unix
lsof
Netstat
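Added example (not from the original page or from any of the tools it lists) tying the network-state tools back to the expected-operations inventory: it parses `netstat -an` style output from both Windows and Linux and reports listeners that the host's role baseline does not account for, plus the established remote endpoints worth cross-checking against flow data. Both netstat samples, the role baselines and the flagged ports are constructed for the example.

```python
"""Check a host's listening endpoints against its expected role (added example)."""
from collections import namedtuple

Endpoint = namedtuple("Endpoint", "proto local_ip local_port remote_ip remote_port state")

LISTEN_STATES = {"LISTEN", "LISTENING"}
KNOWN_STATES = LISTEN_STATES | {"ESTABLISHED", "TIME_WAIT", "CLOSE_WAIT",
                                "SYN_SENT", "SYN_RECV", "FIN_WAIT1", "FIN_WAIT2"}

# Constructed `netstat -an` output, Windows layout (hypothetical workstation).
WINDOWS_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:4444      0.0.0.0:0              LISTENING
  TCP    192.168.1.10:49712     203.0.113.7:443        ESTABLISHED
  TCP    [::]:445               [::]:0                 LISTENING
  UDP    0.0.0.0:123            *:*
"""

# Constructed `netstat -an` output, Linux layout (hypothetical web server).
LINUX_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6667            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.8:22             10.0.0.5:51822          ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
"""

# Hypothetical baselines taken from the network diagram: (proto, port) a host
# in this role is expected to listen on.
WORKSTATION_BASELINE = {("tcp", 135), ("tcp", 445), ("udp", 123)}
WEBSERVER_BASELINE = {("tcp", 22), ("tcp", 80), ("udp", 68)}


def _split_addr(addr):
    """Split 'host:port' (IPv4, [IPv6] or ::: forms); a '*' port becomes None."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Parse netstat -an lines in either the Windows or the Linux layout."""
    endpoints = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].lower() not in ("tcp", "tcp6", "udp", "udp6"):
            continue  # headers, blank lines, unix sockets
        addrs = [f for f in fields if ":" in f]
        if len(addrs) < 2:
            continue
        local_ip, local_port = _split_addr(addrs[0])
        remote_ip, remote_port = _split_addr(addrs[1])
        state = fields[-1].upper() if fields[-1].upper() in KNOWN_STATES else ""
        proto = "udp" if fields[0].lower().startswith("udp") else "tcp"
        endpoints.append(Endpoint(proto, local_ip, local_port, remote_ip, remote_port, state))
    return endpoints


def listeners(endpoints):
    """Listening sockets: TCP in LISTEN/LISTENING, or UDP bound with a wildcard peer."""
    return [e for e in endpoints
            if e.state in LISTEN_STATES or (e.proto == "udp" and e.remote_port is None)]


def unexpected_listeners(endpoints, baseline):
    """Sorted (proto, port, local_ip) tuples for listeners absent from the baseline."""
    found = {(e.proto, e.local_port, e.local_ip) for e in listeners(endpoints)
             if e.local_port is not None and (e.proto, e.local_port) not in baseline}
    return sorted(found)


def established_remotes(endpoints):
    """Sorted 'ip:port' strings for the remote side of established connections."""
    return sorted({f"{e.remote_ip}:{e.remote_port}" for e in endpoints
                   if e.state == "ESTABLISHED"})


if __name__ == "__main__":
    for name, sample, baseline in (("workstation", WINDOWS_SAMPLE, WORKSTATION_BASELINE),
                                   ("webserver", LINUX_SAMPLE, WEBSERVER_BASELINE)):
        eps = parse_netstat(sample)
        print(name, "unexpected listeners:", unexpected_listeners(eps, baseline))
        print(name, "established remotes:", established_remotes(eps))
```

The unexpected-listener list is the output to chase with a process-aware tool (tcpvcon or `lsof -i` will name the owning process); the established-remote list is what you join against flow or packet data for the same host.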