Network-related

1.2 Given a scenario, analyze indicators of potentially malicious activity.

📘CompTIA CySA+ (CS0-003)

In cybersecurity, malicious activity often leaves traces in network behavior. Analysts look for unusual patterns in traffic, connections, and devices to detect attacks. These patterns are called indicators of compromise (IOCs). Below, we discuss common network-related IOCs.

1. Bandwidth Consumption

  • What it is: Bandwidth is the amount of data transmitted over the network in a given time. Normal network use has predictable patterns.
  • Indicator of malicious activity:
    • Sudden high bandwidth usage can indicate data exfiltration, where attackers steal data from your network.
    • A DDoS attack (Distributed Denial of Service) can flood your network with traffic, consuming bandwidth and slowing down services.
  • How to detect:
    • Monitor network traffic using tools like Wireshark, NetFlow, or SIEM systems.
    • Compare current usage to historical baseline patterns.

2. Beaconing

  • What it is: Beaconing is when a device regularly contacts a remote server at set intervals.
  • Indicator of malicious activity:
    • Malware often phones home to a command-and-control (C2) server.
    • Regular, automated connections from internal devices to external IPs can signal infected machines.
  • How to detect:
    • Look for repeated outbound connections to the same IP on unusual ports.
    • Use network monitoring tools to identify patterns that match scheduled, automated traffic.

3. Irregular Peer-to-Peer (P2P) Communication

  • What it is: P2P communication is when devices exchange data directly without going through a central server.
  • Indicator of malicious activity:
    • Normal business networks rarely use P2P. Unexpected P2P traffic may indicate:
      • Malware spreading internally
      • Unauthorized file sharing
  • How to detect:
    • Monitor traffic flows to see if internal devices communicate in ways they shouldn’t.
    • Use firewalls or intrusion detection systems (IDS) to flag unusual P2P protocols.

4. Rogue Devices on the Network

  • What it is: Any device connected to the network that isn’t authorized.
  • Indicator of malicious activity:
    • Unauthorized laptops, phones, or IoT devices can be used by attackers to:
      • Sniff network traffic
      • Access sensitive systems
      • Install malware
  • How to detect:
    • Maintain an inventory of authorized devices.
    • Use network access control (NAC) to detect and block unknown devices.
    • Monitor ARP tables or DHCP logs for unexpected IP addresses or MAC addresses.

5. Scans/Sweeps

  • What it is: Attackers often scan networks to find vulnerable systems.
  • Indicator of malicious activity:
    • A port scan checks which ports are open on a system.
    • A network sweep looks for active hosts.
  • How to detect:
    • IDS/IPS systems can detect port scanning behavior.
    • Look for repeated connection attempts across multiple IP addresses or ports in logs.

6. Unusual Traffic Spikes

  • What it is: Traffic spikes are sudden increases in data sent or received by a device or network.
  • Indicator of malicious activity:
    • Could indicate DDoS attacks, data exfiltration, or worm activity spreading across the network.
    • Spikes outside normal working hours are especially suspicious.
  • How to detect:
    • Compare traffic against baseline metrics.
    • SIEM dashboards can alert analysts when traffic exceeds normal thresholds.

7. Activity on Unexpected Ports

  • What it is: Ports are logical pathways used by applications to send and receive data.
  • Indicator of malicious activity:
    • Malware or attackers may use non-standard ports to bypass firewalls or security monitoring.
    • For example, a web application normally uses port 80 (HTTP) or 443 (HTTPS). If traffic suddenly appears on port 8080 or 5555, it may be suspicious.
  • How to detect:
    • Monitor firewall and IDS/IPS logs for unusual port usage.
    • Maintain a whitelist of allowed ports and protocols for your network.

Key Takeaways for the Exam

  • Pattern recognition is crucial: Compare network activity against baseline patterns to spot anomalies.
  • Tools are your friends: SIEM, IDS/IPS, network traffic analyzers, and NAC can help detect malicious activity.
  • No single indicator proves compromise: Often, a combination of IOCs is used to confirm malicious activity.

Exam Tip:
When a question describes network behavior (like sudden traffic spikes or unusual connections to external IPs), think: “Which indicator of compromise does this match?” and match it to the list above. Many CySA+ questions test your ability to recognize these IOCs in scenario-based questions.

Buy Me a Coffee

Powered by
Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
None
Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
None
Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
None
Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
None
Powered by