Episode Details

Back to Episodes
Course 6 - Network Traffic Analysis for Incident Response | Episode 5: Scanning, Covert Data Exfiltration, DDoS Attacks and IoT Exploitation

Course 6 - Network Traffic Analysis for Incident Response | Episode 5: Scanning, Covert Data Exfiltration, DDoS Attacks and IoT Exploitation

Published 6 months, 1 week ago
Description
In this lesson, you’ll learn about: Network Threat Analysis — understanding how common attacks and advanced malware appear in real traffic captures, and how to extract intelligence from them. Part 1 — Analysis of Common Network Threats 1. Network Scanning Techniques Attackers scan networks to discover targets, services, and vulnerabilities. Demonstrations cover several scanning styles: SYN / Half-Open Scan
  • Sends SYN packets without completing the handshake.
  • Target responses reveal open vs. closed ports.
Full Connect Scan
  • Completes the full TCP three-way handshake.
  • More noticeable but highly accurate.
Xmas Tree Scan
  • Uses abnormal TCP flags: FIN + PUSH + URG.
  • Leveraged to probe how systems respond to malformed packets.
Zombie / Idle Scan
  • Uses an unwitting third-party host (“zombie”) to hide attacker identity.
  • Tracks incremental IP ID numbers to infer open ports.
Network Worm Scanning (e.g., WannaCry)
  • Worms scan many IPs for a single vulnerable port, such as SMB 445.
  • High-volume, repetitive traffic is a key signature.
2. Data Exfiltration (Covert Channels) Focus: understanding how attackers hide stolen data inside legitimate-appearing traffic. Covert SMB Channel
  • Data leaked one byte at a time inside SMB packets.
  • Requires:
    • Reviewing thousands of similar packets,
    • Extracting embedded data,
    • Base64 decoding,
    • Reversing the result,
    • Revealing hidden Morse code.
ICMP Abuse
  • Attackers embed data into ICMP type fields, reconstructing files (e.g., a GIF).
  • Difficult to detect because ICMP is normally used for diagnostics, not data transfer.
3. Distributed Denial of Service (DDoS) Attacks Explains why DDoS attacks remain common—cheap cloud resources, insecure IoT devices, accessible botnets. Volumetric SYN Flood
  • Floods a port (like HTTP 80) with incomplete handshakes.
  • Exhausts server connection capacity.
HTTP Flood
  • Sends massive amounts of GET/POST requests.
  • Harder to distinguish from normal traffic.
Amplification / Reflection Attacks
  • Small spoofed request → massive response to victim.
  • Examples:
    • Cargen protocol: 1-byte request → 748-byte response.
    • Memcache: tiny request → multi-megabyte responses from cached data.
4. IoT Device Exploitation Demonstration focuses on how attackers compromise weak devices such as DVRs.
  • Many IoT devices use default credentials and insecure services like Telnet.
  • Attack flow typically involves:
    1. Logging in via Telnet.
    2. Attempting to download malware (e.g., Mirai ELF binary).
    3. When automated delivery (TFTP) fails → manually reconstructing binaries using echo.
    4. Device joins a botnet and starts scanning other victims.
Part 2 — In-Depth Malware Case Studies 1. Remote Access Trojans (RATs)
  • Traffic begins with system information reporting from the infected host.
  • Followed by persistent command-and-control (C2) communication.
2. Fileless Malware
  • Malware runs directly in memory, leaving minimal filesystem artifacts.
  • Often, network traffic is the only complete copy of the payload available.
3. Network Worms
  • Automate scanning and propagation.
  • Look for specific open ports, then exploit and install themselves.
4. Multi-Stage Malware
  • Downloader retrieves multiple malware families.
  • Identifying each
Listen Now

Love PodBriefly?

If you like Podbriefly.com, please consider donating to support the ongoing development.

Support Us