CompTIA CySA+ CS0-003: Network-related malicious indicators

There are several network-related indicators of potentially malicious activity. First, we have bandwidth consumption. Bandwidth consumption is measured against the amount of data the network is able to transmit, and it is usually tracked by a network performance monitor. If you detect high consumption, pinpoint the process that is causing it and analyze the cause using Wireshark or a similar tool. On a Microsoft Windows computer, for example, you can simply type perfmon -res in the Run box and find out which process is causing the high usage. There may be multiple reasons why bandwidth usage is high, from malicious traffic to critical updates in progress. After analyzing, one should come up with a process to troubleshoot and resolve the issue.

Beaconing is a type of command-and-control communication between your computer and a server. If your computer has been infected, it will try to beacon to the command center to say "I'm still infected and able to be controlled by you." This usually means your computer has been infected by malware and is part of a botnet. Botnets are used by threat actors for denial-of-service attacks that require a lot of computing power. Beaconing occurs at random intervals and in randomized frames, bypassing most anti-virus solutions on the market. One of the most effective ways to detect it is to create a baseline using a network monitoring tool and identify anomalies. You'll be able to see when an anomaly started and identify what has changed (new patches, new software, etc.) since then, to narrow down the list of potential threats. Some beacons can be tied to legitimate software updates, and it is up to the security analyst to pinpoint the actual threat.
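As an added example (not part of the original notes), the baseline-and-anomaly idea above can be turned into a simple periodicity check: group outbound connections by source and destination, measure the gaps between them, and flag pairs whose gaps are nearly constant even after jitter. The log format and the sample lines are constructed for illustration, not taken from any real tool.

```python
"""Beacon-candidate detection over constructed connection logs (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines: "timestamp src dst:port bytes" (not real traffic).
# The first destination is contacted roughly every 60 s with small jitter;
# the second is contacted at irregular, human-looking times.
SAMPLE_LOG = """\
2024-03-01T10:00:00 10.0.0.5 203.0.113.7:443 512
2024-03-01T10:01:02 10.0.0.5 203.0.113.7:443 498
2024-03-01T10:01:59 10.0.0.5 203.0.113.7:443 520
2024-03-01T10:03:03 10.0.0.5 203.0.113.7:443 505
2024-03-01T10:04:00 10.0.0.5 203.0.113.7:443 511
2024-03-01T10:05:01 10.0.0.5 203.0.113.7:443 499
2024-03-01T10:00:10 10.0.0.5 198.51.100.20:443 90000
2024-03-01T10:47:33 10.0.0.5 198.51.100.20:443 120000
2024-03-01T11:05:12 10.0.0.5 198.51.100.20:443 3000
2024-03-01T12:30:00 10.0.0.5 198.51.100.20:443 7000
2024-03-01T12:31:00 10.0.0.5 198.51.100.20:443 6500
"""

def parse_log(text):
    """Return {(src, dst): [datetime, ...]} with timestamps sorted per pair."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _nbytes = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return {pair: sorted(times) for pair, times in flows.items()}

def beacon_candidates(flows, min_conns=5, max_cv=0.2):
    """Flag (src, dst) pairs whose inter-connection gaps are nearly periodic.
    cv = stdev / mean of the gaps. Real beacons add jitter, so a small but
    non-zero cv is still flagged, while bursty browsing (high cv) is not."""
    hits = []
    for pair, times in flows.items():
        if len(times) < min_conns:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append({"pair": pair, "mean_gap_s": round(avg, 1), "cv": round(cv, 3)})
    return hits

if __name__ == "__main__":
    for hit in beacon_candidates(parse_log(SAMPLE_LOG)):
        print(hit)  # prints the 203.0.113.7:443 pair with a ~60 s mean gap
```

Any pair this flags still has to be checked against the baseline and recent changes (new software, update agents), since legitimate updaters also poll on a schedule.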

Most of the time, P2P (peer-to-peer) communications between hosts are legitimate, unless unprivileged or privileged accounts start connecting to regular workstations or other hosts, which may indicate lateral movement within a network. Another abnormal P2P indicator may be logs that show repeated failed logins. These may be caught using security logs.

Rogue devices are another concern for businesses. They are simply unauthorized nodes on a network, and they can be prevented with comply-to-connect, a framework to discover, identify, characterize, and report on all devices connecting to the network. It scans/sweeps the network and reports on any issues.