Adversary behavioral identification involves identifying the common methods or techniques an adversary follows to launch attacks and penetrate an organization's network.
Behavioral identification gives security analysts insight into upcoming threats and exploits. It helps them build the network security infrastructure and adopt various security procedures as countermeasures against a range of cyber-attacks.
Given below are some of the behaviors of an adversary that can be used to enhance the detection capabilities of security devices:
Internal reconnaissance
Once the adversary is inside the target network, he/she follows various techniques and methods to carry out internal reconnaissance. This includes enumeration of systems, hosts, and processes; execution of various commands to find out the local user context and system configuration, host name, IP addresses, active remote systems, and programs running on the target systems; etc. Security analysts can monitor the activities of an adversary by checking for unusual commands executed in batch scripts and PowerShell, and by using packet capturing tools.
Use of PowerShell
PowerShell can be used by an adversary as a tool for automating data exfiltration and launching further attacks. To identify the misuse of PowerShell in the network, security analysts can check the PowerShell transcript logs or the Windows event logs. The user agent string and IP addresses can be used to identify the malicious hosts that attempt to exfiltrate the data.
Unspecified Proxy Activities
An adversary can create and configure multiple domains pointing to the same host, allowing the adversary to switch quickly between the domains to avoid detection. Security analysts can find unspecified domains by checking the data feeds generated by those domains. Using this data feed, security analysts can also determine the malicious files downloaded and the unsolicited communication with the outside network based on those domains.
Use of Command-Line Interface
After gaining access to the target system, an adversary can make use of the command-line interface to interact with the target system, browse the files, read file content, modify file content, create new accounts, connect to remote systems, and download and install malicious code. Security analysts can identify this behavior of an adversary by checking the logs for process IDs, processes whose names consist of arbitrary letters and numbers, and malicious files downloaded from the Internet.
HTTP User Agent
In HTTP-based communication, the server identifies the connecting HTTP client using the user agent field. An adversary modifies the content of the HTTP user agent field to communicate with the compromised system and to carry out further attacks. Therefore, the security analyst can identify the attack at an initial stage by checking the content of the user agent field.
Command and Control Server
Adversaries use command and control servers to communicate remotely with compromised systems through an encrypted session. Using this encrypted channel, the adversary can steal data, delete data, and launch further attacks. Security analysts can detect compromised hosts or networks by identifying the presence of a command and control server, which is done by tracking network traffic for outgoing connection attempts, unwanted open ports, etc.
Use of DNS Tunneling
Adversaries use DNS tunneling to hide malicious traffic within the legitimate traffic carried by protocols commonly used in the network, so that it does not raise any alert. Using DNS tunneling, an adversary can also communicate with the command and control server, bypass security controls, and perform data exfiltration. Security analysts can identify DNS tunneling by analyzing malicious DNS requests, the DNS payload, unspecified domains, and the destination of DNS requests.
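One way to apply the DNS tunneling checks described above (query type, length and entropy of the leftmost label, and the number of suspicious queries per domain) to a DNS query log, as an added example that is not part of the original page. The log format, field order and scoring thresholds are assumptions, and the log lines are constructed.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample DNS query log (time, client, qtype, qname); not real traffic.
SAMPLE_DNS_LOG = """\
10:00:01 10.0.0.5 A www.example.com
10:00:02 10.0.0.5 A cdn.example.com
10:00:03 10.0.0.9 TXT 4a6f686e2044616f5f73656372.t.example-tunnel.net
10:00:03 10.0.0.9 TXT 5365636f6e64206c696e65206f6620.t.example-tunnel.net
10:00:04 10.0.0.9 TXT 5468697264206c696e6520686572652e.t.example-tunnel.net
10:00:05 10.0.0.9 TXT 466f757274682e2e2e2e2e2e2e2e2e.t.example-tunnel.net
10:00:06 10.0.0.5 A mail.example.com
"""
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
PAYLOAD_QTYPES = {"TXT", "NULL"}  # record types that carry arbitrary data


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payload scores higher than dictionary words."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def registrable_domain(qname: str) -> str:
    """Naive: last two labels ('x.t.example-tunnel.net' -> 'example-tunnel.net')."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def query_score(qtype: str, qname: str) -> int:
    """One point per tunneling indicator: payload qtype, long label, high-entropy label."""
    leftmost = qname.split(".")[0]
    return (int(qtype in PAYLOAD_QTYPES) + int(len(leftmost) >= 20)
            + int(shannon_entropy(leftmost) >= 3.0))


def find_dns_tunneling(log_text: str, min_score: int = 2, min_hits: int = 3) -> dict:
    """Flag registrable domains receiving >= min_hits queries that score >= min_score."""
    stats = defaultdict(lambda: {"hits": 0, "subdomains": set(), "clients": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on them
        _, client, qtype, qname = m.groups()
        if query_score(qtype, qname) >= min_score:
            s = stats[registrable_domain(qname)]
            s["hits"] += 1
            s["subdomains"].add(qname)
            s["clients"].add(client)
    return {d: s for d, s in stats.items() if s["hits"] >= min_hits}
```

Calling `find_dns_tunneling(SAMPLE_DNS_LOG)` returns only `example-tunnel.net`, with four unique subdomains from one client, while the ordinary A lookups for `example.com` score zero.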
Analyzing server access, error logs, suspicious strings indicating encryption, user agent strings, etc.
After a successful penetration into a target's network, the adversary uses data staging techniques to collect and combine as much data as possible. The data collected by an adversary includes sensitive data about the employees and customers, business tactics of the organization, financial information, and network infrastructure information. Once collected, the adversary can either exfiltrate or destroy the data. Security analysts can detect data staging by monitoring network traffic for malicious file transfers, file integrity monitoring, and event logs.