[Figure: attack lifecycle diagram with the stages Point of Entry, Lateral Movement, Asset/Data Discovery, Data of Interest (File Store, Database) and Data Exfiltration.]
Asset/Data Discovery
• Identify the noteworthy servers and the services that house the data of interest.
Data Exfiltration
• Data is funneled to an internal staging server
• Data is chunked, compressed and encrypted
• Data is communicated externally
[Figure: network deployment diagram. A network traffic copy (Tap, or switch SPAN ports) covering north-south traffic through the Proxy/MTA and east-west traffic between User PCs and the File/Application Server feeds the DDI appliance, whose detections are mapped onto the stages Point of Entry, Command & Control, Lateral Movement, Data and Asset Discovery and Data Exfiltration.]
[Figure: detection pipeline (Rules; Event Classification Engine (LogX); Network Content Inspection Engine) and a detection-count table by category: Downloader, Sandboxed, Trojan, Ransomware, Spyware, Backdoor, Exploiter, with counts ranging from 0 times to 81 times.]
Investigation Order
[Figure: attack stages numbered in the order they should be investigated, including Intelligence Gathering and Lateral Movement.]
It is in general safe to start investigation from the Command and Control detections, but check first if there are any Data Exfiltration detections!
© 2020 Trend Micro Inc
Data Exfiltration
The last stage of the attack, and the one you least want to see; but if it happens, you want to see it ASAP!
Detects data exfil over many protocols, e.g. TCP, ICMP, UDP, HTTP, DNS, FTP, etc.
Actions:
• Check if the data exfil rules are enabled under:
Administration -> Monitoring / Scanning -> Detection Rules
• Some important rule IDs: 611, 1861, 1885, 1886, 2563 – 2567, 2584, 4233
• Optionally enable packet capture
Data Exfiltration
• Exploits
• Malware – backdoors, data stealers, ransomware, etc.
• Normal admin tools – netcat, psexec, tiny web servers, etc.
For example:
1. Find hosts which have C&C detections
2. And also have a point of entry
3. And the payload was malicious
4. And had sandbox detections
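The investigation order above (Data Exfiltration first, then Command and Control) and the four-step host filter can be expressed as a small triage script over exported detection events. This is an added example, not Trend Micro code and not the product's export format: the event layout (host, stage, rule_id, payload_malicious, sandboxed fields), the sample events and the host addresses are constructed assumptions; only the exfil rule IDs are taken from the slide.

```python
"""Triage DDI-style detection events per host.

Added example: exfil hosts come first, then hosts that match the slide's
filter (C&C + point of entry + malicious payload + sandbox detection),
then any remaining C&C hosts.  Field names and sample data are assumptions.
"""
from collections import defaultdict

# Data-exfiltration rule IDs listed on the slide
# (611, 1861, 1885, 1886, 2563-2567, 2584, 4233).
EXFIL_RULE_IDS = {611, 1861, 1885, 1886, *range(2563, 2568), 2584, 4233}

# Constructed sample events (not real product output); rule_id 100/200 are
# placeholders for non-exfil rules.
SAMPLE_EVENTS = [
    {"host": "10.0.1.15", "stage": "Point of Entry", "rule_id": 100,
     "payload_malicious": True, "sandboxed": True},
    {"host": "10.0.1.15", "stage": "Command & Control", "rule_id": 200,
     "payload_malicious": False, "sandboxed": False},
    {"host": "10.0.1.22", "stage": "Command & Control", "rule_id": 200,
     "payload_malicious": False, "sandboxed": False},
    {"host": "10.0.2.40", "stage": "Data Exfiltration", "rule_id": 2565,
     "payload_malicious": False, "sandboxed": False},
    {"host": "10.0.2.40", "stage": "Command & Control", "rule_id": 200,
     "payload_malicious": False, "sandboxed": False},
    {"host": "10.0.3.7", "stage": "Point of Entry", "rule_id": 100,
     "payload_malicious": True, "sandboxed": False},
    {"host": "10.0.3.7", "stage": "Command & Control", "rule_id": 200,
     "payload_malicious": False, "sandboxed": False},
]


def is_exfil(event):
    """An event counts as exfil by stage label or by one of the slide's rule IDs."""
    return event["stage"] == "Data Exfiltration" or event["rule_id"] in EXFIL_RULE_IDS


def summarize_by_host(events):
    """Fold events into one record per host: stages seen plus OR-ed flags."""
    summary = defaultdict(lambda: {"stages": set(), "payload_malicious": False,
                                   "sandboxed": False, "exfil": False})
    for e in events:
        s = summary[e["host"]]
        s["stages"].add(e["stage"])
        s["payload_malicious"] |= e["payload_malicious"]
        s["sandboxed"] |= e["sandboxed"]
        s["exfil"] |= is_exfil(e)
    return dict(summary)


def exfil_hosts(events):
    """Hosts with any Data Exfiltration detection: look at these first."""
    return sorted(h for h, s in summarize_by_host(events).items() if s["exfil"])


def cnc_hosts_with_full_chain(events):
    """The slide's example filter: C&C and point of entry, malicious payload, sandbox hit."""
    return sorted(h for h, s in summarize_by_host(events).items()
                  if {"Command & Control", "Point of Entry"} <= s["stages"]
                  and s["payload_malicious"] and s["sandboxed"])


def investigation_order(events):
    """Exfil hosts, then full-chain C&C hosts, then remaining C&C hosts."""
    summary = summarize_by_host(events)
    first = exfil_hosts(events)
    second = [h for h in cnc_hosts_with_full_chain(events) if h not in first]
    seen = set(first) | set(second)
    rest = sorted(h for h, s in summary.items()
                  if "Command & Control" in s["stages"] and h not in seen)
    return first + second + rest


if __name__ == "__main__":
    for rank, host in enumerate(investigation_order(SAMPLE_EVENTS), 1):
        print(rank, host, sorted(summarize_by_host(SAMPLE_EVENTS)[host]["stages"]))
```

With the constructed sample the exfil host 10.0.2.40 is listed before 10.0.1.15, which is the only host meeting all four filter conditions; 10.0.3.7 has a point of entry and a malicious payload but no sandbox detection, so it falls into the remaining C&C group with 10.0.1.22.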