A basic Least Frequency of Occurrence (LFO) and anomaly-based analytic/defensive layer that lets defenders know their network better and forces adversaries to blend in completely, by highlighting new, rarely seen, and/or inconsistent outbound protocol use.

Description

Target outbound protocols/datasets which meet the following criteria:

Good candidates for onboarding include, but are not limited to, SMB, FTP, SSH, RDP, VNC, LDAP, and HTTP on non-standard ports.

Highlight unexpected outbound traffic occurring at both early and later stages of attacks:

"We are already seeing malware families such as Redline Stealer, QakBot, and Nanocore be successful despite their use of random and non-standard ports. This prohibits traditional, full internet scanning as it is not feasible to scan all possible non-standard ports across the IPv4 space. While once thought to be easier to detect, the use of high ports seems to still be an adequate C2 communication channel, and we predict that more C2 operators will make use of high ports for their C2 communication." -Recorded Future 2022 Adversary Infrastructure Report

There are many more real-world examples from threat actors at every level of sophistication. You should know when this happens on your network.
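As an added illustration of the LFO idea (example code written for this page, not the project's own analytic and not tied to its Terraform deployment), the sketch below counts a baseline period of constructed flow records per host and network-wide, then flags current flows that are new, rarely seen, or common elsewhere but new for that host. The record fields, sample hosts, and rare_threshold are assumptions.

```python
from collections import Counter

def expand(spec):
    """Expand [(record, count), ...] into a flat list of flow records."""
    return [rec for rec, n in spec for _ in range(n)]

# Constructed baseline flows as (src_host, dst_port, proto) tuples; hosts,
# ports and counts are made-up sample data, not captured traffic.
BASELINE = expand([
    (("10.0.0.5", 443, "tcp"), 5),
    (("10.0.0.6", 443, "tcp"), 5),
    (("10.0.0.7", 443, "tcp"), 5),
    (("10.0.0.5", 22, "tcp"), 3),   # SSH is routine for this one host
    (("10.0.0.6", 21, "tcp"), 1),   # FTP seen once network-wide
])

# Constructed "current period" flows to evaluate against the baseline.
CURRENT = [
    ("10.0.0.5", 443, "tcp"),   # routine, should not be flagged
    ("10.0.0.7", 22, "tcp"),    # SSH is common elsewhere but new for .7
    ("10.0.0.6", 21, "tcp"),    # FTP is rare network-wide
    ("10.0.0.6", 445, "tcp"),   # SMB never seen outbound before
]

def build_baseline(flows):
    """Count each (host, port, proto) and each (port, proto) in the baseline."""
    per_host = Counter(flows)
    network_wide = Counter((port, proto) for _, port, proto in flows)
    return per_host, network_wide

def lfo_findings(baseline_flows, current_flows, rare_threshold=2):
    """Return (host, port, proto, reason) for current flows that are new, rare
    network-wide, or common elsewhere but new for the host (threshold assumed)."""
    per_host, network_wide = build_baseline(baseline_flows)
    findings = []
    for host, port, proto in set(current_flows):
        seen_anywhere = network_wide.get((port, proto), 0)
        seen_on_host = per_host.get((host, port, proto), 0)
        if seen_anywhere == 0:
            reason = "new: never seen outbound from any host in baseline"
        elif seen_anywhere <= rare_threshold:
            reason = f"rare: seen {seen_anywhere} time(s) network-wide in baseline"
        elif seen_on_host == 0:
            reason = "inconsistent: common network-wide, first use by this host"
        else:
            continue   # established behaviour for this host: not interesting
        findings.append((host, port, proto, reason))
    return sorted(findings)
```

Calling lfo_findings(BASELINE, CURRENT) flags the FTP, SMB and per-host SSH flows and leaves the routine HTTPS flow alone; in a real deployment the baseline would be rebuilt from historical flow data and the threshold tuned per protocol.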

Pre-release Notes

The Terraform resources provided here allow you to quickly create a self-contained prototype deployment to see and test how this works. It is NOT for production.

This is a pre-release version of a relatively raw prototype; not all functionality and optimizations are available at this time. A few things...

Get Started

See Get Started.

For a manual deployment, review and adjust the Terraform as necessary, considering notes and initial load steps in Component Details.

FloCon 2023 Poster

License

Released under an MIT (SEI)-style license; please see LICENSE or contact permission@sei.cmu.edu for full terms.

[DISTRIBUTION STATEMENT A] This material has been approved for public release and unlimited distribution.