Certified Ethical Hacker (CEH) v12 312-50 Exam Guide

By: Dale Meredith

Overview of this book

With cyber threats continually evolving, understanding the trends and using the tools deployed by attackers to determine vulnerabilities in your system can help secure your applications, networks, and devices. To outmatch attacks, developing an attacker's mindset is a necessary skill, which you can hone with the help of this cybersecurity book. This study guide takes a step-by-step approach to helping you cover all the exam objectives using plenty of examples and hands-on activities. You'll start by gaining insights into the different elements of InfoSec and a thorough understanding of ethical hacking terms and concepts. You'll then learn about various vectors, including network-based vectors, software-based vectors, mobile devices, wireless networks, and IoT devices. The book also explores attacks on emerging technologies such as the cloud, IoT, web apps, and servers and examines prominent tools and techniques used by hackers. Finally, you'll be ready to take mock tests, which will help you test your understanding of all the topics covered in the book. By the end of this book, you'll have obtained the information necessary to take the 312-50 exam and become a CEH v11 certified ethical hacker.
Table of Contents (23 chapters)

  • Section 1: Where Every Hacker Starts
  • Section 2: A Plethora of Attack Vectors
  • Section 3: Cloud, Apps, and IoT Attacks
  • Chapter 17: CEH Exam Practice Questions

What is information security?

For a proper foundation in information security, this section covers the following topics:

  • Information security – a general overview
  • The Confidentiality, Integrity, and Availability (CIA) triad
  • Types of cyberattacks
  • The hacking phases
  • The types of hackers

You'll be able to broadly define information security, understand the CIA triad, recognize various types of cyberattacks and the stages of hacking, understand the types of attackers and their motivations, and know the steps of the Cyber Kill Chain (CKC) methodology.

An overview of information security

Information security is the process of securing data and information systems that process, store, and transmit data against illegal access. Organizations must protect their information, as it is a key asset.

Behind most breaches, attackers have motivations and objectives. A motive arises from the belief that a target has something important. The goal of the attack could be to interrupt the target organization's day-to-day activities, or to steal important information for fun, or even payback. As a result, the attacker's goals are determined by their emotional state. Once the hacker/attacker has defined their objective, they might use a variety of tools, strategies, and methodologies to take advantage of flaws in a system.

Information security is part of information risk management. It refers to the processes and measures designed to protect and maintain the confidentiality, integrity, and availability of information. This goal of information security is commonly known as the CIA triad; these three components guard against cyberattacks that lead to unauthorized or unlawful access, use, sharing, modification, scanning, stealing, and/or destruction of information.

The CIA triad

The CIA triad is a security model that informs the policies and efforts an organization puts in place to secure its data from unauthorized access. Let's look at its components in detail.

Confidentiality

Confidentiality is guarding against theft or unauthorized or unintentional access of data. The first step toward achieving this is authenticity, which is the verification process that requires the user to prove their identity or their claim to the rightful ownership of an account before access is allowed. Big companies whose databases attackers have compromised are increasingly hitting the headlines. Attackers target them for highly prized customer information. Attackers also go after governments for military, political, criminal, and other similar reasons.

An example of the damage a breach of confidentiality can cause happened in Utah. A hospital backed up their records and sent them through a courier service. The driver changed his mind along the way and headed home for the weekend, instead of dropping the tapes off at the Granite Mountain Records Vault (a vault system that is dug out of a granite mountain in Utah). Someone with itchy fingers saw the well-wrapped package and broke into the car. In an instant, the aluminum metal case bearing patients' vital medical records and confidential information was gone.

The hospital ended up spending thousands of dollars seeking identity protection services for patients whose personal and vital information landed in the wrong hands. Besides this kind of loss of data, there's the risk of data being modified without authorization or accountability. The safeguard against that is known as non-repudiation: if John Doe modifies a document under a secure system, there needs to be a way to tell whether or when that happened.

Integrity

After you have proved your authenticity, you expect to find your data safe, not altered. You want to be sure you can trust the source and the keeper of this data. For example, when trying to access your bank account, you want to be certain you are accessing your account on your bank's app or site and that the data you will find on there is valid and protected.

Availability

People have a right to access their data whenever they want, but sometimes attackers stand in the way of this by launching a Denial-of-Service (DoS) attack. A DoS attack denies users access to accounts or resources. How does this benefit attackers? This is a common malicious attack against businesses. It stops users from transacting or accessing a service or resource. This denial of availability costs companies millions of dollars and, sometimes, users.

Types of cyberattacks

Cyberattacks happen when attackers – people with different goals and motivations – spot and take advantage of vulnerabilities in a system. They do this to gain access to a network or to get valuable or confidential data without authorization.

Attackers violate systems or processes to disrupt operations, steal crucial or confidential information, or seek retribution. They can cause chaos within an organization, instill fear, create financial losses, and ruin the reputation of an organization or business by publicizing their political stands, propaganda, religious beliefs, and so on, using the target's mediums of communication.

Cyberattacks fall under different categories. These include the following:

  • Passive attacks
  • Active attacks
  • Close-in attacks
  • Insider attacks
  • Distribution attacks
  • Phishing attacks

Let's look at these in detail.

Passive attacks

A passive attack is also known as a sniffing attack or an eavesdropping attack. Attackers monitor traffic and then intercept data before it reaches recipients.

Active attacks

Unlike passive attacks, active attacks are disruptive. Active attackers are usually out to exploit a vulnerability and cause harm. Most systems detect them. An active attacker will try to disrupt the communication or services between systems, throw things into disarray or cause hiccups within the network's security, and attempt to gain access. Some tricks include a DoS attack, a man-in-the-middle attack, session hijacking, and SQL injection.

Close-in attacks

In close-in attacks, the attacker is usually physically close to the target or the network. Their motive is to gather, change, or disrupt flowing information. Examples of close-in attacks are eavesdropping, shoulder surfing, and dumpster diving. Social engineering also falls under this category. An attacker deceives the target into sharing personal or confidential information and then uses it fraudulently.

Insider attacks

As the name suggests, insider attacks come from the inside. Attackers use their privilege and access to violate policies from within to compromise information systems. They do this by stealing physical devices or by planting malware, backdoors, or keyloggers.

Distribution attacks

In these attacks, the attacker will either tamper with or modify hardware or software before installation. The attack begins soon after installation. To accomplish this, an attacker tampers with the hardware or software at its source or during transmission. A perfect example of a distribution attack is the SolarWinds attack in 2020. After accessing and adding malicious code to SolarWinds' software systems, attackers produced and sent Trojanized updates to the software's users. Victims of this attack included 425 Fortune 100 and 500 companies, including titans such as Cisco, Intel, and Microsoft, leading telecommunication companies, top US government agencies – including the Department of State, the Department of Homeland Security, and the Department of Energy – and reputable learning institutions.

Phishing attacks

A phishing attack is also a popular form of cyberattack. Cyberattackers create a fake website that looks exactly like the original one. Once the fake website is ready, they send an email to the customers with a link to it. When the customers try to log in using their username and password, the cyberattackers record the credentials and use them on the real website to access the customer's account.

The technology triangle

The technology triangle, like the Bermuda Triangle, is mysterious, just not as big. It is a pain in the neck for everyone involved with technology – hardware developers, the coffee-loving IT person, and that software developer who sits in the corner looking at their screen all day.

Figure 1.1 – The technology triangle

One concept that makes their heads hurt is usability (the GUI environment) versus functionality (the features) versus security (the restrictions), as seen in Figure 1.1.

Usually, the dilemma is striking a good balance between these. It's hard because sometimes moving toward usability means losing security and functionality, while inclining toward security makes you lose functionality and usability.

Finding this balance is tricky, and that's why some operating systems lean more toward one area. An example is the Windows 2000 server when the internet was brand new and everybody wanted a piece of it. Trying to be nice, Microsoft set up servers for their users and whenever a user deployed the operating system, it would automatically install the Internet Information Services (IIS), which is a web server environment. This web server environment had every feature turned on and had more holes than Swiss cheese. While it was helpful to users who were not tech-savvy, Microsoft compromised on security.

Microsoft then introduced Windows Vista with the annoying UAC popup that's always asking whether you are sure you want to do something. Do you want to allow this app to make changes to your device? Do you want to allow this app from an unknown publisher to make changes to your device?

Typing in a username and password irks most users, so, while Microsoft moved a bit toward security, they lost usability and functionality.

Microsoft is a perfect example of this dilemma. Their user-friendly interface has in many situations actually created vulnerabilities for their platform. Reports show a 181% increase in the number of reported vulnerabilities between 2016 and 2020.

Most people are always wondering why they have to jump through IT hoops to use software or hardware. They want a plug-and-play IT world where all they need to do is head to the local technical store, grab what they need, plug it in, push a few buttons, and voilà! It's ready. Some companies understand this need and strive to make their products as easy to use as possible. While it is easy to achieve usability, most easy-to-use hardware and software is vulnerable to attacks.

Types of hackers

Hacking is gaining unauthorized access to information or data in a computer or system, or configuring a different mechanism that makes a device or the target of the hack operate differently to how it was intended.

There are different types of hackers and they are differentiated by the activities they carry out and their motives.

Black-hat hackers

A black-hat hacker carries out the type of attacks where they don't have permission or authorization to be on the target network or to be doing what they're doing. They're lawbreakers.

White-hat hackers

Unlike black-hat hackers, white-hat hackers are authorized to be on a system and to be doing what they are doing. They are the good guys. They don't use or misuse the information they have access to as security professionals – they only share exploits about the bad guys with the white-hat community for the good of everyone.

Important Note

The hat color terms come from Hollywood. Back in the early days of film, the bad guy was identifiable from the black hat that he wore, while the hero would wear a white hat. This actually continues today in film, as I'm sure we've all seen a villain dressed in black while the hero is dressed in white (you know, a long time ago in a galaxy far, far away…).

Gray-hat hackers

Gray-hat hackers are reformed black-hat hackers. However, it's still hard to trust them because they can always relapse in a moment of weakness. They can be white-hat today, but if they get a deal that's too good to turn down, their ethical hacking principles may go out the window and they will name their price.

Suicide hackers

As the name suggests, a suicide hacker is carefree. They don't bother to cover their tracks after an attack. Their mission is the only thing that matters.

Script kiddies

Script kiddies are as clueless as they come. They are ambitious but lack real training and experience. They rely on YouTube videos and other free online resources and tools to hack and perform unauthorized activities. Most script kiddies work inside our network infrastructures.

Spy hackers, cyberterrorists, and state-sponsored hackers

These are high-profile, malicious hackers. They do the dirty work for governments, government agencies, organized groups, and big corporations fighting for the lion's share in the market. They are mostly driven by religious beliefs, political affiliation or agenda, business opportunity, and so on. Like suicide hackers, they stop at nothing. They focus on executing their mission; everything else, including repercussions, is secondary.

The difference between a spy hacker and a state-sponsored hacker is that a spy hacker gets their paycheck from a rival business to steal intellectual property, while the state-sponsored hacker gets paid by a government or government agency. State-sponsored hacking makes it possible for states to get hold of secrets from other countries, military organizations, and multinational companies or organizations.

Hacktivist

A hacktivist is an attacker who gains unauthorized access to a network or files to further economic ideologies or a political or social agenda.

Hacktivists' motivations vary, from vandalism to protest, humiliating and/or calling out an individual, a group, a company, or a government. Their attacks often include defacing or disabling their target's website.

Other major targets of hacktivism are big corporations, such as Apple and Microsoft, and the big pharmaceutical industry. Tons of vegan animal rights activists and eco-activists also use hackers to push their beliefs or to go after certain companies.

Hacking phases

What comes to your mind when someone talks about the most secure system? Most people think of Linux and other operating systems. But attackers can attack or hack these technologies because they all have loopholes and vulnerabilities.

A friend (I cannot confirm whether I was involved with this or not) who was involved with a penetration test at a bank showed up at the branch with a new blade server and announced that he was running late, and needed to install a new server to make things work faster.

He feigned it was very heavy to make them hurry up. To his surprise, they did and let him in the server room unaccompanied. He rummaged through a shelf of tape backups and put some in his bag. He also grabbed a couple of hard drives that had important data and then deployed the server through a backdoor.

As a security professional, you need to anticipate any form of attack and avert it. If there is no digital hack, look out for a physical one or a social engineering hack. Your job is to discourage, deter, misdirect, and slow attackers in every way possible.

Hackers have time on their hands and are always looking for any opportunity or vulnerability to gain access to your system or information.

Having a good grasp on how hackers think helps security professionals look in the right places. This is especially important because attackers don't carry out their mission in one go. It's a process with phases. With each step or phase, the attacker inches closer to the target's environment. Let's look at each of these phases a little closer.

Reconnaissance/footprinting

This is the first phase of hacking. It involves looking at a target and trying to figure out who they are and what they have to offer. It is the most time-consuming phase for attackers, but it comes with a big payoff. The attacker gathers as much information about your company as possible and then prepares the attack based on it.

There are two ways to do this:

  • Passive reconnaissance
  • Active reconnaissance

Passive reconnaissance

There is no direct interaction with the target in a passive reconnaissance, so the target does not know that an attacker is looking at them. Passive reconnaissance also involves researching a target on common and public platforms.

In a passive hack, the attacker goes through the company's web page like a typical visitor, except that he or she is there to gather information. For example, a hacker can head to a company's website to look at job openings. It's neither wrong nor illegal.

Social engineering is another passive reconnaissance technique. Usually, it exploits human psychology to gain access to systems, locations, data, and information. Attackers use social engineering to manipulate people to share personal or critical information about themselves that is useful in advancing the attack.

Marketers are masters of social engineering. They will set a table at your local grocery store or mall and offer you free samples – small tasty pieces of beef or a mouthwatering bite-sized burrito. You will not know what hit you – even if you don't buy whatever they are promoting, you will listen to what they have to say about their products, and that could be the whole point of their being at the store.

Attackers use the same technique to harvest information.

Active reconnaissance

In an active reconnaissance, the attacker has direct interaction with the target. The attacker will engage with the target's system, scan the network from an internal or external perspective, and also conduct a port scan, seeking open ports.

An example of an active reconnaissance technique is when an attacker pings the target's server. That's touching the target's server, right? It's a bold move. Attackers use active reconnaissance when they discover or have every reason to believe it is unlikely that their activities will be noticed.

Dumpster diving

Old credit cards, water bills, receipts, lost IDs, companies' internal memos, forms, financial statements, lists, and so on carry valuable information that can be used by attackers. Like detectives, attackers search through trashcans, dustbins, and the like, looking for items that will help them complete target profiles.

A classic example of dumpster diving happened in the '90s, when the Department of Justice was investigating Microsoft for their practices. The Oracle Corporation hired a detective agency that went dumpster diving on the Microsoft campus and came up with information that pointed to Microsoft having some under-the-table deals.

The New York Times reported, "The Oracle Corporation acknowledged today that it had hired a prominent Washington detective firm to investigate groups sympathetic to its archrival, the Microsoft Corporation, an effort that yielded documents embarrassing to Microsoft in the midst of its antitrust battle with the government."

Scanning

Scanning is the phase where an attacker tries to gather as much information as they can. They do this using active techniques such as ping sweeps and passive techniques such as passive scanning. An attacker sniffs the traffic and identifies the target's machines and operating systems, looking for a way in, or what we call an attack vector or attack surface.

Gaining access

An attacker can also map out systems and other hardware devices, attempt to detect where a target's firewalls and routers are, find out whether they can discover the IP address scheme, and so on. It tells them which targets to stay clear of and the targets they need not waste time on. Security professionals counter these attacks by gaining as much knowledge as possible about the latest attack tools and the system vulnerabilities that attackers have figured out a new way to exploit.

The next thing you'll want to do is shield your system from tools such as a port scanner that looks for ports that may be opened up by services. To protect your system, ensure that services are not running on machines that they shouldn't be running on. Properly audit the systems.

Another useful tool is a vulnerability scanner, which attackers also use – except, of course, they use the pirated versions. This tool will tell you, "Man, your default machines don't have the latest service pack installed for Windows 7 or Windows 8.1!" The thing with scanning is, if you're not scanning for vulnerabilities, somebody else who shouldn't be doing it will do it in an attempt to get into your network.

Maintaining access

After making their way in, attackers want to maintain access. An attacker can decide to pull the system out and use it as a launch pad for what they want to do with it. They can use the system to carry out attacks, finish scanning or footprinting the target's environment, or install Wireshark to sniff the network and send results back to their location. They can also decide to install a Trojan that steals usernames and passwords, or scans for documents with certain number sequences.

Experienced attackers wind up hardening the target's machine. If they pwn (take control of) your machine completely, they want to make sure they maintain total control of it. They inject their own backdoors or Trojans, effectively clearing the vulnerabilities they exploited. It might stop other attackers but not them, because they will use a different mechanism next time.

The term pwned

No, we did not misspell this word. It is a slang spelling of the word "owned." It came from the game Warcraft, where a programmer misspelled "owned" within the game text. If you beat another player, the message was supposed to say, "Dale has been owned," but instead we were given, "Dale has been pwned." It means that you've been dominated by another player or, in the world of hacking, I have total control of your system.

To stop this, install a honeypot or a honeynet (fake systems and fake networks). It will attract attackers, but they will only end up wasting their time and energy on the fake target. You will have distracted or slowed them down.

Clearing tracks

This is the fifth and the last stage of an attack. After getting into the system, getting or doing what they wanted, the next smart move is covering their tracks – leaving the place as neat and clean as they found it, or better.

Most attackers get rid of their own entries in the log files to ensure you don't suspect they were there, because they know if the first entry in a log file was deleted, the target or security professional will want to know who deleted the file.

After that, they install a rootkit to hide their tools. Alternatively, they use steganography to avoid detection, hiding their secret data inside the target's MP3s or images, or even in the white space (the unused bits in a TCP header).

This is known as a cyber blind, as an analogy to a duck blind, which is used by hunters to hide where ducks frequent, waiting to lay an ambush.

The purpose/goal of cyberattacks

So, where do these cyberattackers come from? Generally, people call them hackers or cybercriminals, but we are going to call them attackers. There is a huge difference between a hacker and an attacker. Let me explain: if we talk about a hacker, it is simply someone who exploits a target to work outside its intended purpose. A great example of this is back when I purchased my first Xbox; I modified it so that I could put a bigger hard drive inside and store all my games on it. I never needed to grab a DVD! Or how about rooting your Android device? Typically, these actions are not illegal but rather modifying systems/targets to do something different.

On the other hand, an attacker is someone who has a different motive/goal/objective to gain unauthorized access to a target. Normally, they use the same techniques, but they are looking for different outcomes (mostly illegal ones). Attackers can be internal or external to an organization and a threat to known or unknown vulnerabilities in an IT infrastructure.

We can summarize their goals by highlighting most of the objectives that attackers have:

  • To disrupt an organization or the operations of a business
  • To grab/steal information that is either important or private
  • To take an act of revenge after losing out to an organization
  • To create a financial issue
  • To hurt the reputation of an organization

The Cyber Kill Chain – understanding attackers and their methods

The Cyber Kill Chain (CKC) is a series of steps that trace the stages of an attack, right from reconnaissance through to exfiltration of data. There are several models for describing the general process of an attack on system security. This model was first developed by Lockheed Martin.

Phases of the CKC

Here are the phases of the CKC.

Reconnaissance

In the reconnaissance phase, attackers gather general knowledge about the system or network. It can be a passive or active attack.

Weaponization

The attacker is going to couple the payload code – which is going to enable access remotely – with exploit code that will exploit the software and/or the security flaw.

Delivery

Here, the attacker identifies a vector to transmit the weaponized code to the target environment. They can use a website, an email attachment, or a USB drive.

Exploitation

This step is where the weaponized code runs. The malware gets triggered when the target clicks on the link in the malicious email or runs the code off of a USB drive they found lying in the parking lot.

Installation

This mechanism, also known as the backdoor, enables the weaponized code (malware) to run a remote access tool for the intruder and to achieve persistence on the target system.

Command and Control (CNC)

This is when the weaponized code gives the attacker access to the target's network or system. The weaponized code establishes an outbound channel to a remote server that can be used to control the remote access tool and possibly download more tools to expand the attack.

Actions and objectives

In this phase, the intruder uses the access they've achieved to collect information from the target system and begins to transfer it through the remote system. The intention could be data exfiltration, encryption for ransom, data destruction, and so on.

Tactics, techniques, and procedures

The term Tactics, Techniques, and Procedures (TTPs) relates to the activity and method patterns associated with specific threat actors or groups of threat actors. TTPs are useful for assessing threats and characterizing threat actors, and security professionals can also utilize them to bolster an organization's security architecture. The term tactics refers to a set of rules that specify how an attacker performs. The term techniques refers to an attacker's technical approaches to achieving intermediate results during an attack.

TTPs should be understood by organizations in order to secure their networks from threat actors and prospective attacks. TTPs allow enterprises to block assaults at the outset, protecting the network from catastrophic harm. They help you understand the mindset of an attacker and predict what an attacker might try to do next.

Adversary behavior identification

The process of identifying the common tactics or strategies used by an adversary to conduct attacks on an organization's network is known as adversary behavioral identification. It provides security professionals with information on upcoming threats and exploits. It aids in the planning of network security architecture and the adaptation of a variety of security procedures as a defense against various cyberattacks. Common behaviors to watch out for include the following.

Internal reconnaissance

At this stage, the attacker collects internal information about a target network to be able to move through the network. The attacker will do reconnaissance internally – enumeration of systems and hosts, and looking out for different types of commands that are being issued on the target's network, including activities such as attempting to resolve hostnames or IP addresses. Activating remote systems is beneficial for averting this.

PowerShell

PowerShell is a great automation tool for users, but attackers exploit it as an automation tool to transfer data from the target network (data exfiltration) and to launch further attacks. Monitoring PowerShell transcript logs and Windows event logs can help identify the presence of an attacker.

The command-line interface processes

Attackers use command-line tools to gain access to target systems – to read files or their contents, modify files, create accounts, and so on. These actions are very easy to perform from a command-line interface. Security professionals detect this behavior by looking for logs with process IDs that bear unfamiliar numbers and letters. Malicious files getting downloaded is also a pointer to this type of attack.

Suspicious proxy events

The adversary tries to create and configure multiple domains pointing to the same host to allow fast switches between domains. In this kind of attack, speed is of the essence for attackers. They have to switch quickly to elude security professionals. To catch them, check the data feeds that are generated by those domains to find unspecified domains.

HTTP user agent

In HTTP-based communication, the server identifies the connecting HTTP client using a user agent field. Attackers modify the content of the HTTP user agent field to communicate with any system that may be compromised or have a vulnerability to carry out attacks against it.

CNC servers

Attackers use CNC servers to communicate remotely to the systems that they've compromised. They do this through an encrypted session. To stop them in their tracks, a security professional needs to be on the lookout for unwanted open ports, encrypted traffic – especially outbound connection attempts – and so on.

DNS tunneling

Intruders use DNS tunneling to hide malicious traffic. An intruder can communicate with a CNC, bypassing security controls to grab data off of the target systems, and so on. Unfortunately, because it's in a DNS tunnel, it just looks like normal DNS traffic going through the network.
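Because tunneled traffic is valid DNS, detection has to look at the shape of the query names rather than the protocol. The following added example (not code from the book) groups a DNS query log by client and parent domain and flags groups whose subdomains are numerous, long, and random-looking; the thresholds, the two-label parent-domain rule, and all names and addresses are assumptions constructed for the illustration.

```python
import base64
import hashlib
import math
from collections import Counter, defaultdict


def shannon_entropy(text):
    """Bits of entropy per character; encoded payloads score high."""
    if not text:
        return 0.0
    total = len(text)
    return -sum(n / total * math.log2(n / total) for n in Counter(text).values())


def split_name(qname, levels=2):
    """Split a query name into (subdomain, parent domain).

    Assumption: the registered domain is the last `levels` labels. Production
    code should consult the Public Suffix List instead.
    """
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-levels]), ".".join(labels[-levels:])


def find_tunnel_candidates(queries, min_unique=5, min_avg_len=30, min_entropy=3.5):
    """Flag (client, parent) groups whose subdomains are numerous, long and
    high-entropy all at once. Any single signal alone is too noisy."""
    groups = defaultdict(set)
    for client, qname in queries:
        sub, parent = split_name(qname)
        if sub:
            groups[(client, parent)].add(sub)

    findings = []
    for (client, parent), subs in sorted(groups.items()):
        unique = len(subs)
        avg_len = sum(len(s) for s in subs) / unique
        avg_entropy = sum(shannon_entropy(s.replace(".", "")) for s in subs) / unique
        if unique >= min_unique and avg_len >= min_avg_len and avg_entropy >= min_entropy:
            findings.append({
                "client": client,
                "parent": parent,
                "unique_subdomains": unique,
                "avg_length": round(avg_len, 1),
                "avg_entropy": round(avg_entropy, 2),
            })
    return findings


def _constructed_chunk(i):
    """Constructed stand-in for an encoded data chunk (base32 of a hash)."""
    digest = hashlib.sha256(f"constructed-chunk-{i}".encode()).digest()
    return base64.b32encode(digest).decode().rstrip("=").lower()[:48]


# Constructed sample DNS query log: (client IP, query name).
SAMPLE_QUERIES = (
    [("10.0.0.23", f"{_constructed_chunk(i)}.exfil-demo.example") for i in range(8)]
    + [("10.0.0.23", "www.shop.example"), ("10.0.0.23", "mail.shop.example")]
    # Many unique but short, low-entropy names: typical of a CDN, not a tunnel.
    + [("10.0.0.40", f"img{i}.cdn-demo.example") for i in range(6)]
    + [("10.0.0.40", "shop.example")]
)

if __name__ == "__main__":
    for finding in find_tunnel_candidates(SAMPLE_QUERIES):
        print(finding)
```

Only the first client's traffic to the constructed `exfil-demo.example` domain is flagged; the CDN-style names have enough unique subdomains but fail the length and entropy tests.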

Web shell

Here, attackers use web shells to change the web server by creating a shell within the website itself, allowing them remote access to the functionality of the target server. A security professional can identify web shells running in a network by analyzing server logs, error logs, and suspicious streams that might pop up on this, such as user agent strings.
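The log analysis described here, together with the user agent point made under "HTTP user agent" above, can be sketched as follows. This is an added example, not code from the book: it parses Combined Log Format lines and flags script paths that are almost only POSTed to, by very few clients, never reached through a referring page, and only with user agents no other client uses. The thresholds and every log line are constructed assumptions.

```python
import re
from collections import defaultdict

# Combined Log Format (the usual Apache/nginx access log layout).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
SCRIPT_EXTENSIONS = (".php", ".jsp", ".aspx")

# Constructed sample access log (documentation IP ranges, made-up paths).
SAMPLE_LOG = """\
192.0.2.10 - - [12/Mar/2024:09:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.11 - - [12/Mar/2024:09:00:05 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
192.0.2.12 - - [12/Mar/2024:09:00:09 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.10 - - [12/Mar/2024:09:01:10 +0000] "POST /login.php HTTP/1.1" 302 0 "https://shop.example/index.php" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.11 - - [12/Mar/2024:09:02:30 +0000] "POST /contact.php HTTP/1.1" 200 310 "https://shop.example/contact.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
192.0.2.12 - - [12/Mar/2024:09:03:00 +0000] "GET /uploads/photo.jpg HTTP/1.1" 200 48211 "https://shop.example/index.php" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.50 - - [12/Mar/2024:03:14:07 +0000] "POST /uploads/thumb_cache.php HTTP/1.1" 200 87 "-" "python-requests/2.31.0"
203.0.113.50 - - [12/Mar/2024:03:14:09 +0000] "POST /uploads/thumb_cache.php?a=1 HTTP/1.1" 200 1432 "-" "python-requests/2.31.0"
203.0.113.50 - - [12/Mar/2024:03:14:15 +0000] "POST /uploads/thumb_cache.php HTTP/1.1" 200 96 "-" "python-requests/2.31.0"
this line is truncated and does not parse
""".splitlines()


def parse(lines):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in lines:
        match = LINE_RE.match(line.strip())
        if match:
            record = match.groupdict()
            record["path"] = record["url"].split("?", 1)[0]  # drop query string
            yield record


def find_webshell_candidates(lines, max_clients=2, min_post_ratio=0.8):
    records = list(parse(lines))

    # A user agent seen from two or more client addresses counts as "common".
    clients_by_ua = defaultdict(set)
    for rec in records:
        clients_by_ua[rec["ua"]].add(rec["ip"])
    common_uas = {ua for ua, ips in clients_by_ua.items() if len(ips) >= 2}

    stats = defaultdict(lambda: {"hits": 0, "posts": 0, "clients": set(),
                                 "uas": set(), "referred": False})
    for rec in records:
        if not rec["path"].lower().endswith(SCRIPT_EXTENSIONS):
            continue  # only server-side script paths are of interest
        entry = stats[rec["path"]]
        entry["hits"] += 1
        entry["posts"] += rec["method"] == "POST"
        entry["clients"].add(rec["ip"])
        entry["uas"].add(rec["ua"])
        entry["referred"] |= rec["referer"] not in ("", "-")

    findings = []
    for path, entry in sorted(stats.items()):
        post_ratio = entry["posts"] / entry["hits"]
        if (len(entry["clients"]) <= max_clients
                and post_ratio >= min_post_ratio
                and not entry["referred"]
                and not entry["uas"] & common_uas):
            findings.append({
                "path": path,
                "hits": entry["hits"],
                "posts": entry["posts"],
                "clients": sorted(entry["clients"]),
                "user_agents": sorted(entry["uas"]),
            })
    return findings


if __name__ == "__main__":
    for finding in find_webshell_candidates(SAMPLE_LOG):
        print(finding)
```

A flagged path is a lead for review, not a verdict: the file on disk and its creation time still need to be checked against the deployment history.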

Data staging

Once intruders gain access to a target network, they stage or create different data-staging techniques to collect and combine as much information or data as they can. They can collect financial information, data about customers, employees, business models, tactics, and so on.

Most IT professionals deploy or create network infrastructure layouts to track their networks. Once intruders gather this information, they exfiltrate data or destroy it. To prevent this, security professionals look at event logs, and for data-staging areas by monitoring network traffic for malicious files.

Historically, security tools have depended on the identification of malware signatures, but there's little chance of this type of detection beating an experienced attacker. They know better than to use outdated tactics. It's very unlikely they will use tools that can be found in a database of known file-based malware, which explains why threat research has moved beyond the identification of static malware signatures.

Indicators of compromise

An Indicator of Compromise (IoC) is a residual sign that an asset or network has successfully been attacked or is being attacked. Often, an IoC can be identifiable because intruders are using some type of tool that leaves behind an ID, such as a malware signature.

Most IoCs require subjective judgment calls based on the security professional's experience and knowledge of the target system, because these IoCs are mostly identified through suspicious activities – not obvious incidences. It's also important to note that there are multiple targets and vectors of an attack, and potential IoCs will be different too. Correlating multiple IoCs to produce a complete and accurate narrative of events is key.

Common IoCs

Let's look at some common IoCs:

  • Unauthorized software or unauthorized files
  • Suspicious emails
  • Suspicious registry or filesystem changes
  • Unknown ports and protocol usage
  • Excessive bandwidth usage – especially on the outbound side
  • Rogue hardware devices
  • Service disruption and defacement, maybe of a web page
  • Suspicious or unauthorized account usage

Multiple IoCs can be linked to identify a pattern of an attacker's behavior. This behavioral analysis can then be used to model threats and perform proactive threat hunting.

One way of identifying a threat is associating indicators you discover in your logs with reputation data. A reputation threat research source will identify IP address ranges and DNS domains that are associated with malicious activities, such as sending spam or a particular Distributed Denial-of-Service (DDoS) attack.
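As an added illustration of the last two paragraphs (not code from the book), the sketch below matches indicators from normalized log events against a reputation feed of IP ranges and DNS domains, then links the matches per host so that a host touching several categories stands out. The feed entries, host names, event fields, and the two-category threshold are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed reputation feed: network ranges and domains with a category.
REPUTATION_NETWORKS = {
    ipaddress.ip_network("203.0.113.0/24"): "spam",
    ipaddress.ip_network("198.51.100.64/26"): "ddos",
}
REPUTATION_DOMAINS = {"bad-rep.example": "malware-distribution"}

# Constructed events, as if already normalized from firewall and DNS logs.
EVENTS = [
    {"host": "ws-014", "dst_ip": "203.0.113.77"},
    {"host": "ws-014", "qname": "cdn.bad-rep.example."},
    {"host": "ws-014", "dst_ip": "192.0.2.10"},        # not in the feed
    {"host": "ws-022", "dst_ip": "198.51.100.70"},     # inside the /26
    {"host": "ws-022", "dst_ip": "198.51.100.200"},    # outside the /26
    {"host": "ws-031", "qname": "notbad-rep.example"},  # different domain
]


def lookup_ip(value):
    """Return the feed category for an address, or None."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return None  # malformed address in the log
    for network, category in REPUTATION_NETWORKS.items():
        if addr in network:
            return category
    return None


def lookup_domain(qname):
    """Match the name or any parent domain, on label boundaries only."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        category = REPUTATION_DOMAINS.get(".".join(labels[i:]))
        if category:
            return category
    return None


def correlate(events, min_categories=2):
    """Group reputation matches by host; mark hosts that hit several
    distinct categories as correlated."""
    matches = defaultdict(list)
    for event in events:
        if "dst_ip" in event:
            indicator, category = event["dst_ip"], lookup_ip(event["dst_ip"])
        elif "qname" in event:
            indicator, category = event["qname"], lookup_domain(event["qname"])
        else:
            continue
        if category:
            matches[event["host"]].append((indicator, category))

    report = {}
    for host, matched in matches.items():
        categories = sorted({category for _, category in matched})
        report[host] = {
            "matches": matched,
            "categories": categories,
            "correlated": len(categories) >= min_categories,
        }
    return report


if __name__ == "__main__":
    for host, entry in sorted(correlate(EVENTS).items()):
        print(host, entry)
```

Matching on label boundaries matters: a plain substring test would wrongly tie `notbad-rep.example` to the listed `bad-rep.example`.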