Episode 26: Network-Based Indicators of Malicious Activity
Welcome to Episode Twenty-Six of your CYSA Plus Prep cast. In this episode, we’ll focus on one of the most critical skill sets in a cybersecurity analyst’s toolkit—identifying network-based indicators of malicious activity. These indicators, also known as network Indicators of Compromise, are the signs and signals that suggest threat actors are probing, infiltrating, or actively exploiting network infrastructure. As defenders, analysts must be able to recognize these clues in near real-time and respond swiftly to contain the damage, investigate the root cause, and prevent further escalation. Whether through logs, traffic captures, alerts, or flow data, analysts are constantly working to identify these behaviors and understand what they signify. Mastering this area is not just vital for the CYSA Plus exam but is foundational to daily work in a Security Operations Center.
Let’s begin by defining network-based indicators of malicious activity. These are behavioral clues and technical signatures that suggest a network may be under attack or has been compromised. These indicators are observable through network monitoring tools, intrusion detection systems, or SIEM solutions and often involve abnormal communication patterns, unusual data transfers, or unauthorized device connections. While no single indicator is a guarantee of malicious intent, when combined, they form a picture that allows analysts to make informed decisions. The exam will expect you to recognize both individual indicators and how they correlate with common attack techniques.
One of the first signs analysts look for is unusual bandwidth consumption. A sudden spike in outbound traffic, especially from endpoints that typically do not send large volumes of data, may indicate a data exfiltration attempt. Conversely, high inbound traffic could signal the beginning of a Distributed Denial of Service attack. In both cases, the traffic patterns deviate from established baselines. Analysts monitor bandwidth using NetFlow data, network monitoring dashboards, or alerts configured within a SIEM. The exam may present bandwidth graphs or summaries and ask you to identify which pattern reflects a potential security incident.
Beaconing is another critical indicator. This involves repetitive, periodic connections from a compromised system to an external server. These connections are usually associated with command-and-control infrastructure, where malware calls home to receive instructions or deliver stolen data. The pattern may appear subtle—such as connections every five minutes to the same IP—but over time, it becomes detectable through analysis of destination frequency, timing, and volume. Analysts use tools like Zeek or flow analytics platforms to detect beaconing. Expect questions that ask you to identify beaconing behaviors in flow logs or suggest countermeasures once beaconing is detected.
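The periodicity check described above, as an added example that is not part of the episode: it groups constructed flow records by source, destination and port, then flags tuples whose inter-connection gaps are nearly constant (low coefficient of variation). The flow tuple layout and thresholds are assumptions.

```python
import statistics
from collections import defaultdict

# Constructed sample flow records (not from the episode): (epoch_seconds, src, dst, dst_port, bytes)
FLOWS = [
    # 10.0.0.5 contacts 203.0.113.7:443 roughly every 300 s with small jitter (beacon-like)
    *[(1_700_000_000 + i * 300 + j, "10.0.0.5", "203.0.113.7", 443, 512)
      for i, j in enumerate([0, 3, -2, 1, 0, 2, -1, 4])],
    # 10.0.0.9 browses 198.51.100.20:443 in irregular bursts (ordinary user traffic)
    *[(1_700_000_000 + t, "10.0.0.9", "198.51.100.20", 443, b)
      for t, b in [(0, 8000), (7, 12000), (9, 3000), (600, 50000),
                   (640, 900), (2400, 70000), (2405, 1200), (2410, 600)]],
]

def find_beacons(flows, min_connections=6, max_cv=0.10):
    """Return (src, dst, port, mean_interval_s) for flow tuples whose
    inter-arrival times are nearly constant. A low coefficient of variation
    (stdev / mean) across many connections is the classic beacon signature;
    bursty human traffic has a CV well above 1."""
    by_tuple = defaultdict(list)
    for ts, src, dst, dport, _ in flows:
        by_tuple[(src, dst, dport)].append(ts)
    beacons = []
    for key, times in by_tuple.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean_gap if mean_gap else float("inf")
        if cv <= max_cv:
            beacons.append((*key, round(mean_gap)))
    return beacons

if __name__ == "__main__":
    for b in find_beacons(FLOWS):
        print("possible beacon:", b)
```

Jitter added by malware widens the gap distribution, so in practice the CV threshold is tuned against the site's baseline rather than fixed.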
Irregular peer-to-peer communication can also indicate malicious behavior. Most enterprise systems should not initiate peer-to-peer traffic unless configured to do so, such as in file-sharing platforms or backup networks. When systems begin broadcasting or opening random ports for P2P connections, it may suggest malware propagation, botnet enrollment, or unauthorized file sharing. Analysts monitor port activity, communication protocols, and service usage to identify these anomalies. You may be tested on how to detect or investigate unauthorized P2P activity or how to block it at the firewall level.
Rogue devices present a significant risk. These include unauthorized laptops, IoT devices, or mobile phones that connect to the network without proper authorization. Such devices may be infected, misconfigured, or operated by malicious insiders. Analysts must regularly scan the network for new MAC addresses, unknown hostnames, or devices without endpoint protection agents. NAC solutions help detect and isolate rogue devices before they pose a threat. The CYSA Plus exam may challenge you to identify how rogue devices are detected or what steps to take upon discovery.
Another common sign of an impending attack is network scanning. When an attacker is performing reconnaissance, they will often use port scans, ping sweeps, or service enumeration to map the network and identify vulnerable targets. Analysts use intrusion detection systems like Snort or Suricata to detect scanning behavior, watching for patterns like repeated SYN packets or connections to multiple hosts on the same port. Detection of scanning is an early warning and allows analysts to block source IPs, escalate investigations, or deploy deception techniques. You’ll likely encounter questions asking how to differentiate legitimate scanning from malicious reconnaissance.
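The "many hosts, same port" pattern from the paragraph above, as an added example (not from the episode): constructed Zeek-style connection lines are parsed and any source that sends half-open SYNs to many distinct hosts on one port inside a short window is reported. The log layout, flag letters and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed connection log lines (not from the episode):
# timestamp src dst dst_port tcp_flags   ("S" = SYN only; "SAF" = full handshake and close)
CONN_LOG = """\
1700000000 192.0.2.10 10.0.0.1 445 S
1700000001 192.0.2.10 10.0.0.2 445 S
1700000001 192.0.2.10 10.0.0.3 445 S
1700000002 192.0.2.10 10.0.0.4 445 S
1700000002 192.0.2.10 10.0.0.5 445 S
1700000003 192.0.2.10 10.0.0.6 445 S
1700000003 192.0.2.10 10.0.0.7 445 S
1700000004 192.0.2.10 10.0.0.8 445 S
1700000005 192.0.2.10 10.0.0.9 445 S
1700000005 192.0.2.10 10.0.0.10 445 S
1700000010 10.0.0.50 10.0.0.1 445 SAF
1700000011 10.0.0.50 10.0.0.2 445 SAF
1700000020 10.0.0.60 10.0.0.1 443 SAF
"""

def parse_conn_log(text):
    rows = []
    for line in text.splitlines():
        ts, src, dst, port, flags = line.split()
        rows.append((int(ts), src, dst, int(port), flags))
    return rows

def detect_horizontal_scans(rows, window_s=60, min_hosts=8):
    """Flag sources that send SYNs to many distinct hosts on one port within a
    window without completing the handshake (no ACK in the flags). Returns
    sorted (src, port, distinct_hosts) tuples."""
    buckets = defaultdict(set)  # (src, port, window_index) -> set of destinations
    for ts, src, dst, port, flags in rows:
        if "S" in flags and "A" not in flags:
            buckets[(src, port, ts // window_s)].add(dst)
    return sorted({(src, port, len(dsts))
                   for (src, port, _), dsts in buckets.items() if len(dsts) >= min_hosts})

if __name__ == "__main__":
    print(detect_horizontal_scans(parse_conn_log(CONN_LOG)))
```

An authorized vulnerability scanner produces the same shape of traffic, so the source list is compared against an allow-list of known scanners before raising an alert.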
Traffic directed toward known malicious IP addresses is another strong indicator. If an endpoint initiates a connection to a blacklisted IP address or a domain previously linked to malware distribution, there is a high probability that the system is compromised. Analysts use threat intelligence feeds to identify these risky destinations and configure alert rules within SIEMs to trigger investigations when such connections occur. Some tools can block access in real time or redirect traffic for deeper inspection. Expect to be asked how to respond to alerts related to communication with known bad infrastructure.
Another critical network indicator is unexpected use of uncommon ports. While some ports are associated with legitimate services, like port 443 for HTTPS or port 22 for SSH, traffic on non-standard ports—especially from endpoints that should not be using them—often signals attempts to bypass security controls. Malware may use obscure ports to evade detection or to exfiltrate data. Analysts must know how to identify traffic on unexpected ports, trace its origin, and determine whether it aligns with known threat behaviors. The exam will likely include traffic logs or SIEM alerts showing port usage that you must evaluate for potential risk.
Analysts must also be adept at identifying signs of data exfiltration. This involves large volumes of outbound traffic, encrypted channels used at unexpected times, or connections to unfamiliar remote destinations. Some attackers throttle their data exfiltration to avoid triggering bandwidth alarms, so analysts must correlate multiple indicators such as timing, volume, and destination. Anomalies in data transfer timing—such as large uploads during off-hours—or files being sent from servers that normally do not transfer data externally are red flags. Be prepared to analyze these patterns on the exam.
Another sophisticated technique is the use of Domain Generation Algorithms. Malware authors use DGAs to generate thousands of potential domain names in an attempt to evade static blacklists. These domains often have random strings, change frequently, and result in frequent failed DNS queries. Analysts detect DGA activity by reviewing DNS logs, identifying repeated queries to unusual domains, and analyzing entropy in domain names. CYSA Plus exam questions may ask how DGAs function or what steps analysts can take to identify them through DNS analysis.
For more cyber-related content and books, please check out cyber author dot me. Also, there are more security courses on Cybersecurity and more at Bare Metal Cyber dot com.
Now that we’ve covered foundational indicators such as unusual bandwidth consumption, beaconing, rogue devices, and DGAs, let’s expand into additional patterns that security analysts must recognize when investigating potential intrusions. These advanced network-based indicators often go unnoticed in noisy traffic unless analysts are trained to look for the right signs. Being able to detect subtleties like DNS tunneling, protocol misuse, or spoofing attempts can make the difference between early containment and a full-scale breach. In this section, we’ll focus on nuanced indicators that are commonly exploited by threat actors and frequently tested on the CYSA Plus exam.
DNS tunneling is one such covert channel used by attackers to bypass firewalls and exfiltrate data by encoding payloads inside DNS queries and responses. Since DNS traffic is typically allowed out of networks without restriction, it becomes a convenient channel for command-and-control communication or even data theft. Analysts must be able to identify DNS traffic that contains abnormal query lengths, nonstandard subdomains, or frequent DNS requests to a single domain. Tools like passive DNS monitoring platforms or intrusion detection systems can flag these patterns. Expect the exam to present DNS logs or packet samples that you must analyze for signs of tunneling activity.
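The two DNS checks described in this episode, entropy of domain names for DGA detection and long, high-cardinality subdomains for tunneling, as one added example that is not part of the episode. It runs over constructed DNS log lines; the log layout, the two-label "registered domain" shortcut and the thresholds are assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed DNS log lines (not from the episode): client_ip query_name rcode
DNS_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 mail.example.com NOERROR
10.0.0.8 xk3j9qplwz7f.net NXDOMAIN
10.0.0.8 q2m8vtz0rhgb.com NXDOMAIN
10.0.0.8 z9plq3wvx1nr.org NXDOMAIN
10.0.0.8 cdn.example.com NOERROR
10.0.0.9 4a6f686e20446f652c2041636374203132333435.p1.t.exfil-test.invalid NOERROR
10.0.0.9 53656372657420646f63756d656e742076312e30.p2.t.exfil-test.invalid NOERROR
10.0.0.9 6d6f726520657863696c747261746564206461746120.p3.t.exfil-test.invalid NOERROR
"""

def parse_dns_log(text):
    return [tuple(line.split()) for line in text.splitlines() if line.strip()]

def shannon_entropy(s):
    """Bits per character; random-looking labels score near log2(alphabet size)."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def registered_domain(name):
    # Simplification: last two labels. Production code would consult a public-suffix list.
    return ".".join(name.split(".")[-2:])

def dga_suspects(rows, min_entropy=3.2, min_nxdomain=3):
    """Clients that repeatedly receive NXDOMAIN for high-entropy domains: a DGA
    cycling through candidate names the operator has not registered yet."""
    hits = defaultdict(int)
    for client, name, rcode in rows:
        label = registered_domain(name).split(".")[0]
        if rcode == "NXDOMAIN" and shannon_entropy(label) >= min_entropy:
            hits[client] += 1
    return {c for c, n in hits.items() if n >= min_nxdomain}

def tunnel_suspects(rows, max_label_len=30, min_unique=3):
    """Domains receiving many distinct query names that carry an unusually long
    label: a payload being encoded into the subdomain of each request."""
    names = defaultdict(set)
    for _, name, _ in rows:
        if max(len(label) for label in name.split(".")) > max_label_len:
            names[registered_domain(name)].add(name)
    return {d for d, s in names.items() if len(s) >= min_unique}
```

Legitimate CDN and cloud hostnames also contain long or random-looking labels, so both checks are best scored against an allow-list of known domains before alerting.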
Latency anomalies are another important indicator. Malware infections, DDoS attacks, or unauthorized resource consumption can cause systems or networks to respond slower than usual. Analysts must regularly monitor latency baselines and investigate unexpected increases. Spikes in response times might reveal systems under heavy load due to malicious processes or systems participating in botnet activity. Even mild but persistent degradation of service may indicate stealthy ongoing data exfiltration. The exam may include questions that correlate latency metrics with other logs to determine whether performance issues are linked to security incidents.
Address Resolution Protocol spoofing, also called ARP poisoning, is a technique where an attacker sends false ARP messages to a local network. This allows them to intercept traffic between systems, perform man-in-the-middle attacks, or disrupt communications. Analysts must watch for duplicate MAC addresses, mismatched IP-to-MAC associations, or frequent ARP replies from unknown systems. Network monitoring tools and ARP inspection features on switches can help detect these anomalies. The CYSA Plus exam may include scenarios where ARP cache entries reveal manipulation, prompting you to select the best containment method.
Misuse of network protocols is another red flag. While protocols like SSH, RDP, FTP, and SMTP serve legitimate purposes, their use in unexpected contexts often signals malicious intent. For example, RDP access from external networks or unauthorized use of FTP from an endpoint that does not serve files may indicate lateral movement or data theft. Analysts must audit protocol usage regularly, block unnecessary services at the firewall, and correlate user behavior with protocol usage. The exam may test your ability to identify when protocol usage is suspicious or which action to take based on protocol-related logs.
Geographic anomalies can also highlight compromise. Connections originating from countries not associated with your organization’s operations—or logins from different countries within minutes of each other—should prompt investigation. Analysts use geolocation data to evaluate IP origin, comparing it to normal user activity. Cloud accounts accessed from unfamiliar regions or internal systems initiating sessions across continents without prior pattern may indicate credential theft. SIEMs and cloud monitoring tools often include geolocation tags for alerting. Be ready on the exam to identify geographic irregularities from log samples or alert descriptions.
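The "logins from different countries within minutes" check above, as an added example that is not from the episode: consecutive logins per user are compared and any pair whose implied travel speed exceeds what air travel allows is flagged. The login tuples, their coordinates (standing in for a geolocation lookup of the source IP) and the 1000 km/h ceiling are assumptions.

```python
import math
from collections import defaultdict

# Constructed login events (not from the episode): (epoch_s, user, src_ip, lat, lon)
LOGINS = [
    (1_700_000_000, "alice", "203.0.113.5", 40.71, -74.01),   # New York
    (1_700_001_800, "alice", "198.51.100.9", 51.51, -0.13),   # London, 30 minutes later
    (1_700_000_000, "bob", "192.0.2.8", 48.86, 2.35),         # Paris
    (1_700_012_000, "bob", "192.0.2.9", 52.52, 13.40),        # Berlin, about 3.3 hours later
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on a spherical Earth."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))

def impossible_travel(logins, max_kmh=1000.0):
    """Compare each user's consecutive logins and return
    (user, ip_before, ip_after, km, km_per_hour) for pairs whose implied
    speed exceeds max_kmh (assumed ceiling for commercial air travel)."""
    by_user = defaultdict(list)
    for ev in logins:
        by_user[ev[1]].append(ev)
    flagged = []
    for user, evs in by_user.items():
        evs.sort()
        for (t1, _, ip1, la1, lo1), (t2, _, ip2, la2, lo2) in zip(evs, evs[1:]):
            hours = (t2 - t1) / 3600
            km = haversine_km(la1, lo1, la2, lo2)
            if hours <= 0 or km / hours > max_kmh:
                flagged.append((user, ip1, ip2, round(km), round(km / hours) if hours > 0 else None))
    return flagged
```

VPN egress points and mobile carrier NAT pools geolocate far from the user, so a flagged pair is a prompt to check the account's usual egress IPs rather than proof of compromise.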
Abnormal HTTP and HTTPS traffic is another key indicator. Suspicious user-agent strings, malformed HTTP headers, and excessive HTTP POST requests may be signs of web-based attacks or data exfiltration. Analysts look for patterns such as repeated failed login attempts, long URL parameters that may contain encoded payloads, or usage of web shells to control compromised systems. These activities often show up in web server logs or firewall traffic logs. The exam might present web access logs and challenge you to spot irregularities or explain their significance.
Payload inspection, often performed through deep packet inspection, helps analysts detect unauthorized activity within network traffic. While encryption limits the ability to inspect content, headers and metadata can still offer clues. Analysts must understand how to identify protocol violations, malformed packets, or payloads that do not match expected content types. For example, detecting an executable being sent over an unencrypted HTTP session should trigger concern. SIEM tools often aggregate these anomalies and tag them with known exploit patterns. On the exam, expect questions that evaluate your knowledge of payload analysis techniques and their role in intrusion detection.
Authentication failures, especially in high volume or from multiple systems, are a strong indicator of brute-force or credential-stuffing attacks. Analysts track these failures by monitoring domain controllers, VPN appliances, and cloud access logs. Patterns to look for include hundreds of failed logins over a short period, attempts from unusual IP addresses, or repeated failures on non-existent usernames. These activities often trigger account lockouts, which are useful indicators of attack. The exam may include logs showing failed login trends and ask which type of attack is underway or which mitigation should be prioritized.
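The failure patterns listed above, as an added example that is not from the episode: constructed authentication events are grouped per source IP and window, then labelled brute force (many failures on one account) or credential stuffing (one or two attempts each across many accounts, including non-existent users). The event layout, result codes and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed auth events (not from the episode): (epoch_s, src_ip, user, result)
# result is OK, FAIL (wrong password) or NO_SUCH_USER (account does not exist)
EVENTS = (
    # one IP hammering a single account every 2 seconds
    [(1_700_000_000 + i * 2, "198.51.100.7", "alice", "FAIL") for i in range(30)]
    # one IP trying a leaked credential list: each account once, some users unknown
    + [(1_700_000_100 + i * 5, "203.0.113.40", u, r) for i, (u, r) in enumerate(
        [("alice", "FAIL"), ("bob", "FAIL"), ("carol", "FAIL"), ("dave", "NO_SUCH_USER"),
         ("erin", "FAIL"), ("frank", "NO_SUCH_USER"), ("grace", "FAIL"), ("heidi", "FAIL"),
         ("ivan", "NO_SUCH_USER"), ("judy", "FAIL"), ("mallory", "FAIL"), ("oscar", "FAIL")])]
    # an ordinary user mistyping once, then succeeding
    + [(1_700_000_300, "10.0.0.3", "bob", "FAIL"), (1_700_000_310, "10.0.0.3", "bob", "OK")]
)

def classify_auth_failures(events, window_s=300, min_failures=10):
    """Group non-OK results per (source IP, window). For sources exceeding
    min_failures return src -> (label, failures, distinct_users, unknown_users).
    Attempts per user close to 1 means the source is cycling accounts, not
    passwords. If a source is flagged in several windows the last one wins."""
    per_src = defaultdict(list)
    for ts, src, user, result in events:
        if result != "OK":
            per_src[(src, ts // window_s)].append((user, result))
    findings = {}
    for (src, _), attempts in per_src.items():
        if len(attempts) < min_failures:
            continue
        users = {u for u, _ in attempts}
        unknown = sum(1 for _, r in attempts if r == "NO_SUCH_USER")
        if len(users) == 1:
            label = "brute_force"
        elif len(attempts) / len(users) <= 2:
            label = "credential_stuffing"
        else:
            label = "mixed"
        findings[src] = (label, len(attempts), len(users), unknown)
    return findings

if __name__ == "__main__":
    for src, finding in classify_auth_failures(EVENTS).items():
        print(src, finding)
```

The NO_SUCH_USER count is worth tracking on its own: genuine users rarely mistype their username repeatedly, so a high share of unknown accounts points at a list acquired elsewhere.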
Traffic to and from anonymizing services like the Tor network or unauthorized VPNs can signal an insider threat or compromised system attempting to disguise its behavior. Analysts must configure monitoring tools to detect traffic to known Tor exit nodes, VPN endpoints, or proxy services. While some users may legitimately use these tools, unauthorized connections from endpoints within enterprise networks should be investigated immediately. These connections often indicate attempts to bypass firewalls, mask exfiltration, or evade detection. Be prepared to interpret network logs showing anonymized connections and determine appropriate next steps.
Finally, changes in traffic encryption patterns may indicate covert activity. While encryption is a standard part of securing data, sudden changes—such as a system that previously used plaintext suddenly sending encrypted data to a new domain—can indicate tunneling or command-and-control communication. Similarly, the use of nonstandard or deprecated encryption protocols can expose systems to exploitation. Analysts must monitor for unauthorized protocol use and evaluate when encryption itself becomes suspicious. The exam might include SSL or TLS traffic examples and ask you to assess whether the usage represents a risk.
To summarize, cybersecurity analysts must master the identification of both basic and advanced network-based indicators of compromise. From scanning and beaconing to DNS tunneling and suspicious encryption patterns, every piece of traffic tells a story. Analysts must know how to read that story, connect the clues, and initiate a proper response. Recognizing these indicators early helps prevent escalation, supports effective investigation, and minimizes damage. Practice correlating network traffic logs, understanding what patterns to look for, and configuring tools for maximum visibility to fully prepare for both the exam and real-world challenges.
