1. Reputation of destination IPs and domains
• Send IP addresses and DNS names to your SIEM for comparison to black lists
• Look at low volume outliers New IPs and DNS names

2. DNS queries from clients on your network
• First, simply look for outbound DNS queries originating from internal IP not your internal DNS server (domain controller)
• Look at the domain names
• Easy to recognize algorithm generated domain names

3. Suspect traffic patterns
• Look at your destination ports
• Weird outbound protocols and times
• Look at application / protocol mismatches
• Bandwidth imbalance
• Much more outbound than for normal web browsing
• https traffic a black box?
• Think again. Options
• Put an SSL decryptor between endpoints and Internet
• Alert on applications that fail to work with decryptor
• Wealth of information available to analyze even on undecrypted https connections
• Server certificate
• Does it match the DNS name?
• Who is the certification authority?
• Is it self-signed?

4. Unrecognized protocols
• Unknown outbound ports
• SSL traffic that bypasses your proxy server

5. Masquerading protocols
• Traffic doesn’t match application associated with the port
• Why are 7 different apps running on port 53?

6. Known signatures
• This tends to be least effective unless you have a feed of constantly updated rules from proprietary intelligence provider
• Can generate a lot of false positives
• But careful use can be valuable

7. Prohibited protocols

8. DLP indicators
• Searching data payloads for PII patterns
• Regular expressions
• Keywords relevant to proprietary information of your organization
• SSL decryptors helpful here

Original Post: https://logrhythm.com/resources/webcasts/8-things-to-analyze-in-outbound-packets/