1. Reputation of destination IPs and domains
• Send destination IP addresses and DNS names to your SIEM for comparison against blocklists and threat-intelligence feeds
• Look at low-volume outliers: IPs and DNS names your network has never contacted before
2. DNS queries from clients on your network
• First, simply look for outbound DNS queries (port 53) originating from any internal IP other than your internal DNS servers (typically the domain controllers); clients should resolve through those servers, so a host talking to an outside resolver directly is bypassing your visibility and controls
• Look at the domain names themselves
• Algorithm-generated (DGA) domain names are usually easy to recognize: long, high-entropy labels with few vowels and no dictionary words
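The two checks above, written out as a script over constructed log data. This is an added example, not code from the original page: the flow-log and query-log formats, the internal resolver addresses and the DGA thresholds (label length, entropy, vowel ratio) are assumptions chosen for illustration.

```python
import math
import re
from collections import Counter

# Sanctioned internal resolvers (assumed for this example): only these
# hosts should be talking to port 53 outside the network.
INTERNAL_DNS = {"10.0.0.10", "10.0.0.11"}

# Constructed flow-log lines: src dst dport proto bytes (format assumed)
FLOW_LOG = """\
10.0.0.10 8.8.8.8 53 udp 82
10.0.5.23 8.8.4.4 53 udp 74
10.0.5.23 203.0.113.9 53 udp 91
10.0.7.41 93.184.216.34 443 tcp 1432
10.0.0.11 1.1.1.1 53 udp 80
"""

# Constructed DNS query-log lines: client qname (format assumed)
QUERY_LOG = """\
10.0.5.23 www.example.com
10.0.5.23 mail.google.com
10.0.5.23 xk3j9qv0zlt2b7wq.net
10.0.5.23 qwe8r1t0y4u5i6o2.com
10.0.7.41 cdn.jsdelivr.net
"""


def rogue_resolvers(flow_log: str, internal_dns=INTERNAL_DNS) -> set:
    """Internal hosts sending port-53 traffic directly, i.e. bypassing
    the sanctioned resolvers."""
    rogues = set()
    for line in flow_log.splitlines():
        if not line.strip():
            continue
        src, _dst, dport, _proto, _bytes = line.split()
        if dport == "53" and src not in internal_dns:
            rogues.add(src)
    return rogues


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking labels score close to log2(alphabet)."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


VOWEL_RE = re.compile(r"[aeiou]")


def dga_features(domain: str) -> dict:
    """Measure the registrable label (the label left of the TLD)."""
    labels = domain.lower().rstrip(".").split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    return {
        "label": label,
        "length": len(label),
        "entropy": shannon_entropy(label),
        "vowel_ratio": len(VOWEL_RE.findall(label)) / max(len(label), 1),
    }


def looks_generated(domain: str, min_len=12, min_entropy=3.3, max_vowel_ratio=0.25) -> bool:
    """Triage heuristic, thresholds assumed: long AND (high entropy OR vowel-starved)."""
    f = dga_features(domain)
    return f["length"] >= min_len and (
        f["entropy"] >= min_entropy or f["vowel_ratio"] <= max_vowel_ratio
    )


def suspicious_queries(query_log: str) -> list:
    """(client, qname) pairs whose name looks algorithm-generated."""
    hits = []
    for line in query_log.splitlines():
        if not line.strip():
            continue
        client, qname = line.split()
        if looks_generated(qname):
            hits.append((client, qname))
    return hits


if __name__ == "__main__":
    print("hosts bypassing internal DNS:", rogue_resolvers(FLOW_LOG))
    print("DGA-looking queries:", suspicious_queries(QUERY_LOG))
```

The entropy and vowel thresholds are a starting point for triage, not a verdict: long legitimate names (CDN hostnames, hashed tenant names) will also trip them, so feed the hits into the reputation and low-volume-outlier checks rather than alerting on them alone.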
3. Suspect traffic patterns
• Look at your destination ports
• Weird outbound protocols, and activity at weird times (a workstation that starts talking out in the middle of the night)
• Look at application / protocol mismatches: the payload is not what the port implies
• Bandwidth imbalance: much more outbound than inbound, where normal web browsing is mostly downloads
• Is HTTPS traffic a black box? Think again. Options:
• Put a TLS decryptor (intercepting proxy) between endpoints and the Internet
• Alert on applications that fail to work with the decryptor (a client that refuses your interception certificate is worth a look; some of these are legitimately pinned apps, the rest deserve an explanation)
• There is a wealth of information to analyze even on undecrypted HTTPS connections, starting with the server certificate:
• Does it match the DNS name (the SNI in the ClientHello against the certificate's subject alternative names)?
• Who is the certification authority?
• Is it self-signed?
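The certificate questions and the bandwidth-imbalance check above, as an added example that is not part of the original page. The certificates are constructed in the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns; the trusted-issuer allow-list, the per-host flow byte counts and the upload/download ratio threshold are assumptions.

```python
from collections import defaultdict

# Constructed certificates in the dict layout of ssl.getpeercert():
# subject/issuer are tuples of RDNs, each RDN a tuple of (type, value) pairs.
GOOD_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example Trust CA"),),
               (("commonName", "Example Trust CA R3"),)),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.cdn.example.com")),
}
SELF_SIGNED = {
    "subject": ((("commonName", "update-server"),),),
    "issuer": ((("commonName", "update-server"),),),
    "subjectAltName": (("DNS", "update-server"),),
}

# Assumed allow-list of issuer CNs you expect to see from your own clients.
TRUSTED_ISSUERS = {"Example Trust CA R3"}


def _rdn_value(name, key):
    for rdn in name:
        for k, v in rdn:
            if k == key:
                return v
    return None


def san_dns_names(cert) -> list:
    return [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]


def dns_name_matches(pattern: str, host: str) -> bool:
    """Match one SAN entry against the SNI host. A wildcard is honoured only as
    the whole leftmost label and matches exactly one label (simplified RFC 6125):
    *.cdn.example.com matches img.cdn.example.com, not a.b.cdn.example.com
    or cdn.example.com."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def check_certificate(cert, sni_host: str, trusted_issuers=TRUSTED_ISSUERS) -> list:
    """Findings for the three questions: name match, self-signed, unexpected CA."""
    findings = []
    # Fall back to the subject CN only when there is no SAN extension at all.
    names = san_dns_names(cert) or [_rdn_value(cert["subject"], "commonName")]
    if not any(dns_name_matches(n, sni_host) for n in names if n):
        findings.append(f"name mismatch: {sni_host} not in {names}")
    if cert["subject"] == cert["issuer"]:
        findings.append("self-signed certificate")
    issuer_cn = _rdn_value(cert["issuer"], "commonName")
    if issuer_cn not in trusted_issuers:
        findings.append(f"unexpected issuer: {issuer_cn}")
    return findings


# Constructed per-flow byte counts: (internal host, bytes sent, bytes received)
FLOWS = [
    ("10.0.7.41", 12_000, 950_000),     # normal browsing: mostly downloads
    ("10.0.5.23", 4_800_000, 60_000),   # sustained upload
    ("10.0.5.23", 3_100_000, 41_000),
]


def upload_heavy_hosts(flows, ratio=3.0, min_bytes=1_000_000) -> list:
    """Hosts whose outbound volume exceeds inbound by `ratio` (assumed threshold),
    ignoring hosts that sent less than `min_bytes` in total."""
    sent, recv = defaultdict(int), defaultdict(int)
    for host, out_b, in_b in flows:
        sent[host] += out_b
        recv[host] += in_b
    return sorted(h for h in sent if sent[h] >= min_bytes and sent[h] > ratio * max(recv[h], 1))


if __name__ == "__main__":
    print(check_certificate(GOOD_CERT, "www.example.com"))
    print(check_certificate(SELF_SIGNED, "update-server"))
    print(upload_heavy_hosts(FLOWS))
```

One caveat when wiring this to live sockets: `getpeercert()` returns an empty dict when the handshake was done without verification, so to examine a self-signed or untrusted certificate you must fetch it with `binary_form=True` and decode the DER yourself (or read the certificate out of the TLS handshake on the wire), which is exactly the case the "is it self-signed?" question is after.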
4. Unrecognized protocols
• Unknown outbound ports
• TLS traffic that bypasses your proxy server (direct outbound 443 from a client that is supposed to go through the proxy)
5. Masquerading protocols
• Traffic doesn't match the application normally associated with the port (identify the application from the payload, not from the port number)
• Why are 7 different apps running on port 53?
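The port-53 question above, as an added example that is not from the original page: identify the application protocol from the first payload bytes of each flow, then count how many different protocols show up on each destination port. The sample payloads and the flow tuples are constructed; the port-to-protocol expectations are an assumption.

```python
import struct
from collections import defaultdict

# Constructed first-packet payloads as a sensor might capture them.
SAMPLES = {
    "real DNS query": bytes.fromhex("1a2b01000001000000000000")
                      + b"\x03www\x07example\x03com\x00\x00\x01\x00\x01",
    "TLS ClientHello": bytes.fromhex("160301002a0100002603030000"),
    "SSH banner": b"SSH-2.0-OpenSSH_9.3\r\n",
    "HTTP request": b"GET / HTTP/1.1\r\nHost: example\r\n\r\n",
    "raw tunnel": bytes(range(0x80, 0xA0)),
}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"CONNECT ")

# Assumed mapping of what each port is supposed to carry.
EXPECTED_ON_PORT = {53: "dns", 80: "http", 443: "tls", 22: "ssh"}


def looks_like_dns_query(payload: bytes) -> bool:
    """Validate a UDP DNS query: 12-byte header with QR clear, opcode 0,
    QDCOUNT >= 1, and a first QNAME of <=63-byte labels terminated by a
    zero byte with room left for QTYPE and QCLASS."""
    if len(payload) < 13:
        return False
    _id, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000 or (flags >> 11) & 0xF or qdcount == 0:
        return False
    pos = 12
    while pos < len(payload):
        length = payload[pos]
        if length == 0:
            return pos + 5 <= len(payload)
        if length > 63 or pos + 1 + length > len(payload):
            return False
        pos += 1 + length
    return False


def identify_protocol(payload: bytes) -> str:
    """Content-based identification; the strictest check (DNS) goes first."""
    if looks_like_dns_query(payload):
        return "dns"
    # TLS record: content type 0x16 (handshake), version 0x03 0x00..0x04
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x04:
        return "tls"
    if payload.startswith(b"SSH-"):
        return "ssh"
    if payload.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def port_protocol_mismatches(flows) -> list:
    """flows: (src, dport, first_payload). Returns (src, dport, seen_protocol)
    for every flow whose payload is not what the port is supposed to carry."""
    out = []
    for src, dport, payload in flows:
        proto = identify_protocol(payload)
        if dport in EXPECTED_ON_PORT and proto != EXPECTED_ON_PORT[dport]:
            out.append((src, dport, proto))
    return out


def protocols_per_port(flows) -> dict:
    """The '7 different apps on port 53' view: distinct protocols seen per port."""
    seen = defaultdict(set)
    for _src, dport, payload in flows:
        seen[dport].add(identify_protocol(payload))
    return dict(seen)


# Constructed flows: (src, dport, first payload)
FLOWS = [
    ("10.0.0.10", 53, SAMPLES["real DNS query"]),
    ("10.0.5.23", 53, SAMPLES["TLS ClientHello"]),
    ("10.0.5.23", 53, SAMPLES["SSH banner"]),
    ("10.0.9.8", 53, SAMPLES["raw tunnel"]),
    ("10.0.7.41", 443, SAMPLES["TLS ClientHello"]),
]

if __name__ == "__main__":
    print(port_protocol_mismatches(FLOWS))
    print(protocols_per_port(FLOWS))
```

The DNS validator is deliberately stricter than the others because a bare "starts with 0x16 0x03" test for TLS would also accept a DNS query whose transaction ID happens to be 0x16 0x03; checking the header flags and walking the question name keeps the two from colliding. Over TCP, DNS carries a two-byte length prefix ahead of the header, so strip that before applying the same check.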
6. Known signatures
• This tends to be the least effective approach unless you have a feed of constantly updated rules from a threat-intelligence provider
• Can generate a lot of false positives
• But careful use (rules tuned and scoped to the protocols and hosts where they make sense) can be valuable
7. Prohibited protocols
8. DLP indicators
• Searching data payloads for PII patterns
• Regular expressions (validate the matches where the data format allows, e.g. a checksum on card numbers, to cut false positives)
• Keywords relevant to your organization's proprietary information
• TLS decryptors help here; without decryption you can inspect only the cleartext protocols
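The payload search described above, as an added example that is not part of the original page. The payload is constructed (think of it as the body of an outbound POST after TLS decryption), the keyword list is assumed, and the card-number pattern is validated with the Luhn checksum so that random 16-digit strings do not count as hits.

```python
import re

# Constructed payload: a CSV export leaving the network in an HTTP POST body.
PAYLOAD = """\
customer export v3 -- INTERNAL ONLY
name,ssn,card
Alice Example,123-45-6789,4111 1111 1111 1111
Bob Example,234-56-7890,4111 1111 1111 1112
order id 2024-12-3456 ref 000-00-0000
"""

# SSN: AAA-GG-SSSS with the never-issued ranges excluded
# (area 000, 666, 9xx; group 00; serial 0000).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)(\d{3})-(?!00)(\d{2})-(?!0000)(\d{4})\b")
# Payment card: 14-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,18}\d\b")
# Assumed list of markers for the organization's proprietary material.
KEYWORDS = ("INTERNAL ONLY", "CONFIDENTIAL", "Project Bluebird")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: every second digit from the right is doubled
    (minus 9 if over 9); the total must be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text: str) -> dict:
    """Return the SSN-shaped tokens, Luhn-valid card numbers and proprietary
    keywords found in the payload."""
    ssns = [m.group(0) for m in SSN_RE.finditer(text)]
    cards = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            cards.append(digits)
    lowered = text.lower()
    keywords = [k for k in KEYWORDS if k.lower() in lowered]
    return {"ssn": ssns, "card": cards, "keyword": keywords}


def dlp_verdict(text: str, ssn_threshold=1, card_threshold=1) -> bool:
    """True when the payload should be flagged. Thresholds are assumed;
    in practice raise them so a single number in a support ticket does not page anyone."""
    hits = find_pii(text)
    return (
        len(hits["ssn"]) >= ssn_threshold
        or len(hits["card"]) >= card_threshold
        or bool(hits["keyword"])
    )


if __name__ == "__main__":
    print(find_pii(PAYLOAD))
    print("flag:", dlp_verdict(PAYLOAD))
```

Note what the checks do and do not catch in the sample: the second card number fails Luhn and is dropped, the never-issued SSN 000-00-0000 and the order id are rejected by the pattern, but the SSN regex still cannot tell a real number from any other well-formed nine-digit token, which is why the keyword and threshold logic sits beside it.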