Commonly Used Port

00:00

hello and welcome to another application of the minor attack framework discussion

00:06

Today. We're going to be looking at commonly used ports.

00:10

So two days objectives air pretty straightforward. We're really just going to describe commonly used ports at a high level. We're gonna jump straight into mitigation technique and detection techniques as well. So commonly used ports are essentially the ports that we typically see when it comes to

00:29

networking and things of that nature.

00:31

But threat actors usually communicate over common ports to try and bypass firewall controls and things of that nature and to blend into normal activity. And so such ports can be things like Http and https, which

00:45

are typically open to allow and users to get to the Web and to perform Web based transactions.

00:52

SMTP and DNS

00:54

both on TCP and UDP Port 53 we've got RPC s Cessation Rdp as well, which can be used by threat actors of a number of scenarios to again attempt to bypass control mechanisms and to seem like they're blending in with normal traffic. Now,

01:12

if you want to know Maura about TCP UDP ports DNS. Http, any number of things were mentioning here. There are a number of other courses and subject matter areas where they focus specifically on common protocols and things of that nature. And I do encourage you

01:29

to look into those materials if you're interested in learning more about networking and

01:34

these protocols, so we're gonna jump again straight into mitigation techniques here.

01:40

Now, network intrusion prevention can be used to stop some forms of commanding control activity. It looks for signatures and some things that are indicators of compromise, and it will attempt to block that activity outright. Network segmentation is also useful to block trafficker protocols

01:57

that do not need access to other systems. And so we're talking like lease privilege

02:01

amongst systems. Hardware software doesn't do more than it needs to do to function and communicate. And then the excess protocols are shut down or are not used to reduce the capabilities that the Threat actor would have to circumvent controls or go unnoticed on the network

02:20

Now detection techniques. In this case, we're going to involve monitoring network data communications to look for uncommon data flows, things of that nature, such as packet sizes that seem to be too perfectly sized or shaped inconsistent activity

02:36

that maybe is above and beyond your baseline that you've got for your network activity.

02:39

And so having some others things in place is going to help you to identify. Maybe if a threat actors on your network and what it is that they're doing

02:49

now, let's do a quick check on learning True or false threat. Actors will not use common ports to bypass firewall traffic as doing so is a high risk.

02:59

All right, well, if you need additional Tom, please pause this video. So threat actors will in fact use common ports to bypass possible traffic on day. Do this to try and reduce the risk that they'll be detected. And so this is a false statement

03:15

in most cases, if if network traffic starts to become anomalous or starts to use weird port numbers, things that nature that aren't common for that business or those systems

03:25

that would likely get flagged and investigated by the security staff or the network administration staff.

03:32

Now in summary of today's discussion, we describe commonly used ports at a high level. We looked at some mitigation techniques such as network intrusion, prevention and things of that nature, and we looked at some detection techniques as well. So with that in mind, I want to thank you for your time today.

03:53

And I look forward to seeing you again