Video Transcription

Hello, and welcome to another Application of the MITRE ATT&CK Framework discussion. Today we're going to be looking at commonly used ports.

So today's objectives are pretty straightforward. We're really just going to describe commonly used ports at a high level, and we're going to jump straight into mitigation techniques and detection techniques as well. So commonly used ports are essentially the ports that we typically see when it comes to networking and things of that nature.
But threat actors usually communicate over common ports to try and bypass firewall controls and things of that nature, and to blend into normal activity. And so such ports can be things like HTTP and HTTPS, which are typically open to allow end users to get to the web and to perform web-based transactions; port 53 on both TCP and UDP; and we've got RPC, SSH and RDP as well, which can be used by threat actors in a number of scenarios to again attempt to bypass control mechanisms and to seem like they're blending in with normal traffic.

Now, if you want to know more about TCP, UDP, ports, DNS, HTTP, or any number of the things we're mentioning here, there are a number of other courses and subject matter areas that focus specifically on common protocols and things of that nature, and I do encourage you to look into those materials if you're interested in learning more about networking and these protocols. So we're going to jump again straight into mitigation techniques here.
Now, network intrusion prevention can be used to stop some forms of command and control activity. It looks for signatures and things that are indicators of compromise, and it will attempt to block that activity outright. Network segmentation is also useful to block traffic or protocols that do not need access to other systems. And so we're talking about least privilege amongst systems: hardware and software don't do more than they need to do to function and communicate, and then the excess protocols are shut down or are not used, to reduce the capabilities that the threat actor would have to circumvent controls or go unnoticed on the network.
Now, detection techniques. In this case, we're going to involve monitoring network data communications to look for uncommon data flows, things of that nature, such as packet sizes that seem to be too perfectly sized or shaped, or inconsistent activity that maybe is above and beyond the baseline that you've got for your network activity. And so having some of those things in place is going to help you to identify if maybe a threat actor is on your network and what it is that they're doing.
Now, let's do a quick check on learning. True or false: threat actors will not use common ports to bypass firewall traffic, as doing so is a high risk.

All right. Well, if you need additional time, please pause this video. So threat actors will in fact use common ports to bypass firewall traffic, and they do this to try and reduce the risk that they'll be detected. And so this is a false statement. In most cases, if network traffic starts to become anomalous or starts to use weird port numbers, things of that nature that aren't common for that business or those systems, that would likely get flagged and investigated by the security staff or the network administration staff.
Now, in summary of today's discussion, we described commonly used ports at a high level. We looked at some mitigation techniques such as network intrusion prevention and things of that nature, and we looked at some detection techniques as well. So with that in mind, I want to thank you for your time today, and I look forward to seeing you again.
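The detection idea the lecture describes (traffic over normally allowed ports whose timing and packet sizes are "too perfectly sized or shaped") as an added example, not part of the lecture or the course material: it groups constructed flow records per conversation and flags common-port conversations whose inter-arrival gaps and byte counts are unnaturally regular. The port set, thresholds, addresses and flow records are all assumptions made for the example.

```python
import statistics
from collections import defaultdict

# Ports the lecture names as commonly used: HTTP, HTTPS, DNS, RDP, SSH, RPC (assumed set).
COMMON_PORTS = {80, 443, 53, 3389, 22, 135}

# Constructed flow records, not real telemetry: (epoch_seconds, src, dst, dst_port, bytes).
FLOWS = [
    # a check-in every 60 s with a near-constant size over 443
    *[(1000 + 60 * i, "10.0.0.5", "203.0.113.9", 443, 512) for i in range(8)],
    # ordinary browsing over 443: irregular timing, widely varying sizes
    (1003, "10.0.0.7", "198.51.100.2", 443, 1200),
    (1011, "10.0.0.7", "198.51.100.2", 443, 48210),
    (1090, "10.0.0.7", "198.51.100.2", 443, 731),
    (1102, "10.0.0.7", "198.51.100.2", 443, 15990),
    (1400, "10.0.0.7", "198.51.100.2", 443, 2048),
    # a check-in every 30 s with a fixed size over 53
    *[(2000 + 30 * i, "10.0.0.9", "192.0.2.44", 53, 96) for i in range(6)],
]


def find_beacons(flows, min_flows=5, max_jitter=0.1, max_size_cv=0.05):
    """Return (src, dst, port, flow_count) for common-port conversations whose
    timing and byte sizes are too regular to look like human-driven traffic.

    jitter  = stdev(gaps) / mean(gaps)   -> ~0 for clockwork check-ins
    size_cv = stdev(bytes) / mean(bytes) -> ~0 for fixed-size messages
    """
    by_conv = defaultdict(list)
    for ts, src, dst, port, size in flows:
        if port in COMMON_PORTS:
            by_conv[(src, dst, port)].append((ts, size))

    suspects = []
    for conv, recs in by_conv.items():
        if len(recs) < min_flows:  # too few flows to judge regularity
            continue
        recs.sort()
        gaps = [b[0] - a[0] for a, b in zip(recs, recs[1:])]
        sizes = [s for _, s in recs]
        jitter = statistics.pstdev(gaps) / statistics.mean(gaps)
        size_cv = statistics.pstdev(sizes) / statistics.mean(sizes)
        if jitter <= max_jitter and size_cv <= max_size_cv:
            suspects.append((*conv, len(recs)))
    return suspects


if __name__ == "__main__":
    for src, dst, port, n in find_beacons(FLOWS):
        print(f"suspiciously regular: {src} -> {dst}:{port} ({n} flows)")
```

In production the same scoring would run against a per-segment baseline of normal conversation regularity rather than fixed thresholds, so that legitimate polling services are not flagged.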

Application of the MITRE ATT&CK Framework

This MITRE ATT&CK training is designed to teach students how to apply the matrix to help mitigate current threats. Students will move through the 12 core areas of the framework to develop a thorough understanding of various access ATT&CK vectors.

Instructed By

Robert Smith
Director of Security Services at Corsica