Suricata high number of bytes out detected

Set up the Suricata integration.


Goal

Detect scenarios in which an unusually high number of bytes is being sent out from a server, which could indicate data exfiltration or other malicious activity.

Strategy

Monitor Suricata logs for flows in which the volume of outgoing data from a server is unusually high. This could indicate data exfiltration attempts, malware communication, or other suspicious activity that requires immediate investigation.

Triage and response

  1. Identify whether the server typically handles high volumes of outbound traffic.
  2. Verify whether the client IP {{@network.client.ip}} is internal or external.
    • For internal IPs, identify the corresponding host and collaborate with its owner to investigate the unusual data transfer from the server.
    • For external IPs, assess the IP address reputation.
  3. Review the client IP {{@network.client.ip}}, port {{@network.client.port}}, and protocol {{@suricata.proto}} to identify unexpected destinations or sensitive data transfers.
  4. If malicious activity is confirmed, block the client IP {{@network.client.ip}}, isolate the server, and capture traffic for analysis.
  5. Inform IT security teams and management about the incident and the actions taken.
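As an added example (not the rule's own logic or Datadog's implementation), the following Python aggregates Suricata EVE `flow` records by responding server and flags server/client pairs whose bytes sent back to the client exceed a threshold, and marks whether the client IP falls in internal address space to support triage step 2. The field names `src_ip`, `dest_ip`, `dest_port`, `proto` and `flow.bytes_toclient` are standard Suricata EVE fields; the sample records, the internal ranges and the threshold are constructed assumptions.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed Suricata EVE records (not captured traffic). In EVE flow events,
# src_ip is the flow initiator (client) and dest_ip the responder (server);
# flow.bytes_toclient counts what the server sent back to the client.
SAMPLE_EVE_LINES = [
    '{"event_type":"flow","src_ip":"10.0.0.5","src_port":51515,"dest_ip":"10.0.1.20",'
    '"dest_port":443,"proto":"TCP","flow":{"bytes_toserver":1200,"bytes_toclient":8000}}',
    '{"event_type":"flow","src_ip":"203.0.113.9","src_port":40001,"dest_ip":"10.0.1.20",'
    '"dest_port":443,"proto":"TCP","flow":{"bytes_toserver":3000,"bytes_toclient":600000000}}',
    '{"event_type":"flow","src_ip":"203.0.113.9","src_port":40002,"dest_ip":"10.0.1.20",'
    '"dest_port":443,"proto":"TCP","flow":{"bytes_toserver":2500,"bytes_toclient":400000000}}',
    '{"event_type":"alert","src_ip":"203.0.113.9","dest_ip":"10.0.1.20","alert":{"signature":"x"}}',
]

# Assumed internal address space (RFC 1918); adjust to the monitored environment.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    """Triage step 2: is the client address inside the internal ranges?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def bytes_out_by_server(lines):
    """Sum bytes each server sent to each client, keyed by (server, client, port, proto)."""
    totals = defaultdict(int)
    for line in lines:
        rec = json.loads(line)
        if rec.get("event_type") != "flow":  # only flow records carry byte counters
            continue
        key = (rec["dest_ip"], rec["src_ip"], rec["dest_port"], rec["proto"])
        totals[key] += rec["flow"]["bytes_toclient"]
    return totals

def find_high_bytes_out(lines, threshold_bytes):
    """Return findings for server/client pairs whose outbound byte total exceeds the threshold."""
    findings = []
    for (server, client, port, proto), total in bytes_out_by_server(lines).items():
        if total > threshold_bytes:
            findings.append({"server": server, "client": client, "port": port, "proto": proto,
                             "bytes_out": total, "client_is_internal": is_internal(client)})
    return findings

if __name__ == "__main__":
    for finding in find_high_bytes_out(SAMPLE_EVE_LINES, 100 * 1024 * 1024):  # constructed 100 MiB threshold
        print(finding)
```

The threshold should be tuned per server role, since a file server or backup host legitimately sends far more than an internal admin box.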