Network-Related Malicious Indicators
Not sure you’re ready?
Take the ~3-minute readiness diagnostic and see where you stand.
Every action taken by a threat actor on a network requires the manipulation of electrons or photons across a physical medium. Because of this absolute physical limitation, perfectly invisible attacks do not exist. To move laterally, to extract data, or to receive instructions, an adversary must generate network traffic, leaving behind distinct mathematical and structural anomalies. The discipline of security monitoring is the act of studying this telemetry, much like an astrophysicist studies the spectral lines of distant stars, to infer the presence of phenomena we cannot observe directly. By rigorously evaluating the dimensions of time, volume, protocol structure, and spatial origin within our packets, we can consistently detect unauthorized intrusion long before a final objective is achieved.

When a machine in your environment is successfully compromised, the malware rarely possesses all the instructions it will ever need. It must establish communication with its master. Beaconing is a pattern of regular network traffic sent by malware to a command and control server. Threat actors use beaconing to check for new commands from a remote command and control (C2) server or to send brief status updates.
If we were to plot this traffic on a timeline, analyzing network flow data for consistent time intervals between packets reveals malicious beaconing activity. A machine reaching out to an external IP address exactly every 60 seconds is not exhibiting human behavior; it is executing a rigid algorithmic loop.

Adversaries, however, are aware that security analysts look for these highly predictable pulses. To counter our detection, they introduce a mathematical variance known as jitter.
Jitter is a deliberate randomization applied to beaconing intervals to evade time-based detection mechanisms.
By applying jitter, the malware modifies the exact timing of network beacons so the traffic does not appear strictly periodic to monitoring tools. A 60-second beacon with a 20% jitter might fire at 58 seconds, then 64 seconds, then 51 seconds. To detect these obfuscated rhythms, we rely on specialized analytical tools. Zeek is an open-source network security monitoring tool commonly used to extract protocol-level metadata for beaconing analysis. Once Zeek generates this high-fidelity metadata, analysts frequently ingest it into Real Intelligence Threat Analytics (RITA), an open-source tool specifically designed to detect beaconing behavior in network traffic logs by looking for subtle statistical periodicities even when jitter is present.
Network traffic is subject to the normal ebbs and flows of human working hours and automated business processes. To detect anomalies, we must first mathematically define what is normal. Baseline traffic analysis compares current network utilization against historical norms to identify unusual spikes. When traffic deviates wildly from the established baseline, the direction of the spike tells a distinct story about the adversary's intent.
| Traffic Direction | Volumetric Anomaly | Security Implication |
|---|---|---|
| Outbound | Unusual spike to external IP addresses | An unusual spike in outbound network traffic can indicate active data exfiltration by an attacker packaging and stealing sensitive data. |
| Inbound | Massive, sustained external traffic hitting the perimeter | Distributed Denial of Service (DDoS) attacks typically manifest as massive, sustained spikes in inbound network traffic intended to exhaust resources. |
| Internal | Sudden spike between internal hosts (e.g., Subnet A to Subnet B) | A sudden increase in internal network traffic volume often points to lateral movement as attackers scan or copy tools to adjacent systems. |
| Internal | Sudden, exponential multi-host spike | A sudden increase in internal network traffic volume can indicate active worm propagation, such as ransomware auto-spreading across the domain. |

Volumetric analysis also applies to specific protocols. For example, Internet Control Message Protocol (ICMP) is typically a low-volume diagnostic tool. Unexpected ICMP traffic spikes can indicate a ping flood denial-of-service attack, meant to overwhelm a firewall's state table. Alternatively, unexpected ICMP traffic spikes can indicate unauthorized network mapping activities, where an attacker is conducting a sweeping ping-sweep to discover live hosts.
The traditional perimeter security model heavily monitors traffic moving from the inside to the outside. This model fails entirely when the threat originates from physically inside the facility. A rogue device is an unauthorized piece of hardware connected to a corporate network. Rogue devices can bypass perimeter security controls by operating directly within the trusted internal network, effectively neutralizing expensive external firewalls.
Consider the physical manifestations of a rogue device:
- Unauthorized Wireless Access Points: An unauthorized wireless access point connected to a wired corporate network is classified as a rogue device. It extends your secure wired network out into the corporate parking lot, completely unencrypted.
- Rogue DHCP Servers: A rogue DHCP server assigns incorrect IP configurations to clients to facilitate man-in-the-middle attacks. When a legitimate machine requests an IP address, the rogue server races to reply first, assigning itself as the default gateway and silently capturing all outbound traffic.

To hunt for rogue devices, security teams use MAC address filtering to detect unknown physical addresses associated with rogue devices. If an unapproved MAC address appears on a switch port, an alert triggers. However, physical addresses are easily manipulated in software; attackers frequently spoof MAC addresses to make a rogue device mimic a legitimate authorized endpoint (such as a VoIP phone or a network printer).
Because MAC filtering is relatively fragile, modern environments implement Network Access Control (NAC) systems. NAC goes beyond physical addresses, requiring cryptographic authentication (like 802.1X). NAC systems automatically quarantine devices lacking proper authorization credentials, placing them in a dead-end VLAN until identity is proven.

To effectively defend a network, you must understand its designed architecture. Most enterprise networks operate on a strict client-server model: workstations talk to file servers, domain controllers, and the internet. They rarely have a legitimate reason to talk directly to one another. Consequently, workstation-to-workstation traffic is generally considered anomalous in standard client-server enterprise architectures.

When an attacker compromises a single endpoint, they rarely land on the exact server holding the data they want. They must pivot. Detecting lateral movement often involves analyzing irregular connections over protocols like Server Message Block (SMB). If Workstation A suddenly initiates an SMB file share connection to Workstation B, C, and D, you are likely observing an adversary attempting to pass-the-hash or execute remote services.
Similarly, peer-to-peer (P2P) traffic fundamentally violates the client-server hierarchy. Irregular peer-to-peer communication within an enterprise network often indicates unauthorized file sharing (such as BitTorrent clients violating acceptable use policies). From a more severe threat perspective, irregular peer-to-peer communication within an enterprise network can indicate decentralized botnet activity. Malware uses peer-to-peer protocols to distribute updates across infected hosts without relying on a central server, making the malicious infrastructure highly resilient to C2 takedowns.

Attackers know that SOC analysts monitor network boundaries for strange protocols. Therefore, they hide their traffic inside mechanisms we are forced to allow, or they manipulate the rules governing port-based access controls.
Bypassing Port Controls
Traditionally, firewalls allowed or blocked traffic based on TCP/UDP port numbers. Therefore, traffic communicating over non-standard ports indicates potential malicious activity, or it can indicate unauthorized applications bypassing security policies (e.g., an employee running a personal web server on port 8080).
However, attackers easily adapt by running malicious traffic over standard, allowed ports. Secure Shell (SSH) traffic observed on port 80 is an example of a protocol mismatch used for evasion. The firewall sees port 80 and assumes it is benign HTTP web traffic, allowing it through. To defeat this, modern firewalls utilize deep packet inspection. Protocol analyzers detect protocol mismatches by inspecting application-layer packet headers regardless of the port, correctly identifying the SSH handshake and terminating the anomalous session.

Furthermore, analyzing the cryptographic nature of traffic is critical. Unexpected cleartext network traffic can indicate a system misconfiguration (such as a developer forgetting to enforce TLS). More maliciously, unexpected cleartext network traffic can indicate an active downgrade attack by a threat actor, who forces the client and server to abandon encryption so the attacker can parse the intercepted data. For deliberate anonymization efforts, analysts must also watch for known privacy overlays; the presence of Tor exit node IP addresses in network logs indicates attempts to anonymize network traffic, hiding the true destination of data exfiltration or C2 communication.

The Abuse of Domain Name Systems
Because nearly all modern enterprise networks require DNS resolution to function, DNS traffic is universally permitted to leave the environment. Attackers extensively abuse this necessity.
DNS tunneling encapsulates non-DNS traffic within DNS queries and responses. Attackers use DNS tunneling to bypass egress firewall restrictions by hiding their data within the text fields of the DNS protocol. Because the payload is stuffed into the hostname itself, extremely long subdomains in DNS queries are a primary indicator of DNS tunneling.
Example of a DNS Tunneling Query:
a34b91c8x7.data-exfiltration-chunk-44.attacker-domain.com

Attackers also manipulate DNS to maintain the resilience of their infrastructure. Instead of hardcoding a single C2 domain (which a defender could easily block), malware uses Domain Generation Algorithms (DGA) to dynamically create new command and control domains daily, or even hourly. Randomly generated subdomains in DNS queries often indicate the use of Domain Generation Algorithms. Because the malware and the threat actor share the same mathematical seed, they both know which random-looking domain will be active at precisely 14:00 hours today. Domain Generation Algorithms help malware evade static domain blocklists, requiring defenders to shift away from simple lists of bad domains and toward behavioral analytics and entropy scoring to identify malicious intent.