Explanation & Hint:
Threat actors often use common network protocols to exfiltrate data because they can blend in with normal traffic and may not be blocked by firewalls. Two protocols that can be used for this purpose are:
- DNS (Domain Name System): Because DNS requests are usually allowed out of networks and can be difficult to monitor due to their high volume, DNS queries can be used to covertly send data to an external server controlled by the attacker. This technique involves encoding data within DNS query requests or responses, which can then be reconstructed outside the network.
- HTTP (Hypertext Transfer Protocol): HTTP is commonly used for web traffic, which makes it a prime candidate for data exfiltration. Malicious data can be embedded in HTTP requests and responses, and since web traffic is very common, it might not be flagged as suspicious. Additionally, if the communication is encrypted using HTTPS, it becomes even harder to detect the malicious content without SSL/TLS inspection.
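A defender-side illustration of the DNS point above: because exfiltration over DNS has to pack data into query names, the resulting labels look random (high entropy) and a single domain accumulates many unique subdomains. The detector below, an added example that is not part of the original explanation, scores a constructed resolver log on both signals; `covert-example.net` is a placeholder for an attacker-controlled zone, and the two-label `base_domain` heuristic and the thresholds are assumptions to tune per environment.

```python
import math
from collections import Counter

# Constructed sample resolver log (not from a real network); "covert-example.net"
# is a placeholder for an attacker-controlled zone. Line: <time> <client> <qname> <qtype>
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 www.example.com A
2024-05-01T10:00:02Z 10.0.0.5 mail.example.com MX
2024-05-01T10:00:03Z 10.0.0.7 3q4f9z1kx7mc2v.4a8b2d.covert-example.net TXT
2024-05-01T10:00:04Z 10.0.0.7 7h2kd9s0pqwe1r.4a8b2d.covert-example.net TXT
2024-05-01T10:00:05Z 10.0.0.7 zx81ncv5t9q3lm.4a8b2d.covert-example.net TXT
2024-05-01T10:00:06Z 10.0.0.5 cdn.example.com A
"""

def shannon_entropy(label: str) -> float:
    """Bits per character: encoded payload chunks score high, real hostnames low."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values()) if n else 0.0

def base_domain(qname: str) -> str:
    """Two-label heuristic (assumption; production code should use the public suffix list)."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def analyze(log_text: str, entropy_threshold: float = 3.5,
            unique_threshold: int = 3) -> dict:
    """Group queries by base domain; flag only when BOTH covert-channel signs appear."""
    subs, ent, count = {}, {}, Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines instead of crashing the detector
        qname = parts[2].rstrip(".").lower()
        dom = base_domain(qname)
        count[dom] += 1
        prefix = qname[: -len(dom) - 1] if len(qname) > len(dom) else ""
        if prefix:
            subs.setdefault(dom, set()).add(prefix)
            ent[dom] = max(ent.get(dom, 0.0),
                           max(shannon_entropy(l) for l in prefix.split(".")))
    return {
        dom: {
            "queries": count[dom],
            "unique_subdomains": len(subs.get(dom, ())),
            "max_entropy": round(ent.get(dom, 0.0), 2),
            "flagged": len(subs.get(dom, ())) >= unique_threshold
            and ent.get(dom, 0.0) >= entropy_threshold,
        }
        for dom in count
    }
```

Note that `example.com` also reaches three unique subdomains but is not flagged because its labels are low-entropy words; requiring both signals keeps ordinary CDN and mail lookups out of the alert queue.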
The other protocols listed can potentially be used for exfiltration as well, but they are less effective at disguising exfiltration as normal activity:
- Syslog: While syslog is used for logging events and messages, it is not commonly used for exfiltration because it rarely crosses external network boundaries, so outbound syslog traffic is easier to notice and block.
- SMTP (Simple Mail Transfer Protocol): SMTP is used for sending emails and could be used for data exfiltration; however, it would typically be more conspicuous than DNS or HTTP traffic because large amounts of outgoing email could raise suspicions.
- NTP (Network Time Protocol): NTP is used for time synchronization and is not typically used for data exfiltration due to the limited amount of payload data that can be sent. However, it can be used for smaller data leaks or for other malicious activities such as DDoS attacks.