Triggers
- The host is communicating in an unusual manner with an internal server on a port that has previously shown a stable pattern for requests and responses
- The request sent to the internal server and the response received from it don’t conform to any of the previously observed patterns
Possible root Causes
- The server has been compromised and the port has been hijacked to enable communication to the compromised part of the system without requiring a new port to be utilized for the communication
- The client or the server has been recently upgraded and the pattern of use on the server port has changed
- This client has an unusual configuration in that it communicates with the port on the server in a manner unlike all the other observed communication on that port
Business Impact
- Port hijacking is a technique attackers use to enable communication to a compromised server without raising alarms which may go off when a new port is used on an existing server
- Compromised servers are often more valuable than compromised laptops as they remain on the network at all times and are often located in the data center where most of an organization’s important data resides
Steps to Verify
- See if the pattern of the flagged request and response represent acceptable deviations from the normal patterns or are significant departures such as binary data in an otherwise character-based protocol
- Inquire whether the software which emitted the request on this host has recently been updated as this may cause detections for a short period of time after the update
- Inquire whether the software on the server which responded to the request has recently been updated as this may cause detections for a short period of time after the update
- If the changed pattern remains unexplained, boot the client and server using a known good image on a USB device, then mount the local drive and scan it for signs of compromise