Threat Hunting for DDoS Activity and Geographic Irregularities


So there you are, sitting at your desk at the organization where you work as an information security professional. You are performing your usual monitoring duties when you notice that you have a high volume of network traffic coming from a part of the world that your organization does not do business with. This activity has generated multiple failed login attempts. Additionally, you notice that this activity has been coming from Romania, and some DNS requests are coming from domains with a .ru suffix. What should you do?

This article will detail threat hunting for DDoS activity and geographic irregularities. By the end of this article, you will know how to answer the question above.

What is a DDoS?

DDoS stands for distributed denial of service, and a DDoS attack attempts to make a network, machine or resource unavailable. Generally speaking, DDoS attacks serve as smokescreens that hide other, far more serious threats. DDoS attacks operate by disabling communication services or by flooding the target machine with excessive requests to overload the system. Either way, the goal is to take the machine out (at least for a period of time).
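The opening scenario (unusual volume from a region the organization does not do business with, failed logins, DNS lookups for .ru domains) and the flooding behaviour just described are both things a hunter can look for in logs. The script below is an added example, not code from the original post or from InfoSec Resources: it parses constructed log lines of the form `<timestamp> <src_ip> <country> <event> <detail>`, counts requests and failed logins per source per 60-second window, and flags activity from countries outside an assumed allowlist and DNS queries for an assumed set of suspect suffixes. The IP addresses, country codes, thresholds and log format are all assumptions made for the example.

```python
"""Added example: hunt constructed log lines for two signals from the article,
request floods (DDoS-style volume) and geographic irregularities (traffic,
failed logins and .ru DNS lookups from unexpected regions)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed allowlist: regions the hypothetical organisation does business with.
EXPECTED_COUNTRIES = {"US", "CA", "GB"}
# Assumed thresholds; tune to the environment's baseline.
FLOOD_THRESHOLD = 100          # http requests from one source per window
FAILED_LOGIN_THRESHOLD = 5     # failed logins from one source per window
WINDOW_SECONDS = 60
# DNS suffixes worth a closer look (the article's scenario mentions .ru).
SUSPECT_DNS_SUFFIXES = (".ru",)

EPOCH = datetime(1970, 1, 1)


def build_sample_log():
    """Constructed sample log, format: '<ISO-8601 ts> <src_ip> <country> <event> <detail>'.
    Every value here is invented for the example, not taken from a real system."""
    lines = []
    base = datetime(2024, 1, 15, 9, 0, 0)
    # Benign traffic from an expected region.
    for i in range(5):
        ts = (base + timedelta(seconds=i * 10)).isoformat()
        lines.append(f"{ts} 198.51.100.7 US http_request GET /index.html")
    # Suspicious: 150 requests within one minute from a Romanian (RO) source,
    # six failed logins and a DNS lookup for a .ru domain.
    for i in range(150):
        ts = (base + timedelta(milliseconds=i * 400)).isoformat(timespec="milliseconds")
        lines.append(f"{ts} 203.0.113.10 RO http_request GET /login")
    for i in range(6):
        ts = (base + timedelta(seconds=30 + i)).isoformat()
        lines.append(f"{ts} 203.0.113.10 RO login_failed user=admin")
    ts = (base + timedelta(seconds=40)).isoformat()
    lines.append(f"{ts} 203.0.113.10 RO dns_query update.example.ru")
    return lines


def parse_line(line):
    """Split one log line into its five fields; 'detail' keeps any embedded spaces."""
    ts_s, src_ip, country, event, detail = line.split(maxsplit=4)
    return {"ts": datetime.fromisoformat(ts_s), "src_ip": src_ip,
            "country": country, "event": event, "detail": detail}


def window_of(ts):
    """Bucket a timestamp into a fixed-size window (seconds since a fixed epoch)."""
    return int((ts - EPOCH).total_seconds()) // WINDOW_SECONDS


def hunt(lines):
    """Return findings for floods, failed-login bursts, unexpected countries and DNS."""
    requests = Counter()            # (src_ip, window) -> http_request count
    failed = Counter()              # (src_ip, window) -> login_failed count
    geo = defaultdict(Counter)      # country outside allowlist -> event counts
    dns = set()                     # (src_ip, queried name) for suspect suffixes
    for rec in map(parse_line, lines):
        key = (rec["src_ip"], window_of(rec["ts"]))
        if rec["event"] == "http_request":
            requests[key] += 1
        elif rec["event"] == "login_failed":
            failed[key] += 1
        elif rec["event"] == "dns_query" and rec["detail"].lower().endswith(SUSPECT_DNS_SUFFIXES):
            dns.add((rec["src_ip"], rec["detail"]))
        if rec["country"] not in EXPECTED_COUNTRIES:
            geo[rec["country"]][rec["event"]] += 1
    return {
        "floods": sorted((ip, n) for (ip, _w), n in requests.items() if n > FLOOD_THRESHOLD),
        "failed_login_bursts": sorted((ip, n) for (ip, _w), n in failed.items()
                                      if n >= FAILED_LOGIN_THRESHOLD),
        "unexpected_countries": {c: dict(ev) for c, ev in geo.items()},
        "suspect_dns": sorted(dns),
    }


if __name__ == "__main__":
    for name, value in hunt(build_sample_log()).items():
        print(f"{name}: {value}")
```

The per-window bucketing is what separates a flood from ordinary busy traffic: a single source that exceeds the request threshold inside one minute is a stronger signal than the same count spread over a day. Correlating the geographic finding with the failed-login burst and the DNS lookup from the same source is the point of the article's scenario, so the findings are keyed by source address rather than reported in isolation.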

How Common are DDoS Attacks?

DDoS attacks are considered some of the biggest cybersecurity threats to organizations in the world today. Half of all organizations today have been victims of DDoS attacks. 42% of organizations hit by DDoS attacks report that they were hit multiple times. In 2014 alone, it was reported that an average of 28 DDoS attacks per hour were occurring. This number is likely to be far higher today. With these facts in mind, you can start to see how serious DDoS attacks can be.

Indicators of Compromise

Indicators of Compromise, or IoCs, are network diagnostics representing forensic evidence or attacker (Read more...)

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Greg Belding. Read the original post at: