Custom protocol
Threat actors may create custom protocols so that security controls cannot read or interpret the data in transit.
Common types
- TCP
- Traffic over port 443 that is not HTTPS
Malware/Threat actors
Name | Type | Years | Source |
---|---|---|---|
Wild Neutron | threat actor | 2013-2015 | WildNeutron_Economic_espionage.pdf; ICIT-Brief-Know-Your-Enemies-2.0.pdf |
icefog | threat actor | 2013 | icefog.pdf; stamp.jsp?tp=&arnumber=7460498&tag=1 |
APT1 | threat actor | 2006-2013 | Mandiant_APT1_Report.pdf |
Duqu Trojan | malware | 2010 | Duqu_Trojan_Questions_and_Answers.pdf; The_Mystery_of_Duqu_2_0_a_sophisticated_cyberespionage_actor_returns.pdf; stamp.jsp?tp=&arnumber=7460498&tag=1 |
Turbo | malware | 2015 | TA_Fidelis_Turbo_1602_0.pdf |
Preventions
<Mitigation techniques>
Detections
During the encryption handshake in protocols like TLS, SSL, and SSH, look for encryption suites and ciphers that are new to the environment.
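As an added example (not part of the original page), the check below covers both indicators above: it decides whether the first client payload on port 443 is actually a TLS ClientHello, and if so compares the offered cipher suites against a baseline of suites already seen in the environment. The baseline values, the sample payloads and the `build_client_hello` helper are constructed here for illustration.

```python
import struct

# Constructed baseline of IANA cipher-suite values already observed in this
# environment (e.g. 0x1301 TLS_AES_128_GCM_SHA256, 0xC02F ECDHE-RSA-AES128-GCM).
BASELINE_SUITES = {0x1301, 0x1302, 0xC02F, 0xC030}


def parse_client_hello(payload: bytes):
    """Return the cipher suites offered in a TLS ClientHello, or None when the
    payload does not start with one (i.e. this is not TLS on the port)."""
    if len(payload) < 11 or payload[0] != 0x16:          # 0x16 = handshake record
        return None
    if payload[1] != 0x03 or payload[2] > 0x04:           # record version 0x0300..0x0304
        return None
    if payload[5] != 0x01:                                 # handshake type 1 = ClientHello
        return None
    pos = 5 + 4 + 2 + 32                                   # record hdr, hs hdr, version, random
    if len(payload) < pos + 1:
        return None
    sid_len = payload[pos]
    pos += 1 + sid_len                                     # skip session id
    if len(payload) < pos + 2:
        return None
    (cs_len,) = struct.unpack_from("!H", payload, pos)
    pos += 2
    if cs_len % 2 or len(payload) < pos + cs_len:
        return None
    return [struct.unpack_from("!H", payload, pos + i)[0] for i in range(0, cs_len, 2)]


def classify(payload: bytes, baseline=BASELINE_SUITES) -> str:
    """Label a port-443 client payload for triage."""
    suites = parse_client_hello(payload)
    if suites is None:
        return "non-TLS on 443"
    new = sorted(set(suites) - baseline)
    if new:
        return "new cipher suites: " + ",".join(f"0x{s:04X}" for s in new)
    return "known TLS"


def build_client_hello(suites) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello used as sample input."""
    body = b"\x03\x03" + bytes(32) + b"\x00"                # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00" + b"\x00\x00"                       # null compression, no extensions
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    for sample in (build_client_hello([0x1301, 0xC02F]),
                   build_client_hello([0x1301, 0xCCA8]),
                   b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"):  # constructed non-TLS payload
        print(classify(sample))
```

In practice the baseline would be built from the environment's own handshake logs (for example a TLS-inspecting sensor's cipher field) rather than hard-coded.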
Toolkit
<Toolkit instructions, if applicable>