Threat Feed advisory - severity: medium

Large ICMP Traffic Detection

This analytic identifies excessive ICMP traffic to external IP addresses exceeding 1,000 bytes, potentially indicating command and control activity, data exfiltration, or covert communication channels.

This detection focuses on identifying anomalous ICMP (Internet Control Message Protocol) traffic indicative of malicious activity. ICMP is normally used for network diagnostics, but threat actors can abuse it for covert communication, data exfiltration, or command-and-control (C2). The analytic flags ICMP traffic exceeding 1,000 bytes that is directed toward external IP addresses; destinations in internal address ranges are filtered out. The detection logic leverages the Network_Traffic data model. Validated malicious instances may signal ICMP tunneling, unauthorized data transfer, or compromised endpoints. The data sources for this analytic include Palo Alto Network Traffic and Cisco Secure Access Firewall logs.
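The check described above, written out as an added Python example (not the platform's Sigma rule or the Network_Traffic data model): parse firewall flow records, keep ICMP flows whose destination is outside the internal ranges, and alert when the byte count exceeds a tunable threshold. The key=value log format, the internal address list and the sample flows are constructed for this example.

```python
"""Large ICMP traffic detection over flow logs (added example, not the platform's rule)."""
import ipaddress
from dataclasses import dataclass

# Internal ranges excluded from the check: RFC 1918 plus loopback and link-local.
# Assumption for this example; replace with your own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample flow records in a simple key=value layout.
SAMPLE_LOGS = [
    "src=10.1.2.3 dest=10.1.2.1 proto=icmp bytes=1500",      # internal ping: filtered out
    "src=10.1.2.3 dest=203.0.113.10 proto=icmp bytes=64",    # ordinary echo: below threshold
    "src=10.1.2.3 dest=203.0.113.10 proto=icmp bytes=1400",  # large external ICMP: alert
    "src=10.1.2.7 dest=198.51.100.5 proto=tcp bytes=90000",  # not ICMP: out of scope
    "src=10.1.2.9 dest=198.51.100.5 proto=icmp bytes=1000",  # exactly 1000: not exceeding
]


@dataclass
class Flow:
    src: str
    dest: str
    protocol: str
    bytes_out: int


def is_internal(ip: str) -> bool:
    """True when the address falls in one of the internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line: str) -> Flow:
    """Parse one key=value flow record into a Flow."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(fields["src"], fields["dest"], fields["proto"].lower(), int(fields["bytes"]))


def detect_large_icmp(lines, threshold: int = 1000) -> list:
    """Return ICMP flows to external destinations whose byte count exceeds the threshold.

    The threshold is the tuning knob: raise it if the network baseline shows large
    legitimate ICMP (path MTU probes, monitoring tools), lower it to tighten coverage.
    """
    hits = []
    for line in lines:
        flow = parse_flow(line)
        if flow.protocol != "icmp" or is_internal(flow.dest) or flow.bytes_out <= threshold:
            continue
        hits.append(flow)
    return hits
```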

Attack Chain

  1. An attacker compromises a host within the network.
  2. The compromised host initiates ICMP traffic to an external IP address.
  3. The ICMP traffic exceeds 1000 bytes, evading default network monitoring thresholds.
  4. The attacker uses ICMP to tunnel data, bypassing normal data transfer protocols.
  5. The compromised host uses ICMP for command and control, receiving instructions from the external attacker.
  6. The attacker establishes a covert communication channel using ICMP, masking their activity within normal network traffic.
  7. Sensitive data is exfiltrated via ICMP packets to the attacker-controlled external server.

Impact

Successful exploitation through large ICMP traffic can lead to data breaches, unauthorized access to internal resources, and the establishment of persistent command and control within the network. ICMP tunneling can bypass traditional security measures, allowing attackers to operate undetected. The impact of successful exploitation includes the potential compromise of sensitive data, disruption of network services, and financial loss.

Recommendation

  • Deploy the Sigma rule Detect Large ICMP Traffic to your SIEM and tune the byte threshold (currently 1000 bytes) based on your network baseline to minimize false positives.
  • Investigate any alerts generated by the Detect Large ICMP Traffic rule, focusing on the source and destination IPs involved.
  • Examine network traffic logs for patterns indicative of ICMP tunneling or covert communication channels, using the provided data sources.
  • Use the provided search "View the detection results" to review related events and potential lateral movement.
  • Use the provided search "View risk events" to look at risk factors for the involved assets.

Detection coverage (2 rules)

Detect Large ICMP Traffic

medium

Detects unusually large ICMP packets indicative of tunneling or C2 traffic

Type: sigma | Tactics: command_and_control | Techniques: T1095 | Sources: network_connection, windows

Detect Large ICMP Traffic Linux

medium

Detects unusually large ICMP packets indicative of tunneling or C2 traffic on Linux

Type: sigma | Tactics: command_and_control | Techniques: T1095 | Sources: network_connection, linux

Detection queries are kept inside the platform.