{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/cisco-secure-access-firewall/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud","Cisco Secure Access Firewall","Palo Alto Network Traffic"],"_cs_severities":["medium"],"_cs_tags":["network-traffic","command-and-control","data-exfiltration"],"_cs_type":"advisory","_cs_vendors":["Splunk","Cisco","Palo Alto"],"content_html":"\u003cp\u003eThis detection focuses on identifying anomalous ICMP (Internet Control Message Protocol) traffic indicative of malicious activity. ICMP is typically used for network diagnostics but can be abused for covert communication, data exfiltration, or command-and-control (C2) by threat actors. This analytic identifies ICMP traffic exceeding 1,000 bytes directed toward external IP addresses, filtering out internal networks. The detection logic leverages the Network_Traffic data model. Validated malicious instances may signal ICMP tunneling, unauthorized data transfer, or compromised endpoints. The data sources for this analytic include Palo Alto Network Traffic and Cisco Secure Access Firewall logs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker compromises a host within the network.\u003c/li\u003e\n\u003cli\u003eThe compromised host initiates ICMP traffic to an external IP address.\u003c/li\u003e\n\u003cli\u003eThe ICMP traffic exceeds 1000 bytes, evading default network monitoring thresholds.\u003c/li\u003e\n\u003cli\u003eThe attacker uses ICMP to tunnel data, bypassing normal data transfer protocols.\u003c/li\u003e\n\u003cli\u003eThe compromised host uses ICMP for command and control, receiving instructions from the external attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes a covert communication channel using ICMP, masking their activity within normal network traffic.\u003c/li\u003e\n\u003cli\u003eSensitive data is exfiltrated via ICMP packets to the attacker-controlled external server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation through large ICMP traffic can lead to data breaches, unauthorized access to internal resources, and the establishment of persistent command and control within the network. ICMP tunneling can bypass traditional security measures, allowing attackers to operate undetected. The impact of successful exploitation includes the potential compromise of sensitive data, disruption of network services, and financial loss.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Large ICMP Traffic\u003c/code\u003e to your SIEM and tune the byte threshold (currently 1000 bytes) based on your network baseline to minimize false positives.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u003ccode\u003eDetect Large ICMP Traffic\u003c/code\u003e rule, focusing on the source and destination IPs involved.\u003c/li\u003e\n\u003cli\u003eExamine network traffic logs for patterns indicative of ICMP tunneling or covert communication channels, using the provided data sources.\u003c/li\u003e\n\u003cli\u003eUtilize the provided search \u003ccode\u003eView the detection results\u003c/code\u003e to review related events and potential lateral movement.\u003c/li\u003e\n\u003cli\u003eImplement the provided search \u003ccode\u003eView risk events\u003c/code\u003e to look at risk factors for the involved assets.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T10:00:00Z","date_published":"2024-01-02T10:00:00Z","id":"/briefs/2024-01-large-icmp-traffic/","summary":"This analytic identifies excessive ICMP traffic to external IP addresses exceeding 1,000 bytes, potentially indicating command and control activity, data exfiltration, or covert communication channels.","title":"Large ICMP Traffic Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-large-icmp-traffic/"}],"language":"en","title":"CraftedSignal Threat Feed — Cisco Secure Access Firewall","version":"https://jsonfeed.org/version/1.1"}