D3-ANAA
Definition
Detection of unauthorized use of administrative network protocols by analyzing network activity against a baseline.
How it works
Network protocols such as RDP, IPMI, SSH, SNMP, VNC, MOSH, NX, TeamViewer, SPICE, PCoIP, and others are used by system administrators to remotely manage servers. Defenders monitor administrative network activity to determine if the use of remote protocols is malicious. Attackers can abuse administrative protocols and leverage them for initial access to various endpoints. For example, an attacker with valid credentials will remotely SSH or RDP into a server and attempt to blend in with existing traffic from system administrators. By monitoring the traffic activity, it is possible to detect when the protocols are behaving differently from a known baseline of system administration activity.
Considerations
•Administrative traffic can be encrypted, making network protocol analysis a challenge
•False alarms can be mitigated by integration with inventory management systems
Artifact Relationships
This defensive technique relates to specific digital artifacts.