Course 6 - Network Traffic Analysis for Incident Response | Episode 5: Scanning, Covert Data Exfiltration, DDoS Attacks and IoT Exploitation

EPISODE · Nov 14, 2025 · 11 MIN

from CyberCode Academy · host CyberCode Academy

In this lesson, you’ll learn about: Network Threat Analysis — understanding how common attacks and advanced malware appear in real traffic captures, and how to extract intelligence from them.

Part 1 — Analysis of Common Network Threats

1. Network Scanning Techniques
Attackers scan networks to discover targets, services, and vulnerabilities. Demonstrations cover several scanning styles:
- SYN / Half-Open Scan: sends SYN packets without completing the handshake. Target responses reveal open vs. closed ports.
- Full Connect Scan: completes the full TCP three-way handshake. More noticeable but highly accurate.
- Xmas Tree Scan: uses abnormal TCP flags (FIN + PUSH + URG). Leveraged to probe how systems respond to malformed packets.
- Zombie / Idle Scan: uses an unwitting third-party host (“zombie”) to hide the attacker’s identity. Tracks incremental IP ID numbers to infer open ports.
- Network Worm Scanning (e.g., WannaCry): worms scan many IPs for a single vulnerable port, such as SMB 445. High-volume, repetitive traffic is a key signature.

2. Data Exfiltration (Covert Channels)
Focus: understanding how attackers hide stolen data inside legitimate-appearing traffic.
- Covert SMB Channel: data leaked one byte at a time inside SMB packets. Recovering it requires reviewing thousands of similar packets, extracting the embedded data, Base64-decoding it, reversing the result, and revealing the hidden Morse code.
- ICMP Abuse: attackers embed data into ICMP type fields, reconstructing files (e.g., a GIF). Difficult to detect because ICMP is normally used for diagnostics, not data transfer.

3. Distributed Denial of Service (DDoS) Attacks
Explains why DDoS attacks remain common: cheap cloud resources, insecure IoT devices, accessible botnets.
- Volumetric SYN Flood: floods a port (like HTTP 80) with incomplete handshakes. Exhausts server connection capacity.
- HTTP Flood: sends massive amounts of GET/POST requests. Harder to distinguish from normal traffic.
- Amplification / Reflection Attacks: a small spoofed request produces a massive response to the victim. Examples:
  - Chargen protocol: 1-byte request → 748-byte response.
  - Memcached: tiny request → multi-megabyte responses from cached data.

4. IoT Device Exploitation
Demonstration focuses on how attackers compromise weak devices such as DVRs. Many IoT devices use default credentials and insecure services like Telnet. The attack flow typically involves:
- Logging in via Telnet.
- Attempting to download malware (e.g., the Mirai ELF binary).
- When automated delivery (TFTP) fails, manually reconstructing the binary using echo.
- The device joins a botnet and starts scanning for other victims.

Part 2 — In-Depth Malware Case Studies

1. Remote Access Trojans (RATs): traffic begins with system information reporting from the infected host, followed by persistent command-and-control (C2) communication.
2. Fileless Malware: runs directly in memory, leaving minimal filesystem artifacts. Often, network traffic is the only complete copy of the payload available.
3. Network Worms: automate scanning and propagation. They look for specific open ports, then exploit and install themselves.
4. Multi-Stage Malware: a downloader retrieves multiple malware families. Identifying each stage helps determine the full attack scope and remediation steps. Network traffic often reveals multiple URLs, payloads, or C2 servers involved.

You can listen to and download our episodes for free on more than 10 different platforms: https://linktr.ee/cybercode_academy
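The scan signatures listed in Part 1 (lone SYNs across many ports, FIN+PSH+URG probes, a completed handshake, and a one-port sweep across many hosts) can be told apart from per-packet flag and fan-out counts. The following is an added example, not material from the episode: the packet tuples and addresses are constructed, and the thresholds are assumptions to tune against your own traffic.

```python
from collections import defaultdict

# Constructed sample packets (src, dst, dport, tcp_flags) standing in for
# fields extracted from a capture; the addresses are not from the episode.
PACKETS = [
    # 10.0.0.5 sends lone SYNs to many ports on one host and never completes
    *[("10.0.0.5", "10.0.0.20", p, "S") for p in (21, 22, 25, 80, 443, 3389)],
    # 10.0.0.6 sends FIN+PSH+URG probes (Xmas tree)
    *[("10.0.0.6", "10.0.0.20", p, "FPU") for p in (22, 80, 139)],
    # 10.0.0.7 completes a handshake on one port (ordinary client)
    ("10.0.0.7", "10.0.0.20", 80, "S"), ("10.0.0.7", "10.0.0.20", 80, "A"),
    # 10.0.0.8 sends SYNs to port 445 on forty different hosts (worm-style sweep)
    *[("10.0.0.8", f"10.0.1.{i}", 445, "S") for i in range(1, 41)],
]

def classify_sources(packets, port_threshold=5, host_threshold=20):
    """Label each source by how it uses TCP flags and how widely it fans out."""
    syn_ports = defaultdict(set)    # src -> ports that received a SYN
    ack_ports = defaultdict(set)    # src -> ports where the client later ACKed
    xmas_ports = defaultdict(set)   # src -> ports that received FIN+PSH+URG
    hosts_by_port = defaultdict(lambda: defaultdict(set))  # src -> port -> hosts
    for src, dst, dport, flags in packets:
        if flags == "S":
            syn_ports[src].add(dport)
            hosts_by_port[src][dport].add(dst)
        elif flags == "A":
            ack_ports[src].add(dport)
        elif set(flags) == {"F", "P", "U"}:
            xmas_ports[src].add(dport)
    labels = {}
    for src in sorted(set(syn_ports) | set(xmas_ports) | set(ack_ports)):
        # Worm-style sweep: one port, many destination hosts
        swept = [p for p, hosts in hosts_by_port[src].items()
                 if len(hosts) >= host_threshold]
        # SYN sent but the handshake was never finished from this source
        half_open = syn_ports[src] - ack_ports[src]
        if xmas_ports[src]:
            labels[src] = "Xmas tree scan"
        elif swept:
            labels[src] = f"worm-style sweep on port {swept[0]}"
        elif len(half_open) >= port_threshold:
            labels[src] = "SYN / half-open scan"
        else:
            labels[src] = "normal"
    return labels

if __name__ == "__main__":
    for src, label in classify_sources(PACKETS).items():
        print(f"{src:<10} {label}")
```

A full-connect scan would show up as many ports with both a SYN and a later ACK from the same source; the page's own point is that it is more noticeable, and the same fan-out counting covers it.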
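The covert SMB channel in Part 1 is recovered by a fixed pipeline: pull the one attacker-controlled byte out of each packet, join them in frame order, Base64-decode, reverse, then read the Morse code. The following is an added example, not the episode's capture: the packet records and the hidden message are constructed inside the block by a helper that applies the same steps in the opposite direction.

```python
import base64

MORSE = {".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
         "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
         "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
         "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
         "-.--": "Y", "--..": "Z"}

def build_sample_packets(message: str):
    """Constructed sample: Morse(message) is reversed, Base64-encoded and leaked
    one character per packet in a 'data' field. Stand-in for SMB frames, not
    the episode's capture."""
    to_morse = {v: k for k, v in MORSE.items()}
    morse = " ".join(to_morse[c] for c in message.upper())
    blob = base64.b64encode(morse[::-1].encode()).decode()
    return [{"frame": i + 1, "data": ch} for i, ch in enumerate(blob)]

def decode_covert_channel(packets):
    """Apply the episode's steps and return every intermediate stage so an
    analyst can check where a reconstruction goes wrong."""
    # 1. Extract one byte per packet, in frame order (captures are not always sorted)
    hidden = "".join(p["data"] for p in sorted(packets, key=lambda p: p["frame"]))
    # 2. Base64-decode; validate=True fails loudly if the extraction picked up noise
    decoded = base64.b64decode(hidden, validate=True).decode()
    # 3. Reverse the decoded string
    morse = decoded[::-1]
    # 4. Map each Morse symbol to a letter; unknown symbols become '?'
    text = "".join(MORSE.get(sym, "?") for sym in morse.split(" "))
    return {"hidden": hidden, "decoded": decoded, "morse": morse, "text": text}

if __name__ == "__main__":
    stages = decode_covert_channel(build_sample_packets("HELP"))
    for name, value in stages.items():
        print(f"{name:>8}: {value}")
```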
