High volume of outbound traffic over FTP

ID: high_volume_ftp
Data type: IP
Severity: Medium
MITRE ATT&CK: TA0010:T1048 (Exfiltration: Exfiltration Over Alternative Protocol)

Description

AlphaSOC detected an unusually high volume of outbound File Transfer Protocol (FTP) traffic from a host. Threat actors often use OSI application layer protocols such as FTP to exfiltrate data from compromised systems or to communicate with compromised systems within a victim's network, because the traffic blends in with legitimate file transfers and is easy to overlook.

Impact

Unexpected outbound FTP traffic may indicate ongoing communication with a command and control (C2) server or an attempt to exfiltrate data. This can result in the loss of sensitive data, intellectual property theft, or compliance violations.

Severity

Severity    Condition
Medium      Suspicious outbound FTP traffic

Investigation and Remediation

Identify the source host (and, where endpoint telemetry exists, the process) and the destination FTP server, and verify whether the transfer is authorized. Note that FTP uses a control connection on TCP port 21 and separate data connections (active or passive mode), so the bulk of the bytes may appear in flows on other ports; correlate both. Review FTP, proxy and flow logs to identify the transferred files: because FTP is cleartext, STOR commands, file names and even credentials are visible in a packet capture. If the traffic is unauthorized, block the destination at the egress firewall and isolate the affected systems. Determine the extent of data loss (which files, how much, to whom) and whether the host is otherwise compromised. To prevent recurrence, deny outbound FTP by default and allow it only to an explicit list of approved servers, and migrate legitimate transfers to an authenticated, encrypted protocol such as SFTP or FTPS where possible.

Known False Positives

  • Legitimate file transfers by employees or automated systems using FTP
  • Backup processes using FTP to transfer data to offsite storage
  • Developers using FTP for version control or code deployment
  • Scheduled data synchronization between systems using FTP
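As an added worked example (not AlphaSOC's detection logic, and not code from this page), the following Python script performs the triage described above on constructed Zeek-style ftp.log records: it sums STOR uploads per source/destination pair, lists the file names involved, drops destinations that appear on a hypothetical allowlist of approved backup and deployment servers (covering the false positives listed above), and ranks the remainder so the largest unexpected transfer is reviewed first. The field names follow Zeek's ftp.log; the sample records, the allowlist entry 192.0.2.50 and the 100 MiB threshold are assumptions made for this example.

```python
import json
from collections import defaultdict

# Constructed sample input: Zeek-style ftp.log records in JSON form. These
# lines are invented for this example; they are not AlphaSOC output or a real
# capture. Only the fields used below are included.
SAMPLE_FTP_LOG = """
{"ts": 1700000000.1, "id.orig_h": "10.1.2.15", "id.resp_h": "203.0.113.9", "user": "anonymous", "command": "STOR", "arg": "finance_q3.zip", "file_size": 734003200, "reply_code": 226}
{"ts": 1700000060.4, "id.orig_h": "10.1.2.15", "id.resp_h": "203.0.113.9", "user": "anonymous", "command": "STOR", "arg": "hr_export.tar", "file_size": 524288000, "reply_code": 226}
{"ts": 1700000120.0, "id.orig_h": "10.1.2.15", "id.resp_h": "203.0.113.9", "user": "anonymous", "command": "STOR", "arg": "docs.7z", "file_size": 157286400, "reply_code": 426}
{"ts": 1700000200.9, "id.orig_h": "10.1.5.40", "id.resp_h": "192.0.2.50", "user": "backup", "command": "STOR", "arg": "nightly-2023-11-14.tgz", "file_size": 2147483648, "reply_code": 226}
{"ts": 1700000300.2, "id.orig_h": "10.1.7.8", "id.resp_h": "198.51.100.77", "user": "dev", "command": "RETR", "arg": "patch.bin", "file_size": 4096, "reply_code": 226}
{"ts": 1700000400.7, "id.orig_h": "10.1.7.8", "id.resp_h": "198.51.100.77", "user": "dev", "command": "STOR", "arg": "notes.txt", "file_size": 2048, "reply_code": 226}
"""

# Assumption (not from the page): the organisation keeps an allowlist of FTP
# servers used by backups and deployments. 192.0.2.50 is a hypothetical
# offsite backup host.
AUTHORIZED_FTP_SERVERS = {"192.0.2.50"}

# Assumption: per (source, destination) byte threshold for a medium alert.
UPLOAD_THRESHOLD_BYTES = 100 * 1024 * 1024


def parse_ftp_log(text):
    """Parse JSON-lines ftp.log content into a list of dicts, skipping blanks."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def summarize_uploads(records):
    """Aggregate outbound uploads (STOR) per (source host, FTP server).

    RETR (download) and other commands are ignored because this alert is
    about data leaving the network. An aborted transfer (reply 426) is still
    counted: part of the file may already have crossed the wire.
    """
    summary = defaultdict(
        lambda: {"bytes": 0, "files": [], "users": set(), "aborted": []}
    )
    for rec in records:
        if rec.get("command") != "STOR":
            continue
        entry = summary[(rec["id.orig_h"], rec["id.resp_h"])]
        entry["bytes"] += int(rec.get("file_size") or 0)
        entry["files"].append(rec.get("arg", ""))
        entry["users"].add(rec.get("user", ""))
        if rec.get("reply_code") == 426:
            entry["aborted"].append(rec.get("arg", ""))
    return summary


def triage(summary, authorized=AUTHORIZED_FTP_SERVERS,
           threshold=UPLOAD_THRESHOLD_BYTES):
    """Turn the per-pair summary into alerts, dropping known-good servers.

    Returns alerts sorted by bytes descending so the analyst sees the
    largest unexpected transfer first.
    """
    alerts = []
    for (src, dst), entry in summary.items():
        if dst in authorized:
            continue  # documented false positive: approved backup/deploy host
        alerts.append({
            "src": src,
            "dst": dst,
            "bytes": entry["bytes"],
            "files": entry["files"],
            "aborted": entry["aborted"],
            "anonymous_login": "anonymous" in entry["users"],
            "severity": "medium" if entry["bytes"] >= threshold else "low",
        })
    alerts.sort(key=lambda a: a["bytes"], reverse=True)
    return alerts


if __name__ == "__main__":
    for alert in triage(summarize_uploads(parse_ftp_log(SAMPLE_FTP_LOG))):
        mib = alert["bytes"] / (1024 * 1024)
        print(f'{alert["severity"]:6} {alert["src"]} -> {alert["dst"]} '
              f'{mib:,.1f} MiB files={alert["files"]} '
              f'aborted={alert["aborted"]} anonymous={alert["anonymous_login"]}')
```

Running the script flags 10.1.2.15 pushing roughly 1.3 GiB of archives to 203.0.113.9 over an anonymous login (one transfer aborted mid-way) as medium, reports the tiny upload from 10.1.7.8 as low for review, and suppresses the nightly backup to the allowlisted host entirely. In production the allowlist and threshold would come from configuration, and the file names would be carried into the incident ticket so the data-loss assessment starts from evidence rather than guesswork.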