High volume of outbound traffic over FTP
Description
AlphaSOC detected unusual outbound File Transfer Protocol (FTP) traffic. Threat actors often use OSI application layer protocols such as FTP to exfiltrate data from compromised systems or to communicate with compromised systems within a victim's network. This allows them to blend malicious activity with legitimate traffic and avoid detection.
Impact
Unexpected outbound FTP traffic may indicate ongoing communication with a command and control (C2) server or an attempt to exfiltrate data. This can result in the loss of sensitive data, intellectual property theft, or compliance violations.
Severity
| Severity | Condition |
|---|---|
| Medium | Suspicious outbound FTP traffic |
Investigation and Remediation
Investigate the source and destination of the FTP traffic and verify whether it is authorized. Review logs to identify which files were transferred. If the traffic is determined to be unauthorized, block it and isolate the affected systems, then determine the extent of data loss and potential system compromise. To prevent future incidents, implement strict firewall rules that control outbound FTP traffic.
Known False Positives
- Legitimate file transfers by employees or automated systems using FTP
- Backup processes using FTP to transfer data to offsite storage
- Developers using FTP for version control or code deployment
- Scheduled data synchronization between systems using FTP
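As an added example (not AlphaSOC's own detection logic), the kind of aggregation an analyst can run over flow logs to triage this alert and to suppress the false positives listed above: it sums bytes sent over FTP control and data flows to external hosts per source/destination pair, skips allowlisted sources such as a backup server, and reports pairs above a volume threshold. The flow records, the internal address ranges, the allowlist and the threshold are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (not real AlphaSOC output):
# ts src dst dst_port service orig_bytes
SAMPLE_LOGS = """\
2024-05-01T02:10:03Z 10.0.0.15 203.0.113.9 21 ftp 1200
2024-05-01T02:10:05Z 10.0.0.15 203.0.113.9 50021 ftp-data 734003200
2024-05-01T02:11:40Z 10.0.0.15 203.0.113.9 50022 ftp-data 512000000
2024-05-01T03:00:00Z 10.0.0.40 198.51.100.7 21 ftp 900
2024-05-01T03:00:02Z 10.0.0.40 198.51.100.7 50100 ftp-data 2147483648
2024-05-01T04:12:00Z 10.0.0.22 10.0.5.5 21 ftp 400
2024-05-01T04:12:01Z 10.0.0.22 10.0.5.5 50200 ftp-data 900000000
2024-05-01T05:00:00Z 10.0.0.33 192.0.2.10 21 ftp 300
2024-05-01T05:00:01Z 10.0.0.33 192.0.2.10 50300 ftp-data 4096
"""

# Assumed internal ranges; anything else is treated as an external destination.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Hosts allowed to push large volumes over FTP, e.g. the offsite backup job (constructed).
ALLOWED_SOURCES = {"10.0.0.40"}
THRESHOLD_BYTES = 100 * 1024 * 1024  # 100 MiB per (src, dst) pair in the window


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts; skips blank or malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, src, dst, dport, service, nbytes = parts
        flows.append({"ts": ts, "src": src, "dst": dst, "dport": int(dport),
                      "service": service, "bytes": int(nbytes)})
    return flows


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_high_volume_ftp(flows, threshold=THRESHOLD_BYTES, allowed=ALLOWED_SOURCES):
    """Sum outbound bytes per (src, dst) over FTP flows to external hosts, above threshold."""
    totals = defaultdict(int)
    for f in flows:
        # Match on the service label, not port 21: the bulk of the bytes travel on
        # ephemeral-port data connections, which a port-only filter would miss.
        if f["service"] not in ("ftp", "ftp-data"):
            continue
        if not is_external(f["dst"]) or f["src"] in allowed:
            continue
        totals[(f["src"], f["dst"])] += f["bytes"]
    return sorted((src, dst, b) for (src, dst), b in totals.items() if b >= threshold)
```

Flagged pairs are the starting point for the log review above: pull the file names from the control-channel log for that source and confirm the transfer with its owner before blocking.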