5. Detection on a network

Almost all malicious activity involves a network component in one way or another. Malicious network activity can occur at different points in an attack timeline, both before and after an infection. This chapter assumes some prerequisites: the reader should have a basic understanding of networking and protocols, including the layers of the OSI and TCP/IP models. The TCP/IP model in particular will be referred to at times in this section.

Malicious network traffic can be both inbound to and outbound from the network. When traffic is directed to and from other computers within the same network, we term it lateral movement. We talked about malware attacks using spam emails, exploit kits, and other attack vectors in Chapter 4, Ransomware techniques of hijacking the system.

When an infection happens and a system is compromised by malware, the malware tries to communicate with its C&C server to receive commands. It can also send user credentials and other harvested information to that server, in a format the C&C server understands. In this case, the traffic is outbound.

Several kinds of software have been created to prevent attacks wherever possible. Firewalls, IDSes, IPSes, and sandboxes are well-known detection and prevention systems. We will talk about all of these in the upcoming sections.
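As an added example (not code from the book), the following script labels each flow as inbound, outbound, lateral, or external relative to a set of internal address ranges, and then flags outbound connections that recur at a steady interval to the same host, the check-in pattern described above for malware contacting its C&C server. The internal ranges, the sample flows, and the jitter threshold are constructed assumptions for the demonstration.

```python
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

# Constructed: address ranges treated as "inside" the monitored network.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def classify(src: str, dst: str) -> str:
    """Label a flow as inbound, outbound, lateral or external."""
    s, d = is_internal(src), is_internal(dst)
    if s and d:
        return "lateral"
    if s:
        return "outbound"
    return "inbound" if d else "external"

def find_beacons(flows, min_count=4, max_jitter=0.2):
    """Return outbound (src, dst, port) keys whose connection times are
    evenly spaced: regular check-ins to one host are typical of C&C traffic."""
    times = defaultdict(list)
    for ts, src, dst, port in flows:
        if classify(src, dst) == "outbound":
            times[(src, dst, port)].append(ts)
    beacons = []
    for key, stamps in times.items():
        stamps.sort()
        if len(stamps) < min_count:
            continue
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # low spread relative to the mean interval means a steady period
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons.append((key, round(avg, 1)))
    return beacons

# Constructed sample flows: (seconds, src, dst, dst port); 10.0.0.5 checks
# in every ~60 s, 10.0.0.7 talks to the same host at irregular times.
SAMPLE_FLOWS = [
    (0, "10.0.0.5", "203.0.113.9", 443), (60, "10.0.0.5", "203.0.113.9", 443),
    (121, "10.0.0.5", "203.0.113.9", 443), (180, "10.0.0.5", "203.0.113.9", 443),
    (5, "10.0.0.5", "10.0.0.20", 445), (30, "198.51.100.4", "10.0.0.5", 22),
    (10, "10.0.0.7", "203.0.113.9", 443), (400, "10.0.0.7", "203.0.113.9", 443),
    (415, "10.0.0.7", "203.0.113.9", 443), (900, "10.0.0.7", "203.0.113.9", 443),
]
```

Calling `find_beacons(SAMPLE_FLOWS)` on the constructed data returns only the 10.0.0.5 connections with a 60-second period; the irregular 10.0.0.7 traffic and the lateral and inbound flows are not reported.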
