outbound_ftp_traffic
Explanation
This event monitors outbound traffic for cleartext FTP connections. The use of non-encrypted protocols such as FTP can leave sensitive information vulnerable to interception and theft.
What to Look For
To remediate potential issues with outbound FTP traffic, examine network traffic for unencrypted connections on TCP ports 20 and 21. Check FTP logs for suspicious activity, such as transfers to unauthorized destinations or user credentials being transmitted in cleartext. Configure endpoints and servers to use secure FTP protocols such as SFTP or FTPS so that transfers are encrypted, and consider blocking TCP ports 20 and 21.
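As an added example (not part of the original page), the following Python implements the two checks described above: flagging outbound TCP flows to ports 20 and 21 from internal to external addresses, and spotting cleartext USER/PASS commands in a captured FTP control-channel session. The flow record layout, the internal address ranges, and the sample data are all constructed assumptions.

```python
import ipaddress

# Constructed flow records (assumed format): timestamp src dst dport proto
SAMPLE_FLOWS = [
    "2024-05-01T10:00:01Z 10.1.2.3 203.0.113.10 21 tcp",
    "2024-05-01T10:00:02Z 10.1.2.3 203.0.113.10 20 tcp",
    "2024-05-01T10:00:05Z 10.1.2.9 10.1.5.5 21 tcp",      # internal to internal: not outbound
    "2024-05-01T10:00:07Z 10.1.2.3 198.51.100.7 22 tcp",  # SSH/SFTP: encrypted, not flagged
    "2024-05-01T10:00:09Z 10.1.2.4 203.0.113.10 21 udp",  # not TCP: not flagged
]

# Assumed internal address space (RFC 1918); adjust to the monitored environment
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FTP_PORTS = {20, 21}  # FTP data and control ports from the page


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_outbound_ftp(lines):
    """Return (timestamp, src, dst, port) for TCP flows leaving the internal network on 20/21."""
    hits = []
    for line in lines:
        ts, src, dst, dport, proto = line.split()
        if proto != "tcp" or int(dport) not in FTP_PORTS:
            continue
        if is_internal(src) and not is_internal(dst):
            hits.append((ts, src, dst, int(dport)))
    return hits


# Constructed FTP control-channel transcript: credentials are visible in cleartext
SAMPLE_FTP_SESSION = [
    "220 ftp.example.net ready",
    "USER alice",
    "331 Password required",
    "PASS s3cret",
    "230 Login ok",
    "RETR payroll.csv",
]


def cleartext_credentials(commands):
    """Return the credential-bearing FTP commands, with the password value masked for logging."""
    found = []
    for cmd in commands:
        verb, _, arg = cmd.partition(" ")
        if verb.upper() == "USER":
            found.append(f"USER {arg}")
        elif verb.upper() == "PASS":
            found.append("PASS ***")
    return found
```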
Related MITRE ATT&CK Categories