outbound_ftp_traffic

Explanation

This event monitors outbound traffic for cleartext FTP connections. FTP authenticates with a USER/PASS exchange sent in the clear and moves file contents unencrypted, so anyone positioned on the network path can capture both the credentials and the data, and an attacker who already has a foothold can use an outbound FTP session as a low-effort exfiltration channel.

What to Look For

To investigate this event, examine outbound connections to TCP ports 20 and 21. Port 21 carries the control channel; port 20 is used only by active-mode data transfers, while passive mode negotiates an ephemeral data port in the server's 227 reply, so the transferred bytes will not appear on port 20 at all. Confirm the session is actually cleartext: an FTPS client that sends AUTH TLS on port 21 and receives a 234 reply encrypts the rest of the session, whereas USER and PASS commands visible on the wire mean credentials have been exposed. Review FTP logs for uploads (STOR, APPE) to destinations that are not approved servers, and for accounts or hosts that do not normally use FTP. To remediate, move endpoints and servers to an encrypted transfer protocol, either FTPS (FTP over TLS) or SFTP (file transfer over SSH, a different protocol despite the name), and consider blocking outbound TCP 20 and 21 at the perimeter once legitimate users have migrated.
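The checks above, run over constructed session records, as an added example that is not part of this rule's original text. It assumes a log source that records, per outbound session, the destination address, the destination port and the FTP control-channel commands and replies in order (Zeek's ftp.log or a packet capture would give you this). The transcripts, the APPROVED_FTP_HOSTS allowlist and the severity labels are all made up for illustration.

```python
"""Classify outbound FTP control-channel sessions from captured log lines.

Constructed example: the session transcripts and allowlist below are made up.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Hypothetical allowlist of FTP servers the organisation has approved.
APPROVED_FTP_HOSTS = {"198.51.100.7"}

# Commands that push data to the server; an upload to an unknown host is the
# exfiltration pattern this rule is meant to surface.
UPLOAD_COMMANDS = {"STOR", "STOU", "APPE"}

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}

# Matches the (h1,h2,h3,h4,p1,p2) tuple in a "227 Entering Passive Mode" reply.
PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass
class Finding:
    dst: str
    port: int
    severity: str = "low"
    reasons: list[str] = field(default_factory=list)
    data_endpoints: list[str] = field(default_factory=list)


def passive_endpoint(reply: str) -> str | None:
    """Decode the host:port a passive-mode data channel will use.

    The port is p1*256+p2, so the transfer itself never touches TCP 20 and a
    rule that only watches ports 20/21 sees the command, not the bytes.
    """
    m = PASV_RE.search(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}:{p1 * 256 + p2}"


def _escalate(finding: Finding, level: str) -> None:
    if SEVERITY_RANK[level] > SEVERITY_RANK[finding.severity]:
        finding.severity = level


def analyse_session(dst: str, port: int, lines: list[str]) -> Finding | None:
    """Return a Finding for a cleartext or suspicious FTP session, else None."""
    if port not in (20, 21):
        return None  # outside the scope of this rule
    finding = Finding(dst=dst, port=port)
    auth_requested = False  # client sent AUTH TLS/SSL
    tls_negotiated = False  # server answered 234: explicit FTPS from here on
    for line in lines:
        parts = line.split(maxsplit=1)
        if not parts:
            continue
        verb, arg = parts[0].upper(), (parts[1] if len(parts) > 1 else "")
        if verb == "AUTH" and arg.upper() in ("TLS", "SSL"):
            auth_requested = True
        elif verb == "234" and auth_requested:
            tls_negotiated = True
        elif verb in ("USER", "PASS") and not tls_negotiated:
            # Also catches the downgrade case: AUTH TLS refused by the server,
            # client falls back to a cleartext login.
            finding.reasons.append(f"{verb} sent in cleartext")
            _escalate(finding, "medium")
        elif verb == "227":
            ep = passive_endpoint(arg)
            if ep:
                finding.data_endpoints.append(ep)
        elif verb in UPLOAD_COMMANDS and dst not in APPROVED_FTP_HOSTS:
            finding.reasons.append(f"{verb} {arg} to unapproved host {dst}")
            _escalate(finding, "high")
    if not tls_negotiated:
        finding.reasons.insert(0, "control channel never upgraded to TLS")
    elif not finding.reasons:
        return None  # FTPS to an approved host: nothing to flag
    return finding


# Constructed session transcripts (client commands and server replies, in order).
SESSIONS = [
    ("203.0.113.10", 21, [
        "220 ProFTPD Server ready.", "USER alice", "331 Password required",
        "PASS hunter2", "230 User alice logged in", "PASV",
        "227 Entering Passive Mode (203,0,113,10,195,80)",
        "STOR payroll_q3.zip", "226 Transfer complete",
    ]),
    ("198.51.100.7", 21, [  # explicit FTPS to an approved server
        "220 vsFTPd 3.0.3", "AUTH TLS", "234 Proceed with negotiation.",
        "USER backup", "230 Login successful.",
    ]),
    ("198.51.100.7", 21, [  # approved server, but credentials in the clear
        "220 vsFTPd 3.0.3", "USER backup", "331 Please specify the password.",
        "PASS s3cret", "230 Login successful.", "RETR nightly.tar",
    ]),
    ("192.0.2.44", 443, ["GET / HTTP/1.1"]),  # not FTP, ignored
]


def run(sessions=SESSIONS) -> list[Finding]:
    return [f for f in (analyse_session(*s) for s in sessions) if f]


if __name__ == "__main__":
    for f in run():
        print(f"{f.severity.upper():6} {f.dst}:{f.port} {f.reasons} data={f.data_endpoints}")
```

Two things the port filter alone would get wrong are handled here: the FTPS session on port 21 is not reported because the AUTH TLS / 234 exchange is seen before any login, and the first session's decoded passive endpoint (port 195*256+80) tells the analyst where to look for the actual data transfer, which never appears on TCP 20.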

Related MITRE ATT&CK Categories

Exfiltration Over Alternative Protocol, Technique T1048; cleartext FTP specifically maps to sub-technique T1048.003, Exfiltration Over Unencrypted Non-C2 Protocol