Security February 04, 2026

Network Forensics: Tracing Advanced Persistent Threats

Written by Muhammad Fajar Nugroho

The Anatomy of an APT Breach

Advanced Persistent Threats (APTs) are rarely smash-and-grab operations. They are highly sophisticated, glacially slow, and specifically designed to evade detection for months. Understanding the footprint they leave on the network is crucial for effective containment and eradication.

In this write-up, I detail a recent forensic engagement where we isolated and neutralized a highly customized APT exfiltration vector.

Phase 1: Anomaly Detection and Triage

APTs often implant via highly targeted spear-phishing or zero-day exploitation. The initial Indicator of Compromise (IoC) is rarely an alarm—it’s usually a whisper. In this incident, a SIEM alert flagged a slightly irregular DNS request volume at 3:00 AM from a segmented subnet.

We immediately isolated the network logs, hunting specifically for:

  • Beaconing Activity: Rhythmic, low-bandwidth outbound connections (heartbeats) indicating Command and Control (C2) communication.
  • Lateral Movement Footprints: Unusual SMB, WinRM, or RDP traffic bridging internal hosts that possess no operational reason to communicate.
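The beaconing check from the first bullet can be automated over Zeek conn.log records. The following is an added example, not code from this write-up; it assumes each record has been projected down to the conn.log fields ts, id.orig_h, id.resp_h, id.resp_p and orig_bytes, and the SAMPLE_CONNS records are constructed for illustration rather than taken from the incident.

```python
"""Beacon detection over Zeek conn.log-style records (added example).

Assumed input: (ts, src_ip, dst_ip, dst_port, bytes_out) tuples, the fields
one would pull from Zeek's conn.log. All sample records are constructed.
"""
import statistics
from collections import defaultdict

BASE_TS = 1_700_000_000.0  # constructed epoch base, not the incident's timestamp

# Constructed traffic: 10.0.5.55 contacts 203.0.113.10:443 every ~60 s with
# ~180-byte payloads (heartbeat-shaped); 10.0.5.20 talks to 198.51.100.7 at
# irregular times with large, variable transfers (human-shaped).
SAMPLE_CONNS = [
    (BASE_TS + 60 * i + (0.2 if i % 2 else -0.3), "10.0.5.55", "203.0.113.10", 443, 180)
    for i in range(12)
] + [
    (BASE_TS + t, "10.0.5.20", "198.51.100.7", 443, size)
    for t, size in [(3, 14000), (5, 22000), (40, 900), (41, 31000), (300, 12000),
                    (302, 4400), (900, 26000), (905, 8000), (1500, 15000),
                    (1503, 7000), (2200, 9000), (2205, 3000)]
]


def beacon_candidates(conns, min_conns=8, max_jitter=0.1, max_bytes=2048):
    """Return [(src, dst, port, mean_interval_s)] for flows whose inter-arrival
    times are nearly constant (low coefficient of variation) and whose
    per-connection byte counts stay small, i.e. low-bandwidth heartbeats."""
    by_flow = defaultdict(list)
    for ts, src, dst, port, nbytes in conns:
        by_flow[(src, dst, port)].append((ts, nbytes))

    found = []
    for flow, events in sorted(by_flow.items()):
        if len(events) < min_conns:
            continue  # too few observations to call a rhythm
        events.sort()
        intervals = [later[0] - earlier[0] for earlier, later in zip(events, events[1:])]
        mean = statistics.mean(intervals)
        if mean <= 0:
            continue
        # Timer-driven traffic has a coefficient of variation near zero;
        # interactive traffic does not.
        cv = statistics.pstdev(intervals) / mean
        median_bytes = statistics.median([n for _, n in events])
        if cv <= max_jitter and median_bytes <= max_bytes:
            found.append((*flow, round(mean, 1)))
    return found


if __name__ == "__main__":
    for src, dst, port, period in beacon_candidates(SAMPLE_CONNS):
        print(f"beacon candidate {src} -> {dst}:{port} every ~{period}s")
```

Implants commonly add jitter to their sleep interval, so in practice max_jitter is tuned upward and the interval distribution is inspected rather than relying on a single cut-off; the byte-count ceiling is what keeps routine large downloads from matching.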

Phase 2: Deep Packet Inspection (DPI) & PCAP Analysis

Once a suspicious IP or protocol is identified, the investigation pivots to raw PCAP (Packet Capture) analysis using tools like Wireshark and Zeek. APTs frequently obfuscate their traffic by wrapping custom encryption protocols inside standard port 443 (HTTPS) or DNS queries (DNS Tunneling).

During our DPI inspection, we identified the following:

# Zeek notice log extract showing unusual protocol utilization
1618349211.123456  Notice::Weird  10.0.5.55  192.168.1.100  443  SSL_in_cleartext

We found mismatched protocol headers: SSH traffic was being deliberately disguised as HTTP data to bypass standard L7 firewall egress filtering.
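The header mismatch described above can be checked mechanically once the first client bytes of each flow are available. The following is an added example, not the post's code and not a Zeek script; it assumes the opening client-to-server bytes have already been extracted per flow (for instance from a PCAP), and SAMPLE_FLOWS is constructed for illustration.

```python
"""Port/protocol mismatch detection from first client bytes (added example).

Assumed input: (src, dst, dst_port, first_client_bytes) per flow. The
protocol is identified from its opening bytes and compared with what the
destination port implies. All sample flows are constructed.
"""

EXPECTED_BY_PORT = {443: "tls", 22: "ssh", 80: "http"}
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ", b"CONNECT ")


def classify_payload(data: bytes) -> str:
    """Identify the application protocol from the client's opening bytes."""
    if data.startswith(b"SSH-"):
        return "ssh"  # SSH version exchange banner
    # TLS record layer: content type 0x16 (handshake), version 0x03 0x00..0x04
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        return "tls"
    if data.startswith(HTTP_METHODS):
        return "http"  # cleartext HTTP request line
    return "unknown"


SAMPLE_FLOWS = [
    # (src, dst, dst_port, first client bytes) -- all constructed
    ("10.0.5.20", "198.51.100.7", 443,
     b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 8),   # TLS ClientHello
    ("10.0.5.20", "198.51.100.7", 80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("10.0.5.55", "203.0.113.10", 443, b"SSH-2.0-OpenSSH_8.9\r\n"),     # SSH on 443
    ("10.0.5.55", "203.0.113.10", 443,
     b"POST /upload HTTP/1.1\r\nHost: 203.0.113.10\r\n\r\n"),          # cleartext on 443
    ("10.0.5.30", "203.0.113.25", 8443, b"\x16\x03\x03\x00\x40"),       # no expectation for 8443
]


def port_protocol_mismatches(flows):
    """Return [(src, dst, port, expected, observed)] for flows whose observed
    protocol is recognised and differs from what the port implies."""
    findings = []
    for src, dst, port, first_bytes in flows:
        expected = EXPECTED_BY_PORT.get(port)
        observed = classify_payload(first_bytes)
        if expected and observed != "unknown" and observed != expected:
            findings.append((src, dst, port, expected, observed))
    return findings


if __name__ == "__main__":
    for src, dst, port, expected, observed in port_protocol_mismatches(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{port} expected {expected}, saw {observed}")
```

Only ports with a firm expectation are judged, and only when the banner is positively recognised, so an unrecognised binary protocol on 443 produces no finding here; that case is better covered by the Zeek notice in the log extract above than by a banner check.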

Phase 3: EDR Correlation & The “Ping Tunnel” Exfiltration

Network logs only reveal the wire. We correlated the network anomalies with CrowdStrike EDR telemetry. The specific workstation exhibiting beaconing behavior mapped the network socket directly back to a disguised svchost.exe process injected with malicious shellcode.

The Breakthrough: The attacker had bypassed the standard DLP (Data Loss Prevention) sensors by chunking high-value intellectual property into tiny, encrypted hex payloads and embedding them within benign ICMP (ping) echo requests. This “ping tunneling” channel was characterized and disrupted before any significant data loss materialized.
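Echo request payloads can be screened for this kind of tunnel by comparing them with the stock ping payloads and measuring the randomness of anything that does not match. The following is an added example, not the post's code; it assumes the ICMP data bytes (after the 8-byte ICMP header) have been extracted per source host, the two templates are the well-known payloads of Windows ping.exe and Linux iputils ping, and the "encrypted" chunks are constructed stand-ins (32 distinct byte values each), not captured data.

```python
"""ICMP echo payload screening for tunnelling (added example).

Assumed input: (src_ip, echo_payload) pairs. Payloads matching a stock ping
template are benign; anything else is measured for randomness, after hex
decoding when the bytes are all hex digits, because the post's tunnel
carried hex-encoded ciphertext and hex text caps raw entropy at 4 bits/byte.
"""
import math
import string
from collections import Counter, defaultdict

WINDOWS_PATTERN = b"abcdefghijklmnopqrstuvwabcdefghi"  # ping.exe, 32 bytes


def matches_known_template(payload: bytes) -> bool:
    """Windows: fixed alphabet string. iputils: 8-byte timeval, then each
    byte equals its offset in the ICMP message (0x10, 0x11, ...)."""
    if payload == WINDOWS_PATTERN:
        return True
    body = payload[8:]
    return len(payload) >= 16 and all(b == (16 + i) % 256 for i, b in enumerate(body))


def normalized_entropy(data: bytes) -> float:
    """Shannon entropy divided by the maximum achievable for this length
    (log2 of min(256, len)), so short payloads are comparable to long ones."""
    if len(data) < 2:
        return 0.0
    n = len(data)
    h = -sum(c / n * math.log2(c / n) for c in Counter(data).values())
    return h / math.log2(min(256, n))


def is_hex_text(data: bytes) -> bool:
    return len(data) > 0 and len(data) % 2 == 0 and all(chr(b) in string.hexdigits for b in data)


def score_echo_payload(payload: bytes, threshold: float = 0.85):
    """Return (verdict, normalised_entropy). Templates are checked first:
    the iputils body is all-distinct bytes and would otherwise score as
    high-entropy data."""
    if matches_known_template(payload):
        return "benign-template", normalized_entropy(payload)
    if is_hex_text(payload):
        ent = normalized_entropy(bytes.fromhex(payload.decode("ascii")))
        return ("suspect-hex-encoded" if ent > threshold else "unknown"), ent
    ent = normalized_entropy(payload)
    return ("suspect-high-entropy" if ent > threshold else "unknown"), ent


def tunnel_sources(packets, min_suspect=5):
    """Return {src_ip: count} for hosts with at least min_suspect suspicious
    echo payloads, i.e. repeated carriers rather than a single odd packet."""
    per_src = defaultdict(int)
    for src, payload in packets:
        if score_echo_payload(payload)[0].startswith("suspect"):
            per_src[src] += 1
    return {src: n for src, n in per_src.items() if n >= min_suspect}


def constructed_chunk(i: int) -> bytes:
    """Stand-in for one hex-encoded encrypted chunk: 32 distinct byte values
    (167 is odd, so the map is a permutation of 0..255), hex-encoded."""
    return bytes((j * 167 + 89 + 31 * i) % 256 for j in range(32)).hex().encode()


# Constructed traffic: routine pings from two hosts, plus one host sending
# hex-encoded chunks inside echo requests.
SAMPLE_PACKETS = (
    [("10.0.5.20", WINDOWS_PATTERN)] * 4
    + [("10.0.5.30", b"\x00" * 8 + bytes(range(0x10, 0x40)))] * 4
    + [("10.0.5.55", constructed_chunk(i)) for i in range(6)]
)

if __name__ == "__main__":
    for src, count in tunnel_sources(SAMPLE_PACKETS).items():
        print(f"{src}: {count} suspicious echo payloads")
```

The order of checks matters: the stock Windows payload scores above the entropy threshold on its own and the iputils body is all distinct bytes, so an entropy-only rule would flag every ordinary ping. Template matching first, then entropy, then the per-source count is what separates a tunnel from a noisy but harmless host.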

Fortification

Post-incident remediation required disabling local administrator privileges, adopting stricter egress filtering rules that block anomalous outbound ICMP traffic, and shifting to a Zero-Trust internal posture.