undefined | Better HN

0 pointsnetsharc2y ago0 comments

Yeah but a socket connection to an IRC server and port will probably trigger a network monitoring firewall that a computer in the network has been compromised... A connection to arstechnica.com, the IT admin might even think "Cool, I didn't know that Bob from accounting is into tech..."

0 comments

4 comments · 1 top-level

willcipriano2y ago· 3 in thread

Corporate firewalls throw so many alerts that it's unlikely that a human even sees it let alone looks into it.

jcrawfordor2y ago

Most corporate SOCs would probably investigate IRC connections at least briefly, they have a very high signal to noise ratio for compromised devices. Modern security devices do generate a tremendous amount of information, but the security operations industry as a whole and SIEMs in particular were developed to make it feasible to risk score and triage these findings.

willcipriano2y ago

This is quite the opposite of all my personal experience.

jdietrich2y ago

A well-configured corporate firewall is going to block anything that looks like an IRC packet, because for the overwhelming majority of users, the probability of that packet being malicious is ~1.

j / k navigate · click thread line to collapse