item 42911716

distracted_boy | 1 year ago

Well if you are uploading GBs upon GBs, maybe even TBs to malicioussomething.com or google.com, you know something's up. That's the first indicator. Next is to track what processes are responsible for the connection and go from there.

cobertos | 1 year ago

I tried an app like this on my phone to see what sort of data I was leaking. I open Facebook and 5 vaguely Facebook domains and a few IPs are getting small amounts of data. Other apps phone home in ways I expect. Sometimes it'll go to a third party. There's not a lot of low hanging fruit sending GB or TB. If they're sending juicy stuff, they're not blatant about it.

But maybe I need to monitor at the network level and not device level. I just haven't found utility in these yet.

distracted_boy | 1 year ago

I mean it depends on what you are looking for. If you are afraid that someone is exfiltrating large amounts of data to unknown destinations, then looking at amount of data being transferred is a good idea. But if someone hacks your phone or computer and the attacker is only looking for a PDF document, then the total size of the transfer will probably not help you. In this case, you want to monitor all destinations to make sure they are not malicious. But if you are really paranoid you need to be able to view all HTTPS traffic so you can verify that certain documents are not being exfiltrated.

In addition to the above, there are lots of tricks for identifying certain traffic based on the attributes and metadata of the connection.
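The two checks the comments above describe, bulk upload volume as a first indicator and unexpected destinations for small targeted transfers, as an added example that is not part of the thread. The per-process flow records, the expected-destination table and the hostnames are constructed sample data, not output of any real tool.

```python
"""Flag suspicious outbound transfers from per-process flow records.

Two checks from the discussion: total bytes sent per (process, destination)
above a limit catches bulk exfiltration; a destination the process is not
expected to contact catches small transfers that volume alone would miss.
All data below is constructed for the example.
"""
from collections import defaultdict

# Constructed sample records: (process, destination host, bytes sent)
FLOWS = [
    ("backup-agent", "backup.example-corp.internal", 30 * 1024**3),
    ("browser", "www.facebook.com", 1 * 1024**2),
    ("browser", "www.facebook.com", 1 * 1024**2),
    ("browser", "static.xx.fbcdn.net", 512 * 1024),
    ("pdfviewer", "cdn.malicioussomething.example", 180 * 1024),
    ("updater", "updates.example-vendor.com", 4 * 1024**2),
]

# Hypothetical table of destinations each process is expected to talk to
EXPECTED = {
    "backup-agent": {"backup.example-corp.internal"},
    "browser": {"www.facebook.com", "static.xx.fbcdn.net"},
    "updater": {"updates.example-vendor.com"},
}


def flag_transfers(flows, expected, volume_limit=1 * 1024**3):
    """Return sorted (process, destination, reasons) findings.

    Aggregates bytes across all records for the same process/destination
    pair, then applies the volume check and the destination check.
    A process with no entry in `expected` is treated as unexpected
    for every destination.
    """
    totals = defaultdict(int)
    for proc, dest, sent in flows:
        totals[(proc, dest)] += sent
    findings = []
    for (proc, dest), sent in totals.items():
        reasons = []
        if sent > volume_limit:
            reasons.append("bulk-upload")
        if dest not in expected.get(proc, set()):
            reasons.append("unexpected-destination")
        if reasons:
            findings.append((proc, dest, ",".join(reasons)))
    return sorted(findings)
```

The backup agent trips the volume check even though its destination is expected, which is exactly the point of the thread: volume is the first indicator, and attributing the connection to a process is what tells you whether it is benign.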

echoangle | 1 year ago

If you don’t care about the specific domain, you can just look at the upload bandwidth usage statistic.