SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals

Endpoint protection solutions tend to focus on system indicators and known malicious code to defend both enterprise and Small Office-Home Office (SOHO) users. In the absence of a Security Operations Center (SOC) or paid antivirus services, hobbyists and SOHO owners have few proactive defense options. A significant problem is that advanced persistent threat (APT) actors' Tactics, Techniques, and Procedures (TTPs) have changed over the years: it is now common for advanced actors to exploit poorly defended subcontractors and seemingly less relevant targets. This makes the Small Office-Home Office a pivotal defense point against advanced attackers. This research focuses on attackers using shell, terminal, or Remote Access Tool (RAT) connections to SOHO endpoints, and seeks to block such interactive connections with system-level network logging and blacklist automation. The method recognizes malicious connections and automatically blocks them in near real-time.
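The abstract above describes the approach only at a high level: read host-level network connection logs, recognize interactive shell or RAT sessions, and push the remote address into a firewall blacklist. The following is an added example, written for this page and not code from the paper or from SANS, of what that pipeline looks like in working form. Everything in it is an assumption made for illustration: the key=value log format (loosely modelled on the fields Sysmon Event ID 3 records), the constructed sample lines, the list of shell images and interactive ports, and the trusted LAN range. The rules it applies are the two that matter most for this threat model: a shell interpreter should not be the process that opens an outbound connection (reverse shell), and an inbound session on a remote-access port from outside the LAN is interactive by definition. The trusted-network check runs first so the blocker can never lock the owner out of their own machine.

```python
"""Detect interactive shell / remote-access connections in host network logs and
emit firewall block rules. Added example, not code from the SANS paper; the log
format, sample data and rule thresholds are assumptions made for illustration."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample log (not real data), loosely modelled on Sysmon Event ID 3
# fields: src is always the initiating endpoint, dst the accepting endpoint.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z image=C:\\Windows\\System32\\cmd.exe initiated=true src=192.168.1.20:50123 dst=203.0.113.45:4444 proto=tcp
2024-05-01T10:00:05Z image=C:\\Program Files\\Mozilla Firefox\\firefox.exe initiated=true src=192.168.1.20:50124 dst=198.51.100.7:443 proto=tcp
2024-05-01T10:01:10Z image=C:\\Windows\\System32\\svchost.exe initiated=false src=192.168.1.15:61020 dst=192.168.1.20:3389 proto=tcp
2024-05-01T10:02:30Z image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe initiated=true src=192.168.1.20:50130 dst=203.0.113.45:8080 proto=tcp
2024-05-01T10:03:00Z image=C:\\Windows\\System32\\OpenSSH\\sshd.exe initiated=false src=203.0.113.99:40000 dst=192.168.1.20:22 proto=tcp
"""

# Policy (assumed values): shells that should never originate network connections,
# ports that imply an interactive remote session, and networks trusted to use them.
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "bash", "sh", "nc", "ncat"}
INTERACTIVE_PORTS = {22, 23, 3389, 5900, 5985, 5986}
TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) image=(?P<image>.+?) initiated=(?P<initiated>true|false) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


@dataclass(frozen=True)
class Event:
    ts: str
    image: str          # full path; basename is compared against SHELL_IMAGES
    initiated: bool     # True = this host opened the connection (outbound)
    src: str
    sport: int
    dst: str
    dport: int

    @property
    def remote(self) -> str:
        """The peer address: dst for outbound, src for inbound connections."""
        return self.dst if self.initiated else self.src

    @property
    def basename(self) -> str:
        return self.image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_line(line: str) -> Optional[Event]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None        # malformed line: skip it rather than crash the blocker
    return Event(m["ts"], m["image"], m["initiated"] == "true",
                 m["src"], int(m["sport"]), m["dst"], int(m["dport"]))


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def classify(ev: Event) -> Optional[str]:
    """Return a reason string if the event looks like an interactive/RAT session."""
    if is_trusted(ev.remote):
        return None        # never block the LAN: a false positive here locks you out
    if ev.initiated and ev.basename in SHELL_IMAGES:
        return f"shell {ev.basename} opened outbound connection to {ev.remote}:{ev.dport}"
    if not ev.initiated and ev.dport in INTERACTIVE_PORTS:
        return f"inbound interactive session on port {ev.dport} from {ev.remote}"
    return None


def build_blocklist(log_text: str) -> Tuple[List[Tuple[Event, str]], Set[str]]:
    """Run every log line through classify(); collect findings and peer IPs to block."""
    findings, blocked = [], set()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        reason = classify(ev)
        if reason:
            findings.append((ev, reason))
            blocked.add(ev.remote)
    return findings, blocked


def firewall_commands(blocked: Set[str], platform: str = "windows") -> List[str]:
    """Render block rules; the caller executes them (e.g. via subprocess) as admin/root."""
    cmds = []
    for ip in sorted(blocked, key=ipaddress.ip_address):
        if platform == "windows":
            for direction in ("in", "out"):
                cmds.append(f'netsh advfirewall firewall add rule name="SOHO-Block {ip}" '
                            f"dir={direction} action=block remoteip={ip}")
        else:
            cmds.append(f"iptables -I INPUT -s {ip} -j DROP")
            cmds.append(f"iptables -I OUTPUT -d {ip} -j DROP")
    return cmds


if __name__ == "__main__":
    found, ips = build_blocklist(SAMPLE_LOG)
    for ev, why in found:
        print(f"{ev.ts} {why}")
    for cmd in firewall_commands(ips):
        print(cmd)
```

On the sample log the script flags the cmd.exe connection to port 4444, the PowerShell connection to port 8080, and the SSH login from 203.0.113.99, and leaves the Firefox HTTPS session and the RDP session from the LAN alone. To make it near real-time, feed it a tailed log (Sysmon via the Windows event log, or `ss`/auditd output on Linux) instead of the embedded string and execute the rendered rules; the commands are returned as strings rather than run here so the detection logic can be tested without elevated privileges.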