Average Response Payload Size Elevated

Updated: July 4, 2025

Description

Severity: Info

The average response payload size has increased during the current observation period.

Although the payload of an individual request may vary, and sizes differ between endpoints, the overall average payload size for an application should be fairly stable over time. A shift in the average payload size may indicate higher than normal usage, changed usage patterns, changed data content, or similar. Any of these can be an indicator of malicious behaviour, although they can equally have benign causes such as a release that changes response shapes or a bulk data import.

Example Attack

An attacker may have a completely abnormal usage pattern, such as only using a single list endpoint to exfiltrate data and hitting that endpoint much more frequently than a normal user would. Because list responses are typically far larger than single-object responses, the proportionally higher number of these requests raises the average payload size for the whole service.

Remediation

Investigate what has caused the response payloads sent by this API to increase significantly in size. Break the responses in the observation period down by client (or API token), endpoint and status code and compare with the previous period: a single client accounting for a disproportionate share of the bytes, or a list endpoint being paged through exhaustively, points to scraping or exfiltration, whereas a uniform increase across all endpoints is more likely to be a change in the data or a release.
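The detection and the investigation step above, as an added example that is not part of the original page or the product's own code. It computes the average response payload size over a baseline and a current window from access-log lines, flags the current window when the average exceeds the baseline by a configurable ratio, and attributes the bytes per client and per endpoint so the analyst can see what drove the change. The log format, the endpoints, the client addresses and both traffic windows are constructed for the illustration; the current window reproduces the attack pattern from the text (one client paging exhaustively through a list endpoint).

```python
"""Detect an elevated average response payload size and attribute it.

Added example, not the product's own code. Log format, endpoints,
client addresses and traffic windows are all constructed.
"""
import re
from collections import defaultdict
from statistics import mean

# Constructed access-log format: "<client> <method> <path> <status> <bytes>"
LOG_RE = re.compile(r"^(\S+) (GET|POST|PUT|DELETE) (\S+) (\d{3}) (\d+)$")


def parse_log(lines):
    """Parse log lines into dicts; lines that do not match are skipped."""
    records = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        client, method, path, status, size = m.groups()
        # Drop the query string and collapse numeric path segments so that
        # /api/users?page=3 and ?page=4 count as one endpoint, and
        # /api/users/12 and /api/users/13 count as another.
        path = path.split("?", 1)[0]
        path = re.sub(r"/\d+(?=/|$)", "/{id}", path)
        records.append({
            "client": client,
            "endpoint": f"{method} {path}",
            "status": int(status),
            "bytes": int(size),
        })
    return records


def average_payload(records):
    """Mean response payload size over a window (0.0 for an empty window)."""
    return mean(r["bytes"] for r in records) if records else 0.0


def is_elevated(baseline_avg, current_avg, ratio=1.5):
    """True when the current average is at least `ratio` times the baseline."""
    return baseline_avg > 0 and current_avg / baseline_avg >= ratio


def breakdown(records, key):
    """(value, requests, bytes, share of bytes) per `key`, largest first,
    so the analyst can see who or what is driving the average."""
    total = sum(r["bytes"] for r in records) or 1
    acc = defaultdict(lambda: [0, 0])
    for r in records:
        acc[r[key]][0] += 1
        acc[r[key]][1] += r["bytes"]
    rows = [(k, n, b, b / total) for k, (n, b) in acc.items()]
    return sorted(rows, key=lambda row: row[2], reverse=True)


def normal_traffic(n_users):
    """Constructed 'normal' window: logins and small single-object reads,
    with an occasional paged list call."""
    lines = []
    for i in range(n_users):
        client = f"192.0.2.{i % 20 + 1}"
        lines.append(f"{client} POST /api/login 200 120")
        lines.append(f"{client} GET /api/users/{i} 200 400")
        lines.append(f"{client} GET /api/users/{i} 200 410")
        if i % 5 == 0:
            lines.append(f"{client} GET /api/users?page=1 200 8000")
    return lines


BASELINE_LOG = normal_traffic(50)
# Current window: the same normal traffic plus one client paging through the
# whole list endpoint far more often than any real user would (constructed).
CURRENT_LOG = normal_traffic(50) + [
    f"198.51.100.7 GET /api/users?page={p} 200 8000" for p in range(1, 41)
]


def analyse(baseline_lines, current_lines, ratio=1.5):
    """Compare two windows and return the verdict plus attribution tables."""
    base = parse_log(baseline_lines)
    cur = parse_log(current_lines)
    base_avg = average_payload(base)
    cur_avg = average_payload(cur)
    return {
        "baseline_avg": base_avg,
        "current_avg": cur_avg,
        "elevated": is_elevated(base_avg, cur_avg, ratio),
        "by_client": breakdown(cur, "client"),
        "by_endpoint": breakdown(cur, "endpoint"),
    }


if __name__ == "__main__":
    result = analyse(BASELINE_LOG, CURRENT_LOG)
    print(f"baseline avg {result['baseline_avg']:.0f} B, current avg "
          f"{result['current_avg']:.0f} B, elevated={result['elevated']}")
    for client, n, b, share in result["by_client"][:3]:
        print(f"  {client:15} {n:4} req {b:8} B {share:6.1%}")
    for endpoint, n, b, share in result["by_endpoint"][:3]:
        print(f"  {endpoint:22} {n:4} req {b:8} B {share:6.1%}")
```

In the constructed data the extra client roughly triples the average (about 790 B to about 2230 B) while issuing only a fifth of the requests, and the per-client table shows it producing over 70% of all response bytes, which is exactly the signal the remediation step asks the analyst to look for. The 1.5 ratio is a placeholder; a real deployment would derive the threshold from the variance of previous observation periods.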

Security Frameworks

MITRE ATT&CK tactic: Exfiltration (TA0010)

Exfiltration consists of techniques that adversaries may use to steal data from your network. Once they've collected data, adversaries often package it to avoid detection while removing it. This can include compression and encryption. Techniques for getting data out of a target network typically include transferring it over their command and control channel or an alternate channel and may also include putting size limits on the transmission.

MITRE ATT&CK technique: Exfiltration Over C2 Channel (T1041)

Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.

MITRE ATT&CK tactic: Impact (TA0040)

Impact consists of techniques that adversaries use to disrupt availability or compromise integrity by manipulating business and operational processes. Techniques used for impact can include destroying or tampering with data. In some cases, business processes can look fine, but may have been altered to benefit the adversaries' goals. These techniques might be used by adversaries to follow through on their end goal or to provide cover for a confidentiality breach.

MITRE ATT&CK technique: Endpoint Denial of Service (T1499)

Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. Adversaries have been observed conducting DoS attacks for political purposes and to support other malicious activities, including distraction, hacktivism, and extortion.
