CySA+ Study Notes 4 Flashcards
??? refers to deep-down, frame-by-frame scrutiny of captured frames using a tool such as Wireshark. You can use it to detect whether packets passing over a standard port have been manipulated in some nonstandard way, for instance to work as a beaconing mechanism for a command and control (C&C) server. You can also inspect protocol payloads to identify data exfiltration attempts or attempts to contact suspicious domains and URLs.
Packet Analysis
One use case for packet analysis is to identify and extract binary file data being sent over the network. A network file-carving tool, such as NetworkMiner, can reassemble the payload bytes in the correct order (in case segments were captured out of sequence), strip the protocol headers, and save the resulting data to a file.
info
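The file-carving step described in the card above, as an added example that is not part of the original study notes or of NetworkMiner: it reassembles TCP segments that were captured out of order (including a retransmitted duplicate), strips the HTTP response headers, and checks the carved body's magic bytes against the Content-Type the server claimed. The response, the PNG-like payload and the capture order are all constructed here; the magic-byte table is a small illustrative subset.

```python
"""Added example: reassemble out-of-order TCP segments and carve a file from the
HTTP response they carry. All packet data below is constructed for illustration."""
import hashlib
from dataclasses import dataclass

# Constructed payload: a PNG-like blob (valid PNG signature, arbitrary body bytes).
PNG_BODY = b"\x89PNG\r\n\x1a\n" + b"IHDR" + bytes(range(32)) + b"IEND\xae\x42\x60\x82"

# Constructed HTTP response in which a server delivered that file.
RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: image/png\r\n"
    + f"Content-Length: {len(PNG_BODY)}\r\n".encode()
    + b"\r\n"
    + PNG_BODY
)


@dataclass(frozen=True)
class Segment:
    seq: int        # relative TCP sequence number of the first payload byte
    payload: bytes


def _split(data, cuts):
    """Cut a byte string into consecutive segments at the given offsets."""
    segs, start = [], 0
    for cut in list(cuts) + [len(data)]:
        segs.append(Segment(start, data[start:cut]))
        start = cut
    return segs


# Constructed capture order: segments arrived out of sequence and the second
# one was retransmitted, which is exactly what a carving tool must tolerate.
_ordered = _split(RESPONSE, [20, 45, 80])
CAPTURED = [_ordered[2], _ordered[0], _ordered[3], _ordered[1], _ordered[1]]


def reassemble(segments):
    """Order segments by sequence number, drop retransmissions, trim overlaps,
    and fail loudly on a gap (a partially captured stream cannot be carved)."""
    stream = bytearray()
    expected = min(s.seq for s in segments)
    for seg in sorted(segments, key=lambda s: s.seq):
        end = seg.seq + len(seg.payload)
        if end <= expected:            # fully retransmitted data already seen
            continue
        if seg.seq > expected:
            raise ValueError(f"gap in stream at relative seq {expected}")
        stream += seg.payload[expected - seg.seq:]   # skip any overlapping prefix
        expected = end
    return bytes(stream)


MAGIC = {  # file signatures checked against the carved body (illustrative subset)
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",
    b"MZ": "exe",
}


def carve_http_body(stream):
    """Strip the HTTP headers from a reassembled response and return the body,
    the type the server claimed and the type the magic bytes actually show."""
    head, sep, rest = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers found")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", len(rest)))
    body = rest[:length]
    if len(body) < length:
        raise ValueError("body truncated: capture ended before Content-Length bytes")
    by_magic = next((ext for sig, ext in MAGIC.items() if body.startswith(sig)), "bin")
    return {
        "status": status_line,
        "claimed_type": headers.get("content-type", ""),
        "magic_type": by_magic,
        "sha256": hashlib.sha256(body).hexdigest(),
        "body": body,
    }


def carve_sample():
    """Run the whole pipeline on the constructed capture."""
    return carve_http_body(reassemble(CAPTURED))


if __name__ == "__main__":
    result = carve_sample()
    print(result["status"], result["claimed_type"], result["magic_type"], result["sha256"])
```

A mismatch between the claimed Content-Type and the magic-byte type (for example `application/octet-stream` or `image/png` carrying an `MZ` header) is the kind of finding a carving pass is run for; the hash lets you pivot to threat-intelligence lookups without handling the file itself.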
Packet analysis means looking in detail at the header fields and payloads of selected frames within a packet capture. Protocol analysis means using statistical tools to analyze a sequence of packets, or packet trace.
info
A flow collector is a means of recording metadata and statistics about network traffic rather than recording each frame. Network traffic and flow data may come from a wide variety of sources (or probes), such as switches, routers, firewalls, web proxies, etc …
info
??? (1) Highlighting of trends and patterns in traffic generated by particular applications, hosts, and ports. (2) Alerting based on detection of anomalies, flow analysis patterns, and custom triggers that you can define. (3) Visualization tools that enable you to quickly create a map of network connections and interpret patterns of traffic and flow data. (4) Identification of traffic patterns revealing rogue user behavior, malware in transit, tunneling, applications exceeding their allocated bandwidth, etc …
Flow analysis can show:
??? The network interface the flow was observed on, the version and type of IP used, the source and destination IP addresses, the source and destination User Datagram Protocol (UDP)/Transmission Control Protocol (TCP) ports, and the IP type of service (ToS) used.
NetFlow records can show:
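The flow-collection and flow-analysis cards above, as an added example that is not part of the original notes or of any NetFlow product: it reduces per-packet metadata to unidirectional flow records keyed on the NetFlow-style 5-tuple (the metadata a collector keeps instead of full frames), then runs two of the analyses listed above over them, a top-talkers summary and a beaconing check that looks for connections to one destination at suspiciously regular intervals. The packet metadata, hosts and thresholds are all constructed.

```python
"""Added example: build flow records from packet metadata and analyse them for
top talkers and for beaconing. All packet metadata below is constructed."""
import statistics
from collections import defaultdict
from dataclasses import dataclass

# Each tuple: (timestamp, src_ip, dst_ip, ip_proto, src_port, dst_port, bytes)
PACKETS = []

# Constructed beacon: 10.0.0.5 opens a new TLS connection to 203.0.113.7:443
# about every 60 seconds with a little jitter, using a fresh source port each time.
_jitter = [0.0, 0.5, -0.3, 0.8, -0.6, 0.2, -0.9, 0.4, 0.1, -0.2]
for i, j in enumerate(_jitter):
    t = 1000 + 60 * i + j
    PACKETS.append((t, "10.0.0.5", "203.0.113.7", 6, 50000 + i, 443, 517))
    PACKETS.append((t + 0.2, "203.0.113.7", "10.0.0.5", 6, 443, 50000 + i, 1320))

# Constructed normal browsing: irregular connection times to one site.
for i, t in enumerate([1005, 1007, 1100, 1400, 1402, 1950, 2600]):
    PACKETS.append((t, "10.0.0.9", "198.51.100.20", 6, 51000 + i, 443, 800))


@dataclass
class Flow:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    first: float      # time of the first packet seen
    last: float       # time of the last packet seen
    packets: int = 0
    octets: int = 0


def aggregate_flows(packets):
    """Collapse packets into unidirectional flows keyed on the 5-tuple, the way a
    NetFlow exporter does; only counters and timestamps are retained."""
    flows = {}
    for ts, src, dst, proto, sport, dport, nbytes in sorted(packets):
        key = (src, dst, proto, sport, dport)
        flow = flows.get(key)
        if flow is None:
            flow = flows[key] = Flow(src, dst, proto, sport, dport, first=ts, last=ts)
        flow.last = max(flow.last, ts)
        flow.packets += 1
        flow.octets += nbytes
    return flows


def top_talkers(flows, n=3):
    """Hosts sending the most bytes, a basic trend view over flow data."""
    totals = defaultdict(int)
    for flow in flows.values():
        totals[flow.src] += flow.octets
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def detect_beacons(flows, min_flows=6, max_cv=0.15):
    """Group flows by (src, dst, dport), take the gaps between successive flow
    starts, and flag conversations whose gaps are regular, i.e. whose coefficient
    of variation (stdev / mean) is small. Thresholds are illustrative assumptions."""
    starts = defaultdict(list)
    for flow in flows.values():
        starts[(flow.src, flow.dst, flow.dport)].append(flow.first)
    findings = []
    for conv, times in starts.items():
        if len(times) < min_flows:        # too few samples to call anything periodic
            continue
        times.sort()
        intervals = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(intervals)
        if mean <= 0:
            continue
        cv = statistics.pstdev(intervals) / mean
        if cv <= max_cv:
            findings.append((*conv, round(mean, 1), round(cv, 3)))
    return findings


if __name__ == "__main__":
    flows = aggregate_flows(PACKETS)
    print(len(flows), "flows;", "top talkers:", top_talkers(flows))
    for src, dst, dport, period, cv in detect_beacons(flows):
        print(f"possible beacon {src} -> {dst}:{dport} every ~{period}s (cv={cv})")
```

Real beacons add deliberate jitter and sleep, so the `max_cv` and `min_flows` thresholds are tuned per environment, and a regular cadence alone is also produced by legitimate software (update checks, monitoring agents); the flow data narrows the hunt, and packet analysis on the flagged conversation confirms it.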
??? operates as a passive network monitor, reading packets from a network tap or mirror port in the same way as a sniffer. It is configured to log only data of interest, reducing storage and processing requirements, and normalizes the data it records into text log files (tab-delimited by default, or JSON).
Zeek (Bro)
??? creates graphs showing traffic flows through the network interfaces of routers and switches by polling the appliances using the Simple Network Management Protocol (SNMP). It is open source.
MRTG
??? A DGA can be combined with this technique, which continually changes the IP address that a domain name resolves to (the name is served with very short DNS TTLs and rotates through a pool of compromised hosts).
*** Contrast ARP spoofing, a local-network attack in which one MAC address (the attacker's) is advertised as the owner of other hosts' IP addresses, for example both the gateway and a victim, rather than one name rotating through many IP addresses.
Fast Flux
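The fast-flux and DGA cards above, as an added example that is not part of the original notes: it scores passive-DNS style observations for fast-flux behaviour (one name answering with many addresses across several networks at short TTLs) and scores domain labels for DGA-like randomness using character entropy, length, digit ratio and vowel ratio. The observations, the thresholds and the simple "second label from the right" rule for the registrable part of a name are all constructed assumptions; the names use reserved documentation ranges.

```python
"""Added example: heuristics for fast-flux DNS and DGA-style domain labels.
All DNS observations and thresholds below are constructed for illustration."""
import ipaddress
import math
from collections import defaultdict

# Constructed passive-DNS observations: (timestamp, qname, ttl, answer_ip)
OBSERVATIONS = [
    # fast-flux style: each lookup returns a different host, spread over networks
    (100, "update.xk3j9qz7p0w2lmv.net", 60, "198.51.100.12"),
    (160, "update.xk3j9qz7p0w2lmv.net", 60, "203.0.113.77"),
    (220, "update.xk3j9qz7p0w2lmv.net", 60, "192.0.2.9"),
    (280, "update.xk3j9qz7p0w2lmv.net", 60, "198.51.100.200"),
    (340, "update.xk3j9qz7p0w2lmv.net", 60, "203.0.113.5"),
    (400, "update.xk3j9qz7p0w2lmv.net", 60, "192.0.2.140"),
    # stable site: long TTL, same address every time
    (100, "www.example.com", 3600, "192.0.2.50"),
    (4000, "www.example.com", 3600, "192.0.2.50"),
    # load-balanced site: short TTL, many addresses, but all inside one /24
    (100, "cdn.example.org", 30, "192.0.2.10"),
    (130, "cdn.example.org", 30, "192.0.2.11"),
    (160, "cdn.example.org", 30, "192.0.2.12"),
    (190, "cdn.example.org", 30, "192.0.2.13"),
    (220, "cdn.example.org", 30, "192.0.2.14"),
]


def fast_flux_candidates(observations, max_ttl=300, min_ips=5, min_nets=3):
    """Flag names whose answers stay short-lived (TTL) and spread over many
    addresses in many /24 networks. Requiring network diversity keeps ordinary
    round-robin load balancing from one block out of the result."""
    per_name = defaultdict(lambda: {"ips": set(), "nets": set(), "ttls": set()})
    for _ts, qname, ttl, ip in observations:
        rec = per_name[qname]
        rec["ips"].add(ip)
        rec["nets"].add(ipaddress.ip_network(f"{ip}/24", strict=False))
        rec["ttls"].add(ttl)
    hits = []
    for qname, rec in per_name.items():
        if (max(rec["ttls"]) <= max_ttl
                and len(rec["ips"]) >= min_ips
                and len(rec["nets"]) >= min_nets):
            hits.append((qname, len(rec["ips"]), len(rec["nets"]), max(rec["ttls"])))
    return hits


def shannon_entropy(text):
    """Bits of entropy per character; random-looking labels score high."""
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(qname):
    # Assumption for this example: the label left of the last one is the part the
    # DGA generated. A real tool would consult the public suffix list instead.
    parts = qname.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_score(qname):
    """Count how many DGA-like traits the registrable label shows (0 to 4).
    The cut-offs are illustrative assumptions, not published thresholds."""
    label = registrable_label(qname).lower()
    entropy = shannon_entropy(label)
    digits = sum(ch.isdigit() for ch in label) / len(label)
    vowels = sum(ch in "aeiou" for ch in label) / len(label)
    score = 0
    score += entropy >= 3.5          # many distinct characters, little repetition
    score += len(label) >= 12        # long labels are typical of generated names
    score += digits >= 0.2           # digits mixed into the label
    score += vowels <= 0.2           # unpronounceable
    return {"label": label, "entropy": round(entropy, 3), "score": int(score)}


if __name__ == "__main__":
    for hit in fast_flux_candidates(OBSERVATIONS):
        print("fast-flux candidate:", hit)
    for name in sorted({o[1] for o in OBSERVATIONS}):
        print(name, dga_score(name))
```

Both heuristics produce false positives on their own: content-delivery networks also answer with short TTLs and many addresses, and hashed hostnames used by legitimate services score high on entropy. In practice the output is combined with an allowlist of known CDN and hosting ranges, with domain age from WHOIS or passive DNS, and with the traffic volume and beaconing behaviour seen in flow data.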
An HTTP session starts with a client (a user agent, such as a web browser) making a request to an HTTP server. The client first establishes a TCP connection to the server. That TCP connection can be reused for multiple requests, or the client can open new TCP connections for different requests. A request typically comprises a method, a resource (such as a URL path), a version number, headers, and a body. The principal method is GET, used to retrieve a resource. Other methods: POST sends data to the server for processing by the requested resource; PUT creates or replaces the resource; DELETE removes the resource; HEAD retrieves only the headers for a resource (not the body).
info
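The request structure described in the card above, as an added example that is not part of the original notes: a small parser that splits a raw HTTP/1.1 request into method, target, version, headers and body, limited to the five methods the card lists, plus a builder that serializes a request back. It rejects the malformed inputs a practitioner cares about (a bad request line, whitespace before a header's colon, a body that has both Content-Length and Transfer-Encoding, CRLF inside a header value). The request bytes and the hostname are constructed; chunked bodies are deliberately left out.

```python
"""Added example: parse and build HTTP/1.1 requests. The sample request and the
hostname below are constructed; chunked transfer encoding is not handled."""

METHODS = {"GET", "POST", "PUT", "DELETE", "HEAD"}   # the methods discussed above

# Constructed request as it would appear on the wire after the TCP handshake.
SAMPLE_REQUEST = (
    b"POST /api/notes?draft=1 HTTP/1.1\r\n"
    b"Host: app.example.test\r\n"
    b"Content-Type: application/json\r\n"
    b"Content-Length: 17\r\n"
    b"\r\n"
    b'{"title":"hello"}'
)


def parse_request(raw):
    """Split raw request bytes into method, target, version, headers and body.
    Header names are lower-cased; repeated headers are joined with commas."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request: header block not terminated")
    request_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    parts = request_line.split(" ")
    if len(parts) != 3:
        raise ValueError(f"malformed request line: {request_line!r}")
    method, target, version = parts
    if method not in METHODS:
        raise ValueError(f"unsupported method: {method}")
    if not version.startswith("HTTP/"):
        raise ValueError(f"bad version token: {version!r}")

    headers = {}
    for line in header_lines:
        name, colon, value = line.partition(":")
        # RFC 7230 forbids whitespace between the name and the colon, and a line
        # starting with whitespace is obsolete folding; reject both.
        if not colon or not name or name != name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        key = name.lower()
        value = value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value

    # Two framing headers make the body length ambiguous between parsers, which
    # is what request-smuggling attacks rely on, so refuse the request outright.
    if "transfer-encoding" in headers and "content-length" in headers:
        raise ValueError("ambiguous framing: Content-Length and Transfer-Encoding")
    if "transfer-encoding" in headers:
        raise ValueError("chunked bodies are not handled in this example")
    if "content-length" in headers:
        length = int(headers["content-length"])
        if len(body) < length:
            raise ValueError("body truncated: fewer bytes than Content-Length")
        body = body[:length]
    else:
        body = b""      # a request without a framing header carries no body

    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def build_request(method, target, headers, body=b"", version="HTTP/1.1"):
    """Serialize a request; Content-Length is added whenever a body is present."""
    if method not in METHODS:
        raise ValueError(f"unsupported method: {method}")
    fields = dict(headers)
    if body:
        fields["Content-Length"] = str(len(body))
    lines = [f"{method} {target} {version}"]
    for name, value in fields.items():
        if any(c in "\r\n" for c in name + value):    # blocks header injection
            raise ValueError("CR/LF not allowed inside a header")
        lines.append(f"{name}: {value}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("iso-8859-1") + body


if __name__ == "__main__":
    req = parse_request(SAMPLE_REQUEST)
    print(req["method"], req["target"], req["version"], req["headers"], req["body"])
    print(build_request("HEAD", "/index.html", {"Host": "app.example.test"}))
```

A HEAD request built this way is the same bytes as the GET with the method swapped; the difference is only that the server answers with headers and no body, which is why HEAD is useful for checking a resource's size or modification time without downloading it.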