Traffic Analysis

Question 1

Network Analyst

Answer 1

Cyber operator whose main focus is infrastructure devices & netflow. Responsible for handling cyber incidents, network security

Question 2

What are the benefits of a network analyst?

Answer 2

In depth knowledge of common network protocols, packet formats, & infrastructure security vulnerabilities

Question 3

Network Baseline

Answer 3

Defines what is normal for enterprise netflow and ports, protocols & services used at a predetermined level

Question 4

What are the benefits of a network baseline?

Answer 4

• Allows for anomalous or abnormal condition detection through comparison (compares current baseline to original)
• Allows for rapid deployment of new networks

Question 5

Cyber Threat Intelligence (CTI)

Answer 5

Knowledge about adversaries

Question 6

What are the benefits of Cyber Threat Intelligence (CTI)?

Answer 6

• Framework for indicators of compromise (IoC) for actionable hunting
• Enables organizations to deploy measures to detect, mitigate, & possibly prevent attacks as they occur

Question 7

Network Artifacts

Answer 7

Piece of network traffic data that may be relevant to an investigated response

Question 8

What are the benefits of network artifacts?

Answer 8

• Helps with developing network and host signatures
• Feeds CTI to triage incidents sooner

Question 9

What are some things that could be network artifacts?

Answer 9

Logs (router, switch, firewall, DNS, web proxy, etc), files/directories (names, timestamps, sizes, hashes), registry keys

Question 10

Network Triage

Answer 10

A process for sorting network violations into groups based on need for or likely benefit from immediate attention

Question 11

What is the benefit of network triage?

Answer 11

Helps the network analyst & the unit prioritize important systems to prevent mission failure

Question 12

Sandbox

Answer 12

Highly controlled environment used to test unverified programs or malicious software

Question 13

What are the benefits of sandboxes?

Answer 13

Safely examine suspicious files

Question 14

Intrusion Detection System

Answer 14

Device or software application that passively monitors a network or systems for malicious activity or policy violations; “Man-on-the-Side”

Question 15

What are the benefits of intrusion detection systems?

Answer 15

• Easier to deploy because it doesn’t affect existing system or infrastructure
• Detects network based attacks by checking packet headers
• Retains evidence for network analysts when set up to log data

Question 16

Intrusion Prevention System

Answer 16

Preemptive network security approach that uses techniques to detect and block possible intrusion attempts into a network

Question 17

What are the benefits of intrusion prevention systems?

Answer 17

• Able to take defensive actions rather than just alerting on a possible attack
• Retains evidence for network analysts when set up to log data

Question 18

Security Info & Event Management (SIEM)

Answer 18

A group of technologies that together provide a bird’s eye view of the network

Question 19

What are the benefits of SIEMs?

Answer 19

• Aggregates relevant data from multiple data sources to identify deviations from the norm & and allow an analyst to take appropriate actions
• Able to ingest data from virtually any product vendor

Question 20

What is the difference between an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS)?

Answer 20

An IDS passively monitors while an IPS actively tries to prevent possible intrusions

Question 21

Full Packet Capture

Answer 21

File containing original packet data as seen at collection point (*.pcap, *.pcapng, *.cap, *.dmp)

Question 22

What are the benefits of Full Packet Capture?

Answer 22

• Holy grail of network data collection
• Countless tools give the analyst many approaches to examine them

Question 23

What are the drawbacks of Full Packet Capture?

Answer 23

• Files can grow extremely large
• Legal constraints often limit availability of this data
• Encrypted communications are increasingly used

Question 24

NetFlow

Answer 24

• Record containing a summary of network communication as seen at the collection point
• Contains no content
• Extremely helpful for quick network triage

Question 25

What are the benefits of NetFlow?

Answer 25

• Requires less storage than full packet capture
• Analysis processes are much faster
• Generally fewer privacy concerns
• Analysis processes apply equally to all protocols (encrypted/plain text, custom or standard)

Question 26

What are the drawbacks of NetFlow?

Answer 26

• Without content low level analysis & analysis may not be possible
• Many collection platforms are unique and require training and/or license to use

Question 27

Log Files

Answer 27

• Most widely used source data for network & endpoint investigations
• Contains application or platform centric items of use to characterize activities handled or observed by the log creator

Question 28

What are the benefits of log files?

Answer 28

• Collected & retained for industry operation purposes, logs are widely available and processes often in place to analyze them
• Raw log data can be aggregated for centralized analysis

Question 29

What are the drawbacks of log files?

Answer 29

• Log data contains varying levels of detail in numerous formats
• Often requires parsing & enrichment to add context or additional data to corroborate findings
• If log data is not already aggregated finding it can involve significant time & effort before analysis can begin

Question 30

What is a port mirror?

Answer 30

It’s a software tap that duplicates packets sent to or from a designated switch port to another switch port (sometimes called a SPAN (Switch Port Analyzer) port)

Question 31

What are the benefits of port mirroring?

Answer 31

• Activating a port mirror usually just requires a configuration change, usually avoiding downtime
• Switches are everywhere so it maximizes flexibility of capture/observation platform placement

Question 32

What are some drawbacks of port mirroring?

Answer 32

• Data loss is possible with high traffic networks
• Bandwidth is limited by half duplex speed

Question 33

What are the benefits of collecting network traffic from a router?

Answer 33

• Provides Netflow export functionality
• Just requires a configuration change with limited downtime
• Netflow is normally already collected so adding additional exporters is usually not hard

Question 34

What are some drawbacks of collecting from a router?

Answer 34

Generally does not provide the ability to perform full packet capture

Question 35

What layer 7 devices can perform data collection for network analysis?

Answer 35

Any platform with control of or purview over a network link can provide valuable logging data regarding the communications that pass through it

Question 36

What can layer 7 endpoints be configured to capture?

Answer 36

Generate full-packet capture data or export Netflow

Question 37

What are the benefits of collecting from a layer 7 device?

Answer 37

Many perspectives on the same incident may yield multiple useful data points about an incident

Question 38

What are the drawbacks of collecting from a layer 7 device?

Answer 38

• Log data may include numerous formats & varying level of details in their content
• May require labor intensive parsing & analysis to ID the useful details
• Platforms that create the logs are often scattered
• Requires sound log aggregation plan & platform

Question 39

Tap

Answer 39

Hardware device that provides duplicated packet data streams that can be sent to a capture or observation platform

Question 40

What is an aggregating tap?

Answer 40

It merges both directions of network traffic to a single stream of data on a single port

Question 41

What is a regenerating tap?

Answer 41

It provides the duplicated data streams to multiple physical ports

Question 42

What are the benefits of a network tap?

Answer 42

• Hardware device designed specifically for network traffic capture, engineered for performance and reliability
• Most taps will continue to pass monitored traffic even without power

Question 43

What are the drawbacks of a network tap?

Answer 43

• Expensive
• Downtime during installation

Question 44

Workflows

Answer 44

• Most common and beneficial tasks can generally be placed in a workflow
• Categories are not generally iterative
• Dynamic process that adapts to adversaries actions (no single workflow can be used to address every scenario)

Question 45

Establish Baselines

Answer 45

A workflow with the goal of identifying normal patterns of behavior to help identify abnormal behavior
- Ideally the first step (can be made before, during or after)
- Determine cycles based on time and date
- Determine typical cycles of traffic (top talking hosts, ports/protocols, GET vs POST activity for http)

Question 46

Ingest & Distill

Answer 46

A workflow with the goal of preparing for analysis & deriving data that will more easily facilitate the rest of the analytic workflow
- Log source data according to local procedures
- If pcap files are available distill to other data sources types
- Considering splitting data into time-based chunks
- Load source data to large scale analytic platforms

Question 47

Reduce and Filter

Answer 47

A workflow with the goal of reducing large amounts of input data down to a smaller volume allowing analysis with a wider range of tools
- Reduce using known indicators and data points (IP addresses, ports/protocols, time frames, volume calculation, domain names, hostname, etc)
- For large scale analytic platforms, build filters to reduce visible data to traffic involving known indicators

Question 48

Analyze & Explore

Answer 48

A workflow with the goal of identifying traffic and artifacts that support investigative goals and hypothesis
- Look into reduced data set for suspicious traffic (may include evaluating traffic contents , context, anomalies, consistencies, anything that helps
- Use any baselines for identifying deviations

Question 49

Extract Indicators & Objects

Answer 49

A workflow with the goal of finding artifacts that help identify malicious activity, including field values, byte sequences, files or other objects
- As additional artifacts are ID’d, maintain on ongoing collection of these data points for further use during and after the investigation (includes direct observations or ancillary observations)
- Protect data according to local policies and share in accordance with operational security constraints

Question 50

Scope and Scale

Answer 50

A workflow with the goal of searching more broadly within source data for behavior that matches known indicators
- After IDing useful artifacts that define activity of interest, scale up the search using large scale analytic platforms & tools
- ID additional endpoints that exhibit the suspicious behavior, aiming to fully scope the incident within the environment
- Pass appropriate indicators to security operations for live ID of suspicious activity

Question 51

What are the network based processing workflows?

Answer 51

• Establish baselines
• Ingest & distill
• Reduce & filter
• Analyze & explore
• Extract indicators & objects
• Scope & scale

Question 52

Wireshark

Answer 52

Deep, protocol aware packet exploration & analysis tool (open source)

Question 53

TCPDump

Answer 53

Logs and/or parses network traffic (used to dump live network traffic to pcap files)

Question 54

How does TCPDump work?

Answer 54

It reduces data by reading from existing pcap files, applying a targeted filter, and writing the reduced data to a new pcap file

Question 55

Bro NSM

Answer 55

Creates log files as needed to document observed network traffic, uses “bro-cut” utility to extract specific fields from Bro logs

Question 56

Snort/Suricata

Answer 56

Capable of performing real time traffic analysis and packet logging on IP networks
- Performs protocol analysis, content searching and matching, and detects a variety of attacks and probes using signatures
- May be used as an Intrusion Detection System or an Intrusion Prevention System

Question 57

NetworkMiner

Answer 57

Protocol aware object extraction tool that writes files to disk
- Performs tedious object extraction
- May trigger host based defenses when files written to disk (use in isolated system)
- Network data fields can be exported to CSV

Question 58

How are TCP connections initialized?

Answer 58

A three way handshake (SYN, SYN/ACK, ACK)

Question 59

Port Scanning

Answer 59

Sending transmissions to end nodes, and analyzing the responses, in order to identify information about the communication system

Question 60

How difficult to detect is port scanning?

Answer 60

It’s easy. The technique is an expected voluminous activity on the internet. Active scanning typically generates benign traffic with no defense to execute (high volume makes it burdensome for defenders to chase so often ignored)

Question 61

What is the standard TTL for IP messages generated on a *nix system?

Answer 61

64

Question 62

What is the standard TTL for IP messages generated on a Windows system?

Answer 62

128

Question 63

What is the standard TTL for IP messages generated on a Solaris/AIX system?

Answer 63

254

Question 64

What is the standard TTL for IP messages generated on a network?

Answer 64

255

Question 65

User-Agent String

Answer 65

Part of network traffic that contains information about a browser’s identity, provided by client, may include platform token

Question 66

Platform Token

Answer 66

Describes the client operating system

Question 67

In Wireshark what types of data streams are you able to follow?

Answer 67

UDP, TCP, SSL, HTTP