Module 2: Network monitoring and analysis

Welcome back! I’m so
glad you’re joining us. Previously, you
were introduced to incident detection and response. You may also remember
learning about networking from a
previous course. To recap, you learned about how devices talk to each other using network protocols and the different types
of network attacks. You also examined some network
security best practices. Here, we’ll expand
on networking and shift our focus to
network analysis. First, you’ll examine network communications by exploring network traffic flows. Next, you’ll learn
about viewing and capturing network traffic
using packet sniffers. Then, you’ll be introduced
to packet analysis, where you’ll examine
packet fields and decode communication between
devices and networks. As a security professional, you’ll be tasked with
monitoring networks and system infrastructure to
detect malicious activities. And this section will provide
you with the opportunity to develop your network and
packet analysis skills. Are you ready to begin?
Let’s get started!

Hi, my name is Casey
and I’m part of the Google Cloud Enterprise
Security sales team. First of all, the biggest piece of advice I can give is: do it. I want you to be here. We need all the people. It’s a non-stop, ever-changing world
in cybersecurity, which is why it’s such
a fun place to be. We need more diversity
in security. We need everybody participating. We need people with
diversity of thought, diversity of backgrounds,
diversity of perspectives. I think some of the most
important soft skills in cybersecurity are, number 1, being able to clearly summarize what you’re trying
to say, massively important. One of the other
soft skills that I think could even be more important than
clear communication is working with an open mindset. The threat landscape is
continuously changing. The threat actors,
the bad actors, they never sleep,
and so neither can we. One of the things that
makes cybersecurity so fun, in my opinion, is because
it changes constantly. And if we have a fixed
mindset going in, and what I mean by
a fixed mindset is, I think I know the
answer to this, I think I understand
exactly what’s going on, we are absolutely going
to miss the boat. We need to be able to
always stay curious. And from a cybersecurity
point of view, it’s very important to
leave no stone unturned. One of the best things about soft skills is that we all have them and we’re already using
them every single day. So every one of you that’s watching this already has a head
start in cybersecurity.

Imagine a bustling city with a vibrant network of rivers and canals. Just as these waterways carry the lifeblood of commerce and communication, your network’s traffic flows carry the lifeblood of your digital world. In the realm of cybersecurity, understanding and analyzing these flows is not just valuable; it’s essential. This tutorial unlocks the secrets of network traffic analysis (NTA), revealing its immense importance in protecting your digital domain.

I. Unpacking the Importance:

• Early Threat Detection: NTA acts as a vigilant sentinel, constantly monitoring the ebb and flow of data to identify suspicious patterns. Think of it as a net that snags unusual fish before they can disrupt the river’s ecosystem.
• Combating Data Exfiltration: Malicious actors often lurk in the shadows, siphoning sensitive data through hidden channels. NTA sheds light on these clandestine operations, revealing unauthorized data transmissions before they cause irreparable harm.
• Understanding Network Behavior: Just like we learn about an unfamiliar city by observing its traffic patterns, NTA helps us understand the normal flow of data within our network. This baseline is crucial for identifying sudden surges, anomalies, and deviations that might signal threats.
• Forensics and Incident Response: When an attack occurs, tracing the footprints of the attackers is vital. NTA provides a detailed map of the data movements preceding and during the incident, aiding in forensics investigations and swift response measures.
• Optimizing Network Performance: NTA isn’t just about security; it also sheds light on network inefficiencies. By analyzing traffic patterns, we can identify bottlenecks, optimize resource allocation, and ensure smooth data flow for critical operations.

II. Diving Deeper: Techniques and Tools

• Flow analysis: Tracks aggregated data packets without delving into individual content, providing a high-level overview of traffic patterns.
• Deep packet inspection: Analyzes the actual content of data packets, enabling deeper insights into applications, protocols, and potential threats.
• Statistical analysis: Identifies anomalies by comparing current traffic patterns to historical baselines, highlighting deviations that might signal malicious activity.
• Machine learning: Leverages powerful algorithms to detect subtle patterns and potential threats that might escape traditional rules-based analysis.

III. Choosing the Right Tools for the Flow:

• Network size and complexity: Consider the volume and type of traffic your network handles to choose tools with the appropriate processing power and analytical capabilities.
• Budget and resources: NTA solutions range in cost and complexity; choose one that aligns with your financial and technical resources.
• Detection capabilities: Select tools with techniques suited to your specific threat landscape and desired level of granularity.
• Integration capabilities: Ensure the chosen solution seamlessly integrates with your existing security infrastructure for comprehensive threat detection and response.

IV. Mastering the Currents: Continuous Improvement

• Update rules and signatures: Stay ahead of evolving threats by regularly updating detection patterns and algorithms.
• Refine baselines and thresholds: As network usage changes, continuously adjust baselines and thresholds to avoid false positives and missed threats.
• Analyze past incidents: Learn from past attacks to improve future detection capabilities and refine your overall security posture.

V. Conclusion: Embracing the Power of NTA

By harnessing the power of network traffic analysis, you transform your digital domain from a vulnerable ocean into a well-charted river, navigated with confidence and protected from unseen dangers. Remember, NTA is not a silver bullet, but a vital tool in your cybersecurity arsenal. Embrace its power, analyze the currents, and watch as your network flows with the assurance of unwavering security.

So, captain your digital vessel, unfurl the sails of understanding, and navigate the digital rivers with the wisdom of network traffic analysis. May your data journey be ever secure and your digital domain forever protected!

In many organizations, network
communication travels over multiple networks in different countries and
across different devices. Data can get unintentionally sent and
stored in insecure places, like personal email inboxes or
cloud storage platforms. Users trust that their data is safely and
securely sent and stored. And it’s the job of security professionals
like you to help protect these communications in transit and at rest. Previously, you may recall learning how
to identify and secure critical assets through security controls like data
classification and encryption. Coming up, we’ll expand on this topic and
examine how network traffic analysis can be used to monitor network activity and
identify potential malicious activity. So what is network traffic? Network traffic is the amount of
data that moves across a network. While network data is the data that’s
transmitted between devices on a network. Depending on the size of a network, there can be a huge volume of
network traffic at any given moment. For example, in a large,
multinational organization, there may be thousands of employees sending and
receiving emails at any given time. That’s a lot of network traffic. With such large volumes of
traffic being produced, how do you know what’s normal behavior,
or what’s unusual and requires investigation as
a potential security incident? Imagine being stuck in unexpected traffic
during your regular drive to work. And, as you move along, you realize
something unusual caused the traffic, like a minor vehicle collision which
slowed down the expected flow. On the road, we have certain expectations about traffic
flows based on our commuting experience. Peak traffic patterns like morning and
evening rush are normal and expected, while abnormal traffic during
off-peak times reveals that something unexpected has happened,
like a vehicle collision. Network traffic works in the same way. By understanding how data should
be flowing across the network, you can develop an understanding
of expected network traffic flow. By knowing what’s normal,
you can easily spot what’s abnormal. We can detect traffic abnormalities
through observation to spot indicators of compromise, also known as IoC,
which are observable evidence that suggests signs of a potential
security incident. Take, for instance, data exfiltration, which is the unauthorized
transmission of data from a system. Attackers use data exfiltration to
steal or leak data such as user names, passwords, or intellectual property. By observing network traffic, we can
determine if there’s any indicators of compromise, such as large volumes
of outbound traffic leaving a host. This is a sign of possible
data exfiltration which can be further investigated. Understanding and
monitoring network traffic for inconsistencies is an important aspect
of a security professional’s job. Coming up, we’ll explore what a data exfiltration
attack looks like in real-time. Meet you there.

Imagine your digital domain – a treasure trove of confidential data. In the shadows, lurks a cunning thief, seeking to pilfer your precious information. This thief is a data exfiltration attacker, and their weapon of choice is stealth. This tutorial equips you with the knowledge and tools to outsmart these digital bandits and keep your data safe.

I. The Hunt Begins: Understanding Data Exfiltration

• What is it? Data exfiltration is the unauthorized transfer of sensitive data outside an organization’s network. Think of it as the thief slipping out with your jewels hidden under their cloak.
• Why do they do it? Attackers exfiltrate data for various reasons, from financial gain (selling stolen data) to espionage (gaining a competitive edge).
• How do they get in? The doorway for exfiltration can be a phishing email, a malware infection, or even a compromised employee account.

II. Following the Trail: The Attacker’s Journey

• Initial Access: The attacker gains a foothold in your network, like picking a lock on your vault.
• Lateral Movement: They slither through your system, searching for the hidden riches (sensitive data).
• Data Exfiltration: The attacker packages the loot, compressing or disguising it to avoid detection, like a thief shrinking down to squeeze through a ventilation shaft.
• Escape Through the Backdoor: Finally, the attacker transmits the stolen data out of your network, like sending the jewels through a secret tunnel.

III. Building the Wall: Defending Against Data Exfiltration

• Fortress of Awareness: Train employees to spot phishing attempts and social engineering schemes that grant attackers access.
• Cyber Defenders Patrol: Implement network monitoring tools to identify suspicious activity like unusual data transfers.
• Securing the Jewels: Encrypt sensitive data and restrict access to authorized personnel.
• Building High Walls and Watchtowers: Utilize firewalls and intrusion detection systems to block unauthorized access attempts.
• Constant Vigilance: Regularly update security software and patch vulnerabilities to keep your defenses strong.

IV. Tracking the Footprints: Detecting and Responding to Exfiltration

• Unusual Traffic Patterns: Large data uploads or downloads outside business hours might signal exfiltration.
• Unfamiliar Destinations: Data sent to unknown IPs or suspicious domains could be a red flag.
• Alerts from Your Sentinels: SIEM tools can analyze network activity and trigger alerts for suspicious behavior.
• Swift Response: Upon detection, isolate the infected system, block the attacker’s IP, and investigate further.
• Learning from the Breach: Analyze the incident, identify vulnerabilities, and update your defenses to prevent future attacks.

V. Conclusion: Securing Your Digital Legacy

Data exfiltration can be a daunting threat, but with knowledge and vigilance, you can become the master of your digital domain. By understanding the attacker’s tactics, implementing robust defenses, and responding swiftly to threats, you can ensure your data remains safe and secure, forever protected from the clutches of digital thieves.

Remember, cybersecurity is a constant journey, not a destination. Stay informed, adapt your defenses, and keep a watchful eye on your digital horizon. With commitment and awareness, you can transform your network from a vulnerable vault into an impregnable fortress, safeguarding your data for generations to come.

So, sharpen your wits, deploy your digital guard dogs, and embark on this adventure of keeping your information safe. May your data forever remain secure, and your digital kingdom forever stand strong against the forces of cyberthievery!

Monitoring network traffic helps security
professionals detect, prevent, and respond
to attacks. In my experience as a
security professional, monitoring for deviations from typical network traffic patterns
has yielded big results. Even if information
is encrypted, monitoring network
traffic is still important for security purposes. Let’s discuss how the
detection and response process might work in a
data exfiltration attack. First, we’ll outline the
attacker’s perspective. Before attackers can
perform data exfiltration, they’ll need to
gain initial access into a network and
computer system. This can be done
through a social engineering attack
like phishing, which tricks people into
disclosing sensitive data. Attackers can send phishing
emails with attachments or links that trick their target into entering their credentials. Now, an attacker has successfully gained
access to their device. After gaining their
initial position into the system, an attacker
won’t stop there. The goal for attackers
is to maintain access in the environment and avoid being detected for as
long as possible. To do this, they’ll perform a tactic known as lateral
movement, or pivoting. This is when they’ll spend time exploring the network
with the goal of expanding and
maintaining their access to other systems on the network. As an attacker pivots
in the network, they’ll scope out
the environment to identify valuable assets, such as sensitive data
like proprietary code, personally identifiable
information like names and addresses,
or financial records. They’ll do this by searching locations such as
network file shares, intranet sites, code
repositories, and more. After the attacker identifies
the assets of value, they’ll need to
collect, package, and prepare the data for
exfiltration outside of the organization’s network and
into the attacker’s hands. One way they may do this is
by reducing the data size. This helps attackers hide the stolen data and
bypass security controls. Finally, the attacker
will exfiltrate the data to their
destination of choice. There are many ways to
do this. For example, attackers can email
the stolen data to themselves using the
compromised email account. Now that you’ve tapped into
the attacker’s perspective, let’s explore how organizations can defend against
this type of attack. First, security teams must
prevent attacker access. There are many methods
you can use to protect your network
from phishing attempts. For example, requiring users to use multi-factor
authentication. Attackers that gain
access to a network can remain unnoticed
for a while. It’s important that
security teams monitor network activity to identify any suspicious activity that can indicate a compromise. For example, multiple
user logins coming from IP addresses outside of the network should
be investigated. Earlier, you examined how
to identify, classify, and protect assets using asset inventories and
security controls. As part of an organization’s
security policy, all assets should be cataloged
in an asset inventory. The appropriate security
controls should also be applied to protect these assets
from unauthorized access. Lastly, if a data exfiltration
attack is successful, security teams must detect
and stop the exfiltration. To detect the attack, indicators of unusual
data collection can be identified through
network monitoring. These include: large
internal file transfers, large external uploads, and unexpected file writes. SIEM tools can detect an
alert on these activities. Once an alert has been sent out, security teams investigate and stop the attack from continuing. There are many ways to
stop an attack like this. For instance, once the unusual
activity is identified, you can block the IP addresses associated with the attacker
using firewall rules. Data exfiltration
attacks are just one of many attacks that can be detected through
network monitoring. Coming up, you’ll learn
how to monitor and analyze network communications
using packet sniffers.

Welcome to the world of packets and packet captures, a fundamental domain in cybersecurity! Understanding how data travels across networks and the ability to capture and analyze those packets is crucial for various security tasks, including:

• Network troubleshooting: Identify issues like slow speeds, connectivity problems, and malware infections.
• Security incident investigation: Analyze suspicious network activity to identify intrusions, data breaches, and attacker techniques.
• Threat hunting: Proactively search for vulnerabilities and potential threats by monitoring network traffic.
• Vulnerability assessment: Test network security controls and identify weaknesses that attackers might exploit.

What are Packets?

Imagine information traveling across the internet like letters sent through the mail. Each letter is an individual packet, containing a specific piece of data (the content) and addressing information (sender and recipient). Packets travel through networks in layers, following protocols like TCP/IP to ensure orderly delivery.

Here’s the anatomy of a typical packet:

What is Packet Capture?

Packet capture refers to the process of intercepting and recording these data packets as they travel through a network. It’s like eavesdropping on a conversation happening on a phone line, but instead of voices, you’re capturing digital data.

Tools for Packet Capture:

Several tools can capture network traffic, each with its strengths and weaknesses. Some popular options include:

• Wireshark: A free and open-source network traffic analyzer widely used for its user-friendly interface and powerful filtering capabilities.
• tcpdump: A command-line tool favored by experienced users for its flexibility and efficiency.
• Tshark: A command-line tool from the Wireshark suite offering advanced filtering and analysis options.

Capturing Packets:

The specific steps for capturing packets will vary depending on the tool you choose and your network setup. However, the general process involves:

1. Selecting the network interface: Choose the network adapter where you want to capture traffic (e.g., your Wi-Fi adapter or Ethernet port).
2. Setting capture filters: You can filter the captured packets based on various criteria like IP addresses, protocols, or keywords to focus on specific traffic.
3. Starting the capture: Begin recording the network traffic.
4. Stopping the capture: Once you have enough data, stop the capture and save the results as a file (typically in PCAP format).

Analyzing Packet Captures:

Once you have captured some packets, the real fun begins! Analyzing the captured data involves examining the various fields within each packet to understand what information it contains. Tools like Wireshark provide various features to help you dissect packets, including:

• Packet details: View the source and destination IP addresses, protocols used, packet size, and timestamps.
• Content inspection: Decode the actual data payload within the packet, potentially revealing usernames, passwords, or other sensitive information.
• Filters and coloring: Apply filters to focus on specific types of traffic and use color-coding to highlight important events.

Learning Resources:

To deepen your understanding of packets and packet captures, check out these resources:

• Wireshark Tutorials: https://wiki.wireshark.org/
• NetworkProtocolGuide.org: https://www.oreilly.com/library/view/networking-all-in-one-for/9781118381007/06_9781118381007-bk01ch02.html
• Cybrary’s Packet Capture Fundamentals course: https://www.cybrary.it/course/sniffing

Remember, mastering packet capture takes time and practice. Don’t be discouraged if you don’t understand everything at first. Keep exploring, experiment with different tools and filters, and soon you’ll be dissecting network traffic like a pro!

Which of the following are components of a packet? Select three answers.

Footer, Header, Payload

A packet contains a header, payload, and footer. The header includes information like the type of protocol and port being used. The payload is the actual data being delivered. The footer signifies the end of the packet.

Whether it’s an employee
sending an email or a malicious actor attempting to exfiltrate confidential data, actions that are performed
on a network can be identified through examining
network traffic flows. Understanding these network
communications provides valuable insight
into the activities happening in a network. This way, you can better
understand what’s going on in an environment and defend
against potential threats. With this in mind,
let’s examine how to record network traffic
through packet captures. Previously in the program, you learned that
when data is sent, it’s divided into packets. Just like an addressed
envelope in the mail, packets contain delivery
information which is used to route it
to its destination. This information
includes a sender and receiver’s IP address, the type of packet that’s
being sent, and more. Packets can provide lots
of information about the communications
happening between devices over a network. You may also recall that a packet has
multiple components. There’s the header, which
includes information like the type of network protocol
and port being used. Imagine this as
being the name and mailing address located
on an envelope. Network protocols are a set
of rules that determine the transmission of data
between devices on a network. Ports are non-physical
locations on a computer that organize data transmission between devices on a network. The header also contains the packet’s source and
destination IP address. We’ll explore more information contained in the header
in a later section. Next, there’s the payload, which contains the actual data
that’s being delivered. This is like the content of a letter inside of an envelope. And there’s the footer, which signifies the
end of the packet. So how exactly can you
observe a network packet? Just like scents are invisible
but can be smelled, packets are invisible but can be captured using tools
called packet sniffers. You may remember packet sniffers
from a previous section. A network protocol analyzer,
or packet sniffer, is a tool designed
to capture and analyze data traffic
within a network. As a security analyst, you’ll use packet
sniffers to inspect packets for indicators
of compromise. Through packet sniffing, we can grab
a detailed snapshot of packets that travel over a network in the form
of a packet capture. A packet capture,
or P-cap, is a file containing data
packets intercepted from an interface or network. It’s sort of like intercepting
an envelope in the mail. Packet captures are
incredibly useful during incident investigation. By having access to
the communications happening between
devices over a network, you can observe network
interactions and start to build a storyline to determine
what exactly happened. Coming up, we’ll
discuss the importance of packet analysis.
Meet you there.

The digital world hums with data, flowing like messages in a bustling marketplace. As cybersecurity professionals, understanding these exchanges is key. That’s where packets, the tiny information carriers, and your detective skills come in! This tutorial will equip you to interpret network communications by analyzing these captured packets.

Unpacking the Clues:

• Headers: Think of this as the envelope, revealing vital information like:
  • Source and Destination IP addresses: Who’s talking to whom?
  • Protocol: TCP for reliable connections, UDP for fast but less secure ones.
  • Ports: Think door numbers, directing data to specific applications.
  • Packet type: Is it a data packet, an acknowledgment, or something else?
• Payload: The hidden message – the actual data being sent, encrypted or not. Analyzing it can reveal:
  • URLs and website content: What resources are being accessed?
  • Login credentials: Are sensitive details being transmitted in plain text?
  • File transfers: Who’s sending or receiving what files?
  • Malicious signatures: Can you spot patterns indicative of malware or exploits?

Tools for the Trade:

• Packet Capture Tools: Wireshark, Tshark, tcpdump – capture network traffic flowing through an interface.
• Packet Analyzers: These software programs dissect captured packets, allowing you to filter, search, and visualize the data.

Stepping into the Detective Role:

1. Gather Evidence: Capture network traffic relevant to your investigation or security monitoring.
2. Filter the Clues: Focus on specific protocols, ports, IP addresses, or keywords to zero in on relevant packets.
3. Inspect the Headers: Identify source and destination, protocol used, and potential red flags like unusual ports.
4. Decode the Payload: If unencrypted, analyze the content for sensitive information, suspicious URLs, or malware indicators.
5. Connect the Dots: Piece together the information from multiple packets to understand the bigger picture of the communication.

Remember:

• Context is Key: Don’t jump to conclusions based on individual packets. Consider the bigger network context and user activity.
• Knowledge is Power: Deepen your understanding of network protocols, packet structures, and common threats to interpret effectively.
• Continuous Learning: Stay updated on emerging threats and attack vectors to sharpen your detective skills.

By dissecting packets and piecing together the digital puzzle, you’ll gain invaluable insights into the hidden conversations happening on your network. So, sharpen your observation skills, grab your packet analysis tools, and become a master interpreter of network communications – a true cybersecurity detective!

Bonus Tip: Practice makes perfect! Start with analyzing captured traffic from your own device or controlled environments to familiarize yourself with common communication patterns. Gradually progress to more complex scenarios to hone your analysis skills.

If a packet capture is like
intercepting an envelope in the mail, then packet analysis is like reading
the letter inside of the envelope. Let’s discuss how analyzing
packets can help us interpret and understand network communications. As you may know, networks are noisy. There’s an enormous volume of
communications happening between devices at any given time. And because of this, packet captures
can contain large amounts of network communications, making analysis
challenging and time-consuming. As a security professional, you’ll be
working against the clock to protect networks and
computer systems from potential attacks. You may analyze network evidence in
the form of packet captures to identify indicators of compromise. Having the ability to filter network
traffic using packet sniffers to gather relevant information
is an essential skill to have. For example, let’s say that you were
tasked with analyzing a packet capture to find any indication
of data exfiltration. How would you go about this? Using a network analyzer tool, you can
filter the packet capture to sort packets. This can help you quickly identify an
event associated with data exfiltration, like large amounts of
data leaving a database. There are many other filters you can apply
to packet captures to find the information you need to support
an investigation efficiently. Examples of network analyzer tools
include tcpdump and Wireshark. tcpdump is accessed through a command
line while Wireshark has a graphical user interface, or GUI. Both tools are useful for
security analysts, and soon you’ll have
the opportunity to explore both. Before we begin using these tools,
let’s explore packet fields in detail, specifically, IP headers. Meet you there.

Welcome back, network detectives! We’ve explored the essential fields of an IPv4 header, but now it’s time to dissect them like never before. This is where your cybersecurity instincts truly kick in!

Let’s get granular:

1. Version (4 bits): Not just a simple identifier, versions can reveal vulnerabilities. Older versions like IPv4 might be targeted by attackers due to known security flaws.
2. IHL (4 bits): This seemingly innocent field dictates the header length and presence of optional fields. A longer header could indicate complex routing paths or malicious attempts to obfuscate traffic.
3. ToS (8 bits): Beyond just “priority,” specific bits within ToS represent different service types. Analyzing these can unveil hidden network traffic patterns or Quality of Service (QoS) manipulation attempts.
4. Total Length (16 bits): Not just size, but potential fragmentation clues! Large packet sizes could be indicative of malware downloads or botnet communication.
5. Identification (16 bits): This unique identifier helps reassemble fragmented packets. Look for duplicate IDs or unusual patterns that might suggest packet manipulation or spoofing attacks.
6. Flags (3 bits): These are like traffic signals for your packets! “Don’t Fragment” flag, for example, could point to attempts to bypass security filters that rely on fragmentation analysis.
7. Fragment Offset (13 bits): This tells you where a fragment fits within the original packet. Look for inconsistencies or overlapping offsets that might indicate tampering or denial-of-service attacks.
8. TTL (8 bits): Not just a timer, but a potential red flag! Extremely low TTLs could indicate malicious packets trying to avoid detection by expiring quickly.
9. Protocol (8 bits): This reveals the communication protocol used (e.g., TCP, UDP). Unexpected protocols might signify unauthorized applications or hidden communication channels.
10. Header Checksum (16 bits): This ensures data integrity, but attackers can manipulate it to mask errors or inject malicious code. Be wary of checksum inconsistencies!
11. Source & Destination Address (32 bits each): These are the cornerstones of network communication, but also potential masks for deception. Spoofed IP addresses can hide attacker origins, so scrutinize them closely.
12. Options (variable length): While often unused, these optional fields can carry additional information. Be alert for unusual options that might be used for malicious purposes.

Remember: Analyzing packet headers is not just about understanding basic fields; it’s about piecing together the story they tell. Look for anomalies, inconsistencies, and patterns that deviate from normal network behavior. By honing your analytical skills, you’ll become a master decoder of the hidden language of packets, ready to thwart any cyber threats lurking in the network shadows.

Bonus Tip: Practice makes perfect! Grab your favorite network analyzer tool and start dissecting real-time traffic. The more you analyze, the sharper your eye will become for suspicious activity.

Next up, we’ll explore advanced techniques for dissecting packets and utilizing them for real-world cybersecurity investigations. Stay tuned!

Fill in the blank: The _____ accepts and delivers packets for the network.

Internet Layer

The Internet Layer accepts and delivers packets for the network.

While there are many different
tools available to use, it’s important as a security
analyst that you learn how to read and analyze
packets manually. To do so, let’s examine an important packet
component: IP headers. Previously, you learned about the four layers of
the TCP/IP model. Remember, the TCP/IP model is
a framework that is used to visualize how data is organized and transmitted
across a network. The internet layer accepts and delivers packets
for the network. It’s also the layer where the
Internet Protocol operates as the foundation for all
communications on the internet. It’s responsible for making sure packets reach
their destinations. The Internet Protocol
operates like a mail courier
delivering an envelope. Instead of using the
delivery information found on the envelope, the Internet Protocol
uses the information found in a packet header,
like IP addresses. It then determines the
best available route for packets to take, so that data can be sent
and received between hosts. As you may already know, IP packets contain headers. Headers contain the data
fields essential to the transfer of data to
its intended destination. Different protocols
use different headers. There are two
different versions of the Internet Protocol: IPv4, which is considered to be the foundation of
internet communications, and IPv6, which is the most recent version
of the Internet Protocol. Remember, different protocols
use different headers. So IPv4 and IPv6 headers differ, but they contain similar
fields with different names. IPv4 is still the
most widely used, so we’ll focus on examining
the fields of an IPv4 header. Let’s start with the
Version field, which specifies which version
of IP is being used, either IPv4 or IPv6. Referring back to
our mail analogy, the Version field is like the
different classes of mail, like priority,
express, or regular. Next, IHL stands for
Internet Header Length. This field specifies
the length of the IP header plus any options. The next field, ToS stands
for Type of Service. This field tells us if certain packets should be
treated with different care. For example, think of ToS like a fragile sticker on
a mailed package. Next is the Total Length field, which identifies the length
of the entire packet, including the headers
and the data. This can be compared
to the dimensions and weight of an envelope. The next three fields, Identification, Flags, and Fragment Offset, deal with information
related to fragmentation. Fragmentation is
when an IP packet gets broken up into chunks, which then get transmitted
over the wire and reassembled when they arrive
at their destination. These three fields specify
if fragmentation has been used and how to reassemble the broken packets in
the correct order. This is similar to
how mail can travel through multiple
routes like mailboxes, processing facilities,
airplanes, and mail trucks before it
reaches its destination. The TTL field stands
for Time to Live. Like its name suggests, this field determines how long a packet can live
before it gets dropped. Without this field,
packets could loop through routers endlessly. TTL is similar to how
tracking information provides details about an envelope’s expected
delivery date. The Protocol field specifies
the protocol used by providing a value which
corresponds to a protocol. For example, TCP is
represented by 6. This is similar to
including the number of a house in a postal address. The Header Checksum stores
a value called a checksum, which is used to determine if any errors have
occurred in the header. The Source Address specifies
the source IP address and the Destination
Address specifies the destination IP address. This is just like the sender and receiver’s contact information
found on an envelope. The Options field is not
required and is commonly used for network troubleshooting rather than common traffic. If it’s used, the header
length increases. It’s like purchasing postal
insurance for an envelope. Finally, at the end
of the packet header is where the packet’s
data resides, like the text in
an email message. Who knew that the
packets of data we send across networks contain
so much information? Coming up soon, you’ll
have the opportunity to examine these packet
fields in detail.

Mastering the Network Microscope: Capturing and Analyzing Traffic with tcpdump

Introduction:

In the world of cybersecurity, understanding network traffic is crucial for troubleshooting, identifying threats, and conducting investigations. Tcpdump is a powerful command-line tool that acts as your network microscope, allowing you to capture and analyze packets flowing through your system.

Getting Started:

1. Availability: Tcpdump is often pre-installed on Linux and Unix-like systems. If not, you can install it using your system’s package manager.
2. Basic Syntax:
   • sudo tcpdump [options] [expression]
   • sudo grants the necessary permissions.
   • [options] customize the capture (e.g., interface, output format, filtering).
   • [expression] specifies which traffic to capture (e.g., IP addresses, protocols, ports).

Common Options:

• -i interface: Specify the network interface to capture on (e.g., eth0, wlan0).
• -v: Verbose mode, displays more detailed packet information.
• -c count: Capture a specific number of packets.
• -w file: Write captured packets to a file for later analysis.

Filtering Traffic:

• Capture only specific traffic using expressions:
  • host 192.168.1.100: Traffic to or from a specific IP address.
  • tcp port 80: Traffic using the TCP protocol on port 80.
  • icmp: Only ICMP (ping) traffic.
  • Combine expressions with logical operators (and, or, not).

Example Capture and Analysis:

1. Timestamp: The exact time the packet was captured.
2. IP Version: IPv4 or IPv6.
3. IP Header Fields: TTL, protocol, source/destination IP addresses, etc.
4. Protocol-Specific Fields: TCP flags, checksums, etc.

Advanced Usage:

• Save captures to files for analysis with tools like Wireshark.
• Use tcpdump in scripts for automated monitoring and analysis.
• Integrate with intrusion detection systems (IDS) and security incident response workflows.

Security Considerations:

• Capture only necessary traffic to respect privacy and avoid performance impacts.
• Secure captured files appropriately to protect sensitive information.

Conclusion:

Tcpdump is an invaluable tool for network professionals and cybersecurity practitioners. By understanding its capabilities and mastering its syntax, you can unveil the hidden details of network communication, troubleshoot issues, detect anomalies, and gather evidence for security investigations.

Tcpdump is a popular
network analyzer. It’s pre-installed on many
Linux distributions and can be installed on most Unix-like
operating systems, like macOS. You can easily
capture and monitor network traffic such as TCP, IP, ICMP, and many more. Tcpdump is a command line tool. This means that it does not have a graphical user interface. Earlier in the program, you learned that
the command line is a very powerful
and efficient tool, and we’ll practice
using it together. With tcpdump, you can apply options and flags
to your commands to easily filter network
traffic so that you can find exactly
what you’re looking for. You can filter for a
specific IP address, protocol, or port number. Let’s examine a simple
tcpdump command used to capture packets. Keep in mind that your
computer’s traffic may appear different when
you use this command. At first glance, this looks
like a lot of information. Let’s examine it line by line. The command we ran
is: sudo tcpdump -i any -v -c 1. We’re using sudo because the
Linux account we’re logged in on doesn’t have the
permission to run tcpdump. Then, we specify tcpdump
to start tcpdump and -i to specify which interface we want to
sniff traffic on. The -v stands for verbose, which displays detailed
packet information. The -c stands for count, which specifies how many
packets tcpdump will capture. Here we’ve specified one. Now let’s examine the output. Tcpdump has told us
that it’s listening on any available network
interfaces, and it’s also given us additional information,
like the capture size. The first field is the
packet’s timestamp, which details the specific
time of the packet travel. It begins with hours, minutes, seconds, and fractions
of a second. Timestamps are especially
helpful during an incident investigation
when you want to determine timelines
and correlate traffic. Next, IP is listed as
the Version field. It’s listed as IP, which means it’s IPv4. The verbose option has given us more details about
the IP packet fields, such as protocol type and the length of the packet.
Let’s check it out. The first field, ToS stands
for Type of Service. Recall that this tells us if certain packets should be
treated with different care. This is represented by
a value in hexadecimal. The TTL field is Time to Live, which tells us how
long a packet can travel across a network
before it gets dropped. The next three fields are Identification,
Offset, and Flags, which provide three fields with information relating
to fragmentation. These fields provide
instructions on how to reassemble packets
in the correct order. For example the DF, beside flags stands
for Don’t Fragment. Next, the proto is
the Protocol field. It specifies the
protocol in use and also provides us with the value that corresponds to the protocol. Here the protocol is tcp, which is represented
by the number 6. The last field, length, is the
Total Length of the packet, including the IP header. Next, we can observe the IP addresses that are
communicating with each other. The direction of the arrow indicates the direction
of the traffic flow. The last piece of the IP address indicates the port
number or name. Next, the cksum or checksum
field corresponds to the Header Checksum, which
stores a value that’s used to determine if any errors have
occurred in the header. Here, it’s telling us it’s
correct with no errors. The remaining fields
are related to TCP. For example, Flags
indicate TCP flags. The P is the push flag, and the period indicates
it’s an ACK flag. This means that the packet
is pushing out data. This is just one of many
commands you can use in tcpdump to capture
network traffic. Isn’t it fascinating to observe all the information contained within these invisible packets? Go ahead and try it
out for yourself!

Nice work so far! Congratulations on capturing and analyzing your first packet. Let’s review what
we’ve covered so far. First, you learned how
network traffic flows provide valuable
communications insight. Through monitoring
network activity for indicators of compromise, you learned how to spot unusual network activity,
like data exfiltration. Then, you learned how
to view and capture network traffic using
packet sniffers. Finally, you learned
how to inspect packets through packet analysis. You dissected packet
header data fields and analyzed packet
captures in detail. You’ve made a lot of progress in developing the skills you’ll need to prepare for an
entry-level role in security. Coming up, you’ll
be immersed into the exciting world of
incident investigation, where you’ll examine the
processes behind detecting and containing an incident.
I’ll meet you there.