Sws101_thm
Topic: Traffic Analysis Essentials
Introduction:
Network Security is a set of operations for protecting data, applications, devices and systems connected to the network which focuses on the system design, operation and management of the architecture/infrastructure to provide network accessibility, integrity, continuity and reliability. Traffic analysis is a subdomain it and its primary focus is investigating the network data to identify problems and anomalies. The room covers the foundations of Network Security and Traffic analysis and introduces the essential concepts of the disciplines to help step into Traffic/ Packet Analysis.
Network Security Overview
Core Concepts
- Authentication: Verifying the identity of users and systems.
- Authorization: Granting appropriate access rights based on verified identities.
Base Network Security Control Levels
- Physical: Prevents unauthorized physical access to networking devices and components.
- Technical: Prevents unauthorized access to network data through technical means.
- Administrative: Provides consistency in security operations through policies and procedures.
Main Approaches
- Access Control: Set of controls to ensure authentication and authorization.
- Threat Control: Detects and prevents anomalous/malicious activities on the network.
Key Elements of Access Control
- Firewall Protection
- Network Access Control (NAC)
- Identity and Access Management (IAM)
- Load Balancing
- Network Segmentation
- Virtual Private Networks (VPN)
- Zero Trust Model
Key Elements of Threat Control
- Intrusion Detection and Prevention (IDS/IPS)
- Data Loss Prevention (DLP)
- Endpoint Protection
- Cloud Security
- Security Information and Event Management (SIEM)
- Security Orchestration Automation and Response (SOAR)
- Network Traffic Analysis & Network Detection and Response
Typical Network Security Management Operations
- Deployment: Device and software installation
- Configuration: Initial setup and feature configuration
- Management: Security policy implementation and automation
- Monitoring: Threat and system monitoring
- Maintenance: Upgrades, security updates, and rule adjustments
Managed Security Services (MSS)
MSS are outsourced services provided by Managed Security Service Providers (MSSPs). Common elements include:
- Network Penetration Testing
- Vulnerability Assessment
- Incident Response
- Behavioral Analysis
Traffic Analysis
Traffic Analysis involves monitoring network data to detect and respond to system issues, anomalies, and threats. It’s crucial for both security and operational purposes, enabling the identification of suspicious activities and ensuring network health.
Tools Used
- Wireshark: For network sniffing and packet analysis.
- Zeek: For network monitoring.
- Snort: For intrusion detection and prevention.
- NetworkMiner: For network forensics.
- Brim: For threat hunting.
Techniques Used
Flow Analysis
- Collecting data/evidence from networking devices.
- Providing statistical results through data summary.
Packet Analysis
- Collecting all available network data.
- Applying in-depth packet-level investigation (Deep Packet Inspection) to detect and block anomalous and malicious packets.
Benefits of Traffic Analysis
- Provides full network visibility.
- Helps comprehensive baselining for asset tracking.
- Helps to detect/respond to anomalies and threats.
Importance of Traffic Analysis
Despite the widespread usage of security tools/services and an increasing shift to cloud computing, traffic analysis remains crucial due to its ability to:
- Detect odd, weird, or unexpected patterns/situations in network data.
- Provide valuable insights even if data is encoded/encrypted.
- Enable security analysts to detect and respond to advanced threats effectively.
Conclusion
Traffic analysis plays a vital role in network security operations by providing insights into system health, network anomalies, and threats. It remains a must-have skill for security analysts to combat evolving cyber threats effectively.