Task 18, Day 13, Packet Analysis Simply having a wonderful pcap time
Ran out of time to do a separate task and post yesterday. Only had enough time to finish off Task 17 from Monday.
Packet analysis is the process of extracting, assessing, and identifying network patterns such as connections, shares, commands, and other network activities, like logins and system failures, from prerecorded traffic files. Identifying and investigating network patterns in depth helps with threat detection and real-time performance troubleshooting. Even encoded or encrypted network data provides value, because its metadata (endpoints, timing, volume) can still point to an odd or unexpected pattern or situation.
Working With PCAPs
Before conducting packet analysis consider:
Network and standard protocol knowledge - Knowledge of network and protocol operations is a must. Must know how protocols work and which one provides the particular information that is needed. Knowing "normal" and "abnormal" behaviours and patterns is a big plus.
Familiarity with attack and defense concepts - Can't detect what you don't know. Must know how attacks are conducted to identify what is happening and decide where to look.
Practical experience in analysis tools - Can't burn down the haystack to find the needle. Must know how to use the tools to extract particular information from packet bytes.
Creating "checklists" and "mini playbooks" makes the analysis process easier and avoids a shotgun approach. Simple process checklist:
Hypothesis - Have a hypothesis before looking at packets, know what to look for before analyzing.
Packet Statistics - Viewing statistics can show the weight of the traffic in the capture file. Helps analyst see the big picture in terms of protocols, endpoints, and conversations.
Known Services - Services from everyday operations (web browsing, file sharing, emailing) are called known services. Know what protocol goes to what service. Important to know what "normal" looks like in case an adversary uses known services to their benefit.
Unknown Services - Potential red flags. Know how to research unknown protocols and services and quickly bring what you learn into the analysis.
Known Patterns - Known patterns represent the analyst's knowledge and experience. Know the most common and recent case patterns to successfully detect anomalies at first glance.
Environment - Know the nature and dynamics of the working environment. Includes IP address blocks, hostname and username structure, used services, external resources, maintenance schedules, and average traffic load.
The Task
Evaluate the pcap file using Protocol Hierarchy, Conversations, and filtering.
Statistics > Conversations helps identify IP addresses that may not belong, who they were talking to, and how.
Checks to do between Protocol Hierarchy and Conversations:
Packet statistics
Service identification
IP reputation check
Questions to answer:
Which IP addresses are in use?
Has a suspicious IP address been detected?
Has suspicious port usage been detected?
Which port numbers and services are in use?
Is there an abnormal level of traffic on any port or service?
From the main window, apply the dns display filter and check the information shown, including the queries made.
Checks to do:
DNS queries
DNS answers
Questions to answer:
Which domain addresses are communicated?
Do the communicated domain addresses contain unusual or suspicious destinations?
Do the DNS queries look unusual, suspicious, or malformed?
Repeat with http filter.
Checks to do:
HTTP GET requests
Requested URIs
HTTP request Host headers
User-Agent strings used
Questions to answer:
Which addresses are communicated?
Is there any resource share event between addresses?
If there is a file share event, which address hosts which file?
Do the user-agent fields look unusual, suspicious, or malformed?
Files can be exported via File > Export Objects > HTTP. Once saved, run sha256sum on each file and compare the hash with other tools and reputation sources.
Checks to do:
Shared files
File hashes (SHA256)
Hash reputation check
Questions to answer:
Which files were shared?
Is the hash reputation marked as suspicious or malicious?
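As an added example (my own code, not part of the task or of Wireshark), the whole check sequence above done in a Python script with only the standard library: it builds a tiny pcap in memory from constructed packets (the 10.0.0.x and 203.0.113.7 addresses, the update.example.net name, the /dl/loader.exe URI and the response body are all made up, not recorded traffic), then produces the same views the task walks through: Protocol Hierarchy, Conversations, the dns filter (queries and answers), the http filter (Host, URI, User-Agent) and Export Objects with a SHA-256 of the exported body ready for a reputation check.

```python
# Pcap triage with the Python standard library only (added example, not Wireshark or the task's own code).
import hashlib
import struct
from collections import Counter

# --- constructed sample capture: addresses, domain, URI and body are made up, not recorded traffic ---
def eth_ipv4(src, dst, proto, payload):  # Ethernet + IPv4 header, checksums left zero
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + payload
def udp(sport, dport, d): return struct.pack("!HHHH", sport, dport, 8 + len(d), 0) + d
def tcp(sport, dport, d): return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + d
def dns_name(n): return b"".join(bytes([len(l)]) + l.encode() for l in n.split(".")) + b"\x00"

DNS_Q = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + dns_name("update.example.net") + b"\x00\x01\x00\x01"
DNS_A = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + dns_name("update.example.net") + b"\x00\x01\x00\x01"
         + b"\xc0\x0c\x00\x01\x00\x01" + struct.pack("!IH", 300, 4) + bytes([203, 0, 113, 7]))  # A 203.0.113.7
HTTP_REQ = b"GET /dl/loader.exe HTTP/1.1\r\nHost: update.example.net\r\nUser-Agent: Mozilla/4.0\r\n\r\n"
SAMPLE_BODY = b"MZ\x90\x00not-a-real-binary"
HTTP_RSP = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n" + SAMPLE_BODY
FRAMES = [eth_ipv4("10.0.0.5", "10.0.0.1", 17, udp(51000, 53, DNS_Q)),
          eth_ipv4("10.0.0.1", "10.0.0.5", 17, udp(53, 51000, DNS_A)),
          eth_ipv4("10.0.0.5", "203.0.113.7", 6, tcp(49152, 80, HTTP_REQ)),
          eth_ipv4("203.0.113.7", "10.0.0.5", 6, tcp(80, 49152, HTTP_RSP))]
PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # pcap global header, LINKTYPE_ETHERNET
PCAP += b"".join(struct.pack("<IIII", 0, i, len(f), len(f)) + f for i, f in enumerate(FRAMES))

# --- decode: each pcap record -> layer path, endpoints, ports and L4 payload ---
def parse_pcap(data):
    end = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"  # magic number gives byte order
    off, pkts = 24, []
    while off + 16 <= len(data):
        caplen = struct.unpack(end + "I", data[off + 8:off + 12])[0]
        frame, off = data[off + 16:off + 16 + caplen], off + 16 + caplen
        p = {"layers": ["eth"], "data": b""}
        pkts.append(p)
        if frame[12:14] != b"\x08\x00": continue  # only IPv4 over Ethernet is decoded here
        ip = frame[14:]; l4, proto = ip[(ip[0] & 0x0F) * 4:], ip[9]
        p["layers"].append("ip")
        p["src"], p["dst"] = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
        if proto in (6, 17):
            p["layers"].append("tcp" if proto == 6 else "udp")
            p["sport"], p["dport"] = struct.unpack("!HH", l4[:4])
            p["data"] = l4[(l4[12] >> 4) * 4:] if proto == 6 else l4[8:]  # skip TCP options / UDP header
        if 53 in (p.get("sport"), p.get("dport")): p["layers"].append("dns")
        elif p["data"].startswith(b"HTTP/") or b" HTTP/1." in p["data"][:64]: p["layers"].append("http")
    return pkts

def protocol_hierarchy(pkts):  # Statistics > Protocol Hierarchy: packets per layer path
    return Counter("/".join(p["layers"]) for p in pkts)

def conversations(pkts):  # Statistics > Conversations: (transport, endpoint A, endpoint B) -> packet count
    c = Counter()
    for p in pkts:
        if "ip" in p["layers"]:
            a, b = sorted([(p["src"], p.get("sport", 0)), (p["dst"], p.get("dport", 0))])
            c[(p["layers"][2] if len(p["layers"]) > 2 else "ip", a, b)] += 1
    return c

def _name(m, off):  # DNS name at offset, following 0xC0xx compression pointers -> (name, next offset)
    labels = []
    while m[off] and m[off] < 0xC0:
        n = m[off]; labels.append(m[off + 1:off + 1 + n].decode("ascii", "replace")); off += 1 + n
    if m[off]:  # pointer: the rest of the name is stored earlier in the message
        labels.append(_name(m, struct.unpack("!H", m[off:off + 2])[0] & 0x3FFF)[0]); off += 1
    return ".".join(labels), off + 1

def dns_summary(pkts):  # display filter "dns": queried names and the A records answered for them
    out = {}
    for p in (p for p in pkts if "dns" in p["layers"]):
        m, off = p["data"], 12
        qd, an = struct.unpack("!HH", m[4:8])
        for _ in range(qd):
            qname, off = _name(m, off); off += 4  # skip QTYPE, QCLASS
            out.setdefault(qname, [])
        for _ in range(an):
            rname, off = _name(m, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", m[off:off + 10]); off += 10
            if rtype == 1: out.setdefault(rname, []).append(".".join(map(str, m[off:off + 4])))
            off += rdlen
    return out

def http_requests(pkts):  # display filter "http.request": method, URI, Host, User-Agent, endpoints
    reqs = []
    for p in (p for p in pkts if "http" in p["layers"] and not p["data"].startswith(b"HTTP/")):
        head = p["data"].split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
        method, uri, _ = head[0].split(" ", 2)
        h = dict(line.split(": ", 1) for line in head[1:] if ": " in line)
        reqs.append({"method": method, "uri": uri, "host": h.get("Host"), "user_agent": h.get("User-Agent"),
                     "client": p["src"], "server": p["dst"]})
    return reqs

def sha256_hex(data): return hashlib.sha256(data).hexdigest()

def export_http_objects(pkts):  # File > Export Objects > HTTP, then sha256sum on each saved body
    # Pairs a response with the request seen on the reverse 4-tuple. Single-segment responses only:
    # real captures need TCP stream reassembly, which Wireshark does and this example does not.
    pending, objects = {}, []
    for p in (p for p in pkts if "http" in p["layers"]):
        if not p["data"].startswith(b"HTTP/"):
            pending[(p["src"], p["sport"], p["dst"], p["dport"])] = p["data"].split(b" ", 2)[1].decode("latin-1")
            continue
        uri = pending.pop((p["dst"], p["dport"], p["src"], p["sport"]), "?")
        body = p["data"].split(b"\r\n\r\n", 1)[1]
        objects.append({"uri": uri, "server": p["src"], "size": len(body), "sha256": sha256_hex(body)})
    return objects
```

Call parse_pcap(PCAP) and feed the result to each function; replacing PCAP with open("capture.pcap", "rb").read() works on a real Ethernet/IPv4 capture as long as each HTTP response fits in one segment. The two things the script deliberately does not do are exactly the checks you still have to do by hand: the IP and hash reputation lookups, and a look at the exported body itself (here the constructed "MZ" prefix is just a hint that an executable came down over plain HTTP). Never run an exported object; hash it and look the hash up.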