HBFITES Data Center, Collaboration, Security, Storage, Wireless, Telepresence Training +91-9886770046 info@hbfites.com

NTA - Network Traffic Analysis

Description

Network Traffic Analysis will enable students to differentiate between normal and abnormal network traffic. The course focuses on research, filtering and comparative analysis to identify the different types of activity on a network and attribute their source.

A subject matter expert will teach you security-related tactics, techniques and procedures for performing network analysis in today's ever-changing threat landscape. You'll learn to follow conversations through redirection as well as how to develop custom filters for non-dissected protocols. After attending this course, students will be able to home in on the key events in a traffic capture and reconstruct the event timeline.

Objectives

Upon completion of this course, you will be able to work with the following tools and perform the following tasks:

  • Internet Based Open Source Research
  • Wireshark Protocol Analyzer
  • Effective Capture and Display Filtering
  • Tracing System, Service and User Transactions
  • Recognizing Encoding Types
  • Base-64 and URL Encoding
  • Non-Dissected Protocol Analysis
  • HTTP Header Analytics (User-Agents, Referrers, Accept Lines, etc.)
  • Cookie Tracking

Prerequisites

You should possess knowledge of the following:

  • A Broad Understanding of TCP/IP and Associated Protocols
  • Knowledge of Network Hardware and Segment Types
  • Previous Exposure to Wireshark or Other Protocol Analysis Software is also recommended

Who Should Attend

  • Network Analysts seeking to develop security-related skills
  • Incident Responders needing to quickly address system security breaches
  • Penetration Testers looking to reduce their detectability
  • Threat Operations Analysts seeking a better understanding of network intrusions
  • All Network Administrators needing a better understanding of network security

Outline

OSI & TCP/IP Models

  • Basic Header Structures
  • Analyze packets by hand
  • IP & TCP Options
  • OS Detection techniques
    • Session Parameters, Flags

Number Theory

  • Accelerated Number Conversion
  • Boolean Logic
  • Boolean Functions
  • Basic Obfuscation Techniques

Wireshark Tutorial

  • PCAP Meta-data
    • File Headers, Frame Headers
  • Wireshark Meta-data
    • Name Resolutions, Analytic Tags, Conversations, Relative Numbering
    • Coloring Rules
  • User Preferences
    • Custom Displays
    • Conversions
  • Dissector Basics
  • Display Filters
  • Custom Filters
  • Statistics

Day in the Life (TCP/IP)

  • Inter-Process Communications
    • 3-Way Handshake
    • TCP Options in use
    • Session Management
  • Flow Control
    • Windowing
  • Congestion Control
    • Packet Loss
    • Retransmission
    • Quality of Service
  • Switching and Routing
    • Life-cycle of a Packet
  • Common TCP/IP Application In-Depth Filters

Analytic Process

  • Logic Fundamentals
    • Establishing and Examining Premises
    • Correlation, Causation, Coincidence
    • Fallacies and Pitfalls
  • Apply logic to traffic analysis
    • Identify Analytic Vectors
    • Validate Filters and Coloring Rules
    • Prioritize Analytic Efforts

Internet Research

  • Brief History of the Internet
    • Impact on current and future protocols
  • Current Organizations
    • Internet Society, ICANN/IANA
  • Research Tools
    • Whois, Dig, Nslookup, Traceroute, BGP/AS Analysis, Looking Glass

Traffic Analysis

  • Scope Problems/Events
    • Statistical Analysis, Baseline
    • Isolating Events, TCP Analysis
  • Event Analysis
    • Identify Non-Standard Communications
    • Recreate objects (e.g. files, videos)
  • Display Filters
    • Customize and Save Filters

Attribution

  • Route Path Selection
    • Interior Routing (EIGRP, OSPF)
    • Exterior Routing (BGP)
    • Autonomous Systems
    • Tiered Networking, Peering
    • Load Balancing, MPLS and Traffic Engineering
  • Traceroute Analysis
    • Latency Analysis
    • Naming Conventions
    • Route Identification

Research Techniques

  • RFC and other supporting documentation
    • Syntax, Semantics, and Timing
    • Key Personnel
    • Academic Materials
    • White Papers and Keynote Slides
  • Client/Server Relationships
    • Codes
    • Flags
    • Dissector Support

Start-to-Finish Protocol Analysis (Demo Email)

  • Research Documentation
    • RFC 822, MIME, SMTP, POP3, IMAP
  • Work with Encoding
    • Base64, Quoted Printable
  • Network Reconstruction
    • Meta-data Analysis

Regular Expressions

  • Pattern Matching
    • IP Addresses
    • Email Address
    • Client/Server Transactions

Analysis Beyond Wireshark

  • Custom Filters
  • Filter with Regular Expressions
  • Research Non-Dissected Protocols
  • Analyze Non-Dissected Protocols

Secure Protocols

  • Security Fundamentals
    • Confidentiality, Integrity, and Availability
    • Encryption
  • Work in an Encrypted Environment
    • Verify Digital Certificates
    • Identify Directionality of Traffic
    • Identify Location of Nodes

Referrers, User-Agents, & Cookies

  • Identify System Architectures
  • Identify Operating Systems
  • Identify Applications
  • Identify User Preferences
  • Follow User Activities
  • Identify 3rd-Party Tracking Activities

Big Capture

A group analysis exercise. Students will work in small groups to identify traffic and reconstruct the topology of an unknown environment. The teams will have to decipher obfuscated transactions and map observed activities back to the respective user.

More Tools and Tricks

  • Capsa7, NetWitness Investigator, Network Miner

Student Practical Demonstration

Using the tools, skills, and methodologies taught in Days 1 - 4 of the class, students will participate in a competitive capture-the-flag exercise.

Designed to challenge the participants, each correctly completed milestone will unlock a successively more difficult challenge.