Task 18, Day 13, Packet Analysis Simply having a wonderful pcap time

Ran out of time to do a separate task and post yesterday. Only had enough time to finish off Task 17 from Monday.

Packet analysis is the process of extracting, assessing, and identifying network patterns such as connections, shares, commands, and other network activities, like logins and system failures, from prerecorded traffic files. Identifying and investigating network patterns in depth helps with threat detection and real-time performace troubleshooting. Even encoded/encrypted network data provides value by pointing to an odd, weird, or unexpected patter or situation.

Working With PCAPs

Before conducting packet analysis consider:

  • Network and standrad protocol knowledge - Knowledge of network and protocol operations is a must. Must know how protocols work and which provides particular information that needs to be used. Knowing “normal” and “abnormal” behaviors and patterns is big plus.
  • Familiarity with attack and defense concepts - Can’t detect what you don’t know. Must know how attacks are conducted to identify what is happening and decide where to look.
  • Practical experience in analysis tools - Can’t burn down the haystack to find the needle. Must know how to use the tools to extract particular information from packet bytes.

Creating “checklists” and “mini playbooks” make the analysis process easier, not shotgun approach. Simple process checklist:

  1. Hypothesis - Have a hypothesis before looking at packets, know what to look for before analyzing.
  2. Packet Statistics - Viewing statistics can show the weight of the traffic in the capture file. Helps analyst see the big picture in terms of protocols, endpoints, and conversations.
  3. Known Services - Services from everyday operations (web browsing, file sharing, emailing) are called known services. Know what protocol goes to what service. Important to know what “normal” looks like in case adversary uses known services to their benefit.
  4. Unknown Services - Potential red flags. Know how to research unknown protocols and services and quickly use them for analysis.
  5. Known Patterns - Known patterns represent analyst’s knowledge and experience. Know the most common and recent case patterns to successfully detect anomalies at first glance.
  6. Environment - Know the nature and dynamics of the working environment. Includes IP address blocks, hostname and username structure, used services, external resources, maintenance schedules, and average traffic load.

The Task

Evaluate the pcap file using Protocol Hierarchy, Conversations, and filtering.

Statistics > Conversations helps identify IP addresses that may not belong, who they were talking to, and how.

Checks to do between Protocol Hierarchy and Conversations:

  • Packet statistics
  • Service identification
  • IP reputation check

Questions to answer:

  • Which IP addresses are in use?
  • Has a suspicious IP address been detected?
  • Has suspicious port usage been detected?
  • Which port numbers and services are in use?
  • Is there an abnormal level of traffic on any port or service?

From main window, filter by dns, check information including queries made.

Checks to do:

  • DNS queries
  • DNS answers

Questions to answer:

  • Which domain addresses are communicated?
  • Do the communicated domain addresses contain unusual or suspicious destinations?
  • Do the DNS queries look unusual, suspicious, or malformed?

Repeat with http filter.

Checks to do:

  • HTTP GET requests
  • Requested URIs
  • HTTP requests host addresses
  • Used User-agents

Questions to answer:

  • Which addresses are communicated?
  • Is there any resource share event between addresses?
  • If there is a file share event, which addresses hosts which file?
  • Do the user-agent fields look unusual, suspicious, or malformed?

Can export files via File > Export Objects > HTTP. Once downloaded sha256sum and be run and hash compared with other tools.

Checks to do:

  • Shared files
  • File hashes (SHA256)
  • Hash reputation check

Questions to answer:

  • What are shared files?
  • Is the hash reputation marked as suspicious or malicious?
  • Which domain hosts the suspicious/malicious file?