We covered network traffic analysis essentials for the purpose of incident response and network troubleshooting. This was part of solving TryHackMe Traffic Analysis Essentials room.

Network Security

Network Security is a set of operations for protecting data, applications, devices and systems connected to the network. It is accepted as one of the significant subdomains of cyber security. It focuses on the system design, operation and management of the architecture/infrastructure to provide network accessibility, integrity, continuity and reliability. Traffic analysis (often called Network Traffic Analysis) is a subdomain of the Network Security domain, and its primary focus is investigating the network data to identify problems and anomalies. 

Network Traffic Analysis

Traffic Analysis is a method of intercepting, recording/monitoring, and analyzing network data and communication patterns to detect and respond to system health issues, network anomalies, and threats. The network is a rich data source, so traffic analysis is useful for security and operational matters. The operational issues cover system availability checks and measuring performance, and the security issues cover anomaly and suspicious activity detection on the network.

Flow Analysis

Collecting data/evidence from the networking devices. This type of analysis aims to provide statistical results through the data summary without applying in-depth packet-level investigation.

  • Advantage: Easy to collect and analyse.
  • Challenge: Doesn’t provide full packet details to get the root cause of a case.

Packet Analysis

Collecting all available network data. Applying in-depth packet-level investigation (often called Deep Packet Inspection (DPI)) to detect and block anomalous and malicious packets.

  • Advantage: Provides full packet details to get the root cause of a case.
  • Challenge: Requires time and skillset to analyse.

Network Sniffing

Network sniffing involves capturing network traffic and exporting it to a PCAP file for analysis using tools like Wireshark, Brim, or Network Miner.

Definition of Packet Capturing

Packet capture refers to capturing network packets transmitted over a network, and packet replay refers to sending packets back out over the network. You can capture packets using a protocol analyzer, which is sometimes called sniffing or using a sniffer.

Promiscuous Mode

When using a protocol analyzer, you need to configure the network interface card (NIC) on the system to use promiscuous mode. Normally, a NIC uses non-promiscuous mode and only processes packets addressed directly to its IP address. However, when you put it in promiscuous mode, it processes all packets regardless of the IP address. This allows the protocol analyzer to capture all packets that reach the NIC.

TryHackMe Scenario

The video switches to the TryHackMe room where traffic analysis is applied to a simulated network environment. The objective is to detect malicious traffic by analyzing alerts triggered by an IDS and identifying malicious IP addresses. The user identifies two suspicious IP addresses (ending in .99 and .62) that generate Metasploit and bad traffic alerts, respectively, and adds them to the firewall for blocking.

In addition to IP addresses, the user also blocks destination ports based on the detected malicious traffic. Port 21 (FTP) and port 13698 are blocked to prevent compromised traffic from accessing sensitive services.
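The two room levels above boil down to one defender workflow: parse IDS alerts, count which sources keep tripping high-priority signatures, and turn that into an IP block list (Level 1) and an IP-plus-destination-port block list (Level 2). The script below is an added example, not code from the room or from the author; the alert lines are constructed in Snort/Suricata "fast" alert format with made-up signature IDs, and the priority and hit-count thresholds are assumptions for tuning.

```python
import re
from collections import Counter

# Constructed sample alerts (Snort/Suricata "fast" format). Signature IDs,
# messages and addresses are made up for this example, not real room data.
ALERTS = """\
01/21-10:15:32.123456  [**] [1:9000001:1] Metasploit payload (constructed) [**] [Priority: 1] {TCP} 10.10.10.99:44321 -> 10.10.10.5:21
01/21-10:15:33.001200  [**] [1:9000001:1] Metasploit payload (constructed) [**] [Priority: 1] {TCP} 10.10.10.99:44322 -> 10.10.10.5:21
01/21-10:15:40.555000  [**] [1:9000002:1] Bad traffic (constructed) [**] [Priority: 2] {TCP} 10.10.10.62:51000 -> 10.10.10.5:13698
01/21-10:16:01.000000  [**] [1:9000002:1] Bad traffic (constructed) [**] [Priority: 2] {TCP} 10.10.10.62:51001 -> 10.10.10.5:13698
01/21-10:16:05.000000  [**] [1:9000003:3] Generic info (constructed) [**] [Priority: 3] {TCP} 10.10.10.7:40000 -> 10.10.10.5:80
"""

# Pulls message, priority, protocol, source and destination out of a fast-format line.
ALERT_RE = re.compile(
    r"\[\*\*\] \[[\d:]+\] (?P<msg>.+?) \[\*\*\].*?\[Priority: (?P<prio>\d)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_alerts(text):
    """Yield one dict per parsable alert line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            alert = m.groupdict()
            alert["prio"] = int(alert["prio"])
            alert["dport"] = int(alert["dport"])
            yield alert


def build_blocklist(text, max_priority=2, min_hits=2):
    """Return (ips, ports): sources that triggered at least `min_hits` alerts of
    priority <= `max_priority`, plus the destination ports those sources hit.
    The hit threshold is a tuning choice so one low-confidence alert cannot block a host."""
    ip_hits = Counter()
    port_hits = Counter()
    for a in parse_alerts(text):
        if a["prio"] <= max_priority:
            ip_hits[a["src"]] += 1
            port_hits[(a["src"], a["dport"])] += 1
    ips = sorted(ip for ip, n in ip_hits.items() if n >= min_hits)
    ports = sorted({port for (ip, port) in port_hits if ip in ips})
    return ips, ports


if __name__ == "__main__":
    blocked_ips, blocked_ports = build_blocklist(ALERTS)
    print("block IPs:", blocked_ips)      # Level 1 style decision
    print("block ports:", blocked_ports)  # Level 2 adds the destination ports
```

The priority-3 informational alert from 10.10.10.7 is deliberately left out of the block list, which is the kind of filtering that keeps a firewall rule set from growing on every noisy signature.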

Room Answers | TryHackMe Traffic Analysis Essentials

Which Security Control Level covers contain creating security policies?

Administrative

Which Access Control element works with data metrics to manage data flow?

Load Balancing

Which technology helps correlate different tool outputs and data sources?

SOAR

Level-1 is simulating the identification and filtering of malicious IP addresses.

What is the flag?

THM{PACKET_MASTER}

Level-2 is simulating the identification and filtering of malicious IP and Port addresses.

What is the flag?

THM{DETECTION_MASTER}

Video Walkthrough | TryHackMe Traffic Analysis Essentials

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.