Module 2: Network Monitoring and Analysis


INTRODUCTION – Network Monitoring and Analysis

This module provides an in-depth overview of network analysis tools, with a particular focus on packet sniffers. It takes a hands-on approach: participants practice network sniffing and packet analysis while learning to recognize probable malicious activity. Much of the module rests on applying filtering commands to captured packet data so that students can detect security threats efficiently. Students also gain practical experience with packet-level analysis, an essential skill for any security professional charged with protecting networks against real-world cyber threats.

Learning Objectives

  • Explain how analyzing network traffic can aid in detecting, preventing, and resolving security incidents.
  • Use packet sniffing tools to obtain and monitor network traffic.
  • Examine and interpret packets so that one understands all the network activities.

TEST YOUR KNOWLEDGE: UNDERSTAND NETWORK TRAFFIC

1. How do indicators of compromise (IoCs) help security analysts detect network traffic abnormalities?

  • They capture network activity.
  • They provide a way to identify an attack. (CORRECT)
  • They define the attacker’s intentions.
  • They confirm that a security incident happened.

Indicators of Compromise (IoCs) help security analysts detect abnormal network traffic by providing concrete evidence of a likely attack. Built from known artifacts such as malicious IP addresses, file hashes, or threat-specific domain names, they let an analyst recognize and respond to a security incident promptly, improving both the speed and the accuracy of threat detection and mitigation.

2. Fill in the blank: Data _____ is the term for unauthorized transmission of data from a system.

  • pivoting
  • infiltration
  • exfiltration (CORRECT)
  • network traffic

Data exfiltration is the term for the unauthorized transfer or theft of data from a system. It can occur through different means, for example malicious software, insider threats, or the exploitation of vulnerabilities, and every form of it threatens data confidentiality and the organization itself.

3. An attacker has infiltrated a network. Next, they spend time exploring it in order to expand and maintain their access. They look for valuable assets such as proprietary code and financial records. What does this scenario describe?

  • Lateral movement (CORRECT)
  • Large internal file transfer
  • Phishing
  • Network data

The scenario describes lateral movement, sometimes called pivoting. Lateral movement is the attacker's traversal of a network after initial access in order to expand and maintain control over the areas reached through the attack. It is typically characterized by attempts to reach additional hosts, locate sensitive information, or create backdoors for future use.

4. What can security professionals use network traffic analysis for? Select three answers.

  • To secure critical assets
  • To understand network traffic patterns (CORRECT)
  • To monitor network activity (CORRECT)
  • To identify malicious activity (CORRECT)

Network traffic analysis lets security professionals view and assess activity on the network, detect malicious actions, and understand traffic patterns. It also supports the identification of threats, the exposure of vulnerabilities, and assurance of the network's security and performance.

TEST YOUR KNOWLEDGE: CAPTURE AND VIEW NETWORK TRAFFIC

1. Which component of a packet contains the actual data that is intended to be sent to its destination?

  • Payload (CORRECT)
  • Footer
  • Header
  • Protocol

The payload is an essential part of a data packet: it carries the actual data being sent to a destination. It is the substantive content, such as the body of an email, a file being transferred, or a message in a communication stream.

2. Fill in the blank: A _____ is a file that contains data packets that have been intercepted from an interface or a network.

  • packet capture (CORRECT)
  • protocol
  • network protocol analyzer
  • network statistic

Packet captures, often referred to as PCAP files, contain data packets intercepted from a network interface. This detailed snapshot of network communication, including both packet headers and payloads, allows extensive analysis of network traffic for troubleshooting, security monitoring, and performance assessment.

3. Which field of an IP header is used to identify whether IPv4 or IPv6 is used?

  • Options
  • Type of Service
  • Version (CORRECT)
  • Flags

The version field in an IP header defines the specific IP protocol version that is being used, which indicates whether the packet is in the format of IPv4 (value 4) or in the format of IPv6 (value 6). This aids the devices in correctly understanding and processing the packet.

4. Which network protocol analyzer is accessed through a graphical user interface?

  • Wireshark (CORRECT)
  • Libpcap
  • TShark
  • tcpdump

Wireshark is one of the best-known network protocol analyzers. It captures and records network traffic in real time, and its graphical user interface lets a user analyze packet-level data to identify network problems, detect security violations, and investigate performance issues.

5. Which of the following are components of a packet? Select three answers.

  • Header (CORRECT)
  • Footer (CORRECT)
  • Network
  • Payload (CORRECT)

A packet has components of header, payload, and footer. The details included in the header are protocol type and port number. The actual data is transmitted in the payload part of the packet. The footer terminates a packet.

6. Fill in the blank: The _____ accepts and delivers packets for the network.

  • Destination Address
  • Internet Protocol (IP)
  • Internet Layer (CORRECT)
  • Source Address

The Internet Layer is responsible for accepting and delivering packets to the network.

TEST YOUR KNOWLEDGE: PACKET INSPECTION

1. Which tcpdump option is used to specify the network interface?

  • -n
  • -i (CORRECT)
  • -c
  • -v

The -i option indicates the network interface; it is basically “i” for interface.

2. What is needed to access the tcpdump network protocol analyzer?

  • Command-line interface (CORRECT)
  • Output
  • Packet capture
  • Graphical user interface

Tcpdump is a network protocol analyzer that is accessed through the command-line interface (CLI). The output is the data generated when a command is executed at the CLI.

3. What is the first field found in the output of a tcpdump command?

  • Protocol
  • Source IP
  • Version
  • Timestamp (CORRECT)

The first field in the output of a tcpdump command is the packet's timestamp: the time at which the packet was captured.

4. You are using tcpdump to capture network traffic on your local computer. You would like to save the network traffic to a packet capture file for later analysis. Which tcpdump option should you use?

  • -v
  • -w (CORRECT)
  • -c
  • -r

The -w option writes all captured packets to a packet capture file for later analysis, so the data can be referenced afterwards.

MODULE 2 CHALLENGE

1. What type of attack involves the unauthorized transmission of data from a system?

  • Packet classification
  • Packet crafting
  • Data leak
  • Data exfiltration (CORRECT)

2. What tactic do malicious actors use to maintain and expand unauthorized access into a network?

  • Exfiltration
  • Data size reduction
  • Lateral movement (CORRECT)
  • Phishing

3. Which packet component contains protocol information?

  • Route
  • Header (CORRECT)
  • Payload
  • Footer

4. The practice of capturing and inspecting network data packets that are transmitted across a network is known as _____.

  • port sniffing
  • packet sniffing (CORRECT)
  • packet capture
  • protocol capture

5. Network protocol analyzer tools are available to be used with which of the following? Select two answers.

  • Internet protocol
  • Graphical user interface (CORRECT)
  • Command-line interface (CORRECT)
  • Network interface card

6. Which layer of the TCP/IP model is responsible for accepting and delivering packets in a network?

  • Network Access
  • Application
  • Internet (CORRECT)
  • Transport

7. What is used to determine whether errors have occurred in the IPv4 header?

  • Protocol
  • Flags
  • Checksum (CORRECT)
  • Header

8. Which tcpdump option applies verbosity?

  • -i
  • -c
  • -n
  • -v (CORRECT)

9. Examine the following tcpdump output:

22:00:19.538395 IP (tos 0x10, ttl 64, id 33842, offset 0, flags [P], proto TCP (6), length 196) 198.168.105.1.41012 > 198.111.123.1.61012: Flags [P.], cksum 0x50af (correct), seq 169, ack 187, win 501, length 42

What is the source IP address?

  • 41012
  • 198.168.105.1 (CORRECT)
  • 22:00:19.538395
  • 198.111.123.1

10. Fill in the blank: _____ describes the amount of data that moves across a network.

  • Network data
  • Data exfiltration
  • Network traffic (CORRECT)
  • Traffic flow

11. Which of the following behaviors may suggest an ongoing data exfiltration attack? Select two answers.

  • Network performance issues
  • Multiple successful multi-factor authentication logins
  • Unexpected modifications to files containing sensitive data (CORRECT)
  • Outbound network traffic to an unauthorized file hosting service (CORRECT)

12. Do packet capture files provide detailed snapshots of network communications?

  • Yes. Packet capture files provide information about network data packets that were intercepted from a network interface. (CORRECT)
  • No. Packet capture files do not contain detailed information about network data packets. 
  • Maybe. The amount of detailed information packet captures contain depends on the type of network interface that is used.

13. Fill in the blank: tcpdump is a network protocol analyzer that uses a(n) _____ interface.

  • Linux
  • graphical user
  • command-line (CORRECT)
  • internet

14. Which IPv4 field determines how long a packet can travel before it gets dropped?

  • Time to Live (CORRECT)
  • Header Checksum
  • Options
  • Type of Service

15. What is the process of breaking down packets known as?

  • Checksum
  • Fragment Offset
  • Fragmentation (CORRECT)
  • Flags

16. Which tcpdump option is used to specify the capture of 5 packets?

  • -n 5
  • -i 5
  • -c 5 (CORRECT)
  • -v 5

17. Examine the following tcpdump output:

22:00:19.538395 IP (tos 0x10, ttl 64, id 33842, offset 0, flags [P], proto TCP (6), length 196) 198.168.105.1.41012 > 198.111.123.1.61012: Flags [P.], cksum 0x50af (correct), seq 169, ack 187, win 501, length 42

Which protocols are being used? Select two answers.

  • IP (CORRECT)
  • UDP
  • TCP (CORRECT)
  • TOS
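Questions 9 and 17 both ask the reader to pick fields out of the same verbose tcpdump line. The parser below is an added example, not part of the original quiz or of tcpdump itself; it assumes the field layout tcpdump prints for IPv4 with -v (the parenthesised IP header summary, then src.port > dst.port and the TCP detail), and the field names and helper functions are my own.

```python
import re
from typing import Any, Dict, Set

# Constructed sample: the tcpdump -v line quoted in questions 9 and 17.
SAMPLE_LINE = (
    "22:00:19.538395 IP (tos 0x10, ttl 64, id 33842, offset 0, flags [P], "
    "proto TCP (6), length 196) 198.168.105.1.41012 > 198.111.123.1.61012: "
    "Flags [P.], cksum 0x50af (correct), seq 169, ack 187, win 501, length 42"
)

# Field order follows tcpdump's verbose IPv4 output: timestamp, "IP", the
# IPv4 header summary in parentheses, then src.port > dst.port and the
# transport-layer detail. Group names are this example's own.
LINE_RE = re.compile(
    r"^(?P<timestamp>\d{2}:\d{2}:\d{2}\.\d+) IP \("
    r"tos 0x(?P<tos>[0-9a-fA-F]+), ttl (?P<ttl>\d+), id (?P<ident>\d+), "
    r"offset (?P<offset>\d+), flags \[(?P<ip_flags>[^\]]*)\], "
    r"proto (?P<proto>[A-Z]+) \((?P<proto_num>\d+)\), length (?P<ip_len>\d+)\) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): (?P<detail>.*)$"
)


def parse_tcpdump_line(line: str) -> Dict[str, Any]:
    """Split one verbose tcpdump IPv4 line into its header fields."""
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError("not a verbose tcpdump IPv4 line: %r" % line)
    rec: Dict[str, Any] = m.groupdict()
    for key in ("ttl", "ident", "offset", "proto_num", "ip_len", "sport", "dport"):
        rec[key] = int(rec[key])
    rec["tos"] = int(rec["tos"], 16)
    # tcpdump prints the IPv4 flags as "DF" (don't fragment) and "+" (more
    # fragments); a non-zero offset or "+" means this packet is a fragment.
    rec["is_fragment"] = rec["offset"] > 0 or "+" in rec["ip_flags"]
    # With -v the TCP detail carries "cksum 0x.... (correct)" or "(incorrect ...)".
    ck = re.search(r"cksum 0x([0-9a-fA-F]+) \((\w+)", rec["detail"])
    rec["l4_cksum_ok"] = bool(ck) and ck.group(2) == "correct"
    return rec


def protocols_in_use(rec: Dict[str, Any]) -> Set[str]:
    """Network-layer and transport-layer protocols named on the line."""
    return {"IP", rec["proto"]}


if __name__ == "__main__":
    r = parse_tcpdump_line(SAMPLE_LINE)
    print(r["timestamp"], r["src"], "->", r["dst"], sorted(protocols_in_use(r)))
```

The returned record also exposes the ttl, id, offset and flags fields that the challenge questions on TTL, checksum and fragmentation refer to, so the same parser can be run over a whole tcpdump -v log to flag fragments or bad checksums.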

18. Fill in the blank: Network protocol analyzers can save network communications into files known as a _____.

  • packet capture (CORRECT)
  • payload
  • protocol
  • network packet

19. Which layer of the TCP/IP model does the Internet Protocol (IP) operate on?

  • Application
  • Internet (CORRECT)
  • Transport
  • Network Access

20. What are some defensive measures that can be used to protect against data exfiltration? Select two answers.

  • Utilize lateral movement
  • Deploy multi-factor authentication (CORRECT)
  • Monitor network activity (CORRECT)
  • Reduce file sizes

21. Fill in the blank: The transmission of data between devices on a network is governed by a set of standards known as _____.

  • headers
  • payloads
  • ports
  • protocols (CORRECT)

22. Which protocol version is considered the foundation for all internet communications?

  • HTTP
  • ICMP
  • IPv4 (CORRECT)
  • UDP

23. Which IPv4 header fields involve fragmentation? Select three answers.

  • Identification (CORRECT)
  • Flags (CORRECT)
  • Fragment Offset (CORRECT)
  • Type of Service

24. How do network protocol analyzers help security analysts analyze network communications? Select two answers.

  • They take action to improve network performance.
  • They provide the ability to collect network communications. (CORRECT)
  • They take action to block network intrusions.
  • They provide the ability to filter and sort packet capture information to find relevant information. (CORRECT)

25. Why is network traffic monitoring important in cybersecurity? Select two answers.

  • It provides a method to encrypt communications.
  • It helps identify deviations from expected traffic flows. (CORRECT)
  • It provides a method of classifying critical assets.
  • It helps detect network intrusions and attacks. (CORRECT)

CONCLUSION – Network Monitoring and Analysis

In summary, this short module gives learners the practical skills that underpin network analysis and the use of packet sniffers. Through detailed coverage of network sniffing and the packet analysis process behind it, they learn how to detect and respond to potential security threats effectively.

The focus on writing filtering commands also helps them investigate packet contents further, a hands-on skill that carries over directly to real-world cybersecurity work. With these capabilities, participants should be able to protect the integrity of their networks and actively help counter cyber threats.
