By practice, I mean spending time working with packets. If you have monitoring access to your companies network, that would be the place to start. Not only will it give you access to a wider range of traffic than using your home network, but you'll start becoming familiar with what is normal. It's very difficult to find the anomalous if you don't know what's normal. If you don't have access to your companies traffic yet (and ONLY use your companies network if you have been given explicit permission, in writing, to do so), there are tons of places you can pull down interesting packet captures to play with and practice. pcapr.net has a huge repository, the HoneyNet project has monthly challenges, the Army ITOC posts captures from the Inter-Service Academy Cyber Defense Competition (the NSA provides a Red Team against the the service academies Blue Teams), and so forth.
There all different kinds of ways to practice. You can do scenarios; choose an attribute that would indicate possibly malicious activity, then see if you can find any on your network. Do a realtime sniff for any packets whose IP header is greater than 20 bytes, indicating that IP options are in use. Look for large sized ICMP packets (greater than 100 bytes), and if you find some and they aren't malicious, determine why they're large (Microsoft is one culprit in this category).
You can redirect the captures into text, and use awk and sed and grep and other utilities to start building up a collection of scripts and filters for things you'll want to look for often. If you're a perl programmer, you can use all the nifty perl networking modules to make yourself some automated programs to break apart captures and extract data.
You can use tools like xtractr and NetWitness Investigator to see your high level categories, then drill down and look at the individual packets when you see something interesting. I've been using both to look at events from our IDS.
You can run the packets through dnsiff and see if there are clear text authentication tokens you weren't aware of. Run them through ngrep and use keywords specific to your corporation and look for data leakage going beyond the perimeter of your network. You can load them in EtherApe and watch for the blooms of color.. readily identifying "top talkers", which could be indicative of malicious activity, a network issue or a bandwidth hog, like someone using BitTorrent.
There are dozens and dozens of tools you can run those captures through, and the more you do it, the more familiar you'll become with your network and the better at identifying those folks who refuse to play nice.
Links to packet captures:
- pcapr - http://www.pcapr.net/home
- HoneyNet - http://www.honeynet.org/challenges
- ITOC - http://www.itoc.usma.edu/research/dataset/ (bottom half of the page.. scroll... they're there)
4 comments:
Hey. I cannot find the ITOC data anymore 'cause it reports that their SSL Cert has expired. Do you know of any mirror hosting these logs?
Hey. I cannot find the ITOC dataset any more 'cause their SSL cert is reported as expired. Do you know of any mirror hosting these files?
Sadly, I don't. And I don't have a site I could put them up on.. there are 14 1 Gb files and a few slightly smaller ones...
The cert has been fixed on the ITOC site at http://www.itoc.usma.edu/research/dataset/
Post a Comment