Traffic Analysis Essentials TryHackMe Walkthrough

Learn Network Security and Traffic Analysis foundations and take a step into probing network anomalies.

Cyber Rey
4 min read · Nov 16, 2023
Traffic Analysis Essentials

This write-up covers the Traffic Analysis Essentials Room on TryHackMe.
Learning Path(s): SOC Level 1
Module: Network Security and Traffic Analysis
Skill: Networking Tools

Network Security (a subdomain of cyber security) is a set of operations for protecting data, applications, devices, and systems connected to the network.

Traffic analysis (often called Network Traffic Analysis) is a subdomain of the Network Security domain, and its primary focus is investigating the network data to identify problems and anomalies.

Network Security and Network Data

💡The essential concern of Network Security focuses on two core concepts: authentication and authorization.

Base Network Security Control Levels:

These are the most common elements used in network security operations:

  1. Access Control: a set of controls to ensure authentication and authorization. Its key elements include:
    - Firewall Protection
    - Network Access Control (NAC)
    - Identity and Access Management (IAM)
    - Load Balancing
    - Network Segmentation
    - Virtual Private Networks (VPN)
    - Zero Trust Model
  2. Threat Control: detecting and preventing anomalous/malicious activities on the network. It covers both internal (trusted) and external traffic data probes. Its key elements include:
    - Intrusion Detection and Prevention (IDS/IPS)
    - Data Loss Prevention (DLP)
    - Endpoint Protection
    - Cloud Security
    - Security Information and Event Management (SIEM)
    - Security Orchestration, Automation and Response (SOAR)
    - Network Traffic Analysis & Network Detection and Response

A typical Network Security Management Operation is explained in the given table:

Managed Security Services (MSS)

Not every organization has enough resources (budget, employee skillset, and organization size) to create dedicated groups for specific security domains.

MSS are security services outsourced to Managed Security Service Providers (MSSPs) in order to supply the effort required to ensure or enhance an organization's security posture.

The most common elements of MSS:

Traffic Analysis

💡Traffic Analysis is a method of intercepting, recording/monitoring, and analyzing network data and communication patterns to detect and respond to system health issues, network anomalies, and threats.

It is useful for security and operational matters:

  • Operational issues cover system availability checks and measuring performance,
  • Security issues cover anomaly and suspicious activity detection on the network.

Traffic analysis is part of multiple disciplines of network security operations listed below:

Two main techniques used in Traffic Analysis:

  1. Flow Analysis: collecting data/evidence from the networking devices without applying in-depth packet-level investigation.
    Advantage: easy to collect and analyze.
    Challenge: doesn't provide full packet details to get the root cause of a case.
  2. Packet Analysis: collecting all available network data and applying in-depth packet-level investigation (often called Deep Packet Inspection (DPI)) to detect and block anomalous and malicious packets.
    Advantage: provides full packet details to get the root cause of a case.
    Challenge: requires time and skillset to analyze.
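To make the flow-versus-packet trade-off concrete, here is an added example (not from the room or this write-up) that runs both techniques over a small constructed "capture". The packets, addresses and payloads are made up; the `Packet` class, `flow_analysis` and `packet_analysis` are assumed helper names. Flow analysis collapses the packets into NetFlow-style records (who talked to whom, how many packets and bytes), while packet analysis inspects payloads and can spot a cleartext credential that the flow records cannot represent at all.

```python
"""Flow analysis vs packet analysis over a constructed packet list.

Added example: the packets below are constructed for illustration, not
taken from the TryHackMe room.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    payload: bytes


# Constructed sample capture: one HTTP session (with a cleartext login)
# and one DNS query.
PACKETS = [
    Packet("10.0.0.5", "93.184.216.34", 51000, 80, "tcp",
           b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    Packet("93.184.216.34", "10.0.0.5", 80, 51000, "tcp",
           b"HTTP/1.1 200 OK\r\n\r\n<html>"),
    Packet("10.0.0.5", "93.184.216.34", 51000, 80, "tcp",
           b"POST /login HTTP/1.1\r\nHost: example.com\r\n\r\n"
           b"user=alice&password=hunter2"),
    Packet("10.0.0.7", "10.0.0.53", 40000, 53, "udp",
           b"\x12\x34\x01\x00\x00\x01example\x03com\x00"),
]


def flow_key(p: Packet) -> tuple:
    """Unidirectional 5-tuple that identifies a flow."""
    return (p.src, p.dst, p.sport, p.dport, p.proto)


def flow_analysis(packets) -> dict:
    """Flow analysis: aggregate packets into per-flow counters only.

    This is what a router or switch exports; no payload is retained,
    which is why the flow view cannot answer content questions.
    """
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for p in packets:
        rec = flows[flow_key(p)]
        rec["packets"] += 1
        rec["bytes"] += len(p.payload)
    return dict(flows)


def packet_analysis(packets, marker: bytes = b"password=") -> list:
    """Packet analysis (DPI): inspect each payload for a marker.

    Returns the flows whose payload carries the marker, e.g. a credential
    sent over cleartext HTTP that a DLP control would want to catch.
    """
    return sorted({flow_key(p) for p in packets if marker in p.payload})


if __name__ == "__main__":
    for key, rec in flow_analysis(PACKETS).items():
        print(key, rec)
    print("flows with cleartext credential:", packet_analysis(PACKETS))
```

The flow view yields three records and is cheap to keep for months, but the `password=` finding exists only in the packet view; in practice the two are combined, with flow data used to scope an incident and full packets pulled for the root cause.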

Traffic Analysis Essentials Room QA

Note: Due to Medium’s formatting, some elements are dropped. Please visit our Notion page for the full tutorial.

Security Control Level:

  1. Which Security Control Level covers creating security policies?
    Go to the “Base Network Security Control Levels” table.
    Find the Security Control Level that covers creating security policies.
  2. Which Access Control element works with data metrics to manage data flow?
    Scroll up to “The Key Elements of Access Control” table.
    Identify the Access Control element that works with data metrics to manage data flow.
  3. Which technology helps correlate different tool outputs and data sources?
    Scroll up to “The Key Elements of Threat Control” table.
    Look for the technology that helps correlate different tool outputs and data sources.
    Provide the acronym for the answer.

Flag Questions:

  1. What is the flag for Level-1?
    Click the green “View Site” button at the top of the task.
    Click the black “Start Network Traffic” button.
    Restore the network, record traffic, and identify two suspicious IP addresses.
    Add these IP addresses to the filter and restart network traffic.
    Check the pop-up window for the first flag.
  2. What is the flag for Level-2?
    Identify destination ports related to suspicious IP addresses from the Traffic Analyzer table.
    Add these ports to the filter and restart network traffic.
    Check the pop-up window for the second flag.
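The two flag levels follow the same defender's loop: triage the traffic table for sources that stand out, pivot to the destination ports those sources used, then filter on both. The following added example (not the room's site or code) reproduces that loop offline on a constructed traffic table. The rows, the internal prefix, the "expected ports" baseline and the helper names (`suspicious_sources`, `ports_used_by`, `apply_filter`) are all assumptions for illustration; the room's own addresses and ports are not reproduced here.

```python
"""Two-stage filter mirroring the Level-1 (IP) and Level-2 (port) steps.

Added example: the traffic rows and the baseline below are constructed
placeholders, not values from the TryHackMe room.
"""

# Constructed rows in the shape of a traffic analyzer table:
# (source IP, destination IP, destination port, protocol)
TRAFFIC = [
    ("10.0.0.10", "10.0.0.2", 443, "tcp"),
    ("10.0.0.11", "10.0.0.2", 443, "tcp"),
    ("203.0.113.9", "10.0.0.2", 22, "tcp"),     # external host reaching SSH
    ("203.0.113.9", "10.0.0.3", 3389, "tcp"),   # same host reaching RDP
    ("198.51.100.4", "10.0.0.2", 22, "tcp"),    # second external host on SSH
    ("10.0.0.10", "10.0.0.53", 53, "udp"),
]

INTERNAL_PREFIX = "10.0.0."   # assumed local network
EXPECTED_PORTS = {443, 53}     # assumed baseline of services clients should use


def suspicious_sources(rows) -> list:
    """Level-1 style triage: external sources reaching ports outside the baseline."""
    return sorted({src for src, _, dport, _ in rows
                   if not src.startswith(INTERNAL_PREFIX)
                   and dport not in EXPECTED_PORTS})


def ports_used_by(rows, sources) -> list:
    """Level-2 style pivot: destination ports the flagged sources touched."""
    return sorted({dport for src, _, dport, _ in rows if src in sources})


def apply_filter(rows, blocked_ips=(), blocked_ports=()) -> tuple:
    """Drop rows whose source IP or destination port is on a block list.

    Returns (allowed, dropped) so the analyst can confirm that only the
    flagged traffic was removed and normal traffic still passes.
    """
    allowed, dropped = [], []
    for row in rows:
        src, _, dport, _ = row
        target = dropped if (src in blocked_ips or dport in blocked_ports) else allowed
        target.append(row)
    return allowed, dropped


if __name__ == "__main__":
    ips = suspicious_sources(TRAFFIC)
    ports = ports_used_by(TRAFFIC, ips)
    kept, removed = apply_filter(TRAFFIC, blocked_ips=ips, blocked_ports=ports)
    print("suspicious sources:", ips)
    print("ports to filter:", ports)
    print("allowed rows:", len(kept), "dropped rows:", len(removed))
```

Checking the `allowed` list after filtering is the part worth keeping from the exercise: a port-based rule such as blocking 22 also drops a legitimate internal admin session if one exists, so the second stage should be reviewed against normal traffic before it is left in place.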

Cyber Rey

Technophile | Woman in Cybersecurity | Cybersecurity Awareness Advocate!