Common Network Analysis Tool For Cyber Security Analysts

A SOC relies on a supporting infrastructure of tools and systems that provide the following services:

Network mapping
Network monitoring
Vulnerability detection
Penetration testing
Data collection
Threat and anomaly detection
Data aggregation and correlation

One tool that is used by analysts in a SOC is Security Onion.

Security Onion is intended to support SOC analysts with a suite of tools for network security monitoring, including intrusion detection, network security monitoring, and log management. The Security Onion distribution is based on the Ubuntu Linux operating system and contains several useful security tools that are designed to provide four core network security-monitoring functions as follows:

Full packet capture
Network-based and host-based intrusion detection sensors
Security analysis tools
Log management

The Enterprise Log Search and Archive (ELSA) version of Security Onion is composed of the following tools:

#1 ELSA

ELSA is a centralized syslog framework that is built on Syslog-NG, MySQL, and Sphinx full-text search. It provides a fully asynchronous web-based query interface that normalizes logs and makes searching billions of them for arbitrary strings as easy as searching the web. It also includes tools for assigning permissions for viewing the logs, email-based alerts, scheduled queries, and graphing.

#2 Snort

An open source, rules-driven network intrusion detection system (NIDS) and network intrusion prevention system (NIPS) developed by Cisco (Sourcefire). It performs real-time threat detection and generates alerts when threats are detected. The NIPS inline mode is not supported within Security Onion.

#3 Suricata

A script-driven NIDS and NIPS threat detection engine for analyzing traffic and generating alerts. NIPS inline mode is not supported within Security Onion.

#4 Zeek (Bro)

A packet recorder and protocol parsing engine that is commonly used to analyze network traffic to detect behavioral anomalies.

#5 Traffic logging

Traffic captured by means of SPAN, a TAP port, or a packet broker. Traffic logging generates comprehensive, protocol-specific traffic logs for more than 35 network protocols and application layer analyzers, including HTTP, DNS FTP, and SMTP.

#6 Automated analysis

Traffic analysis that uses Bro scripts.

#7 File extraction

Extracts and reassembles various file types directly off the wire.

#8 Wazuh (OSSEC)

Host-based intrusion detection system (HIDS) that replaced OSSEC and is used to monitor and defend Security Onion. Wazuh offers a lightweight monitoring agent that can be installed on network host devices and is supported on Windows, Linux, Mac OS X, HP-UX, AIX, and Solaris platforms.

#9 Netsniff-ng

Captures network traffic via SPAN, a TAP port, or packet broker in the form of PCAP files.

#10 Sysmon

Windows system service to monitor event log and system activity.

#11 Syslog-ng

An enhanced BSD log daemon that can receive logs and collect inputs from a wide range of sources.

Network analyst tools

Provide packet capture and network traffic IP flow analytics capabilities that can be used to find anomalous network activity. The following popular network analyst tools are included within Security Onion:

#1 Wireshark

Network protocol analyzer

#2 Sguil

Sguil (pronounced “sgweel”) is built by network security analysts for network security analysts. Sguil’s main component is an intuitive GUI that provides access to real-time events, session data, and raw packet captures. Sguil facilitates the practice of Network Security Monitoring and event driven analysis.

#3 Squert

Squert is a web application that is used to query and view event data that is stored in a Sguil database (typically IDS alert data). Squert is a visual tool that attempts to provide additional context to events by using metadata, time series representations and weighted and logically grouped result sets.

#4 NetworkMiner

Performs network traffic analysis for parsing PCAP files and extracting artifacts

#5 CyberChef

Web-based application for data manipulation

#6 CapME

Helps with analyzing PCAP transcripts and downloading captured PCAP files

The preceding tools are included in Security Onion to aid the SOC analyst in viewing network telemetry data and analyzing that data to determine if a network intrusion has occurred. For example, IDS alerts are generated from Snort or Suricata. A SOC analyst could use ELSA to query log data from other sources to validate alert messages that are from Snort. Sguil is a real-time event- and session-monitoring tool that displays data for a SOC analyst to interpret. These types of tools are used by security analysts to perform their jobs.

A newer release of Security Onion is called the Elastic Stack (ELK) version. It includes the following tools:

Elasticsearch: Ingest and index logs, large scalable search engine based on Apache Lucene
Logstash: Data ingestion engine, parsing, and format logs
Kibana: Web dashboard that offers visualizations of ingested log data and data exploration. (Kibana and Squert can pivot to CapMe to retrieve full packet captures.)
TheHIVE: Security incident response platform and case management system integrated with Malware Information Sharing Platform (MISP)
Elastic Beats: Lightweight data shipper server agent that sends specific types of operational data to Logstash and Elasticsearch
Curator: Manage indices through scheduled maintenance
ElastAlert: Query Elasticsearch and alert on user-defined anomalous behavior or other interesting bits of information
FreqServer: Detect DGAs and find random filenames, script names, process names, service names, workstation names, TLS certificate and issuer subjects, and so on.
DomainStats: Conducts whois lookups and provides info about a domain by providing additional context, such as creation time, age, reputation.

The following figure shows the relationship between the Security Onion 2 Elastic Stack components.

Open Transcript

You might use other tools, besides Security Onion, such as the following:

Cisco Secure Network Analytics (formerly Stealthwatch): Displays distinct views of the IP flows traversing network devices that are configured to send NetFlow data to Cisco Secure Network Analytics. Cisco Secure Network Analytics uses NetFlow, IPFIX, and other types of network telemetry data to detect a wide range of threats such as advanced persistent threats (APT)s, distributed denial of service (DDoS) attacks, zero-day malware, and insider threats. Cisco Secure Network Analytics applies various behavior and policy-based algorithms to alarm SOC analysts about suspicious behavior on the network.
Cisco Secure Malware Analytics (formerly Threat Grid): A cloud-based malware analysis and threat intelligence sandbox solution. A SOC analyst can submit malware samples for analysis during an investigation. Secure Malware Analytics uses various static and dynamic analysis engines to dissect file behaviors to determine whether a file might be malicious. Cisco Secure Malware Analytics will search and correlate data elements of a single malware sample against millions of samples collected and sourced from around the world providing a global view of malware attacks and its association. Cisco Secure Malware Analytics is included as an integrated component of many Cisco Secure products.
Cisco SecureX platform: Connects the Cisco integrated security portfolio with the organization’s entire security infrastructure. The result is a consistent experience that unifies visibility and identifies unknown threats. It also enables automated workflows to strengthen security across the network, endpoint, cloud, and applications. Cisco SecureX is an open, cloud-native platform that is included with many Cisco Secure products. It provides a comprehensive user experience, aligns with products from more than 175 security technology providers, and offers more than 300 product-to-product integrations.
Penetration testing tools: The purpose of penetration testing is to actually exploit weaknesses. A penetration test simulates the actions of an attacker who aims to breach the information security of the organization. Using many tools and techniques, the penetration tester (ethical hacker) attempts to exploit critical systems and gain access to sensitive data. A vulnerability assessment is the process that looks for known vulnerabilities in the information systems and reports potential exposures. Penetration testing and vulnerability assessment are often incorrectly used interchangeably, which has created confusion for many enterprises.
Most organizations usually start with a vulnerability assessment, and act on its results to either eliminate those weaknesses or reduce them to an acceptable level of risk, and then perform a penetration test if they are confident in their improved security posture. Kali Linux contains many penetration testing tools from various niches of the security and forensics fields, tools such as Metasploit Framework, Armitage, and Social Engineer Toolkit (SET). The following figure shows an example of using Armitage to exploit the Apache Struts vulnerability to open a reverse connection to the vulnerable Apache server (192.168.1.107).

In the following figure, the whoami command is issued after the reverse connection is established.

Security Information and Event Management

The primary purpose of a Security Information and Event Management (SIEM) in security operations is to collect and correlate logs to events that indicate malicious or suspicious actions in the network environment.

SIEM systems help SOC analysts by collecting all relevant security data into one place, correlating the data, alerting SOC analysts about anomalies, and enriching the data. Without SIEM systems, a security operations team would not be able to monitor hundreds, thousands, or millions of assets. A SIEM automates the collection, indexing, and alerting of data that is critical to SOC operations.

Although a SIEM is excellent for ingesting, processing, and storing large volumes of data, they fall short when the data must be interpreted in the context of the network environment. While some response actions can and should be automated, humans still need to interpret, analyze, and decide how a specific set of events impacts the environment.

Splunk Enterprise is a popular commercial SIEM product that offers several features including search, indexing, alters, pivot, reports, and data modeling.

Splunk Enterprise, with artificial intelligence and machine-learning capabilities, helps SOC analysts uncover the actionable insights from all the data, regardless of the format. The Splunk Enterprise environment can be customized to fit the specific needs of the organization by the use of apps.

An app is a collection of configurations, knowledge objects, views, and dashboards that run on the Splunk platform. Certain Cisco products support certain Splunk apps.

Do you enjoy this article, add Our Posts to your Reading List.

Action Point

PS: I know you might agree with some of the points that I have raised in this article. You might not agree with some of the issues raised. Let me know your views about the topic discussed. We will appreciate it if you could drop your comment. Thanks in anticipation.

Fact Check Policy

CRMNuggets is committed to fact-checking in a fair, transparent and non-partisan manner. Therefore, if you’ve found an error in any of our reports, be it factual, editorial, or an outdated post, please contact us to tell us about it.