Common Network Analysis Tool For Cyber Security Analysts

A SOC relies on a supporting infrastructure of tools and systems that provide the following services:

  • Network mapping
  • Network monitoring
  • Vulnerability detection
  • Penetration testing
  • Data collection
  • Threat and anomaly detection
  • Data aggregation and correlation

One tool that is used by analysts in a SOC is Security Onion.

Security Onion is intended to support SOC analysts with a suite of tools for network security monitoring, including intrusion detection and log management.

The Security Onion distribution is based on the Ubuntu Linux operating system and contains several useful security tools that are designed to provide four core network security-monitoring functions as follows:

  • Full packet capture
  • Network-based and host-based intrusion detection sensors
  • Security analysis tools
  • Log management

The Enterprise Log Search and Archive (ELSA) version of Security Onion is composed of the following tools:

#1 ELSA

ELSA is a centralised syslog framework that is built on Syslog-NG, MySQL, and Sphinx full-text search. It provides a fully asynchronous web-based query interface that normalizes logs and makes searching billions of them for arbitrary strings as easy as searching the web. It also includes tools for assigning permissions for viewing the logs, email-based alerts, scheduled queries, and graphing.

#2 Snort

An open source, rules-driven network intrusion detection system (NIDS) and network intrusion prevention system (NIPS) developed by Cisco (Sourcefire). It performs real-time threat detection and generates alerts when threats are detected. The NIPS inline mode is not supported within Security Onion.

#3 Suricata

A script-driven NIDS and NIPS threat detection engine for analysing traffic and generating alerts. NIPS inline mode is not supported within Security Onion.

#4 Zeek (Bro)

A packet recorder and protocol parsing engine that is commonly used to analyze network traffic to detect behavioural anomalies.

#5 Traffic logging

Traffic is captured using SPAN, a TAP port, or a packet broker. Traffic logging generates comprehensive, protocol-specific traffic logs for more than 35 network protocols and application layer analyzers, including HTTP, DNS, FTP, and SMTP.

#6 Automated analysis

Traffic analysis that uses Zeek (Bro) scripts.

#7 File extraction

Extracts and reassembles various file types directly off the wire.

#8 Wazuh (OSSEC)

Host-based intrusion detection system (HIDS) that replaced OSSEC and is used to monitor and defend Security Onion. Wazuh offers a lightweight monitoring agent that can be installed on network host devices and is supported on Windows, Linux, Mac OS X, HP-UX, AIX, and Solaris platforms.

#9 Netsniff-ng

Captures network traffic via SPAN, a TAP port, or a packet broker in the form of PCAP files.

#10 Sysmon

Windows system service to monitor the event log and system activity.

#11 Syslog-ng

An enhanced BSD log daemon that can receive logs and collect inputs from a wide range of sources.

Network analyst tools

Network analysis tools provide packet capture and IP flow analytics capabilities that can be used to find anomalous network activity. The following popular network analysis tools are included within Security Onion:

#1 Wireshark

Network protocol analyzer.

#2 Sguil

Sguil (pronounced “sgweel”) is built by network security analysts for network security analysts. Sguil’s main component is an intuitive GUI that provides access to real-time events, session data, and raw packet captures. Sguil facilitates the practice of Network Security Monitoring and event-driven analysis.

#3 Squert

Squert is a web application that is used to query and view event data that is stored in a Sguil database (typically IDS alert data). Squert is a visual tool that attempts to provide additional context to events by using metadata, time series representations and weighted and logically grouped result sets.

#4 NetworkMiner

Performs network traffic analysis for parsing PCAP files and extracting artifacts.

#5 CyberChef

Web-based application for data manipulation.

#6 CapME

Helps with analyzing PCAP transcripts and downloading captured PCAP files.

The preceding tools are included in Security Onion to aid the SOC analyst in viewing network telemetry data and analyzing that data to determine if a network intrusion has occurred. For example, IDS alerts are generated from Snort or Suricata.

A SOC analyst could use ELSA to query log data from other sources to validate alert messages that are from Snort. Sguil is a real-time event- and session-monitoring tool that displays data for a SOC analyst to interpret. These types of tools are used by security analysts to perform their jobs.
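As an added example (not code from the original page or from Security Onion), the validation step described above done by hand in Python: a Snort fast-format alert is parsed and checked against Zeek conn.log rows for a session with the same 5-tuple, the kind of cross-source check an analyst runs in ELSA and a SIEM automates. The alert lines, conn.log rows, and uids are constructed sample data.

```python
import re
# Constructed sample telemetry (not from a real sensor): Snort fast-format alerts
# and a Zeek conn.log excerpt with its #fields header, as ELSA would index them.
SNORT_ALERTS = """\
08/21-14:03:22.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.10:80 -> 198.51.100.5:51234
08/21-14:05:01.000000  [**] [1:2008578:5] ET SCAN Sipvicious Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 203.0.113.9:5060 -> 198.51.100.7:5060
"""
ZEEK_CONN = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tconn_state
1692626601.010000\tCabc1\t198.51.100.5\t51234\t192.0.2.10\t80\ttcp\thttp\tSF
1692626650.500000\tCdef2\t198.51.100.6\t44000\t192.0.2.11\t443\ttcp\tssl\tSF
"""
# Snort fast format: ts [**] [gid:sid:rev] msg [**] ... {PROTO} src:sport -> dst:dport
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<sid>[^\]]+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)
def parse_snort_fast(text):
    """Return one dict per alert line; lines that do not match the format are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            d["proto"] = d["proto"].lower()  # Zeek writes protocols in lower case
            alerts.append(d)
    return alerts
def parse_zeek_conn(text):
    """Parse a Zeek TSV log by its #fields header, ignoring the other # lines."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def validate_alert(alert, conns):
    """Return uids of sessions whose 5-tuple matches the alert in either direction;
    an empty list means no session backs the alert (false positive or telemetry gap)."""
    fwd = (alert["src"], alert["sport"], alert["dst"], alert["dport"])
    rev = (fwd[2], fwd[3], fwd[0], fwd[1])
    hits = []
    for c in conns:
        tup = (c["id.orig_h"], int(c["id.orig_p"]), c["id.resp_h"], int(c["id.resp_p"]))
        if c["proto"] == alert["proto"] and tup in (fwd, rev):
            hits.append(c["uid"])
    return hits
```

In the sample, the first alert is backed by session Cabc1, while the UDP scan alert has no matching session and so needs a closer look before it is trusted.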

 

A newer release of Security Onion is called the Elastic Stack (ELK) version. It includes the following tools:

  • Elasticsearch: Ingests and indexes logs; a large, scalable search engine based on Apache Lucene
  • Logstash: Data ingestion engine that parses and formats logs
  • Kibana: A web dashboard that offers visualisations of ingested log data and data exploration. (Kibana and Squert can pivot to CapMe to retrieve full packet captures.)
  • TheHive: Security incident response platform and case management system integrated with Malware Information Sharing Platform (MISP).
  • Elastic Beats: Lightweight data shipper server agent that sends specific types of operational data to Logstash and Elasticsearch
  • Curator: Manages indices through scheduled maintenance
  • ElastAlert: Queries Elasticsearch and alerts on user-defined anomalous behaviour or other interesting bits of information
  • FreqServer: Detects DGAs and finds random filenames, script names, process names, service names, workstation names, TLS certificate and issuer subjects, and so on.
  • DomainStats: Conducts whois lookups and provides additional context about a domain, such as creation time, age, and reputation.
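As an added example, not FreqServer's own code, a simplified version of the letter-pair frequency scoring that FreqServer uses to spot DGA-style random labels: pairs are counted over a benign corpus, and a label whose pairs are rare in that corpus scores low. The corpus, the candidate names, and the threshold are constructed assumptions; a real deployment trains on a large list of popular hostnames.

```python
from collections import Counter

# Constructed benign training corpus (assumption; a real deployment trains on a
# large list of popular hostnames so the pair probabilities are meaningful).
BENIGN = ["google", "facebook", "youtube", "microsoft", "amazon", "wikipedia",
          "twitter", "instagram", "linkedin", "netflix", "apple", "office",
          "github", "stackoverflow", "cloudflare", "mozilla", "reddit", "adobe"]

def letter_pairs(name):
    """Adjacent letter pairs of a label, ignoring digits, dots and hyphens."""
    s = name.lower()
    return [a + b for a, b in zip(s, s[1:]) if a.isalpha() and b.isalpha()]

def train_pairs(names):
    """Count how often each letter pair occurs across the benign corpus."""
    counts = Counter()
    for n in names:
        counts.update(letter_pairs(n))
    return counts

def freq_score(name, counts):
    """Mean probability (x100) of the label's letter pairs under the corpus.
    Random DGA labels use pairs the corpus rarely contains, so they score low."""
    pairs = letter_pairs(name)
    total = sum(counts.values())
    if not pairs or total == 0:
        return 0.0
    return 100.0 * sum(counts[p] / total for p in pairs) / len(pairs)

def flag_random(names, counts, threshold):
    """Return the labels whose score falls below the threshold (tune per corpus)."""
    return [n for n in names if freq_score(n, counts) < threshold]

COUNTS = train_pairs(BENIGN)
```

The threshold of 0.5 used in the check below is only sensible for this tiny corpus; with a real corpus the scores and the cut-off both change.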

 

The following figure shows the relationship between the Security Onion 2 Elastic Stack components.

You might use other tools, besides Security Onion, such as the following:

  • Cisco Secure Network Analytics (formerly Stealthwatch): Displays distinct views of the IP flows traversing network devices that are configured to send NetFlow data to Cisco Secure Network Analytics. Cisco Secure Network Analytics uses NetFlow, IPFIX, and other types of network telemetry data to detect a wide range of threats such as advanced persistent threats (APTs), distributed denial of service (DDoS) attacks, zero-day malware, and insider threats. Cisco Secure Network Analytics applies various behavior-based and policy-based algorithms to alert SOC analysts to suspicious behavior on the network.
  • Cisco Secure Malware Analytics (formerly Threat Grid): A cloud-based malware analysis and threat intelligence sandbox solution. A SOC analyst can submit malware samples for analysis during an investigation. Secure Malware Analytics uses various static and dynamic analysis engines to dissect file behaviors to determine whether a file might be malicious. Cisco Secure Malware Analytics will search and correlate data elements of a single malware sample against millions of samples collected and sourced from around the world, providing a global view of malware attacks and their associations. Cisco Secure Malware Analytics is included as an integrated component of many Cisco Secure products.
  • Cisco SecureX platform: Connects the Cisco integrated security portfolio with the organization’s entire security infrastructure. The result is a consistent experience that unifies visibility and identifies unknown threats. It also enables automated workflows to strengthen security across the network, endpoint, cloud, and applications. Cisco SecureX is an open, cloud-native platform that is included with many Cisco Secure products. It provides a comprehensive user experience, aligns with products from more than 175 security technology providers, and offers more than 300 product-to-product integrations.
  • Penetration testing tools: The purpose of penetration testing is to actually exploit weaknesses. A penetration test simulates the actions of an attacker who aims to breach the information security of the organization. Using many tools and techniques, the penetration tester (ethical hacker) attempts to exploit critical systems and gain access to sensitive data. A vulnerability assessment is the process that looks for known vulnerabilities in the information systems and reports potential exposures. Penetration testing and vulnerability assessment are often incorrectly used interchangeably, which has created confusion for many enterprises.

    Most organizations usually start with a vulnerability assessment, and act on its results to either eliminate those weaknesses or reduce them to an acceptable level of risk, and then perform a penetration test if they are confident in their improved security posture. Kali Linux contains many penetration testing tools from various niches of the security and forensics fields, tools such as Metasploit Framework, Armitage, and Social Engineer Toolkit (SET). The following figure shows an example of using Armitage to exploit the Apache Struts vulnerability to open a reverse connection to the vulnerable Apache server (192.168.1.107).

    In the following figure, the whoami command is issued after the reverse connection is established.

Security Information and Event Management

The primary purpose of a Security Information and Event Management (SIEM) in security operations is to collect and correlate logs to events that indicate malicious or suspicious actions in the network environment.

SIEM systems help SOC analysts by collecting all relevant security data into one place, correlating the data, alerting SOC analysts about anomalies, and enriching the data.

Without SIEM systems, a security operations team would not be able to monitor hundreds, thousands, or millions of assets. A SIEM automates the collection, indexing, and alerting of data that is critical to SOC operations.

Although a SIEM is excellent for ingesting, processing, and storing large volumes of data, it falls short when the data must be interpreted in the context of the network environment. While some response actions can and should be automated, humans still need to interpret, analyse, and decide how a specific set of events impacts the environment.

Splunk Enterprise is a popular commercial SIEM product that offers several features including search, indexing, alerts, pivots, reports, and data modelling.

Splunk Enterprise, with artificial intelligence and machine-learning capabilities, helps SOC analysts uncover actionable insights from all the data, regardless of the format. The Splunk Enterprise environment can be customized to fit the specific needs of the organization by the use of apps.

An app is a collection of configurations, knowledge objects, views, and dashboards that run on the Splunk platform. Certain Cisco products support certain Splunk apps.

 

Adeniyi Salau is a highly dedicated and committed Blogger of repute. He likes sharing his IT knowledge with others. My desire is to impact as many lives as possible with my IT skills. You can download my mobile APP. Download the ICTLOAD APP on Google Playstore. Thanks.
