Traffic Analysis Essentials
Learn Network Security and Traffic Analysis foundations and take a step into probing network anomalies.
Last updated
Network Security is a significant subdomain of cybersecurity operations for protecting data, applications, devices and systems connected to the network. It focuses on system design, operation and management of the architecture/infrastructure to provide network accessibility, integrity, continuity and reliability. Traffic analysis (Network Traffic Analysis) is a subdomain of the Network Security domain with a primary focus on investigating the network data to identify problems and anomalies.
Two core concepts of Network Security are authentication and authorization. A variety of tools, technologies, and approaches exist to implement and measure these two concepts, and to go beyond them to provide continuity and reliability. Network security operations are organised in three base control levels to ensure the maximum available security management.
Base Network Security Control Levels:
The most common elements/approaches used in network security operations:
The key elements of Access Control:
The key elements of Threat Control:
Typical Network Security Management Operation is explained in the given table:
Budget, employee skillset, and organization size can determine how security operations are handled. Managed Security Services (MSS) fulfill the required effort to ensure or enhance security needs. MSS are services outsourced to service providers called Managed Security Service Providers (MSSPs). Most MSS are time- and cost-effective, can be conducted in-house or outsourced, are easy to engage, and ease the management process.
Common elements of MSS:
Which Security Control Level covers creating security policies?
Administrative
Which Access Control element works with data metrics to manage data flow?
Load Balancing
Which technology helps correlate different tool outputs and data sources?
SOAR
Traffic Analysis is a method of intercepting, recording/monitoring, and analyzing network data and communication patterns to detect and respond to system health issues, network anomalies, and threats.
Operational issues cover system availability checks and measuring performance, while security issues cover anomaly and suspicious activity detection on the network.
Traffic analysis is one of the essential approaches used in network security, and it is part of multiple disciplines of network security operations listed below:
Network Sniffing and Packet Analysis (Covered in Wireshark room)
Network Monitoring (Covered in Zeek room)
Intrusion Detection and Prevention (Covered in Snort room)
Network Forensics (Covered in NetworkMiner room)
Threat Hunting (Covered in Brim room)
There are two main techniques used in Traffic Analysis:
Benefits of Traffic Analysis:
Provides full network visibility.
Helps with comprehensive baselining for asset tracking.
Helps to detect/respond to anomalies and threats.
The widespread use of security tools/services and an increasing shift to cloud computing force attackers to modify tactics and techniques to avoid detection. Even when network data is encoded/encrypted, it still provides value: the traffic metadata and communication patterns can point to an odd, weird or unexpected pattern/situation. Traffic analysis is therefore still a must-have skill to detect and respond to advanced threats.
Base Network Security Control Levels:

| Control Level | Description |
|---|---|
| Physical | Physical security controls prevent unauthorized access to networking devices, cable boards, locks, and all linked components. |
| Technical | Data security controls prevent unauthorized access to network data, like installing tunnels and implementing security layers. |
| Administrative | Administrative security controls provide consistency in security operations like creating policies, access levels and authentication processes. |

The most common elements/approaches used in network security operations:

| Access Control | Threat Control |
|---|---|
| The starting point of Network Security. It is a set of controls to ensure authentication and authorization. | Detecting and preventing anomalous/malicious activities on the network. It contains both internal (trusted) and external traffic data probes. |

The key elements of Access Control:

| Key Element | Description |
|---|---|
| Firewall Protection | Controls incoming and outgoing network traffic with predetermined security rules. Designed to block suspicious/malicious traffic and application-layer threats while allowing legitimate and expected traffic. |
| Network Access Control (NAC) | Controls the devices' suitability before access to the network. Designed to verify device specifications and conditions are compliant with the predetermined profile before connecting to the network. |
| Identity and Access Management (IAM) | Controls and manages the asset identities and user access to data systems and resources over the network. |
| Load Balancing | Controls the resource usage to distribute (based on metrics) tasks over a set of resources and improve overall data processing flow. |
| Network Segmentation | Creates and controls network ranges and segmentation to isolate the users' access levels, group assets with common functionalities, and improve the protection of sensitive/internal devices/data in a safer network. |
| Virtual Private Networks (VPN) | Creates and controls encrypted communication between devices (typically for secure remote access) over the network (including communications over the internet). |
| Zero Trust Model | Suggests configuring and implementing the access and permissions at a minimum level (providing access required to fulfil the assigned role). The mindset is focused on: "Never trust, always verify". |

The key elements of Threat Control:

| Key Element | Description |
|---|---|
| Intrusion Detection and Prevention (IDS/IPS) | Inspects the traffic and creates alerts (IDS) or resets the connection (IPS) when detecting an anomaly/threat. |
| Data Loss Prevention (DLP) | Inspects the traffic (performs content inspection and contextual analysis of the data on the wire) and blocks the extraction of sensitive data. |
| Endpoint Protection | Protecting all kinds of endpoints and appliances that connect to the network by using a multi-layered approach like encryption, antivirus, antimalware, DLP, and IDS/IPS. |
| Cloud Security | Protecting cloud/online-based systems resources from threats and data leakage by applying suitable countermeasures like VPN and data encryption. |
| Security Information and Event Management (SIEM) | Technology that helps threat detection, compliance, and security incident management, through available data (logs and traffic statistics) by using event and context analysis to identify anomalies, threats, and vulnerabilities. |
| Security Orchestration Automation and Response (SOAR) | Technology that helps coordinate and automates tasks between various people, tools, and data within a single platform to identify anomalies, threats, and vulnerabilities. It also supports vulnerability management, incident response, and security operations. |
| Network Traffic Analysis & Network Detection and Response | Inspecting network traffic or traffic capture to identify anomalies and threats. |

Typical Network Security Management Operation:

| Deployment | Configuration | Management | Monitoring | Maintenance |
|---|---|---|---|---|
| Device and software installation | Feature configuration | Security policy implementation | System monitoring | Upgrades |
| Initial configuration | Initial network access configuration | NAT and VPN implementation | User activity monitoring | Security updates |
| Automation | | Threat mitigation | Threat monitoring | Rule adjustments |
| | | | Log and traffic sample capturing | Licence management |
| | | | | Configuration updates |

Common elements of MSS:

| Element | Description |
|---|---|
| Network Penetration Testing | Assessing network security by simulating external/internal attacker techniques to breach the network. |
| Vulnerability Assessment | Assessing network security by discovering and analyzing vulnerabilities in the environment. |
| Incident Response | An organized approach to addressing and managing a security breach. It contains a set of actions to identify, contain, and eliminate incidents. |
| Behavioral Analysis | An organized approach to addressing system and user behaviors, creating baselines and traffic profiles for specific patterns to detect anomalies, threats, vulnerabilities, and attacks. |

The two main techniques used in Traffic Analysis:

| Flow Analysis | Packet Analysis |
|---|---|
| Collecting data/evidence from the networking devices. This type of analysis aims to provide statistical results through the data summary without applying in-depth packet-level investigation. | Collecting all available network data. Applying in-depth packet-level investigation (often called Deep Packet Inspection (DPI)) to detect and block anomalous and malicious packets. |
| Advantage: Easy to collect and analyze. | Advantage: Provides full packet details to get the root cause of a case. |
| Challenge: Doesn't provide full packet details to get the root cause of a case. | Challenge: Requires time and skillset to analyze. |
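As an added example (not code from the TryHackMe room), the contrast between the two techniques in Python: flow analysis aggregates a constructed capture by 5-tuple and compares per-host outbound volume against a constructed baseline, while packet analysis inspects payloads for cleartext credentials (a DLP-style content check). The hosts, addresses, baseline numbers, and the detection thresholds are all assumptions.

```python
# Added example: flow analysis versus packet analysis on a constructed capture.
from collections import defaultdict

# Constructed sample capture: (time_s, src, dst, dport, proto, size_bytes, payload)
PACKETS = [
    (0.0, "10.0.0.5", "93.184.216.34", 443, "tcp", 1200, b""),
    (0.4, "10.0.0.5", "93.184.216.34", 443, "tcp", 900, b""),
    (1.1, "10.0.0.7", "10.0.0.1", 53, "udp", 80, b""),
    (2.0, "10.0.0.9", "203.0.113.8", 80, "tcp", 420,
     b"POST /login HTTP/1.1\r\nHost: intranet\r\n\r\nuser=bob&password=hunter2"),
    (2.3, "10.0.0.9", "203.0.113.8", 80, "tcp", 300, b"GET / HTTP/1.1\r\n"),
    (3.0, "10.0.0.9", "198.51.100.20", 4444, "tcp", 60000, b""),  # large outbound burst
    (3.5, "10.0.0.9", "198.51.100.20", 4444, "tcp", 60000, b""),
]

# Constructed per-host baseline: "normal" outbound bytes within one capture window.
BASELINE_BYTES = {"10.0.0.5": 4000, "10.0.0.7": 500, "10.0.0.9": 5000}


def summarise_flows(packets):
    """Flow analysis: aggregate packets by (src, dst, dport, proto); payloads are ignored."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0, "first": None, "last": None})
    for t, src, dst, dport, proto, size, _payload in packets:
        f = flows[(src, dst, dport, proto)]
        f["packets"] += 1
        f["bytes"] += size
        f["first"] = t if f["first"] is None else min(f["first"], t)
        f["last"] = t if f["last"] is None else max(f["last"], t)
    return dict(flows)


def flow_anomalies(flows, baseline, factor=3.0):
    """Flag source hosts whose outbound volume exceeds factor x their baseline."""
    per_host = defaultdict(int)
    for (src, _dst, _dport, _proto), f in flows.items():
        per_host[src] += f["bytes"]
    return sorted(h for h, b in per_host.items() if b > factor * baseline.get(h, 0))


def packet_findings(packets):
    """Packet analysis: content inspection of each payload for cleartext credentials."""
    findings = []
    for i, (_t, src, dst, dport, _proto, _size, payload) in enumerate(packets):
        if b"password=" in payload or b"Authorization: Basic" in payload:
            findings.append((i, src, dst, dport, "cleartext credential in payload"))
    return findings


if __name__ == "__main__":
    flows = summarise_flows(PACKETS)
    print("volume anomalies:", flow_anomalies(flows, BASELINE_BYTES))
    print("payload findings:", packet_findings(PACKETS))
```

Note that the flow summary alone spots the 10.0.0.9 volume spike but cannot see the credential leak in packet 3; only the payload inspection gives that root cause, which is the trade-off the table above describes.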