FUNDAMENTALS OF COMPUTER SECURITY

PART 1:

1: Network Traffic Analysis Fundamentals

A) Explain the basic components of network traffic, including protocols, ports, and packet
headers.
Network traffic refers to the data that is transmitted over a computer network. It consists of
various components that facilitate the communication and transfer of data between different
devices or systems. Here are the key components and what they do:
1. Protocols: Protocols are sets of rules and conventions that govern how data is transmitted
and interpreted over a network. They define the formats, addressing methods, and
procedures for establishing and maintaining communication.
2. Ports: Ports are logical channels/endpoints that are used to identify specific services or
applications running on a device.
3. Packet headers: Packets are small manageable units of data that are easy to transmit over a
network. Each packet contains a header and a payload, the packet header carries important
information about the data.
B) Discuss the different types of network traffic (e.g., web browsing, file transfer, email).
Network traffic can be categorized based on the applications or services involved.
Categorization by application/service type is a common way to analyze network traffic and
understand the different types of data flowing through a network.
1. Web browsing traffic: This includes traditional web pages, images, scripts, stylesheets and
all other resources that make up modern dynamic websites. Web traffic patterns can reveal
insights about user behavior, bandwidth usage and potential security issues.
2. File Transfer Traffic: This traffic involves the transmission of files between devices. Common
protocols for file transfer include FTP, SFTP and SSH.They utilize specific ports for identity and
control of file transfer on the network.
3. Email Traffic: This encompasses the exchange of electronic messages between mail servers
and mail clients. Common protocols that facilitate sending, receiving and managing email
messages include SMTP, POP3 and IMAP.

C) Analyze the role of network traffic analysis in network security.

Network traffic analysis is important in network security for several reasons such as:
1. Threat detection: Analyzing network traffic patterns, anomalies, and deviations from
normal behavior, security analysts can identify potential security threats and intrusions.
Unusual traffic patterns, unauthorized access attempts, or suspicious communication can be
detected and investigated promptly.
2. Intrusion Detection and Prevention: Network traffic analysis helps in detecting and
preventing unauthorized access attempts and intrusions. By monitoring network traffic,
security systems can identify known attack signatures or behavior patterns associated with
malicious activities, allowing for timely response and mitigation.

1
 3. Incident Response: Analyzing network traffic after an incident can provide critical insights
into the nature of the incident, including the attack vector, compromised systems, and data
exfiltration. This information is valuable for incident response teams to contain the incident,
investigate the root cause, and implement appropriate remediation measures.
4. Policy Compliance: Network traffic analysis helps ensure compliance with organizational
policies on network usage by monitoring and enforcing network security controls, identifying
policy violations, and tracking potential data breaches.

2: Normal vs. Malicious Traffic Patterns

A) Identify and explain five key differences between network traffic patterns associated with
normal activity and potential intrusions.
1. Source and destination addresses:

• Normal activity: Network traffic typically originates from and is destined for known and
trusted IP addresses within the organization or legitimate external sources.
• Potential intrusions: Malicious traffic may originate from or be destined for suspicious
or unexpected IP addresses, potentially indicating unauthorized access attempts or
command-and-control communication with malware.

2. Port usage:

• Normal activity: Network traffic typically uses well-known and commonly used ports
associated with standard applications and services (e.g., HTTP, HTTPS, FTP, email).
• Potential intrusions: Malicious traffic may involve the use of uncommon or unusual port
numbers, potentially indicating attempts to bypass security controls or exploit
vulnerabilities in lesser-known services.

3. Traffic volume and patterns:

• Normal activity: Network traffic volumes and patterns are generally consistent with
typical usage patterns and business operations.
• Potential intrusions: Sudden and significant increases in traffic volume, especially during
off-hours or from unexpected sources, may indicate automated scanning, brute-force
attacks, or data exfiltration attempts.

4. Protocol behavior:

• Normal activity: Network traffic adheres to the expected behavior and specifications of
the protocols used, such as proper handshaking, packet sequencing, and error handling.

2
 • Potential intrusions: Malicious traffic may exhibit anomalous protocol behavior, such as
incorrect packet ordering, invalid flags, or protocol violations, which could indicate
attempts to exploit vulnerabilities or evade detection.

5. Encryption and obfuscation:

• Normal activity: Encrypted traffic is typically associated with legitimate applications and
services that employ encryption for security purposes (e.g., HTTPS, VPNs).
• Potential intrusions: Malicious traffic may involve the use of non-standard encryption
methods, potentially indicating attempts to conceal malicious payloads or evade
detection by security controls.
B) Consider factors like source and destination addresses, protocols used, packet size, and
frequency.
1. Source and Destination Addresses: In normal traffic patterns, communication between devices
occurs within established connections, and the source and destination addresses are typically
legitimate and expected. In potential intrusions, malicious traffic may originate from
geographically distant, suspicious or unauthorized IP addresses, or there may be unexpected
traffic directed towards vulnerable or critical systems.
2. Protocols Used: Normal traffic patterns often involve commonly used protocols for legitimate
purposes, such as HTTP for web browsing or SMTP for email communication. Potential intrusions
may involve the use of uncommon protocols using non-standard ports that are not typical for the
network environment, indicating attempts to exploit vulnerabilities or conduct unauthorized
activities.
3. Packet Size: In normal traffic, packet sizes tend to vary depending on the type of communication
and the data being transmitted. However, potential intrusions may exhibit abnormal packet
sizes, such as unusually large packets indicating potential data exfiltration or reconnaissance
otherwise very small packets possibly indicating attempts to evade detection or exploit specific
vulnerabilities
4. Frequency: Normal traffic patterns generally exhibit consistent and predictable patterns of
communication between devices. On the other hand, potential intrusions may generate traffic
with unusual frequency, such as a high volume of connection requests or data transfers, or bursts
of traffic that deviate significantly from the normal hours of activity. Rapid and repeated failed
login attempts can also indicate potential intrusion attempts.
5. Anomalous Behavior: Normal traffic patterns follow expected behavior and conform to
established network protocols and standards. Potential intrusions may involve traffic that
exhibits anomalous behavior, such as unexpected or unauthorized access attempts, unusual port
scanning activities, excessive use of network resources, or communication with known malicious
IP addresses or domains.

C) Provide examples of specific traffic patterns that might indicate suspicious activity.

3
 1. Reconnaissance Activities: Unusual traffic patterns involving activities such as DNS queries for
non-existent domains, network mapping, or vulnerability scanning can indicate reconnaissance
efforts by an attacker gathering information about the network or systems.
2. Data Exfiltration: Large volumes of outbound traffic, particularly during unusual hours or from
unexpected sources, can indicate data exfiltration attempts, where sensitive information is being
extracted from the network or system.
3. Lateral Movement: Unusual traffic patterns between internal systems or networks that are not
typically communicating with each other can indicate lateral movement, where an attacker is
attempting to move within the network after gaining initial access.
4. Distributed Denial of Service (DDoS) Attacks: A sudden and significant increase in traffic volume
from multiple sources targeting a specific system or service can indicate a distributed denial-of-
service (DDoS) attack, where an attacker is attempting to overwhelm and disrupt the targeted
resource.
5. Brute-Force Attacks: Repeated failed login attempts from a single source IP address targeting a
specific service or system can indicate a brute-force attack, where an attacker is attempting to
guess valid credentials through an automated process.

3: Network Traffic Capture and Analysis Tools

A) Discuss two common network traffic capture tools used for network security analysis.
1. Wireshark: Wireshark is a widely used open-source network protocol analyzer. It allows
capturing and dissecting network packets in real-time. Wireshark supports a variety of protocols
and provides detailed information about each packet, including headers, payloads, and
metadata. It offers a rich set of features for filtering, searching, and analyzing captured traffic.
Wireshark is available for multiple platforms, including Windows, macOS, and Linux.
2. tcpdump: tcpdump is a command-line packet capture tool available on Unix-like systems,
including Linux and macOS. It captures network traffic at the packet level and provides a textual
representation of the captured packets. tcpdump offers extensive filtering capabilities to capture
specific types of traffic based on various criteria such as source/destination IP addresses, ports,
protocols, or packet content. It is often used in conjunction with other command-line tools for
further analysis.

B) Explain the functionalities of these tools (e.g., capturing packets, filtering traffic,
analyzing logs).
1. Capturing Packets: Both Wireshark and tcpdump allow users to capture network packets from a
specific network interface. They can record packets in real-time or save them to a file for offline
analysis. This capability enables security analysts to collect network traffic data for further
analysis and investigation.
2. Filtering Traffic: Wireshark and tcpdump provide powerful filtering capabilities to focus on
specific traffic of interest. Users can apply filters based on various criteria, such as IP addresses,
ports, protocols, packet contents, or time ranges. Filtering helps in reducing the amount of
captured data and allows analysts to concentrate on specific network events or types of traffic
relevant to their analysis.

4
 3. Analyzing Logs: Both tools provide detailed packet-level information, allowing analysts to dissect
and analyze network traffic. They display packet headers, payloads, and metadata, enabling the
examination of individual packets for troubleshooting, identifying anomalies, or understanding
network behavior. Analysts can inspect protocols, detect abnormalities, and identify potential
security threats or vulnerabilities.

C) Briefly mention the concept of network traffic visualization tools and their benefits.
These tools present captured network traffic data in a graphical or visual format, making it
easier to understand and interpret complex network patterns. These tools typically utilize
charts, graphs, maps, or diagrams to represent network traffic flows, connections, and other
relevant information. Benefits of network traffic visualization tools include:
1. Simplified Analysis: Visualization tools provide a visual representation of network traffic,
simplifying the understanding of complex network behaviors. They can highlight patterns,
trends, and anomalies that may not be immediately apparent in raw packet data.
2. Real-Time Monitoring: Visualization tools can display network traffic in real-time, allowing
security analysts to monitor ongoing network activities and quickly identify any unexpected or
suspicious behavior. Real-time visualization provides immediate feedback and enhances
situational awareness.
3. Traffic Flow Analysis: By visualizing network traffic flows, these tools can help identify
bottlenecks, congestion points, or inefficient network paths. This information is valuable for
optimizing network performance, detecting abnormalities, and identifying potential security
risks.
4. Historical Analysis: Visualization tools often provide the ability to analyze historical network
traffic data. By visualizing trends and patterns over time, analysts can gain insights into long-
term network behavior, identify recurring security incidents, or detect changes in traffic patterns
that may indicate evolving threats.

PART 2:

5
1: Intrusion Detection Strategy

Traffic Capture and Filtering

For a small business with a limited IT budget, the most cost-effective approach to traffic capture and
filtering would be to deploy a network tap or mirror port on the gateway router or firewall. This
approach allows us to capture and analyze all network traffic entering and leaving the network
without introducing a dedicated appliance or sensor, which can be costly.

Network taps are hardware devices that provide a copy of the network traffic to a monitoring
system without affecting the original traffic flow. Mirror ports, also known as SPAN (Switched Port
Analyzer) ports, are software-based features available on most modern network switches and
routers that allow you to mirror or copy traffic from one or more ports to another port for
monitoring purposes.

Once the network traffic is captured, we can use open-source tools like Wireshark or tcpdump to
filter and analyze the traffic based on specific criteria, such as IP addresses, ports, protocols, or
payload patterns. These tools allow us to filter out irrelevant traffic and focus on the data that is
relevant for intrusion detection.

Signature-based Detection

Signature-based detection involves using predefined patterns or signatures to identify known

malicious traffic. These signatures are typically derived from previously identified attacks, exploits,
or malware.

For a small business with limited resources, we can leverage open-source intrusion detection
systems (IDS) like Snort or Suricata. These tools come with a vast collection of pre-defined
signatures maintained by their respective communities, covering a wide range of threats and attack
vectors.

While maintaining and updating the signature database can be a challenge, both Snort and Suricata
offer automatic updates and integration with third-party threat intelligence feeds, which can help
keep the signature database up-to-date with minimal manual intervention.

Anomaly Detection

Anomaly detection focuses on identifying deviations from the established baseline of normal
network activity. This approach is particularly useful for detecting zero-day attacks or previously
unknown threats that may not have predefined signatures.

For a small business environment, we can leverage network behavior analysis tools like Zeek
(formerly known as Bro) or Security Onion. These tools can establish a baseline of normal network
activity by analyzing various traffic patterns, such as protocol distributions, byte counts, connection
rates, and other statistical metrics.

6
 Once the baseline is established, these tools can detect anomalies by comparing real-time traffic
patterns against the baseline. Any significant deviations from the baseline can be flagged as
potential threats, prompting further investigation.

Alerting and Response

Upon identifying suspicious traffic patterns or potential threats, it is crucial to have a well-defined
alerting and response plan in place.

For alerting, we can leverage the built-in alerting capabilities of the intrusion detection tools
mentioned above. These tools typically support various alerting mechanisms, such as email
notifications, syslog integration, or integration with security information and event management
(SIEM) solutions.

In the case of a small business with limited resources, email notifications or syslog integration might
be the most practical options. We can configure the intrusion detection tools to send alerts to a
designated email address or centralized log management system for further analysis and triage.

Regarding initial response actions, it is essential to have a documented incident response plan that
outlines the steps to be taken upon receiving an alert. This plan should include:

1. Triage and Verification: Quickly assess the alert to determine its severity and validity,
eliminating false positives.
2. Containment: If the threat is confirmed, take immediate steps to contain the threat, such as
isolating affected systems or blocking malicious IP addresses or domains.
3. Investigation: Conduct a thorough investigation to understand the scope and impact of the
incident, as well as identify the root cause.
4. Remediation: Based on the investigation findings, implement appropriate remediation
measures, such as patching vulnerable systems, resetting compromised credentials, or
deploying additional security controls.
5. Documentation and Reporting: Thoroughly document the incident, including the actions
taken, lessons learned, and recommendations for future prevention.

7
Report on Intrusion Detection Strategy for Small Businesses

8
Introduction
Importance of Intrusion Detection for Small Businesses
Small businesses are often the targets for cyber-attacks, as they usually have limited resources or may
not have the same level of security measures in place as larger enterprises. Effective intrusion detection
systems are crucial for small businesses to protect their networks, data, and critical infrastructure from
various threats.

Implementing a comprehensive intrusion detection strategy, tailored to the specific needs and
constraints of a small business, can significantly enhance its overall security posture and its resilience
against a wide range of cyber threats.

Objective
The objectives of this report aim to help an existing small business with a comprehensive roadmap for
enhancing their overall cybersecurity posture by deploying tailored detection and response strategy.

Network Traffic Analysis

Network traffic analysis for small businesses will involve monitoring, capturing and examining the data
flowing through the businesses network. The areas concentrated on include:

• Identifying normal network activity patterns

• Detecting suspicious network activities
• Optimizing network performance and resource utilization
• Ensuring compliance with relevant regulations and standards

Establishing a baseline of normal network traffic is to be done to create a reference point for identifying
deviations and anomalies that may indicate security breaches or malicious activities.

By understanding what constitutes "normal" for the business network, then one can effectively
distinguish between legitimate and suspicious traffic patterns, allowing them to focus their efforts on
potential threats and anomalies.

Suspicious network behavior should be picked up as it is essential for or identifying potential security
threats, such as unauthorized access attempts, malware infections, data breaches, or insider threats.

By proactively monitoring network activity and implementing appropriate measures, small businesses
can enhance their security posture and minimize the risk of costly security incidents.

Optimizing the network performance for small businesses shall extend benefits such as enhanced
productivity, improved user experience and associated cost savings.

9
Key aspects of the network traffic analysis include:

Data capture: Collecting network traffic data using tools such as network taps, port mirroring, or
packet capture software.

Traffic classification: Identifying the types of network protocols, applications, and services being
used.

Pattern recognition: Detecting and analyzing recurring trends, anomalies, and deviations in
network traffic.

Threat detection: Identifying and investigating potential security incidents, such as

unauthorized access attempts, malware infections, or data exfiltration.

Performance optimization: Analyzing network traffic to identify and address performance

bottlenecks, bandwidth utilization, and resource consumption issues.

Normal and Malicious Traffic

Identification of normal and malicious traffic for small businesses can enhance their network security
posture and protect their valuable assets.

Key differences between normal and malicious network traffic include:

Source and Destination Addresses:

a. Legitimate vs. Suspicious or Known Malicious IP Addresses: Normal network traffic typically
originates from and connects to legitimate IP addresses associated with trusted entities. Malicious
traffic, on the other hand, may involve connections with suspicious or known malicious IP addresses,
which may be associated with botnets, command-and-control servers, or malicious actors.

b. Geolocation and Reputation of IP Addresses: Geolocation and reputation play a significant role in
distinguishing between normal and malicious traffic. Legitimate network traffic often involves
connections with IP addresses associated with reputable organizations and known geographic locations.
Conversely, malicious traffic may originate from IP addresses with a poor reputation or geolocation
mismatches, indicating potential malicious intent.

Protocols Used:
a. Common Business-Related Protocols vs. Unusual or Unauthorized Protocols: Normal network traffic
predominantly utilizes common, business-related protocols such as HTTP, HTTPS, DNS, or SMTP.
Malicious traffic, however, may employ unusual or unauthorized protocols that are not typically
associated with legitimate business operations. Examples include protocols commonly used by malware
or hacking tools such as FTP, Telnet, or SSH.

b. Protocols Associated with Known Malware or Hacking Tools: Certain protocols are frequently
exploited by malicious actors. Identifying the use of protocols associated with known malware or
hacking tools, such as RDP (Remote Desktop Protocol) or SMB (Server Message Block), can indicate
potential malicious activity within the network.

10
Packet Size:
a. Typical Packet Sizes for Legitimate Applications: Normal network traffic generally exhibits packet
sizes that align with the requirements of legitimate applications and protocols. Understanding the
expected packet sizes for commonly used applications within the organization helps establish a baseline
for normal traffic patterns.

b. Abnormally Small or Large Packet Sizes as Indicators of Malicious Activity: Malicious network traffic
may deviate from the expected packet sizes, exhibiting abnormally small or large packet sizes. Unusually
small packets may suggest attempts to evade detection or exploit vulnerabilities, while oversized
packets can indicate potential data exfiltration or network scanning activities.

Frequency and Timing of Connections:

a. Consistent, Predictable Traffic Patterns vs. Sudden Spikes or Irregular Activity: Normal network
traffic often follows consistent and predictable patterns. It exhibits regular intervals of connection and
data transfer based on the organization's operational requirements. Malicious traffic, however, may
display sudden spikes in connection attempts or irregular activity that deviates from established
patterns, indicating potential scanning, brute-force attacks, or botnet activity.

b. Unusual or Out-of-Hours Network Activity: Network traffic occurring outside normal business hours
or outside the expected operational windows may warrant further investigation. Such activity may
signify unauthorized access attempts, data exfiltration, or other malicious actions that take advantage of
reduced monitoring or security controls during non-business hours.

Network Traffic Capture & Analysis

Network traffic capture involves collecting data for analysis without interrupting the flow of information.
To effectively capture and filter network traffic for a small business, a network tap or mirror port on the
gateway router or firewall. This approach allows us to capture and analyze all network traffic entering
and leaving the network without introducing a dedicated appliance or sensor, which can be costly.

Proper placement of passive network taps is crucial to capture relevant data. They should be
strategically positioned at key points in the network infrastructure to ensure comprehensive visibility
into the traffic. Placement considerations include identifying critical network segments, such as
ingress/egress points or key network switches, where capturing traffic can provide valuable insights.

Network taps will provide a copy of the network traffic to a monitoring system without affecting the
original traffic flow. Mirror ports, are software-based features available on most modern network
switches and routers that can be leveraged to allow for mirroring or copying the traffic from one or
more ports to another port for monitoring purposes.

Once the network traffic is captured, the small business can use open-source tools like Wireshark or
tcpdump to filter and analyze the traffic based on specific criteria, such as IP addresses, ports, protocols,
or payload patterns. These tools allow one to filter out irrelevant traffic and focus on the data that is
relevant for intrusion detection.

11
High Level Overview

• Network traffic capture involves collecting data for analysis without interrupting the flow of
information.
• Passive network taps allow non-intrusive data collection by monitoring traffic as it passes
through the network.
• Proper placement of passive network taps is important for capturing relevant data and should
focus on critical network segments.
• SPAN ports on switches enable the mirroring of network traffic to a monitoring port without
disrupting the network flow.
• SPAN ports offer convenience but have limitations, such as potential oversubscription and
restricted port availability.
• Appropriate capture points should be selected to monitor critical network segments where most
traffic flows.
• Balancing cost and coverage is crucial when determining the placement of capture points in the
network.
• Consider consulting network documentation, industry best practices, and engaging with
network security professionals for detailed guidance.

Signature Based Detection

For small businesses, open-source intrusion detection systems (IDS) like Snort and Suricata offer cost-
effective solutions for signature-based detection. These tools come with a vast collection of pre-defined
signatures maintained by their respective communities, covering a wide range of threats and attack
vectors.

Snort
Snort is a widely adopted open-source network intrusion detection and prevention system (IDS/IPS). It is
capable of performing real-time traffic analysis, packet logging, and content matching using predefined
rules. Snort's rule-based detection engine allows for the identification of various types of attacks,
including buffer overflows, stealth port scans, CGI attacks, and more.

Suricata
Suricata is another popular open-source IDS/IPS that offers advanced intrusion detection and prevention
capabilities. It is known for its multi-threaded architecture, enabling high-performance network traffic
inspection and signature matching.

Anomaly Detection
Anomaly detection focuses on identifying deviations from the established baseline of normal network
activity. This approach is particularly useful for detecting zero-day attacks, advanced persistent threats
(APTs), or previously unknown threats that may not have predefined signatures. By establishing a
comprehensive understanding of normal network behavior, anomaly detection systems can identify
anomalous patterns that deviate from the expected norm, indicating potential security incidents or
compromises.

12
Anomaly Detection Best Practices

To effectively implement anomaly detection in a small business environment, it is essential to follow

best practices and continuously refine the process:

1. Establish a Solid Baseline: Ensure that the baseline of normal network activity is accurately
established by monitoring traffic patterns over an extended period and accounting for regular
business operations and usage patterns.
2. Customize and Tune Detection Rules: Leverage the scripting capabilities of tools like Zeek to
customize and fine-tune anomaly detection rules based on your organization's specific network
environment and security requirements.
3. Integrate with Threat Intelligence: Incorporate threat intelligence feeds and indicators of
compromise (IoCs) into your anomaly detection system to enhance its ability to identify
potential threats and correlate events.
4. Continuously Monitor and Refine: Continuously monitor the performance and effectiveness of
your anomaly detection system, and refine it as needed based on feedback, false positives, and
new threat patterns.
5. Implement Robust Alerting and Response: Establish a well-defined alerting and response plan
to promptly investigate and address detected anomalies, minimizing the potential impact of
security incidents.
6. Train and Educate Personnel: Ensure that your IT and security personnel are properly trained in
using and interpreting the outputs of your anomaly detection system, enabling effective
incident response and threat mitigation.

Conclusion
While implementing a comprehensive intrusion detection strategy can be challenging for a small
business with limited resources, the approach outlined above leverages open-source tools and cost-
effective techniques to provide a basic level of network traffic monitoring and intrusion detection. By
combining traffic capture and filtering, signature-based detection, anomaly detection, and a well-
defined alerting and response plan, a small business can enhance its overall security posture and better
protect its network and systems from potential threats.

13