Traffic Analysis Essentials — SOC Level 1: Network Security and Traffic Analysis — TryHackMe Walkthrough & Insights
Learn Network Security and Traffic Analysis foundations and take a step into probing network anomalies.
Room URL: https://tryhackme.com/r/room/trafficanalysisessentials
Task 1 Introduction
Network Security is a set of operations for protecting data, applications, devices and systems connected to the network. It is accepted as one of the significant subdomains of cyber security. It focuses on the system design, operation and management of the architecture/infrastructure to provide network accessibility, integrity, continuity and reliability. Traffic analysis (often called Network Traffic Analysis) is a subdomain of the Network Security domain, and its primary focus is investigating the network data to identify problems and anomalies.
This room will cover the foundations of Network Security and Traffic analysis and introduce the essential concepts of these disciplines to help you step into Traffic/Packet Analysis. We suggest completing the “Network Fundamentals” module before starting working in this room.
Answer the questions below
Read the task above.
Task 2 Network Security and Network Data
Network Security
The essential concern of Network Security focuses on two core concepts: authentication and authorisation. There are a variety of tools, technologies, and approaches to ensure and measure implementations of these two key concepts and go beyond to provide continuity and reliability. Network security operations contain three base control levels to ensure the maximum available security management.
Base Network Security Control Levels:
There are two main approaches and multiple elements under these control levels. The most common elements used in network security operations are explained below.
The main approaches:
The key elements of Access Control:
Typical Network Security Management Operation is explained in the given table:
Managed Security Services
Not every organisation has enough resources to create dedicated groups for specific security domains. There are plenty of reasons for this: budget, employee skillset, and organisation size could determine how security operations are handled. At this point, Managed Security Services (MSS) come up to fulfil the required effort to ensure/enhance security needs. MSS are services that have been outsourced to service providers. These service providers are called Managed Security Service Providers (MSSPs). Today, most MSS are time and cost effective, can be conducted in-house or outsourced, are easy to engage, and ease the management process. There are various elements of MSS, and the most common ones are explained below.
Answer the questions below
2.1 Which Security Control Level covers creating security policies?
Administrative controls are rules and procedures that help keep the network safe. Think of them like written instructions or guidelines for how people should behave and how systems should be managed.
Think of Administrative controls like the rules and guidelines in an organization. Just like a school has rules about behavior and attendance, Administrative security controls create the policies that everyone in an organization must follow. For example, these policies might include:
- How strong your password needs to be
- Who can access which parts of the network
- What security procedures to follow
It’s called “Administrative” because it involves managing and creating these rules, rather than physical security (like locks) or technical security (like firewalls).
Answer: Administrative
2.2 Which Access Control element works with data metrics to manage data flow?
Answer: Load Balancing
Load Balancing is like a traffic controller for data. Imagine you’re at a grocery store with multiple checkout lines. When one line gets too long, a store manager might direct people to other lines to make things move faster. Load Balancing does the same thing with network traffic:
- It watches how busy different servers or resources are
- It measures (using metrics) how much work each part of the system is doing
- It then distributes the work evenly to prevent any one part from becoming overwhelmed
This helps everything run smoothly and efficiently.
2.3 Which technology helps correlate different tool outputs and data sources?
SOAR (Security Orchestration Automation and Response) is like a super-smart coordinator. Imagine you’re cooking a complex meal and need to coordinate between:
- Following multiple recipes
- Using different kitchen tools
- Getting help from other people
SOAR does something similar but for security:
- It takes information from different security tools
- Coordinates between different teams and systems
- Automates repetitive tasks
- Helps respond to security problems faster
It’s like having an assistant that helps all your security tools and teams work together better.
Answer: SOAR
Task 3 Traffic Analysis
Traffic Analysis / Network Traffic Analysis
Traffic Analysis is a method of intercepting, recording/monitoring, and analysing network data and communication patterns to detect and respond to system health issues, network anomalies, and threats. The network is a rich data source, so traffic analysis is useful for security and operational matters. The operational issues cover system availability checks and measuring performance, and the security issues cover anomaly and suspicious activity detection on the network.
Traffic analysis is one of the essential approaches used in network security, and it is part of multiple disciplines of network security operations listed below:
- Network Sniffing and Packet Analysis (Covered in Wireshark room)
- Network Monitoring (Covered in Zeek room)
- Intrusion Detection and Prevention (Covered in Snort room)
- Network Forensics (Covered in NetworkMiner room)
- Threat Hunting (Covered in Brim room)
There are two main techniques used in Traffic Analysis:
- Flow Analysis
- Packet Analysis
Flow Analysis
Collecting data/evidence from the networking devices. This type of analysis aims to provide statistical results through the data summary without applying in-depth packet-level investigation.
- Advantage: Easy to collect and analyse.
- Challenge: Doesn’t provide full packet details to get the root cause of a case.
Packet Analysis
Collecting all available network data. Applying in-depth packet-level investigation (often called Deep Packet Inspection (DPI)) to detect and block anomalous and malicious packets.
- Advantage: Provides full packet details to get the root cause of a case.
- Challenge: Requires time and skillset to analyse.
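To make the difference between the two techniques concrete, here is an added example (my own code, not part of the room or its tooling). It works over a handful of constructed packet records: `flow_summary` does flow analysis, collapsing packets into per-5-tuple counters without ever reading a payload, while `packet_inspect` does packet analysis, checking that what travels on a service port actually looks like that service's protocol (TLS record headers on 443, an HTTP method on 80). The expected-prefix table is an assumption for this demo, not a complete protocol check.

```python
from collections import defaultdict

# Constructed sample packets (not captured from any real network). Each record
# carries the 5-tuple, the frame size in bytes and the first payload bytes.
PACKETS = [
    {"src": "10.10.1.5", "dst": "10.10.1.20", "proto": "TCP", "sport": 51000, "dport": 443,
     "size": 120, "payload": b"\x16\x03\x01\x00\xc8"},          # TLS ClientHello record header
    {"src": "10.10.1.5", "dst": "10.10.1.20", "proto": "TCP", "sport": 51000, "dport": 443,
     "size": 1400, "payload": b"\x17\x03\x03\x05\x6e"},         # TLS application data
    {"src": "10.10.1.7", "dst": "10.10.1.20", "proto": "TCP", "sport": 52000, "dport": 80,
     "size": 300, "payload": b"GET /index.html HTTP/1.1"},
    {"src": "10.10.1.9", "dst": "10.10.1.30", "proto": "TCP", "sport": 53000, "dport": 443,
     "size": 90, "payload": b"hello from client\r\n"},         # plaintext on the TLS port
    {"src": "10.10.1.9", "dst": "10.10.1.30", "proto": "TCP", "sport": 53000, "dport": 443,
     "size": 90, "payload": b"hello from client\r\n"},
    {"src": "10.10.1.9", "dst": "10.10.1.30", "proto": "TCP", "sport": 53000, "dport": 443,
     "size": 90, "payload": b"hello from client\r\n"},
]


def flow_summary(packets):
    """Flow analysis: collapse packets into per-flow counters keyed by the
    5-tuple. Only header fields and sizes are used; payloads are never read."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for p in packets:
        key = (p["src"], p["dst"], p["proto"], p["sport"], p["dport"])
        flows[key]["packets"] += 1
        flows[key]["bytes"] += p["size"]
    return dict(flows)


# Assumed expectation table: what a payload on each service port should start
# with. TLS records begin with a content-type byte (0x14-0x17) and version 0x03.
EXPECTED_PREFIX = {
    443: (b"\x14\x03", b"\x15\x03", b"\x16\x03", b"\x17\x03"),
    80: (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"HTTP/"),
}


def packet_inspect(packets):
    """Packet analysis (DPI): read each payload and report packets whose content
    does not match the protocol expected on their destination port."""
    findings = []
    for p in packets:
        prefixes = EXPECTED_PREFIX.get(p["dport"])
        if prefixes is None:
            continue  # no expectation defined for this port
        if not p["payload"].startswith(prefixes):
            findings.append((p["src"], p["dst"], p["dport"], p["payload"][:16]))
    return findings


if __name__ == "__main__":
    for key, stats in flow_summary(PACKETS).items():
        print("flow", key, stats)
    for finding in packet_inspect(PACKETS):
        print("payload does not match port protocol:", finding)
```

The flow summary shows 10.10.1.9 holding a small, steady connection to port 443 and nothing more; only the packet-level check reveals that the bytes on that port are not TLS at all, which is exactly the root-cause detail the room says flow analysis cannot give you.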
Benefits of the Traffic Analysis:
- Provides full network visibility.
- Helps comprehensive baselining for asset tracking.
- Helps to detect/respond to anomalies and threats.
Does the Traffic Analysis Still Matter?
The widespread usage of security tools/services and an increasing shift to cloud computing force attackers to modify their tactics and techniques to avoid detection. Network data is a pure and rich data source. Even if it is encoded/encrypted, it still provides value by pointing to an odd, weird or unexpected pattern/situation. Therefore traffic analysis is still a must-have skill for any security analyst who wants to detect and respond to advanced threats.
Now you know what Traffic Analysis is and how it operates. Now use the static site to simulate a traffic analysis operation and find the flags.
Identifying and Filtering Malicious IP
From the IDS/IPS System Table:
Look for entries that indicate malicious behavior, such as:
1. Multiple Login Attempts (10.10.99.99)
2. Bad Traffic (10.10.99.62)
These IPs are flagged as malicious by the system.
The malicious IPs for Level-1 are 10.10.99.99 and 10.10.99.62.
Review the “Traffic Analyzer” Data:
Look at the ports in use and cross-reference with the behavior of each IP from the IDS/IPS System Table.
Identify ports that are commonly used in malicious activities or appear anomalous.
Focus on the Following Patterns:
- Port 4444: Associated with behaviors or tools known for exploitation (Metasploit).
- Port 7777: Uncommon and often linked to custom or malicious backdoors.
- Port 2222: Frequently used in patterns that suggest malicious activity (as an alternative for SSH).
Suspicious Ports for Blocking:
From the data:
- 4444 (seen with 10.10.99.99)
- 7777 (seen with 10.10.99.199)
- 2222 (seen with 10.10.99.199)
The three destination ports to block are:
1. 4444
2. 7777
3. 2222
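The Level-1 and Level-2 reasoning above can be written down as a small script. This is an added example, my own code rather than anything from the room's static site, and it runs over constructed tables modelled on the ones described: IDS/IPS rows of (source IP, alert) and traffic-analyzer rows of (source IP, destination IP, destination port). The set of "expected" destination ports is an assumed allowlist for this segment, and the repeated-digit rule encodes the room's hint about recurring numbers.

```python
# Constructed data modelled on the room's tables; not the real room data.
IDS_TABLE = [
    ("10.10.99.99", "Multiple Login Attempts"),
    ("10.10.99.62", "Bad Traffic"),
    ("10.10.99.10", "Normal Traffic"),
]

TRAFFIC = [
    ("10.10.99.99", "10.10.99.1", 4444),
    ("10.10.99.62", "10.10.99.1", 80),     # flagged host on an ordinary port
    ("10.10.99.199", "10.10.99.1", 7777),  # never flagged by the IDS table
    ("10.10.99.199", "10.10.99.1", 2222),
    ("10.10.99.10", "10.10.99.1", 443),
    ("10.10.99.11", "10.10.99.1", 53),
]

# Alert labels the IDS/IPS table uses for malicious behaviour.
MALICIOUS_ALERTS = {"Multiple Login Attempts", "Bad Traffic"}

# Assumed allowlist of destination ports that belong on this segment.
EXPECTED_PORTS = {22, 25, 53, 80, 443}


def flagged_ips(ids_table):
    """Level-1: every source IP the IDS/IPS table labels with a malicious alert."""
    return {ip for ip, alert in ids_table if alert in MALICIOUS_ALERTS}


def suspicious_ports(traffic, expected_ports=EXPECTED_PORTS):
    """Level-2: destination ports outside the allowlist. A high port made of one
    repeated digit (4444, 7777, 2222) is reported as well, following the room's
    hint about recurring numbers."""
    ports = set()
    for _src, _dst, dport in traffic:
        repeated_digit = dport > 1023 and len(set(str(dport))) == 1
        if dport not in expected_ports or repeated_digit:
            ports.add(dport)
    return ports


def build_blocklist(ids_table, traffic):
    """Combine both levels and report hosts that only the port rule catches."""
    ips = flagged_ips(ids_table)
    ports = suspicious_ports(traffic)
    # Hosts an IP filter alone would miss: they talk to a suspicious port but
    # never raised an alert in the IDS/IPS table.
    unflagged_talkers = {src for src, _dst, dport in traffic if dport in ports} - ips
    return {"block_ips": ips, "block_ports": ports, "unflagged_talkers": unflagged_talkers}


if __name__ == "__main__":
    result = build_blocklist(IDS_TABLE, TRAFFIC)
    print("block IPs:  ", sorted(result["block_ips"]))
    print("block ports:", sorted(result["block_ports"]))
    print("hosts caught only by the port rule:", sorted(result["unflagged_talkers"]))
```

The point of keeping both rules is visible in the output: 10.10.99.62 is only caught by the IP rule (it uses port 80), while 10.10.99.199 is only caught by the port rule (it never appears in the IDS table), which is why Level-2 filters on ports as well as addresses.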
Answer the questions below
3.1 Level-1 is simulating the identification and filtering of malicious IP addresses.
What is the flag? (Hint: Red dots represent malicious packets!)
Answer: THM{PACKET_MASTER}
3.2 Level-2 is simulating the identification and filtering of malicious IP and Port addresses.
What is the flag? (Hint: Are there any suspicious ports? A quick search can help if you don’t recognise the used ports. Any recurring numbers in ports?)
Answer: THM{DETECTION_MASTER}
Task 4 Conclusion
Congratulations! You just finished the “Traffic Analysis Essentials” room.
In this room, we covered the foundations of the network security and traffic analysis concepts:
- Network Security Operations
- Network Traffic Analysis
Now, you are ready to complete the “Network Security and Traffic Analysis” module.
Answer the questions below
Read the task above.
Summary of What Was Learned
In the “Traffic Analysis Essentials” room, we explored key concepts in network security and traffic analysis. Here’s what we covered:
1. Network Security Basics:
   - Authentication and authorization are the foundation of secure networks. These ensure only authorized users and devices can access the network.
   - Different levels of security controls were introduced:
     - Administrative controls: Policies and procedures like password rules and access levels.
     - Technical controls: Tools like firewalls, intrusion detection systems, and load balancing.
     - Physical controls: Protecting physical access to devices and servers.
2. Traffic Analysis Techniques:
   - Flow Analysis: A quick way to summarize network traffic data and detect anomalies using patterns.
   - Packet Analysis: A deeper inspection of network data, often used to find the root cause of suspicious activity or detect hidden threats.
3. Practical Applications:
   - Identifying malicious IP addresses and suspicious ports using tools and behavioral patterns.
   - Recognizing common signs of threats, such as:
     - Unusual login attempts (Multiple Login Attempts).
     - Malicious ports like 4444 (backdoors) and 7777 (custom malware).
Key Insights and Takeaways
- Traffic Analysis is Crucial:
It helps identify and stop malicious activity before it can harm the network. Even in encrypted environments, traffic analysis can reveal anomalies, such as unexpected patterns or odd data flows.
- Continuous Monitoring is Essential:
Networks are constantly targeted by attackers, and analyzing data in real-time can prevent breaches. Tools like IDS/IPS, SIEM, and SOAR are critical to achieving this.
Recommendations
- Develop Traffic Analysis Skills:
Learn to identify anomalies, suspicious IPs, and unusual ports. Master tools like Wireshark and Zeek for practical packet analysis.
- Adopt Layered Security:
Combine technical, administrative, and physical controls for comprehensive protection. Use firewalls, VPNs, and strong policies together.
- Stay Updated:
Attackers evolve their techniques regularly. Keep up with trends in malware, threat hunting, and detection tools to stay one step ahead.
Final Thought
Network traffic is like the bloodstream of an organization — analyzing it regularly ensures the health of your systems and keeps threats at bay. It’s a critical skill for any aspiring security professional!