Blue Teaming


What is network traffic analysis? (2024 blue teamer guide)

Understand network traffic analysis, the top NTA tools, and how you can effectively identify anomalies that might signify a breach.

Dimitris, Jan 30, 2024

This post is based on the Hack The Box (HTB) Academy module (or course): Intro to Network Traffic Analysis. The module demystifies NTA and provides hands-on exercises to practice each of the tactics and techniques we cover (including usage of traffic analysis tools such as Wireshark and tcpdump). 

You can learn more by browsing the catalog of free or advanced cybersecurity courses on the HTB Academy! 

What is network traffic analysis? 

Network traffic analysis (NTA) is the process of capturing, monitoring, and examining the traffic on a network in order to discover threats that are probing it or have already gained a foothold inside it. Examining the traffic shows which hosts, ports, and protocols are in normal use, which establishes a baseline and makes anomalies easier to spot. 

SOC analysts and security engineers rely on this to recognise anomalies that may signify a breach and to stop them early. Taking proactive steps to defend your organization’s network before a breach occurs is the responsibility of any successful blue teamer. 

In this post, you’ll learn about indispensable skills and essential tools to analyze network traffic, helping you become a better analyst and a reliable defender of networks!

Importance of network traffic analysis in cybersecurity

In today’s ever-changing threat landscape, it's vital to keep up with the latest trends and best practices in network traffic analysis, adapt to new technologies and methodologies, and keep sharpening your skills to better protect your organization from cyber threats.

Attackers update their tactics frequently to avoid detection, which makes it challenging for defenders to identify and respond to incidents. That is why leveraging NTA is so important.

As a blue teamer, your role is to guard the gates of your organization’s network, monitor for suspicious activity, and raise the alarm before a breach gets out of control.

However, red teams should also take the time to learn about NTA, as analyzing traffic can lead to the discovery of vulnerabilities to exploit.

💡Note: We conducted a survey of 400 cybersecurity professionals and found that 18.8% viewed network traffic analysis as the most important skill for SOC analysts, placing it in second place behind incident handling processes (29.5%). 

Foundational skills for network analysis

Fundamental use cases for network traffic analysis include:

  • Collecting real-time traffic within the network to analyze emerging threats.

  • Setting a baseline for day-to-day network communications.

  • Identifying and analyzing traffic on non-standard ports, traffic from suspicious hosts, and protocol problems such as HTTP errors, TCP issues, or other networking misconfigurations.

  • Detecting malware on the wire, such as ransomware, exploits, and non-standard interactions.

How to conduct network traffic analysis

The foundations for network analysis include a combination of theoretical and practical skills. Having this expertise under your belt means you’ll know what to look for when something feels unfamiliar:

TCP/IP stack & OSI model

This understanding ensures we grasp how network traffic and host applications interact. TCP/IP is the practical model that the protocols actually on the wire are built around, while the OSI model is a more detailed reference model that covers network communication in general. Knowledge of both is key for NTA.

Basic network concepts

These basic concepts cover the individual layers that make up the TCP/IP and OSI models, together with switching and routing.

For example, the OSI model has seven different layers:

  1. Physical layer

  2. Data link layer

  3. Network layer

  4. Transport layer

  5. Session layer

  6. Presentation layer

  7. Application layer

The TCP/IP model is more concise and only features four layers:

  1. Network access layer

  2. Internet layer

  3. Transport layer

  4. Application layer

Common ports and protocols

Quickly recognising standard ports and protocols, and knowing how each one normally behaves on the wire, is crucial for spotting traffic that is malformed or that is using a port for something other than its expected protocol.

Here are just a few commonly used ports and protocols to be aware of:

  • Ports 20 and 21: File Transfer Protocol (FTP). Port 21 carries the control channel and port 20 the data channel in active mode; credentials and file contents travel in plaintext.

  • Port 22: Secure Shell (SSH). Encrypted remote shells, file transfer (SCP/SFTP), and tunnelling.

  • Port 25: Simple Mail Transfer Protocol (SMTP), used for server-to-server mail relay.

  • Port 53: Domain Name System (DNS), over both UDP and TCP. Resolves names to IP addresses so users need not memorise them; also a popular covert channel for exfiltration and command and control.

  • Port 80: Hypertext Transfer Protocol (HTTP). Plaintext web traffic.

  • Port 123: Network Time Protocol (NTP). Keeps clocks in sync, which certificate validation, Kerberos, and log correlation all depend on.

  • Port 179: Border Gateway Protocol (BGP). Exchanges routing information between autonomous systems on the internet.

  • Port 443: HTTP Secure (HTTPS). HTTP carried over TLS. 

  • Port 500: Internet Security Association and Key Management Protocol (ISAKMP), the key exchange (IKE) for IPsec VPNs, over UDP.

  • Port 587: SMTP mail submission from clients, normally authenticated and upgraded to TLS with STARTTLS (the port itself does not guarantee encryption).

  • Port 3389: Remote Desktop Protocol (RDP). Remote access to Windows hosts, and a frequent target for brute force and lateral movement. 

Concepts of IP Packets and the Sublayers

Foundational knowledge of how TCP and UDP communicate will, at a minimum, ensure we understand what we see or are searching for. TCP, for example, is connection-oriented with sequence numbers and acknowledgements, so a conversation between hosts can be followed and reassembled easily. UDP is connectionless and quick but has no sequencing or retransmission, so reconstructing an application exchange from UDP datagrams is harder.

Protocol Transport Encapsulation

As data passes down the stack, each layer wraps the data handed to it in its own header: the transport layer wraps the application data, the network layer wraps the transport segment, and the link layer wraps the IP packet in a frame. Being able to read each header and recognise where one encapsulation ends and the next begins lets us move through a capture quickly, because the headers carry the hints (EtherType, IP protocol number, port numbers) that tell us what the next layer is.
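To make the encapsulation concrete, here is an added example (written for this post, not code from the HTB module) that peels the layers off a raw Ethernet frame the way a protocol dissector does: Ethernet, then IPv4, then TCP or UDP, then the payload. It also builds its own sample frames (an HTTP GET and a DNS query, with constructed MACs and RFC 5737 documentation addresses) and verifies the IPv4 header checksum, so a corrupted or hand-crafted header shows up as `checksum_ok: False`. Everything in it, from the field names to the sample addresses, is an assumption for the demonstration.

```python
import struct

# Constructed example: a minimal dissector that peels Ethernet -> IPv4 -> TCP/UDP -> payload
# from a raw frame, plus a builder that encapsulates the other way to produce sample frames.

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")  # fixed 20-byte IPv4 header
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17
TCP_FLAG_NAMES = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                  (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def ip_bytes(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over the header with its checksum field zeroed."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def dissect_frame(frame: bytes) -> dict:
    """Walk the encapsulation headers outermost-first and return one dict per layer."""
    layers = {}
    dst, src, ethertype = ETH_HDR.unpack_from(frame, 0)
    layers["eth"] = {"dst": mac_str(dst), "src": mac_str(src), "type": ethertype}
    off = ETH_HDR.size
    if ethertype != ETHERTYPE_IPV4:          # ARP, IPv6, ... are left undissected here
        layers["payload"] = frame[off:]
        return layers

    vihl, _tos, total_len, _id, _frag, ttl, proto, csum, s, d = IPV4_HDR.unpack_from(frame, off)
    ihl = (vihl & 0x0F) * 4                  # IPv4 header length in bytes, options included
    ip_hdr = frame[off:off + ihl]
    # Recompute the checksum with the field zeroed; a mismatch means the header was
    # corrupted in transit or crafted by hand.
    ok = ipv4_checksum(ip_hdr[:10] + b"\x00\x00" + ip_hdr[12:]) == csum
    layers["ip"] = {"src": ip_str(s), "dst": ip_str(d), "ttl": ttl,
                    "proto": proto, "checksum_ok": ok}
    off += ihl
    end = ETH_HDR.size + total_len           # ignore any Ethernet padding after the datagram

    if proto == IPPROTO_TCP:
        sport, dport, seq, ack, off_flags = struct.unpack_from("!HHIIH", frame, off)
        data_off = (off_flags >> 12) * 4     # TCP header length, options included
        flags = [name for bit, name in TCP_FLAG_NAMES if off_flags & bit]
        layers["tcp"] = {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags}
        off += data_off
    elif proto == IPPROTO_UDP:
        sport, dport, ulen, _ucsum = struct.unpack_from("!HHHH", frame, off)
        layers["udp"] = {"sport": sport, "dport": dport, "len": ulen}
        off += 8
    layers["payload"] = frame[off:end]
    return layers


def build_frame(src_ip: str, dst_ip: str, proto: int, segment: bytes) -> bytes:
    """Encapsulate the other way: wrap a transport segment in IPv4, then in Ethernet."""
    hdr = IPV4_HDR.pack(0x45, 0, 20 + len(segment), 0x1234, 0x4000, 64, proto, 0,
                        ip_bytes(src_ip), ip_bytes(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    eth = ETH_HDR.pack(bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"), ETHERTYPE_IPV4)
    return eth + hdr + segment


def build_tcp(sport: int, dport: int, flags: int, payload: bytes = b"") -> bytes:
    return struct.pack("!HHIIHHHH", sport, dport, 1000, 2000, (5 << 12) | flags, 65535, 0, 0) + payload


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


# Constructed sample traffic (RFC 5737 documentation addresses, made-up MACs).
HTTP_GET = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
DNS_QUERY = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07example\x04test\x00\x00\x01\x00\x01"
SAMPLE_HTTP_FRAME = build_frame("192.0.2.10", "198.51.100.5", IPPROTO_TCP,
                                build_tcp(51234, 80, 0x18, HTTP_GET))   # PSH|ACK
SAMPLE_DNS_FRAME = build_frame("192.0.2.10", "192.0.2.53", IPPROTO_UDP,
                               build_udp(40000, 53, DNS_QUERY))

if __name__ == "__main__":
    for frame in (SAMPLE_HTTP_FRAME, SAMPLE_DNS_FRAME):
        for layer, fields in dissect_frame(frame).items():
            print(f"{layer:>8}: {fields}")
```

Running it prints one line per layer for each sample frame. The point to notice is that nothing in the Ethernet header says "HTTP": the dissector only learns that by following EtherType 0x0800 to IPv4, protocol 6 to TCP, and destination port 80 to the payload, which is exactly the chain Wireshark walks for every frame.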

Hungry for more? Dive into our NTA module

Learn the technical foundations of network traffic analysis to boost your confidence and defensive capabilities:

  • Network traffic analysis principles.

  • Tcpdump fundamentals.

  • Working with Wireshark.

  • Wireshark filters.

How to analyze network traffic 

Network traffic analysis can vary in complexity. In some instances, you may simply be monitoring the traffic for any suspicious activity. When responding to a problem or potential incident, however, we first need to be positioned on the right network segment (via a tap or a SPAN port, for example) so that the traffic of interest actually passes our sensor.

1. Ingest Traffic

Once we have decided on our placement, begin capturing traffic. Use capture filters (BPF syntax in tcpdump and Wireshark) if we already have an idea of what we are looking for; unlike display filters, they limit what is written to disk in the first place.

2. Reduce Noise by Filtering

Capturing traffic on a link, especially one in a production environment, can be extremely noisy. Once the initial capture is complete, filtering unnecessary traffic (broadcast and multicast traffic, for example) out of our view makes analysis easier.

3. Analyze and Explore

Now is the time to start carving out data pertinent to the issue we are chasing down. Look at specific hosts, protocols, and even things as specific as flags set in the TCP header. The following questions will help us:

  • Is the traffic encrypted or plain text? Should it be?

  • Can we see users attempting to access resources to which they should not have access?

  • Are different hosts talking to each other that typically do not?

4. Detect the Root Issue

Are we seeing any errors? Is a device not responding that should be?

Use our analysis to decide if what we see is benign or potentially malicious.

Other tools like IDS and IPS can come in handy at this point. They can run heuristics and signatures against the traffic to determine if anything within is potentially malicious.

5. Fix and Monitor

Fixing and monitoring are not a part of the loop but should be included in any workflow we perform. If we make a change or fix an issue, we should continue to monitor the source for a time to determine if the issue has been resolved.
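The five steps above, and the "traffic on non-standard ports" use case from the foundational skills section, as one added worked example (written for this post, not code from the HTB module). It works on per-flow summaries rather than raw packets: a `Flow` record standing in for what you would export from a capture with tshark, a known-good set that supplies the baseline, and an `analyze` function that asks the three questions from step 3 of every flow and returns findings. The `Flow` class, the `EXPECTED` port table, the fingerprints and every address and payload in it are assumptions constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example. Flow records stand in for what you would export from a capture:
#   tcpdump -i eth0 -w capture.pcap 'not port 5353'                      (step 1, BPF capture filter)
#   tshark -r capture.pcap -T fields -e ip.src -e ip.dst -e tcp.dstport -e tcp.payload
# The Flow class, EXPECTED table and all addresses below are assumptions for the demo.


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    dport: int
    payload: bytes   # first bytes the client sent, b"" if none were seen


# Ports where we know what protocol belongs; anything else seen there is worth a look.
EXPECTED = {22: "ssh", 80: "http", 443: "tls", 8080: "http", 8443: "tls"}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")
BROADCAST = ipaddress.ip_address("255.255.255.255")


def fingerprint(payload: bytes) -> str:
    """Identify the application protocol from its first bytes, ignoring the port entirely."""
    if payload.startswith(b"SSH-"):
        return "ssh"
    # TLS record: content type 22 (handshake), version major 3 (SSL 3.0 / TLS 1.x)
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x04:
        return "tls"
    if payload.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def is_noise(flow: Flow) -> bool:
    """Step 2: drop broadcast and multicast from the view. Subnet-directed broadcasts
    (e.g. 10.0.0.255) need the local netmask and are deliberately not handled here."""
    dst = ipaddress.ip_address(flow.dst)
    return dst.is_multicast or dst == BROADCAST


def build_baseline(known_good: list) -> set:
    """'Set a baseline': which (src, dst, dport) triples are normal for this segment."""
    return {(f.src, f.dst, f.dport) for f in known_good if not is_noise(f)}


def analyze(capture: list, baseline: set) -> list:
    """Steps 3-4: ask the analyst's questions of every flow; return (flow, reason) findings."""
    findings = []
    for f in capture:
        if is_noise(f):
            continue
        app = fingerprint(f.payload)
        expected = EXPECTED.get(f.dport)
        # Is the protocol what the port says it is? (SSH on 443 is a classic evasion.)
        if expected and app not in ("unknown", expected):
            findings.append((f, f"{app} carried on port {f.dport}, expected {expected}"))
        # Is it plaintext when it should not be?
        if app == "http" and b"Authorization: Basic " in f.payload:
            findings.append((f, "credentials sent in plaintext HTTP"))
        # Are hosts talking that normally do not?
        if (f.src, f.dst, f.dport) not in baseline:
            findings.append((f, "host pair/port never seen in baseline"))
    return findings


# Constructed traffic. Internal hosts in 10.0.0.0/24, external ones in RFC 5737 ranges.
TLS_HELLO = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"
KNOWN_GOOD = [
    Flow("10.0.0.5", "10.0.0.10", "tcp", 443, TLS_HELLO),
    Flow("10.0.0.7", "10.0.0.10", "tcp", 443, TLS_HELLO),
    Flow("10.0.0.7", "10.0.0.22", "tcp", 22, b"SSH-2.0-OpenSSH_9.6\r\n"),
    Flow("10.0.0.5", "10.0.0.53", "udp", 53, b"\x12\x34\x01\x00"),
]
CAPTURE = [
    Flow("10.0.0.5", "10.0.0.10", "tcp", 443, TLS_HELLO),                         # normal
    Flow("10.0.0.5", "224.0.0.251", "udp", 5353, b"\x00\x00\x00\x00"),             # mDNS, noise
    Flow("10.0.0.9", "255.255.255.255", "udp", 67, b"\x01\x01\x06\x00"),           # DHCP, noise
    Flow("10.0.0.7", "203.0.113.10", "tcp", 443, b"SSH-2.0-dropbear\r\n"),         # SSH hiding on 443
    Flow("10.0.0.5", "198.51.100.20", "tcp", 80,
         b"GET /admin HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic YWRtaW46aHVudGVyMg==\r\n\r\n"),
    Flow("10.0.0.7", "10.0.0.22", "tcp", 22, b"SSH-2.0-OpenSSH_9.6\r\n"),          # normal
]

if __name__ == "__main__":
    for flow, reason in analyze(CAPTURE, build_baseline(KNOWN_GOOD)):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}: {reason}")
```

Against the constructed capture this reports four findings: SSH tunnelled over port 443 to an external host (flagged twice, once for the protocol mismatch and once because the host pair is new), and plaintext Basic credentials to another new external host. The two normal flows match the baseline and stay quiet; the mDNS and DHCP flows are dropped as noise before analysis. Step 5 is then up to the analyst: fix the cause and keep the same checks running on the segment to confirm the findings stop.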

 

Network traffic analysis tools to familiarize yourself with

The following tools can all be used to conduct NTA. Each provides a different way to capture or dissect the traffic: some copy and capture, others read and digest. Our Intro to Network Traffic Analysis module mainly focuses on Wireshark and tcpdump. Wireshark is a graphical network traffic analyzer that captures and decodes frames, while tcpdump captures and interprets traffic from a network interface on the command line.

For more advanced tools, you can explore our Intermediate Network Traffic Analysis module.

  • tcpdump: a command-line utility that, with the aid of libpcap, captures and interprets network traffic from a network interface or a capture file.

  • TShark: a network packet analyzer much like tcpdump. It captures packets from a live network or reads and decodes them from a file, and it is the command-line variant of Wireshark.

  • Wireshark: a graphical network traffic analyzer. It captures and decodes frames off the wire and allows for an in-depth look into the environment, running protocol dissectors against the traffic to characterize the protocols and applications in use and show what is happening.

  • ngrep: a pattern-matching tool that does for network packets what grep does for text. It reads live traffic or a PCAP file and combines regular expressions with BPF filter syntax. It shines when debugging plaintext protocols such as HTTP and FTP.

  • tcpick: a command-line packet sniffer that specializes in tracking and reassembling TCP streams, including writing a reassembled stream back out to a file.

  • Network taps: devices (Gigamon, Niagara taps) that take copies of network traffic and send them elsewhere for analysis. They can be in-line or out of band, either actively capturing and analyzing the traffic or passively putting the original packet back on the wire as if nothing had changed.

  • SPAN ports: port mirroring on layer two or three devices that copies frames during ingress or egress processing and sends them to a collection point, typically a sensor or log server.

  • Elastic (Packetbeat): the Elastic Stack is a collection of tools that ingest data from many sources and visualize it for searching and analysis; Packetbeat is the component that captures and decodes network traffic for it.

 

Tools, technologies, and trends in network traffic analysis

As the technology we use develops, so does our approach to network analysis. The recent emergence of AI has seen organizations using machine learning (ML) to keep an eye on traffic.


ML models learn from large datasets of traffic, enabling them to flag anomalies or suspicious activity without hand-written rules. As more data is fed in over time, the model becomes more accurate, with one caveat: it also learns whatever was happening during the training window as "normal", so if an attacker was already present, their activity becomes part of the baseline. Baselines therefore need periodic review by an analyst.

Emerging technologies such as AI will reconfigure the roles of analysts as repetitive monitoring tasks could be taken over by ML, freeing up room for a focus on other defensive areas.

Another challenge the modern blue teamer faces is monitoring multi-cloud networks. As organizations expand their networks virtually, cybercriminals gain a larger attack surface to take advantage of, and traffic between cloud services often never crosses a link the analyst can tap. 

This reduced visibility makes an analyst's job harder. This is where AI tools can help, alongside strong access controls that limit access to cloud resources.

Master network traffic analysis

With our modern, fast-paced, intricate network environments, the need to master network traffic analysis is more vital than ever. As our infrastructure grows, it can seem overwhelming to keep track, but this challenge is possible to overcome with the right upskilling. 

At HTB, our Academy modules prepare you with the technical foundations to perform NTA, and become a better defender.

 

Author bio: Dimitrios Bougioukas (Dimitris), Senior Director of IT Security Training Services, Hack The Box

Dimitrios has extensive experience in upskilling the IT security teams of Fortune 100/500 tech companies and government organizations. He enjoys analyzing the threat landscape as well as interpreting market and data analytics to assist Hack The Box in devising its training strategy and roadmaps, from go-to-market all the way to the syllabus level.

Prior to Hack The Box, Dimitrios directed the development of training and certifications through eLearnSecurity/INE and was behind certifications like eCPTX, eWPT, and eCIR.

You can connect with him on LinkedIn here.

 
