Overview

Learn about the tools and techniques used for analyzing traffic passing over the network. This learning path covers identification and analysis of benign and malicious traffic, examples and case studies of extracting intelligence from traffic data, considerations when building a network monitoring program, and techniques for collecting and analyzing traffic data.

Syllabus

Introduction to network traffic analysis

Start out on this course by taking a look at what network traffic analysis is and some of its major applications. This introductory module describes network traffic analysis and discusses its applications for monitoring the functionality of networked systems and performing incident response investigations.

Fundamentals of networking

In order to identify anomalous or malicious traffic in a network, it’s necessary to first understand what’s normal. This module discusses the fundamentals of networking, including the OSI model, the differences between TCP, UDP and ICMP and their intended uses, and the purposes of common high-level protocols like HTTP and SMTP.

Hands-on traffic analysis in Wireshark

Wireshark is probably the most commonly used tool for network traffic analysis and will be used throughout this learning path. This module introduces some of the useful features of Wireshark and shows what the protocols discussed in the previous course look like in practice and how the various layers work together to make networking possible.

Alternatives to Wireshark

Wireshark is probably the most popular tool for network traffic analysis. However, it is not the only one available. This module provides an introduction to some alternatives to Wireshark, covering some of the most useful and unique features of Terminal Shark (Wireshark’s command-line equivalent), CloudShark and NetworkMiner.

Network traffic intelligence collection

A common use of network traffic analysis is for performing incident response activities. The purpose of these actions is to extract useful intelligence from network captures that can help to inform the rest of the investigation. This module demonstrates how to extract certain types of useful data from a network capture file.

Common network threats

An organization can be attacked over the network in a variety of different ways. However, some methods are more common than others. In this module, you will see what scanning, data exfiltration, DDoS attacks and attacks against IoT devices look like in a network capture in a series of demonstrations.

Traffic analysis case studies

Different types of incident response investigations lend themselves to network-based analysis to different degrees. This module consists of a series of demonstrations where analysis of network traffic is used to infer information about different types of malware, including remote access Trojans (RATs), fileless malware, network worms and multi-stage infections.

Data collection for network traffic analysis

In order to investigate a network traffic capture, it is first necessary to capture it. This module discusses methods and considerations for data collection of network traffic. Topics include considerations for deployment of monitoring appliances and the use of virtualization and deception for data collection.

Data analysis for network traffic analysis

Having access to network traffic data is of very limited value without the ability to analyze it. In this module, you will learn about connection-based analysis, statistical analysis and event-based analysis, their relative pros and cons for different monitoring situations, and tools and techniques for performing them effectively.

Network traffic analysis for incident response project

In this project, you will need to apply your knowledge and use common network traffic analysis tools to solve multiple challenges. Each challenge involves examining a network traffic capture file containing evidence of malicious activity, such as malware infection, data exfiltration and C2 (command-and-control) communications. You’ll need to find leaked credentials, analyze an attempted DDoS attack, extract files from captures and even more.