In my journey to get my skills up to date I have been researching methods for traffic analysis besides packet capture analysis. There are other methods which are more affordable, such as statistical traffic analysis. All packets traversing the network can be logged and recorded without storing the content. The amount of storage needed to store traffic flow records is considerably less than when capturing the traffic content. It also allows that information to be stored for a longer time and therefore used as a non-repudiation tool.
Typically, when performing statistical traffic flow analysis we will be storing source and destination IP address, source and destination port, protocol, day, time and the amount of data transferred. This provides good visibility into the network and also a way of identifying potential targets for content analysis and investigation.
Statistical traffic analysis can help with:
- Detecting compromised hosts
- Proving or disproving data exfiltration
- Profiling behaviour
There is more to this subject, but I will not get into the details of the architecture and deployment of this sort of solution; however, I want to introduce EtherApe.
This tool will allow you to get a quick understanding of the behaviour of your network. Through visual statistical analysis you can basically understand how your network is behaving. It is a tool that has been around for some time, but today I realised the potential it has when trying to detect an intrusion or analysing malware.
Installing the application is pretty easy, and there are different deployment options. You can choose to simply install the application on the endpoint and visually see the traffic flow of that particular endpoint with the rest of the network.
Another potential scenario is to deploy the tool at the last hop before leaving your network and, at that choke point, analyse all the traffic that goes in and out of the network.
In these two scenarios a good baseline will help to detect unauthorized traffic within the network. The sort of elements to look at are IP addresses, ports, protocols, directionality and volume of traffic transferred.
The last scenario, and probably the most useful for my future research, will be to install the tool on the endpoint while doing malware analysis. This will quickly allow the researcher to understand the piece of malware and its activity on the network. For an initial malware triage it is always quicker than firing up Wireshark and inspecting the traffic flow.
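To make the flow-record idea and the baseline check concrete, here is a small added example (not code from the original post or from EtherApe). It parses constructed flow records in the shape described above (source and destination address and port, protocol, date, time and bytes), sums egress volume per internal host, and compares each flow against a hand-written baseline of allowed destination ports, business hours and maximum daily egress volume. The address ranges, the baseline thresholds and the log lines are all assumptions made up for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed flow records (made-up sample values, not data from the post):
# date time src sport dst dport proto bytes
FLOW_LOG = """\
2024-03-01 09:12:03 10.0.0.21 52344 203.0.113.10 443 tcp 18240
2024-03-01 09:13:10 10.0.0.21 52351 203.0.113.10 443 tcp 22100
2024-03-01 09:14:55 10.0.0.22 49211 198.51.100.5 80 tcp 9300
2024-03-01 10:02:14 10.0.0.21 41020 10.0.0.5 445 tcp 51000
2024-03-01 23:41:07 10.0.0.22 53010 192.0.2.77 4444 tcp 85000000
2024-03-01 23:42:30 10.0.0.22 53011 192.0.2.77 4444 tcp 91000000
2024-03-02 03:15:00 10.0.0.23 60100 198.51.100.9 53 udp 1200
"""

# Assumed internal address range for this example network.
INTERNAL = ip_network("10.0.0.0/8")

# Assumed baseline profile of what is "normal" for the network.
BASELINE = {
    "allowed_dports": {80, 443, 53},
    "max_daily_egress_bytes": 50_000_000,
    "business_hours": (8, 19),  # hour of day: inclusive start, exclusive end
}


@dataclass(frozen=True)
class Flow:
    date: str
    time: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    nbytes: int


def parse_flows(text):
    """Parse whitespace-separated flow records into Flow objects."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        d, t, src, sport, dst, dport, proto, nbytes = line.split()
        flows.append(Flow(d, t, src, int(sport), dst, int(dport), proto, int(nbytes)))
    return flows


def is_egress(flow):
    """Directionality: internal source talking to an external destination."""
    return ip_address(flow.src) in INTERNAL and ip_address(flow.dst) not in INTERNAL


def egress_bytes_per_host(flows):
    """Volume: total bytes each internal host sent outside the network."""
    totals = defaultdict(int)
    for f in flows:
        if is_egress(f):
            totals[f.src] += f.nbytes
    return dict(totals)


def find_anomalies(flows, baseline=BASELINE):
    """Compare egress flows against the baseline; return (host, reason, detail) tuples."""
    findings = []
    daily = defaultdict(int)
    start, end = baseline["business_hours"]
    for f in flows:
        if not is_egress(f):
            continue  # internal-to-internal traffic is out of scope for this check
        if f.dport not in baseline["allowed_dports"]:
            findings.append((f.src, "unusual destination port", f"{f.dst}:{f.dport}/{f.proto}"))
        hour = int(f.time.split(":")[0])
        if not (start <= hour < end):
            findings.append((f.src, "egress outside business hours", f"{f.date} {f.time}"))
        daily[(f.src, f.date)] += f.nbytes
    for (src, date), total in daily.items():
        if total > baseline["max_daily_egress_bytes"]:
            findings.append((src, "egress volume above baseline", f"{date}: {total} bytes"))
    return findings


if __name__ == "__main__":
    flows = parse_flows(FLOW_LOG)
    for host, total in sorted(egress_bytes_per_host(flows).items()):
        print(f"{host:12} {total:>12} bytes out")
    for host, reason, detail in find_anomalies(flows):
        print(f"{host:12} {reason:32} {detail}")
```

Run stand-alone it prints the per-host egress totals and then the findings; with the sample data, 10.0.0.22 shows up for an unusual port, out-of-hours activity and a daily volume far above the baseline, which is the kind of pattern the post describes when proving or disproving data exfiltration. A real deployment would derive the baseline from weeks of recorded flows rather than hand-writing it.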
There are other alternatives such as,
To finish, I want to highlight that statistical traffic analysis can also be used in the opposite direction. Rather than being used to defend the organization, it can be used to attack the privacy of organizations and individuals. Projects such as Tor (https://www.torproject.org/), at least as it was designed, can be used to defeat statistical traffic analysis.