Traffic Analysis: TryHackMe notes

Going through TryHackMe’s SAL level 1, I decided to keep track of my personal notes and try to explain the concepts in my own words - it pushes me to think and not just speedrun the room.

  1. What is network security?

Network security is one of the main subdomains of cybersecurity and its goal is to provide accessibility (availability), integrity, continuity, and reliability of the network. It refers to actions for protecting data, applications, devices, and systems within the network. Thus, the system design, operation, and management of the architecture and infrastructure are central when it comes to network security.

  2. What is traffic analysis?

Traffic analysis is part of network security operations. It mainly refers to investigating the network data to ensure that problems and other anomalies are identified.

  3. What’s exactly behind network security?

Two questions (concepts) are at the heart of network security: who can access (authentication) and what can they access (authorisation). There are many ways to ensure this security management, but let’s break it down into three security control levels, two main approaches and their respective key elements.

3.1 Security control levels:

  • Physical: refers to the authorisation of physical access to devices and all network components, even locks. If the network were a real-world building, this would be like controlling who can enter it and where they can go in the building. Think of it like when the third-floor corridor in Hogwarts was forbidden for students.

  • Technical: this is the data security control – it prevents unauthorized access via security levels and tunnels. It’s just like the obstacles in the underground chambers after the third-floor corridor in Harry Potter and the Philosopher’s Stone.

  • Administrative: this level ensures the creation of security policies, access levels, and authentication processes. For example, you can’t apparate in or out of Hogwarts.

3.2 Main approaches:

  • Access Control: all controls related to authentication and authorisation processes.

  • Threat Control: detecting and preventing anomalies on the network, whether they originate from internal or external probes.

3.3 Access Control – key elements:

  • Firewall Protection: we have to set rules first and then the firewall protects the incoming and outgoing traffic – just like a real door that controls who enters and exits the building.

  • Network Access Control (NAC): verifies that the device is suitable and compliant with the defined profile before connecting to the network.

  • Identity and Access Management (IAM): verifies and manages the user’s identity before they connect and access data and resources over the network.

  • Load Balancing: in order to optimize data processing flow, it manages and distributes resource usage.

  • Network Segmentation: Creates and controls network ranges and segmentation to isolate users' access levels, group assets with common functionalities, and improve the protection of sensitive/internal devices/data in a safer network.

  • Virtual Private Networks (VPN): ensures encrypted communication over the network.

  • Zero Trust Model: access and permissions at a minimum level (“never trust, always verify”).

3.4 Threat Control – key elements:

  • Intrusion Detection and Prevention (IDS/IPS): inspects the traffic and creates alerts (IDS) or resets the connection (IPS) if anomalies are detected.

  • Data Loss Prevention (DLP): also inspects the traffic but it acts by preventing the extraction of sensitive data.

  • Endpoint Protection: through encryption, antivirus, antimalware, DLP, and IDS/IPS (what is called a multi-layered approach), it protects endpoints and appliances connected to the network.

  • Cloud Security: uses countermeasures (such as a VPN) to protect cloud-based services from various threats.

  • Security Information and Event Management (SIEM): technology that helps threat detection, compliance, and security incident management through available logs and traffic statistics by using event and context analysis to identify anomalies, threats, and vulnerabilities.

  • Security Orchestration Automation and Response (SOAR): technology that helps coordinate and automate tasks between various people, tools, and data within a single platform to identify anomalies, threats, and vulnerabilities. It also supports vulnerability management, incident response, and security operations.

  • Network Traffic Analysis & Network Detection and Response: inspecting network traffic or traffic capture to identify anomalies and threats.

  4. What are Managed Security Services?

Managed Security Services (MSS) are security services provided by third-party companies (MSSP – ‘P’ stands for ‘provider’) for when a company can’t afford to have an internal security service (for example, for financial reasons). MSSPs are often time- and cost-effective. Here are some of the various actions MSSPs provide:

  • Penetration testing: simulating attacker techniques to test network security and spot a breach.

  • Vulnerability assessment: searching for and analysing vulnerabilities in the environment.

  • Incident response: an organised approach to addressing and managing a security breach (i.e., identify, contain, and eliminate incidents).

  • Behavioural analysis: another organised approach used for creating baselines and traffic profiles for specific patterns to detect anomalies, threats, vulnerabilities, and attacks; it’s based on system and user behaviours.

  5. What’s exactly behind traffic analysis?

Every network contains tons of data that can be used for operational and security issues. Operational issues refer to system availability checks and performance measurement; security issues refer to anomaly and suspicious activity detection. Analysing the network data is called traffic analysis. It includes intercepting, recording and/or monitoring, and analysing the said network data and communication patterns.

There are two main approaches to traffic analysis:

  • Flow analysis: an easy way to collect and analyse data from devices in order to provide statistical results. However, this approach makes it difficult to identify the root cause of a problem.

  • Packet analysis: an in-depth packet investigation that allows the root cause to be identified and anomalous or malicious packets to be detected and blocked. However, it’s not time-effective and requires a better skill set.

Other than detecting and responding to anomalies and threats, traffic analysis allows better visibility of the network and optimizes the process of baselining.
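To make the flow-versus-packet distinction (and the baselining idea from the behavioural analysis bullet) concrete, here is an added example of my own, not code from the TryHackMe room. It runs over a handful of constructed packet records (made-up hosts and payloads): flow analysis reduces them to per-flow counters, a baseline check flags the DNS flow whose average packet size is off, and only packet analysis, which decodes the DNS query names, reveals the root cause. The 200-byte and 40-character thresholds are assumptions for the sake of the demo.

```python
from collections import defaultdict

# Constructed sample records (no real hosts): (src, dst, dst_port, proto, bytes, payload)
PACKETS = [
    ("10.0.0.5", "93.184.216.34", 443, "tcp", 1200, b""),
    ("10.0.0.5", "93.184.216.34", 443, "tcp", 900, b""),
    ("10.0.0.7", "10.0.0.53", 53, "udp", 70, b"\x07example\x03com\x00"),
    ("10.0.0.7", "10.0.0.53", 53, "udp", 310, b"\x3e" + b"a" * 62 + b"\x03bad\x00"),
    ("10.0.0.7", "10.0.0.53", 53, "udp", 305, b"\x3e" + b"b" * 62 + b"\x03bad\x00"),
    ("10.0.0.7", "10.0.0.53", 53, "udp", 312, b"\x3e" + b"c" * 62 + b"\x03bad\x00"),
]

def flows(packets):
    """Flow analysis: collapse packets into (src, dst, port, proto) flows that
    keep counters only. Cheap and statistical, but the payload is discarded,
    so the root cause of an anomaly is not visible at this level."""
    table = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for src, dst, port, proto, size, _payload in packets:
        table[(src, dst, port, proto)]["packets"] += 1
        table[(src, dst, port, proto)]["bytes"] += size
    return dict(table)

def flag_flows(flow_table, max_avg_bytes=200):
    """Behavioural baseline check on the flow statistics: DNS requests are
    normally small, so a DNS flow averaging more than 200 bytes per packet
    (assumed threshold) deviates from the baseline. Says *where* to look, not *why*."""
    return [key for key, c in flow_table.items()
            if key[2] == 53 and c["bytes"] / c["packets"] > max_avg_bytes]

def dns_labels(payload):
    """Decode a DNS QNAME in wire format (length byte followed by the label)."""
    labels, i = [], 0
    while i < len(payload) and payload[i] != 0:
        n = payload[i]
        labels.append(payload[i + 1:i + 1 + n].decode("ascii", "replace"))
        i += 1 + n
    return labels

def inspect_packets(packets, flow_key, max_label=40):
    """Packet analysis: drill into the flagged flow and find the root cause.
    Here the tell is an oversized first label (assumed limit: 40 chars), a
    classic sign of data being tunnelled out through DNS queries."""
    hits = []
    for src, dst, port, proto, _size, payload in packets:
        if (src, dst, port, proto) == flow_key:
            labels = dns_labels(payload)
            if labels and len(labels[0]) > max_label:
                hits.append(".".join(labels))
    return hits
```

Calling `inspect_packets(PACKETS, key)` for each key returned by `flag_flows(flows(PACKETS))` gives the three oversized query names; the HTTPS flow never gets flagged because its counters look ordinary.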

Written by

The Cyber Raccoon