Monitor network traffic data

SecPro Community Wisdom #2: Monitor network traffic data at work and gather insights into malicious activities


Hello and welcome to the second Community Wisdom issue of 2022!

Thanks to the fantastic feedback from our last newsletter, we wanted to keep the ball rolling and ask the SecPro community for some more nuggets of wisdom. Remember, SecPro Community Wisdom will arrive in your inbox every first and third Thursday. This brings us a step closer to our mission of being community-led by sharing valuable insights from security professionals and practitioners like yourself with other members.

This was one of the most liked programs from feedback surveys and I’m delighted to be making it real and sharing actionable learning and community wisdom with you.

Austin Miller

Top Questions This Week

1. Red Team/Pentesting

Q: In developing defences against exploits, how do you evaluate the cybersecurity team's strengths and weaknesses? And which tools and techniques would you prefer to combat the weaknesses?

Khairil, Head of Cybersecurity

Team members are required to learn attack anatomy to understand the root cause. They are then trained to use the tools available to mitigate the risk. Most of the tools are from the open source community, such as the tools that come with Kali Linux, and some others are built internally.

Avishek, Data Scientist

There are Red and Blue teams. They defend against advanced cyber attacks. 
Red teams are mostly offensive security professionals who are experts in attacking systems and breaking defenses.
Blue teams are defensive security professionals who maintain internal network defenses against all cyber attacks and threats. Red teams simulate attacks against blue teams to test the effectiveness of the network’s security.
These red and blue team exercises provide a full security solution ensuring strong defenses.

Luca, Security Solutions and Operations

VAPT, Red Team activities and Adversary Simulation can be a good way to test cybersecurity team response capabilities. Integrating the MITRE ATT&CK framework into security processes and leveraging tools like EDR/NDR/XDR, adversary simulation systems and integrated threat intelligence tools developed based on the MITRE framework completes the security arsenal.

2. Incident Response

Q: How do you monitor network traffic data at work and gather insights into malicious activities? Which tools do you prefer? What sets them apart from other tools?

Avishek, Data Scientist
Choose the correct data source, pick the correct points on the network to monitor and check the flows and packet payloads for suspicious content.

Luca, Security Solutions and Operations
To analyse network traffic I leverage both network taps and SPAN ports to forward sniffed traffic to an NDR, and ingest NetFlow into a SIEM.
The first allows for near real time detection of suspicious activities and also supports network forensics, while the second has the capability to correlate NetFlow information with security events and the log data lake, enabling deep insights into ongoing activities in the network.

Shiva, Director of Security Operations
We have a network monitoring tool that collects device, user and location attributes, and we have a machine learning model that helps track unusual activities and behaviour requiring investigation as part of the zero trust policy.
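The two ideas in Avishek's and Luca's answers (pick the right vantage point, then correlate flow records with the identity data already in the SIEM) can be shown with a small script. This is an added example, not code from any contributor or from an NDR product: the flow record layout, the internal address ranges, the beacon and volume thresholds, and the sample flows and logon events are all constructed for the illustration. It flags outbound flows whose timing is too regular to be human (a beaconing heuristic) and hosts pushing an unusual volume to one external address, then attaches the user who was logged on to the source host at the time.

```python
"""Flow-level detections over NetFlow-style records, correlated with logon events.

Added example for the SecPro page; it is not code from any of the contributors.
The record layout, the detection thresholds and all sample data are assumptions
constructed for the illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumed internal address space; everything else is treated as external.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    ts: int          # flow start, seconds since epoch
    src: str
    dst: str
    dport: int
    bytes_out: int   # bytes sent from src to dst


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def beacon_candidates(flows, min_flows=6, max_cv=0.1):
    """(src, dst, dport) -> mean period, for outbound pairs whose inter-flow gaps
    are nearly constant.  A coefficient of variation of the gaps <= max_cv is the
    'too regular to be a human' heuristic; real C2 adds jitter, so tune max_cv."""
    stamps_by_pair = defaultdict(list)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            stamps_by_pair[(f.src, f.dst, f.dport)].append(f.ts)
    hits = {}
    for key, stamps in stamps_by_pair.items():
        if len(stamps) < min_flows:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits[key] = round(avg, 1)
    return hits


def exfil_candidates(flows, threshold=50_000_000):
    """(src, dst) -> total bytes, for internal hosts pushing >= threshold bytes
    to a single external host regardless of port."""
    totals = defaultdict(int)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            totals[(f.src, f.dst)] += f.bytes_out
    return {k: v for k, v in totals.items() if v >= threshold}


def who_was_logged_on(logons, host, ts):
    """User of the most recent logon on host at or before ts.
    logons: iterable of (ts, host, user), e.g. from an auth log in the SIEM."""
    prior = [rec for rec in logons if rec[1] == host and rec[0] <= ts]
    return max(prior, default=(None, None, None))[2]


def report(flows, logons):
    """Join the flow findings with the identity that held the source host."""
    first_seen = {}
    for f in flows:
        first_seen[(f.src, f.dst)] = min(first_seen.get((f.src, f.dst), f.ts), f.ts)
    findings = []
    for (src, dst, dport), period in beacon_candidates(flows).items():
        findings.append({"type": "beacon", "host": src, "dst": dst, "dport": dport,
                         "period_s": period,
                         "user": who_was_logged_on(logons, src, first_seen[(src, dst)])})
    for (src, dst), total in exfil_candidates(flows).items():
        findings.append({"type": "exfil", "host": src, "dst": dst, "bytes": total,
                         "user": who_was_logged_on(logons, src, first_seen[(src, dst)])})
    return findings


# Constructed sample data (not real traffic).
T0 = 1_700_000_000
SAMPLE_FLOWS = (
    # 10.0.0.5 calling out to 203.0.113.10:443 every 60 s: textbook beacon
    [Flow(T0 + 60 * i, "10.0.0.5", "203.0.113.10", 443, 1200) for i in range(8)]
    # 10.0.0.7 browsing 198.51.100.20:443 at irregular intervals: benign
    + [Flow(T0 + d, "10.0.0.7", "198.51.100.20", 443, 40_000)
       for d in (0, 17, 200, 205, 900, 1000)]
    # 10.0.0.9 pushing 80 MB over SSH to 203.0.113.50: volume outlier
    + [Flow(T0 + 300 * i, "10.0.0.9", "203.0.113.50", 22, 20_000_000) for i in range(4)]
)
SAMPLE_LOGONS = [(T0 - 1000, "10.0.0.5", "alice"), (T0 - 500, "10.0.0.9", "carol"),
                 (T0 + 100, "10.0.0.5", "bob")]

if __name__ == "__main__":
    for finding in report(SAMPLE_FLOWS, SAMPLE_LOGONS):
        print(finding)
```

The beacon check deliberately ignores payload, which is what makes it work on NetFlow from a SPAN port or a router export where no packet content is available; payload inspection, as Avishek notes, needs a tap or sensor that sees full packets. The thresholds are starting points, not tuned values.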

3. Data Security

Q: Are SAST (Static Application Security Testing) & DAST (Dynamic Application Security Testing) automation tools useful in securing web applications against vulnerabilities?

Avishek, Data Scientist
Static application security testing (SAST) is a white-box testing methodology. There are a number of clear advantages to using SAST over other security analysis approaches: there is no need for a running application in order to provide immediate benefit, and it eliminates the need to build even a partially functioning version of your product.
While Static Application Security Testing offers many benefits, the most significant is its ability to detect issues and mark their precise location, including the file name and line number. For each detected issue, the SAST tool will indicate its severity and offer a brief description.
On the surface, this ability to pinpoint problems may seem trivial, but finding problems is one of the most time-consuming aspects of a developer’s work. Hence it is useful.

Luca, Security Solutions and Operations
I consider SAST and DAST as a foundation for application security. I've no direct experience in deploying and running those tools, only in outcome analysis. Anyway, SonarQube and Burp Suite are respectively two valuable examples for the two categories.
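To make concrete what Avishek describes (a SAST tool reporting file, line, severity and a short description without running the code) and the kind of output Luca analyses from SonarQube, here is a miniature static analysis pass over Python source using the standard library's ast module. This is an added example, not code from SonarQube or any contributor; the rule set, the severity scheme and the sample target file are assumptions made for the illustration. It also shows the one refinement worth knowing about: a command built from a variable is rated higher than a constant command string, which is the simplest form of the data-flow reasoning real tools do.

```python
"""A miniature SAST pass over Python source with the Python ast module.

Added example for the SecPro page, not code from SonarQube or any contributor.
The rule set, severities and the sample source are assumptions made for the
illustration; a real tool carries thousands of rules and data-flow analysis.
"""
import ast
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    file: str
    line: int
    col: int
    severity: str
    rule: str
    message: str


def _call_name(call: ast.Call):
    """Dotted name of the callee: 'eval', 'os.system', 'subprocess.run', or None."""
    func = call.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return None


def _keyword(call: ast.Call, name: str):
    return next((kw.value for kw in call.keywords if kw.arg == name), None)


def _is_true(node) -> bool:
    return isinstance(node, ast.Constant) and node.value is True


def _is_literal(node) -> bool:
    return isinstance(node, ast.Constant)


SUBPROCESS = {"subprocess.run", "subprocess.call", "subprocess.check_call",
              "subprocess.check_output", "subprocess.Popen"}


def _check_call(filename: str, call: ast.Call):
    name = _call_name(call)
    where = (filename, call.lineno, call.col_offset)
    if name in ("eval", "exec"):
        return Finding(*where, "HIGH", "code-injection",
                       f"{name}() executes runtime data as code")
    if name in ("os.system", "os.popen"):
        return Finding(*where, "HIGH", "command-injection",
                       f"{name}() passes its argument to a shell")
    if name in SUBPROCESS and _is_true(_keyword(call, "shell")):
        # A constant command string is far less dangerous than a built one.
        sev = "LOW" if call.args and _is_literal(call.args[0]) else "HIGH"
        return Finding(*where, sev, "command-injection",
                       f"{name}(shell=True) interprets the command through a shell")
    if name in ("pickle.load", "pickle.loads"):
        return Finding(*where, "MEDIUM", "unsafe-deserialization",
                       "pickle can execute arbitrary code during load")
    if name == "yaml.load" and _keyword(call, "Loader") is None:
        return Finding(*where, "MEDIUM", "unsafe-yaml",
                       "yaml.load() without an explicit safe Loader")
    return None


def scan_source(filename: str, source: str):
    """Return Findings for one file, ordered by line and column."""
    tree = ast.parse(source, filename=filename)
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            finding = _check_call(filename, node)
            if finding:
                findings.append(finding)
    return sorted(findings, key=lambda f: (f.line, f.col))


# Constructed sample target (not a real project); line numbers are 1-based.
SAMPLE_SOURCE = """\
import os, subprocess, pickle, yaml

def run(cmd):
    return subprocess.run(cmd, shell=True)

def load(blob):
    return pickle.loads(blob)

def fixed(args):
    return subprocess.run(["ls", "-l", args], shell=False)

def ping(host):
    os.system("ping -c 1 " + host)

def cfg(text):
    return yaml.load(text)

def safe_cfg(text):
    return yaml.safe_load(text)
"""

if __name__ == "__main__":
    for f in scan_source("app.py", SAMPLE_SOURCE):
        print(f"{f.file}:{f.line}:{f.col} [{f.severity}] {f.rule}: {f.message}")
```

Running it on the sample reports lines 4, 7, 13 and 16 and stays silent on the hardened `fixed()` and `safe_cfg()` variants, which is exactly the developer-facing value Avishek points at: the finding lands on the line to change. The limits are equally visible: nothing here follows data across function boundaries, so a DAST pass such as Burp Suite against the running application remains the complementary check.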

Q: Where is the best place to gain hands-on experience to become a SOC (Security Operations Center) Analyst? How do you go about getting involved in the field?

Khairil, Head of Cybersecurity
The best place is the job itself: experiencing anomalies based on reports, finding the source and fixing it. A SOC will help as much as the ability of the staff to understand what happened.

Tobias, DevOps
Udemy. YouTube. eBooks.

Avishek, Data Scientist
Each organization that seeks to hire a SOC analyst will have unique experience requirements for candidates. However, most organizations require that SOC analyst candidates have earned a bachelor's degree in computer science or another relevant field, as well as at least one year of IT work experience.

Q: What is the most effective way to break the encryption after a ransomware attack? How would you approach locked files?

Luca, Security Solutions and Operations
In case any decryption tools have been developed it could be worth trying them, but the only way is to ensure a proper and complete backup and solid restore capabilities and solutions.
I tend to avoid paying the ransom, first of all so as not to finance criminal organizations, and also because there's no guarantee of recovering the data. Indeed, you risk falling victim to attacks again as a known good payer.

Avishek, Data Scientist
Identify and isolate the infection. Then report to the authorities. Best is to get rid of the infection.
A good backup solution is generally used to approach locked files.

Khairil, Head of Cybersecurity
Not many success stories here. We do engage with some tools made available by AV vendors that use leaked private keys. For the locked files, we usually identify the important files and try to recover them from the HDD sectors or from the cloud backup.
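All three answers come back to the same point: the recovery that actually works is a backup you can prove restores cleanly. The script below is an added example, not code from any contributor or backup product, showing the check a practitioner would want in place before an incident: a SHA-256 manifest taken at backup time, and a verification step that tells encrypted-in-place files, renamed or deleted originals and dropped ransom notes apart from untouched data. The directory layout, the manifest format and the simulated "encryptor" (which only overwrites, renames and drops a note, with no real encryption) are assumptions constructed for the illustration.

```python
"""Backup manifest and restore verification with SHA-256.

Added example for the SecPro page; not code from any contributor or backup
product.  The manifest format and the simulated incident are assumptions made
for the illustration.
"""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """relative path -> sha256 for every regular file under root."""
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify(root: Path, manifest: dict) -> dict:
    """Compare a tree against a manifest.  'changed' catches in-place encryption,
    'missing' catches renamed or deleted originals, 'unexpected' catches the
    .locked files and ransom notes an encryptor leaves behind."""
    current = build_manifest(root)
    return {
        "ok": sorted(p for p in manifest if current.get(p) == manifest[p]),
        "changed": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def simulate_incident() -> dict:
    """Back up a small constructed tree, damage it the way a ransomware run
    would, verify, then restore from the copy and verify again."""
    work = Path(tempfile.mkdtemp())
    live, backup = work / "live", work / "backup"
    (live / "docs").mkdir(parents=True)
    (live / "docs" / "plan.txt").write_text("quarterly plan\n")
    (live / "docs" / "budget.csv").write_text("q1,100\nq2,120\n")
    (live / "notes.md").write_text("keep calm\n")

    shutil.copytree(live, backup)
    manifest = build_manifest(live)
    (backup / "MANIFEST.json").write_text(json.dumps(manifest))

    # Constructed stand-in for the encryptor: overwrite one file, rename one,
    # and drop a ransom note.  No real encryption is involved.
    (live / "docs" / "plan.txt").write_bytes(os.urandom(64))
    (live / "notes.md").rename(live / "notes.md.locked")
    (live / "README_RESTORE.txt").write_text("pay us\n")
    after_attack = verify(live, manifest)

    # Restore from the copy and check it against the stored manifest:
    # a backup is only as good as a verified restore.
    shutil.rmtree(live)
    shutil.copytree(backup, live)
    stored = json.loads((live / "MANIFEST.json").read_text())
    (live / "MANIFEST.json").unlink()
    after_restore = verify(live, stored)

    shutil.rmtree(work)
    return {"after_attack": after_attack, "after_restore": after_restore}


if __name__ == "__main__":
    print(json.dumps(simulate_incident(), indent=2))
```

Two practical notes: keep the manifest (or at least a signed copy of it) somewhere the backup host cannot write to, otherwise an attacker with access to the backup can rewrite it along with the data; and run the restore-and-verify step on a schedule, since a backup that has never been restored is an assumption, not a capability.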

Q: Although you did not intend to create a virus, the antivirus blocks your program as a "threat". How do you review your code and find the problem in the code?

Khairil, Head of Cybersecurity
AV usually detects using a unique pattern or behaviour of the application. In case of the AV detecting on the source file, the string is usually replaced with non-offensive words. For compiled files, it is usually trial and error to remove function calls and compile again. Some sample files will also be submitted to the AV vendor for evaluation and whitelisting.

Luca, Security Solutions and Operations
Based on the evidence provided by the AV, I look for functions or procedures in the source code which could mimic threat behaviour. It could also be possible to execute a sandbox analysis in order to find suspicious activities in the code. Then it's necessary to re-engineer those sections in order to avoid triggering the AV.

Avishek, Data Scientist
Reviewing the code and debugging is the only solution. The code must adapt to the entire new environment.
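Khairil's trial-and-error removal of function calls and Luca's hunt for the section that mimics a threat both come down to one question: which bytes of the build is the scanner reacting to? For a signature-based detection that question can be answered in a few dozen scans rather than by rebuilding blindly, because a slice that contains the flagged bytes stays flagged, so the boundaries can be bisected. The script below is an added example, not code from any contributor and not a driver for any real AV product: `flagged()` is a stand-in scanner that matches a made-up marker string, and the "program" is constructed filler bytes with that marker placed at offset 1000. In practice you would replace `flagged()` with a function that writes the slice to a file and runs your vendor's command-line scanner on it, then rewrite or re-engineer the code behind the reported range, or submit the sample to the vendor as Khairil describes.

```python
"""Locating the bytes that make a scanner flag a file, by bisection.

Added example for the SecPro page; it is not code from any contributor and
does not drive a real AV product.  `flagged()` is a stand-in scanner that
matches a made-up marker; swap in a function that writes the slice to disk
and invokes your AV's command-line scanner to use it for real.
"""

# Constructed "signature" and file.  A real scanner's pattern is unknown to you;
# that is precisely why the search treats the scanner as a black box.
DEMO_SIGNATURE = b"FAKE-SIGNATURE-FOR-DEMO"


def flagged(blob: bytes) -> bool:
    """Stand-in for 'does the AV flag this file?'.  Assumption: the verdict is
    monotone, i.e. a slice that contains the flagged bytes is still flagged.
    Behavioural detections do not satisfy this, so use sandbox output for those."""
    return DEMO_SIGNATURE in blob


def locate_trigger(blob: bytes, scan=flagged):
    """Return (start, end) of the smallest slice blob[start:end] the scanner
    still flags, using O(log n) scans instead of removing code piece by piece.
    Raises ValueError if the whole file is clean."""
    if not scan(blob):
        raise ValueError("scanner does not flag the input")
    # Smallest prefix length that is still flagged.
    lo, hi = 0, len(blob)
    while lo < hi:
        mid = (lo + hi) // 2
        if scan(blob[:mid]):
            hi = mid
        else:
            lo = mid + 1
    end = lo
    # Largest start offset such that blob[start:end] is still flagged.
    lo, hi = 0, end
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if scan(blob[mid:end]):
            lo = mid
        else:
            hi = mid - 1
    return lo, end


def scan_count(blob: bytes):
    """Same search, but also returns how many scanner calls it took."""
    calls = 0

    def counting_scan(b):
        nonlocal calls
        calls += 1
        return flagged(b)

    return locate_trigger(blob, counting_scan), calls


def build_sample() -> bytes:
    """A constructed 'program': arithmetic filler bytes (which cannot contain
    the marker) with the marker spliced in at offset 1000."""
    filler = bytes((i * 7) % 251 for i in range(1500))
    return filler[:1000] + DEMO_SIGNATURE + filler[1000:]


if __name__ == "__main__":
    sample = build_sample()
    (start, end), calls = scan_count(sample)
    print(f"flagged bytes at [{start}:{end}] after {calls} scans: {sample[start:end]!r}")
```

Once the range is known, map it back to source with the linker map or a disassembler and you have the function to rewrite, which is the targeted version of Khairil's "remove function call and compile again". If the scanner still flags a file with that range zeroed, the detection is behavioural or heuristic rather than a byte pattern, and Luca's sandbox-analysis route is the right next step.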

Stay up to date with the latest threats

Our newsletter is packed with analysis of trending threats and attacks, practical tutorials, hands-on labs, and actionable content. No spam. No jibber jabber.