A Deep Dive into Intrusion Analysis, Malware Incidents, and Extraction of Forensic Evidence
Buch, Englisch, 462 Seiten, Format (B × H): 178 mm x 254 mm, Gewicht: 895 g
ISBN: 978-1-4842-9290-7
Verlag: Apress
Take a systematic approach at identifying intrusions that range from the most basic to the most sophisticated, using Wireshark, an open source protocol analyzer. This book will show you how to effectively manipulate and monitor different conversations and perform statistical analysis of these conversations to identify the IP and TCP information of interest.
Next, you'll be walked through a review of the different methods malware uses, from inception through the spread across and compromise of a network of machines. The process from the initial “click” through intrusion, the characteristics of Command and Control (C2), and the different types of lateral movement will be detailed at the packet level.
In the final part of the book, you'll explore the network capture file and identification of data for a potential forensics extraction, including inherent capabilities for the extraction of objects such as file data and other corresponding components in support of a forensics investigation.
After completing this book, you will have a complete understanding of the process of carving files from raw PCAP data within the Wireshark tool.What You Will Learn- Use Wireshark to identify intrusions into a network
- Exercise methods to uncover network data even when it is in encrypted form
- Analyze malware Command and Control (C2) communications and identify IOCs
- Extract data in a forensically sound manner to support investigations
- Leverage capture file statistics to reconstruct network events
Zielgruppe
Professional/practitioner
Autoren/Hrsg.
Fachgebiete
Weitere Infos & Material
Chapter 1: Customization of the Wireshark Interface
Chapter Goal: - Learn how to edit the columns of the Wireshark user interface. Explore important items to include in the interface for performing intrusion and malware analysis
No of pages - 18
Sub -Topics
1. Identifying columns to delete from the default displays
2. Adding the source and destination ports for easy traffic analysis
3. Specialty column customization for malware analysis
Intrusions Chapter 2: Capturing Network TrafficChapter Goal: Setup a network capture in Wireshark
No of pages: - 24
Sub - Topics
1. Prerequisites for capturing live network data
2. Working with Network Interfaces
3. Exploring the network capture options
4. Filtering While Capturing
Chapter 3: Interpreting Network ProtocolsChapter Goal: A deep understanding of the network protocols at the packet level
No of pages : 30
Sub - Topics:
1. Investigating IP, the workhorse of the network
2. Analyzing ICMP and UDP3. Dissection of TCP traffic
4. Reassembly of packets
5. Interpreting Name Resolution
Chapter 4: Analysis of Network AttacksChapter Goal: Understand the hacking mindset and leverage that to identify attacks
No of pages: 30
Sub - Topics:
1. Introducing a Hacking Methodology
2. Examination of reconnaissance network traffic artifacts
3. Leveraging the statistical properties of the capture file
4. Identifying SMB based attacks
5. Uncovering HTTP/HTTPS based attack traffic
Chapter 5: Effective Network Traffic FilteringChapter Goal: Use of the complex filtering capability of Wireshark to extract attack data
No of pages: 35
Sub - Topics:
1. Identifying filter components2. Investigating the conversations
3. Extracting the packet data4. Building Filter Expressions
5. Decrypting HTTPS Traffic Chapter 6: Advanced Features of WiresharkChapter Goal: A fundamental review and understanding of the advanced features of Wireshark
No of pages: 35
Sub – Topics:
1. Working with cryptographic information in a packet
2. Exploring the protocol dissectors of Wireshark
3. Viewing logged anomalies in Wireshark4. Capturing traffic from remote computers
5. Command line tool tshark6. Creating Firewall ACL rules
Chapter 7: Scripting and interacting with WiresharkChapter Goal: Using scripts to extract and isolate data of interest from network capture files
No of pages: 30
Sub – Topics:
1. Lua scripting
2. Interaction with Pandas
3. Leveraging PyShark
Malware Chapter 8: Basic Malware Traffic AnalysisChapter Goal: Develop an understanding of the different stages of a malware infection
No of pages: 36
Sub – Topics:
1. Customization of the interface for malware analysis
2. Extracting the files3. Recognizing URL/Domains of an infected site
4. Determining the connections as part of the infected machine
5. Scavenging the infected machine meta data
6. Exporting the data objects
Chapter 9: Analyzing Encoding, Obfuscated and ICS Malware TrafficChapter Goal: Identify the encoding or obfuscated method in network traffic
No of pages: 40
Sub – Topics:
1. Investigation of njRAT
2. Analysis of Wanna Cry
3. Exploring Cryptolocker
4. Dissecting TRITON
5. Examining Trickbot6. Understanding exploit kits
Chapter 10: Dynamic Malware Network ActivitiesChapter Goal: Review and understand malware network activity as it happens
No of pages: 40
Sub – Topics:
1. Setting up network and service simulation2. Monitoring malware communications and connections at run time and beyond
3. Detecting network evasion attempts
4. Investigating Cobalt Strike Beacons
5. Exploring C2 backdoor methods
6. Identifying Domain Generation Algorithms Forensics Chapter 10: Extractions of Forensics Data with WiresharkChapter Goal: Learn different methods of extracting different types of case related and potential forensics evidence
No of pages: 30
Sub – Topics:
1. Interception of telephony data
2. Discovering DOS/DDoS
3. Analysis of HTTP/HTTPS Tunneling over DNS
4. Carving files from network dataChapter 11: Network Traffic Forensics
Chapter Goal: An understanding of extraction of potential forensics data
No of pages: 30
Sub – Topics:
1. Isolation of conversations
2. Detection of Spoofing, port scanning and SSH attacks
3. Reconstruction of timeline network attack data
4. Extracting compromise data Chapter 12: ConclusionChapter Goal: Review and summary of covered content
No of pages: 10
