WEBVTT

00:07.220 --> 00:12.470
In this chapter, we're going to cover the various tools and detection methodologies to analyze malicious

00:12.470 --> 00:13.880
activity on your network.

00:13.910 --> 00:19.160
We're going to talk about network scanners, the DNS URL identification tools, strings and of course

00:19.160 --> 00:20.270
hashing utilities.

00:20.300 --> 00:24.980
We're going to demonstrate some different tools and show you how to actually use those tools to run

00:24.980 --> 00:30.170
tests on your own systems or networks to better prepare you for the CySA+ exam.

00:30.440 --> 00:35.480
In this episode, we're going to talk about packet captures and how to utilize them to identify different

00:35.480 --> 00:38.120
malware or malicious activity on your network.

00:38.150 --> 00:43.460
Specifically, we're going to use a tool called Wireshark to go through those specific packet captures

00:43.460 --> 00:49.640
and identify the process to look at those different malicious activities that could be utilized by an

00:49.640 --> 00:51.230
attacker on your own network.

00:51.260 --> 00:56.000
While the book covers TShark as well as Berkeley, we're not going to cover this in this episode as

00:56.000 --> 00:58.340
they're not part of the CySA+ requirements.

00:58.340 --> 01:00.530
And honestly, they're kind of outdated.

01:00.560 --> 01:02.090
We really don't use them that often.

01:02.120 --> 01:06.830
Packet capture is the idea of taking information that's crossing through your network and collecting

01:06.830 --> 01:10.220
that information in such a way that it logs everything.

01:10.220 --> 01:15.380
We can see different ports where it's going from IP address to IP address, and we can look at

01:15.380 --> 01:16.820
it from the reverse perspective.

01:16.820 --> 01:21.440
So not only can you see the packet of information going away from your computer system, you can see

01:21.440 --> 01:22.820
everything coming into it.

01:22.820 --> 01:28.040
You can also view other information across the network depending on where you have your sniffer put

01:28.040 --> 01:28.940
into place.

01:28.940 --> 01:33.890
That means I can sniff information at a switch and see the different aspects of traffic going both from

01:33.890 --> 01:35.840
the switch and away from the switch,

01:35.870 --> 01:41.600
if I have it set up correctly. We call this packet analysis, where we can go through and look at the

01:41.600 --> 01:46.670
different packets of information and trace not only the information that's going from and to it and

01:46.670 --> 01:50.150
from the device, but also the information that's passing through it.

01:50.150 --> 01:55.040
In the next chapter, we're actually going to go through Wireshark and show you how to set up Wireshark

01:55.040 --> 01:59.990
so it's easier to read and how to identify the different information tidbits that you need to be aware

01:59.990 --> 02:01.890
of to properly read the tool.

02:01.920 --> 02:06.960
Now, obviously we can't go through Wireshark and take 20 hours to go through every single aspect of

02:06.960 --> 02:12.720
it, but our hope is to give you a high level overview of it so that you can identify the basic principles

02:12.720 --> 02:16.260
of how Wireshark functions in order to pass the CySA+ exam.

02:16.410 --> 02:19.710
Wireshark is a packet capture and analysis tool.

02:19.710 --> 02:24.630
It allows you to view and capture data as it's moving throughout the network, so that you can actually

02:24.630 --> 02:26.340
view it and see what's going on.

02:26.370 --> 02:30.930
Now, we talked about some of the basic principles of how you can identify IP addresses and where it's

02:30.930 --> 02:36.240
going to, as well as where it's going from, but you can also identify malware signatures if you

02:36.240 --> 02:37.560
have it set up properly.

02:37.560 --> 02:43.050
You can also do protocol analysis, which means you can identify what protocol it's using, whether it's

02:43.050 --> 02:46.650
TCP or UDP, FTP or HTTP.

02:46.680 --> 02:51.300
You kind of get the point, but it goes through and actually identifies those different protocols that

02:51.300 --> 02:56.520
allows you to identify where it's coming from and what services it's most likely trying to utilize or

02:56.520 --> 02:58.650
address throughout the traffic patterns.

02:58.650 --> 03:04.290
We can also do a domain name system analysis, which pinpoints the IP address and links it to the name

03:04.290 --> 03:05.610
that the user input.

03:05.640 --> 03:10.950
For instance, if you put in something like Amazon.com, it will not only show you that the user tried

03:10.950 --> 03:15.270
to go to Amazon.com, but the associated IP address that's linked to it.

03:15.300 --> 03:21.420
This helps you to identify if maybe some DNS poisoning is going on, or some other DNS spoofing technology,

03:21.420 --> 03:27.030
which would allow you to succinctly identify those processes through malware activity.

03:27.060 --> 03:28.950
We can also identify the payload.

03:28.950 --> 03:34.740
If somebody sends a picture through Wireshark, or excuse me, through the network, Wireshark can identify

03:34.740 --> 03:41.010
it and you can actually pull that picture out exactly how the user had processed that picture.

03:41.010 --> 03:45.360
We can go through and identify different behaviors through the different processes.

03:45.360 --> 03:46.410
We can identify

03:46.410 --> 03:51.090
if the user went through one website and clicked on another website or a link for that website, we

03:51.090 --> 03:56.040
can identify what the user typed in and the different IP addresses that the user may have visited.

03:56.070 --> 04:00.770
Throughout this episode, we talked briefly about Wireshark and everything that comes in play with it.

04:00.800 --> 04:05.330
We talked about the different features and the tools that you can utilize within Wireshark to make your

04:05.330 --> 04:07.460
life a little bit better as an analyst.

04:07.490 --> 04:13.070
We talked about packet capture and how Wireshark, along with other tools, can capture files called

04:13.070 --> 04:14.060
pcap files.

04:14.090 --> 04:18.200
Wireshark is a phenomenal tool that you're going to use throughout your career.

04:18.200 --> 04:23.870
You should expect to see tidbits of Wireshark captures in your CySA+ exam.

04:23.900 --> 04:28.100
Now, don't worry, they're not going to have you going through at a very deep level that you may need

04:28.100 --> 04:34.130
to take a 40-hour course for, but what you can expect to see is small snippets or packet captures that

04:34.130 --> 04:38.000
have identified through a screenshot exactly what we're looking for.

04:38.030 --> 04:43.550
You should be able to identify whether something is a dictionary attack or a brute force attack.

04:43.580 --> 04:48.350
You should be able to identify what IP address the traffic came from, as well as where it's going to,

04:48.380 --> 04:53.060
the timestamp associated with it, as well as the other features associated with Wireshark.

04:53.090 --> 04:57.650
Don't worry, we're going to go through those in chapter ten and show you not only how to set that up,

04:57.650 --> 04:59.750
but how to read the Wireshark as well.
