- Network traffic must be captured and its data frames decoded before it can be analyzed., - Define a “ Switched Port Analyzer (SPAN) “:, - This allows for the copying of ingress and/or egress communications from one or more switch ports to another., - Define a “ Packet Sniffer “:, - This is a piece of hardware or software that records data from frames as they pass over network media using methods such as a mirrored port or tap device., - A network sniffer should be placed inside a firewall or close to an important server., - Define “ tcpdump “:, - This is a data-network packet analyzer computer program that runs under a command line interface., - It allows the user to display TCP/IP and other packets being transmitted or received over a network to which the computer is attached., - Define “ Wireshark “:, - This is a free and open-source GUI-based packet analyzer that is used for network troubleshooting, analysis, software and communications protocol development, and education.

- Define a “ Full Packet Capture (FPC) “:, - This Captures the entire packet including the header and the payload for all traffic entering and leaving a network., - Define a “ Flow Collector “:, - This is a means of recording metadata and statistics about network traffic rather than recording each frame., - Flow analysis tools provides network traffic statistics sampled by a collector., - Define “ NetFlow “:, - This is a Cisco-developed means of reporting network flow information to structured database., - Gathers:, - Network protocol interface, - Version and type of IP, - Source and destination IP, - Source and destination port, - IPs type of service, - NetFlow provides metadata while packet captures provide a complete record of what occurred.

- Define “ Zeek (Bro) “:, - This is a hybrid tool that passively monitors a network like a sniffer and only logs data of potential interest., - Zeek performs normalization on the data., - This stores data as tab-delimited or Java Script Object Notation (JSON) formatted text files., - Define a “ Multi Router Traffic Grapher (MRTG)” , - This is a tool used to create graphs showing traffic flows through the network interfaces of routers and switches by polling the appliances using the Simple Network Management Protocol (SNMP).

- Malware is used to be configured to contact a specific static IP or DN, - Define “ Known-bad IP Addresses “:, - This is an IP address or range of addresses that appears on one or more blacklists., - Reputation-based risk intelligence is used to create IP/URL block lists., - Attackers now use domain generation algorithms to overcome block lists., - Domain Generation Algorithm (DGA):, - This is a method used by malware to evade block lists by dynamically generating domain names for C2 networks., - What are the 5 Steps attackers use:, - Attacker sets up one or more dynamic DNS (DDNS) services., - Malware code implements a DGA to create a list of new domain names., - A parallel DGA is used to create name records on the DDNS service., - The malware tries a selection of the domains it has created to connect to C2., - C&C server communicates with a new seed for the DGA to prevent being blocked., - Fast Flux Network is a method used by malware to hide the presence of C&C networks by continually changing the host IP addresses in domain records using domain generation algorithms., - If you get a high rate of NXDOMAIN errors when resolving the DNS, it could be an indicator of a DGA., - Define “ Secure Recursive DNS Resolver “:, - This occurs when one trusted DNS server communicates with several other trusted DNS servers to hunt down an IP address and returns it to the client.

- Define “ URL Analysis “:, - This is an activity that is performed to identify whether a link is already flagged on an existing reputation list, and if not, to identify what malicious script or activity might be coded within it., - What do we use these tools for:, - Resolving percent encoding., - Assessing redirection of the URL, - Showing source code for scripts in URL., - Define the “ HTTP Method “:, - This is a set of request methods to indicate the desired action to be performed for a given resource., - This is a request contains a method, a resource, a version number, the header, and the body of the request., - Define and Categorize “ HTTP Methods “:

- Define “ GET “:, - The principal method used with HTTP and is used to retrieve a resource., - Define “ POST “:, - This is used to send data to the server for processing by the requested resource., - Define “ PUT “:, - This creates or replaces the requested resource., - Deduce “ DELETE “:, - This is used to remove the requested resource., - Define “ HEAD “:, - This retrieves the headers for a resource only and ignores the body., - Define “ Characters “:, - Data submitted via a URL is delimited by the ‘?’ character. :, - Query parameters are usually formatted as one or more name=value pairs with ampersands (&) delimiting each pair., - A ‘#’ is used to indicate a fragment or anchor ID and it not processed by the webserver., - %27http%3A%2F%2Fabc123.com%2Frat%2Ejs

- Define “ HTTP Response Codes “:, - The header value returned by a server when a client requests a URL., - Define “ Common HTTP Response Codes “:, - Define “ 200 “:, - This Indicates a successful GET or POST request (OK)., - Define “ 201 “:, - This Indicates where a PUT request has succeeded in creating a resource., - Define “ 3xx “:, - This is any code in this range indicates that a redirect has occurred by the server., - Define “ 4xx “:, - Any code in this range indicates an error in the client request., - Define “ 400 “:, - This indicates that a request could not be parsed by the server., - Define “ 401 “:, - Indicates that a request did not supply authentication credentials., - Define “ 403 “:, - Indicates that a request did not have sufficient permissions., - Define “ 404 “:, - Indicates that a client is requested a non-existent resource., - “ 5xx “:, - Any code in this range indicates a server-side issue., - Define “ 500 “:, - Indicates a general error on the server-side of the application., - Define “ 502 “:, - Indicates a bad gateway has occurred when the server is acting as a proxy., - Define “ 503 “:, - Indicates an overloading of the server is causing service unavailability., - Define “ 504 “:, - Indicates a gateway timeout means an issue with theupstream server.

- Define “ Percent Encoding “:, - This is a mechanism to encode 8-bit characters that have specific meaning in the context of URLs, also known as URL encoding., - A URL can contain only unreserved and reserved characters from the ASCII set., - Define “ Unreserved Characters “:, - - | a-z A-Z 0-9 - . _ ~, - Define “ Reserved Characters “:, - - | :/?#[]@!$&'()*+,;=, - A URL cannot contain unsafe characters, these include:, - Null string termination, - carriage return, - line feed, - end of file, - tab, - space, - | \ < > { }, - Percent encoding allows a user-agent to submit any safe or unsafe character (or binary data) to the server within the URL., - WARNING:, - Percent encoding can be misused to obfuscate the nature of a URL (encoding unreserved characters) and submit malicious input as a script or binary or to perform directory traversal., - Some really tricky attackers may double-encode the URL by encoding the percent sign, too!