Given a scenario, analyze the results of a network reconnaissance.
CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives Version 3.0
While gathering reconnaissance data about a network, the raw data must be turned into actionable information. The first type of analysis is point-in-time analysis. Sources for such analysis may include packet captures, NetFlow records and wireless captures. Tools for analyzing these data sources may include packet analyzers like Wireshark, NetFlow analyzers like
Over longer periods of time, the data can be analyzed for baselines, trends, and patterns. The more you know about what is “normal”, the easier it is to detect abnormalities. Security Information and Event Management (SIEM) tools such as QRadar and Splunk are one type of tool that can be useful in analyzing the data. MRTG, SolarWinds Orion, and LibreNMS are examples of tools that can use Simple Network Management Protocol (SNMP) counters to present data for trending analysis.
Anomaly Analysis vs Trend Analysis
Anomaly analysis focuses on finding unusual or abnormal events. These anomalies could include abnormal traffic volume, abnormal traffic types, or a system with a higher-than-normal traffic profile. One issue with anomaly analysis is that many systems tend to generate false positives that must be investigated. Anomaly analysis focuses on
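As an added example (not from the CySA+ objectives or from any of the tools named above), the following Python script ties the baseline idea from the trending section to the anomaly analysis described here. It builds a per-host baseline from constructed NetFlow-style records (bytes per time window, plus the set of protocol/port pairs each host normally talks to) and then flags the three anomaly types the text mentions: a window whose volume is far above the host's baseline, a traffic type the host has never used, and a host that was not in the baseline at all. The host addresses, byte counts, window numbering and the 3-standard-deviation threshold are assumptions chosen for the example.

```python
"""Baseline-and-anomaly analysis over constructed flow records (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    window: int      # time bucket index, e.g. one per hour (assumed)
    src: str         # source host
    dst_port: int
    proto: str
    bytes: int


# Constructed baseline: six windows of "normal" traffic for two hosts.
BASELINE_FLOWS = (
    [Flow(w, "10.0.0.5", 443, "tcp", b)
     for w, b in enumerate([1000, 1100, 900, 1050, 950, 1000])]
    + [Flow(w, "10.0.0.7", 443, "tcp", b - 100)
       for w, b in enumerate([500, 520, 480, 500, 510, 490])]
    + [Flow(w, "10.0.0.7", 53, "udp", 100) for w in range(6)]
)

# Constructed observation window: 10.0.0.5 sends five times its usual volume and
# talks to a port it never used; 10.0.0.7 is slightly up but normal; 10.0.0.9 is new.
OBSERVED_FLOWS = [
    Flow(6, "10.0.0.5", 443, "tcp", 4800),
    Flow(6, "10.0.0.5", 8443, "tcp", 200),
    Flow(6, "10.0.0.7", 443, "tcp", 430),
    Flow(6, "10.0.0.7", 53, "udp", 100),
    Flow(6, "10.0.0.9", 443, "tcp", 300),
]


def bytes_by_host_window(flows):
    """Total bytes sent per host per window."""
    totals = defaultdict(lambda: defaultdict(int))
    for f in flows:
        totals[f.src][f.window] += f.bytes
    return totals


def build_baseline(flows, k=3.0, floor_fraction=0.05):
    """Per-host mean/stdev of bytes per window and the services (proto, port) seen.

    The stdev is floored at floor_fraction * mean so that a host with a perfectly
    flat history does not get flagged for a trivial change (a common source of
    false positives in anomaly detection). Assumes each host has traffic in every
    baseline window.
    """
    totals = bytes_by_host_window(flows)
    services = defaultdict(set)
    for f in flows:
        services[f.src].add((f.proto, f.dst_port))
    baseline = {}
    for host, per_window in totals.items():
        values = list(per_window.values())
        mu = mean(values)
        sigma = max(pstdev(values), floor_fraction * mu)
        baseline[host] = {
            "mean": mu,
            "stdev": sigma,
            "threshold": mu + k * sigma,
            "services": services[host],
        }
    return baseline


def find_anomalies(flows, baseline):
    """Return (host, window, reason) findings for volume, traffic-type and new-host anomalies."""
    findings = []
    totals = bytes_by_host_window(flows)
    for host, per_window in totals.items():
        base = baseline.get(host)
        if base is None:
            findings.append((host, None, "new host not present in baseline"))
            continue
        for window, total in sorted(per_window.items()):
            if total > base["threshold"]:
                findings.append((host, window,
                                 f"volume {total} exceeds threshold {base['threshold']:.0f}"))
    seen = set()
    for f in flows:
        base = baseline.get(f.src)
        key = (f.src, f.window, f.proto, f.dst_port)
        if base and (f.proto, f.dst_port) not in base["services"] and key not in seen:
            seen.add(key)
            findings.append((f.src, f.window, f"new service {f.proto}/{f.dst_port}"))
    return findings


if __name__ == "__main__":
    base = build_baseline(BASELINE_FLOWS)
    for host, b in base.items():
        print(f"{host}: mean={b['mean']:.0f} threshold={b['threshold']:.0f}")
    for host, window, reason in find_anomalies(OBSERVED_FLOWS, base):
        print(f"ANOMALY {host} window={window}: {reason}")
```

Running the script prints one volume finding and one new-service finding for 10.0.0.5 and a new-host finding for 10.0.0.9, while 10.0.0.7 stays quiet even though it is slightly above its mean. The stdev floor is the knob that trades sensitivity for false positives: raising `floor_fraction` or `k` reduces alerts, lowering them surfaces smaller deviations that an analyst must then triage.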