Threat actors are constantly developing new tactics, techniques, and procedures (TTPs) to exploit vulnerabilities and infiltrate networks. However, the simple truth is that it all still goes over TCP/IP and ethernet – so there are always packets. This means that packets are the purest method of understanding how the endpoints involved in an attack are communicating with one another.
In this article, we’re going to kick off a comprehensive deep-dive with a high-level look at threat hunting using Wireshark and packet captures, providing you with the knowledge and tools to enhance your organization’s security posture.
For great info on using Wireshark and Threat Hunting in general, look no further than the heroes over at Black Hills InfoSec: https://www.blackhillsinfosec.com/getting-started-with-wireshark/
Understanding the Basics of Threat Hunting
Before we dive into the technical aspects, it’s essential to grasp the fundamental concept of threat hunting. Unlike traditional cybersecurity measures that rely on known signatures and patterns to detect threats, threat hunting is a proactive approach that involves actively seeking out signs of malicious activity within a network.
The Role of Wireshark in Threat Hunting
Wireshark is a widely used open-source packet analysis tool that allows network administrators and security professionals to capture and analyze network traffic. It provides deep visibility into the packets traversing a network, enabling the detection of anomalies and potential security threats.
Here’s how Wireshark can be a valuable tool in your threat-hunting arsenal:
- Packet Capture: Wireshark captures packets in real-time, providing a detailed record of network traffic. This data can be invaluable for investigating security incidents or identifying suspicious patterns.
- Protocol Analysis: Wireshark can dissect and analyze various network protocols, helping you understand how data is transmitted between devices. Anomalies or deviations from expected behavior can be early indicators of security issues.
- Filtering Capabilities: Wireshark offers powerful filtering options, allowing you to focus on specific network traffic, such as traffic to or from a particular IP address or port. This helps in narrowing down your search for potential threats.
The Process of Threat Hunting with Wireshark
- Define Objectives: Start by defining your threat-hunting objectives. What are you looking for? Suspicious patterns, unusual traffic, or signs of compromise? Having clear objectives will guide your analysis.
- Capture Relevant Data: Begin capturing network traffic using Wireshark. You can set up filters to capture traffic of interest, such as traffic from a specific IP address or involving specific ports.
- Analyze Packets: Once you have captured enough data, analyze the packets. Look for anomalies, unusual communication patterns, or any signs of malicious activity. Pay attention to:
- Unusual traffic spikes or patterns.
- Unexpected communication between devices.
- Suspicious payloads or data exfiltration attempts.
- Correlation: Correlate the information you gather from packet captures with other security data sources, such as logs from firewalls or intrusion detection systems (IDS). This helps in validating your findings and understanding the broader context.
- Incident Response: If you identify a potential threat, follow your organization’s incident response procedures. Isolate affected systems, gather additional evidence, and take appropriate actions to mitigate the threat.
References:
- P. Olziersky, B. Smulders, and D. Richardson, “Network Threat Hunting with Wireshark,” SANS Institute, 2017.
- B. Cowan and C. Miron, “Proactive Threat Hunting with Network Traffic Analysis,” Security Intelligence, IBM, 2020.