Network Forensic 10/22

Internship Information

Eligibility
- Open to all students (undergraduate, graduate, international)
- International students can utilize CPT (Curricular Practical Training) or PTA (Practical Training Authorization)
- Age requirement: Must be at least 18 years old to apply
GPA and Work Experience
- There is no minimum GPA requirement
- No prior work or internship experience required
Internship Positions
- Multiple internship positions available
- Preferred skills vary by individual internship position; check specific internship descriptions on the company's webpage
- Important to include projects, examples, and case studies in your resume, showcasing how skills were applied in real projects (coursework or outside projects)
- Required application material: Resume only
- Include skills and project experiences in your resume
Application Process
- Positions for technology, marketing, business, and design internships available
- Ensure to differentiate between job and internship listings when applying
- Application deadline: November 3
- Submission methods: Online application form and video interview
- Complete online form and submit video interview within two days
- Video interview questions provided later, likely similar to online application form
Selection Process
- Step 1: Fill out the online application
- Step 2: Complete the video interview, recording specific responses
- Step 3: Application screening and selection for a second round in-person interview (in December)
- Interviews most likely take place at the Philadelphia office
- Remote interview options available for candidates unable to attend in-person
- Total internship openings: Up to 95 positions across departments
Internship Details
- All internships start June 1 for a duration of ten weeks
- On-site internships required at Philadelphia headquarters
- Internship is paid
- For inquiries, students can email the company with specific questions

Wireshark and Network Traffic Analysis

Introduction to TCP Dump and Windows
- Ensure necessary drivers are installed and network interface is in promiscuous mode
- Use command tcpdump -D to find available interfaces
- Use command tcpdump -i [interface] to specify the interface for listening
- Additional parameters:
- -w to output files
- -v and -vv for verbosity
- Press Control + C to exit the command
- Help menu available with man tcpdump; exit help with q, no built-in help in Windows, need to access online resources
Workshop Overview
- Lab three involves using Wireshark to analyze network traffic
- Three portions of the workshop:
- Collection of network traffic captured
- Higher information display in the second portion showing protocol headers and translated details
- Hexadecimal view of raw data in the third portion
Headers and Data Translation
- Displaying headers organized by network layers:
- Data Link Layer
- Network Layer
- Transport Layer
- Application Layer
- Use expand/collapse functionality in Wireshark to see detailed information
Filtering Methods
- Two types of filters in Wireshark:
- Display Filter: For selecting which packets to display based on set criteria
- Capture Filter: For determining which packets to capture during a capture session
- Common filter syntax includes:
- ip.addr for IP address filtering
- ip.src for source IP
- ip.dst for destination IP
- icmp for ICMP protocol filtering (use icmp6 for IPv6)
Statistics and Endpoints
- Access endpoint statistics from the statistics menu to summarize unique network endpoints
- Summarization available based on MAC addresses, IP addresses, and transport layer protocols (TCP/UDP)
Capture File Properties
- Information about capture file origin and device used for traffic capture
- Method for connecting filters to create more complex queries
Handling SYN Flood Attacks
- Description of SYN Flood Attack and its methods:
- Resource Exhaustion Attack: Targeting computational resources by saturating half-open connections with SYN messages
- Bandwidth Exhaustion Attack: Saturating the network bandwidth
- Attackers may spoof their IP addresses to exploit server vulnerabilities without receiving SYN-ACK responses
Countermeasures
- Increase computer resources to prevent denial of service conditions
- Modify system settings, such as halving the timer for half-open states
- Employ firewall rules to manage incoming traffic and potential malicious sources
- Behavior monitoring for historical traffic patterns

Homework Assignment Three Overview

Assignment Focus
- Analyzing provided datasets using Wireshark
- Questions address:
- Date collected
- Software used
- Operating system employed
- Unique IP addresses involved
- Specific packet filters for SYN packets and time stamps
- Listing open ports and MAC address retrieval scenarios
- Analyzing data and network conversations
- Assignment timeframe: Two weeks to complete

Chapter Five Overview: Attacking Types

Attack Objectives
- Diverse attacker motivations ranging from sensitive data theft, service disruption, to humiliation of developers
- Examples of past attacks provide context, including the 2016 and 2017 incidents involving major data breaches and denial of service instances
Identifying Attack Features
- Recognizing signatures and features of different types of attacks to inform artifact collection efforts
- Emphasizing the need for timely responses based on identified attack types and objectives
Denial of Service Condition
- Strategies for executing denial of service attacks include causing resource exhaustion, traffic saturation, and exploiting system bugs.
- Analyzing SYN Flood attacks as a sub-type of denial of service
Tools for Analysis
- Review of various tools such as NetworkMiner offering insights into end-to-end communication instead of discrete packets
- Understanding how combined filtering aids analysis of network traffic and possible attack scenarios
Key Takeaways from Network Monitoring Lessons
- Final thoughts on ongoing learning of network traffic analysis and defensive measures
- Importance of vigilance in monitoring and responding to network security threats