Analyzing the WRCCDC PCAP dump using TrisulNSM : Part 1 Approach

The good folks at WRCCDC 1) were kind enough to release packet captures (PCAPs) of the recently concluded event. The entire corpus is roughly 1TB. Now the question is: what tools can help you unravel the information in the PCAPs?

This is Part 1 of a 3-part series.

Where to start with giant PCAP dumps

The strategy for avoiding being overwhelmed by giant PCAPs is the same one you use when capturing live traffic from a big network for the very first time. You start from what you know about the organization and build a baseline analysis. Then you spread out into different analysis paths depending on what you are looking for. The tooling you have must support this process end to end.

In this particular case, here is what we know for sure:

  1. the PCAPs are published by WRCCDC
  2. these are from a cyber defense competition
  3. they are big. Big enough to make packet-level tools like Wireshark, NetworkMiner, etc. impractical as a first-line tool

We like to divvy up the work into two distinct task sets:

  1. Monitoring Tasks : Look around at a higher level, trying to spot patterns, gain understanding and watch for outliers. The goal here is to gain total visibility and then discover potential Drilldown tasks.
  2. Drilldown Tasks : You've already identified something that needs further investigation. You now need tooling to increase resolution on that path alone and complete the investigation. The ideal end point for this in NSM is to drill down to the packet level.

Monitoring

We like to build a baseline understanding of the network from the PCAPs from the following four angles, in that order.

1: Traffic Analytics

The first step is to get the “lay of the land”. We created TrisulNSM to excel in this area. You can try answering these traffic questions.

2: Flow Analytics

Once you have a solid understanding of the traffic profiles, the next step is to ask basic questions about the flows 2). These yield the second level of understanding.

3: Alerts

Next you can look at the same PCAPs from a security angle. You can use Snort or Suricata with all rules enabled and also use a Cyber Crime Intel feed to check your traffic. The TrisulNSM Docker image uses Suricata with all rules from the Emerging Threats Open Ruleset to run a second pass over the PCAP dump. This gives a really good baseline security view from which you can tee off into more detailed exploration.

We generally enable all rules while looking at PCAPs because we have the luxury of time and CPU. A large rule load can result in packet drops on live networks, but it is doable in offline mode.

4: More advanced Traffic Analytics

Steps 1-3 will give you a rather solid foundation. By this time you should have at least a dozen potential starting points to dig deeper. For example: “Hey, I am seeing a dozen 500MB+ downloads, need to check what they are”. At this point we like to dig a little deeper into the advanced counter groups that are available in TrisulNSM out of the box. These give excellent medium resolution for you to investigate. Some of the useful counter groups are:

Trisul gives you 20 more counter groups, but the above five are good medium resolution starting points.

Drilling down

The relevant factor in Drilldown is whether the analyst is looking for something specific. A security-oriented analyst may only want to follow certain drilldown paths from certain starting points. A more general threat-hunting analyst might want to drill down on all possible leads. These techniques are useful:

  1. Top-K/Bottom-K : You can use these to find heavy hitters and rare items.
  2. Graph Analytics : Expand a particular item to reveal connected items.
  3. Resources : View metadata like TLS Certificates, HTTP Headers and DNS records from lower-resolution items such as an HTTP error code or a rare TLS cipher.
  4. Full Text Search : With tools based on log analysis such as Splunk or ELK you can query for logs and aggregations. TrisulNSM is based on streaming analytics but has limited FTS (Full Text Search) capability for HTTP Headers and TLS Certificates.
  5. Files : Dump executables and potentially troublesome downloads. TrisulNSM can extract files of any size and show them.
  6. Flows : The second-to-last level of drilldown. From an IP, App or other item you can pull up a list of flows.
  7. Packets : The final level of drilldown. After this you should have all the information you need to decide whether any escalation is required for action outside the NSM toolset.
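To make the flow-analytics step (Monitoring, step 2) and the Top-K/Bottom-K and Flows drilldown techniques above concrete, here is a small added example. It is not TrisulNSM code and does not read the WRCCDC dump; it builds a tiny PCAP in memory from constructed records, parses it, aggregates packets into flows using the definition from footnote 2 (TCP/UDP 5-tuples, plus port-less IP-level flows such as GRE), and then reports the heaviest flows by bytes and the rarest flows by packet count. All addresses, ports and sizes are made up for illustration.

```python
"""Flow aggregation with Top-K / Bottom-K over a PCAP (added example, not TrisulNSM code).
The PCAP is constructed in memory below; no real traffic is involved."""
import struct
from collections import defaultdict

ETH_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP, PROTO_GRE = 6, 17, 47


def ip_bytes(dotted):
    """'10.0.0.5' -> b'\\x0a\\x00\\x00\\x05'"""
    return bytes(int(o) for o in dotted.split("."))


def build_pcap(records):
    """Build a little-endian pcap (linktype 1 = Ethernet) from constructed
    (proto, src, dst, sport, dport, payload_len) tuples."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    ts = 0
    for proto, src, dst, sport, dport, plen in records:
        payload = b"\x00" * plen
        if proto == PROTO_TCP:
            l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
        elif proto == PROTO_UDP:
            l4 = struct.pack("!HHHH", sport, dport, 8 + plen, 0) + payload
        else:  # GRE or any other IP-level protocol: a 4-byte header, no ports
            l4 = struct.pack("!HH", 0, ETH_IPV4) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                         ip_bytes(src), ip_bytes(dst)) + l4
        frame = b"\x00" * 12 + struct.pack("!H", ETH_IPV4) + ip   # zero MACs + ethertype
        ts += 1
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out


def iter_packets(pcap):
    """Yield (ts_sec, frame_bytes) for each record in a classic pcap byte string."""
    magic = struct.unpack("<I", pcap[:4])[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("this example only handles Ethernet link type")
    off = 24
    while off + 16 <= len(pcap):
        ts_sec, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        yield ts_sec, pcap[off:off + incl_len]
        off += incl_len


def flow_key(frame):
    """Return (proto, src, dst, sport, dport) for an IPv4 frame, else None.
    Ports are 0 for IP-level flows (GRE, IPsec, ...), as in footnote 2."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    l4 = 14 + ihl
    sport = dport = 0
    if proto in (PROTO_TCP, PROTO_UDP) and len(frame) >= l4 + 4:
        sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
    return (proto, src, dst, sport, dport)


def aggregate_flows(pcap):
    """Map each flow key to its packet and byte counters."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for _, frame in iter_packets(pcap):
        key = flow_key(frame)
        if key is not None:
            flows[key]["packets"] += 1
            flows[key]["bytes"] += len(frame)
    return dict(flows)


def top_k(flows, k, metric="bytes"):
    """Heavy hitters: the k flows with the largest metric."""
    return sorted(flows.items(), key=lambda kv: kv[1][metric], reverse=True)[:k]


def bottom_k(flows, k, metric="packets"):
    """Rare items: the k flows with the smallest metric."""
    return sorted(flows.items(), key=lambda kv: kv[1][metric])[:k]


# Constructed sample: one large TLS-like download, a handful of DNS queries and a
# single GRE packet (the rare item). Addresses from documentation/private ranges.
SAMPLE = build_pcap(
    [(PROTO_TCP, "10.0.0.5", "203.0.113.9", 51000, 443, 1400)] * 20
    + [(PROTO_UDP, "10.0.0.5", "10.0.0.1", 53001, 53, 40)] * 5
    + [(PROTO_GRE, "10.0.0.7", "10.0.0.8", 0, 0, 100)]
)

if __name__ == "__main__":
    flows = aggregate_flows(SAMPLE)
    print("Top-K by bytes:", top_k(flows, 2))
    print("Bottom-K by packets:", bottom_k(flows, 1))
```

On the sample, the TCP flow surfaces as the heavy hitter (20 frames of 1454 bytes each) and the lone GRE packet as the rarest flow, which is exactly the kind of outlier the Monitoring step hands off to Drilldown. Running the same aggregation over a real dump only changes the input; the parser already stops at the Ethernet/IPv4 assumptions it makes, so a different link type fails loudly instead of producing silently wrong counters.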

Next

Enough of theory. Part 2 of this series explains how you can get the TrisulNSM Docker image to run over the PCAP dump.

1)
Western Regional Collegiate Cyber Defense Competition
2)
Flows in TrisulNSM are defined as IP Flows, which include TCP and UDP flows as well as IP-level flows like GRE, IPSEC, etc.