For this assignment you will post your answers to the questions in each thread prior to 11:55 p.m. ET on Wednesday. You are required to respond to at least two of your classmates' posts by 11:55 on Sunday. Please do not be late with this post because your classmates will be relying on you to post on time. Your follow-up posts can add additional insight to a classmate’s opinions or can challenge their opinions. Use examples from the readings, or from your own research, to support your views, as appropriate. For your follow-up posts this week, you may wish to visit a couple of the web sites contributed by your classmates and share your opinion of these sites with the class. Be sure to read the follow-up posts to your own posts and reply to any questions or requests for clarification. You are encouraged to conduct research and use other sources to support your answers. Be sure to list your references at the end of your post. References must be in APA citation format. All posts must be a minimum of 250-300 words. All follow-up posts to your classmates must be a minimum of 150 words for each required post. Peer responses will not be accepted after the due date.
Distinguish between full content data (including collection tools), session data (including collection tools) and statistical data (including collection tools).
Forum Grading Rubric (100 Points)
Synthesis of Concepts 55
Clear Citations using APA format 10
Writing Standards 10
Timeliness 10
Peer Reviews (minimum of 2) 15
This assignment is a formative assessment for Course Objective 3.
Here are the two posts I need the replies to, in addition to the main post:
Class,
Just like any form of data, in any form of occupation or organization, there are various types.
Full content data is defined as “a rich form of evidence offering detail and opportunities seldom found elsewhere” (Bejtlich, 2005). But what does that really mean? To me it simply means that it has the most important information needed within the security realm, which allows analysts to dig deeper into some form of incident or concern.
Session data is the information/data that is being exchanged between two parties (Bejtlich, 2005). I guess you could look at it like two people who were in a car accident sharing their information. There are various pieces within, like source IP, port, destination IP, port, timestamp, and amount of info transferred. Each piece of data has its role within a network investigation.
Statistical data allows intrusions to be identified and validated (Bejtlich, 2005). Compare this to a puzzle: each piece may be the start of something, but the true picture of what may be identified cannot be shown until enough pieces are put together. They talk about baselines in our text: we know what normal looks like, but as you continue to monitor and look deeper into something you may find a trend that doesn’t seem correct. Maybe a system normally only reaches out to X, and over time you identify that Y is being reached more frequently for no reason. Enough data will show you a sign, and by further research you find what may not be as normal as it seems from a sampling of data.
Data is only data until you bring it together. With the proper understanding of each, an analyst can quickly identify what may be a cause for concern or something normal.
References
Bejtlich, R. (2005). The Tao of Network Security Monitoring. Boston: Addison-Wesley. Retrieved from Vitalsource: https://online.vitalsource.com/#/books/9781269650335/cfi/6/2!/4/16/6@0:91.2
In computer forensics, you have various ways to collect digital information in a network security setting. They are full content, session and statistical data.
This first category we will communicate falls under the full content section. In respect to this aspect, TCPDump is quite frankly the main go-to collection tool. It may seem antique, but it is a very stable tool. The tool collects data in an unfiltered way that allows for tremendous elasticity for analysis. This means that simply implementing this tool to operate and get the traffic, there will be a high chance in catching your perpetrator. Overall, this tool in collecting full content gives your intruder very little chance to evade from leaving a footprint. It allows you the most amount of ability to develop an incident handling process.
In session data collection a popular tool to use is Argus. Session tools allow you to gather information for particular transfers and transmissions in information interactions. This tool integrates various protocols and summarizes traffic in a session format. It generates tables without storing the full content and analyzing it on the back end. It does not function properly in the midst of application data, and can be bypassed by intruders through covert pathways to fool it. However, Argus is quite good in other ways. It works well with UDP. It keeps track of traffic coming in over ICMP. Using Argus requires practice to get familiar with.
In the final category, one particular tool in the statistical category is Snort. It is an event data detection machine. It has the ability to modify and add signatures in a rapid fashion that allows for great flexibility. This type of categorical tool is used to compare and analyze traffic to common baseline traffic.
In conclusion, full content data reveals the full extent of traffic on a network. Session data summarizes data transmissions between two entities (Bejtlich, 2004), and statistical data does particular analysis of the data and traffic.
Reference
Bejtlich, R. (2004). The Tao of Network Security Monitoring: Beyond Intrusion Detection. Pearson Education Inc., MA.
Course Material stuff:
Chapter 7. Session Data
Session data represents a summary of a conversation between two parties. It’s so important I devote all of Chapter 15 to a case study using this form of information. Here I explain multiple ways to collect session data. Once you see how easy it is to collect and work with it, I expect you will be anxious to try any one of the methods explained here.
A session, also known as a flow, a stream, or a conversation, is a summary of a packet exchange between two systems. Connection-oriented protocols like TCP are most suited to representation in session form because there is usually a clear beginning, middle, and end to a TCP session. Connectionless protocols like UDP and ICMP are not as structured as TCP, but those in request-response format can be approximated in session format as well. Even one-way “conversations,” such as a series of SYN packets sent to multiple hosts during a reconnaissance sweep, can be recognized as a certain type of conversation.
Chapter 8. Statistical Data
So far we’ve discussed two forms of network-based information used to identify and validate intrusions. First we explored full content data, in which every element of a packet is available for analysis. In some cases we care about header details, but more often the application content is what we need. Next we looked at session data, where conversations between parties are summarized to include IP addresses, ports, protocols, timestamps, and counts of data transferred. Analyzing session data is the easiest way to track the timing and movements of some intruders. Collection of both forms of data is content neutral; we generate full content or session data regardless of the information conveyed by those forms.
We can limit the field of view of full content or session data tools through BPFs and other configuration mechanisms. Such limitations are imposed in high-traffic environments or used to focus attention on a specific IP address, port, or protocol. Even within those constraints, collection is still a content-neutral affair. A BPF of udp and port 53 to Tcpdump will catch a port 53 UDP-based back door and also collect normal DNS traffic.
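As an added example (not from the course text or either classmate's post), the Python below takes constructed packet-header records of the kind a tcpdump capture would supply, summarises them into session records keyed on source IP, source port, destination IP, destination port and protocol, and then builds the statistical view the first post describes: per-host peer counts compared against a baseline so that a host which starts talking to a new DNS server stands out. All addresses, byte counts and the baseline are constructed sample values.

```python
from collections import defaultdict

# Constructed full-content headers: (timestamp, src, sport, dst, dport, proto, bytes).
# Payloads are omitted; a real collector would read these from a tcpdump pcap.
PACKETS = [
    (100.0, "10.0.0.5", 51000, "192.0.2.10", 53, "udp", 60),
    (100.1, "192.0.2.10", 53, "10.0.0.5", 51000, "udp", 120),
    (101.0, "10.0.0.5", 51001, "192.0.2.10", 53, "udp", 62),
    (101.1, "192.0.2.10", 53, "10.0.0.5", 51001, "udp", 118),
    (102.0, "10.0.0.5", 51002, "198.51.100.7", 53, "udp", 900),  # new peer, large queries
    (102.2, "198.51.100.7", 53, "10.0.0.5", 51002, "udp", 1400),
    (103.0, "10.0.0.5", 51003, "198.51.100.7", 53, "udp", 910),
]

# Constructed baseline: 10.0.0.5 is only expected to resolve names via 192.0.2.10.
BASELINE = {"10.0.0.5": {"192.0.2.10"}}


def sessions(packets):
    """Summarise packets into bidirectional flows (session data): first/last
    timestamp, packet count and bytes in each direction. Reply packets are
    matched to the flow opened by the initiator by reversing the 5-tuple."""
    flows = {}
    for ts, src, sport, dst, dport, proto, size in packets:
        fwd, rev = (src, sport, dst, dport, proto), (dst, dport, src, sport, proto)
        key, direction = (rev, "bytes_to_src") if rev in flows else (fwd, "bytes_to_dst")
        f = flows.setdefault(key, {"first": ts, "last": ts, "packets": 0,
                                   "bytes_to_dst": 0, "bytes_to_src": 0})
        f["last"] = max(f["last"], ts)
        f[direction] += size
        f["packets"] += 1
    return flows


def peers_by_host(flows):
    """Statistical view: bytes each initiating host sent to each responder."""
    stats = defaultdict(lambda: defaultdict(int))
    for (src, _sp, dst, _dp, _proto), f in flows.items():
        stats[src][dst] += f["bytes_to_dst"]
    return stats


def new_peers(stats, baseline):
    """Hosts whose observed peers are not in the baseline, with the unseen peers."""
    out = {}
    for host, dests in stats.items():
        unseen = set(dests) - baseline.get(host, set())
        if unseen:
            out[host] = sorted(unseen)
    return out


if __name__ == "__main__":
    flows = sessions(PACKETS)
    for key, f in flows.items():
        print(key, f)
    print("hosts with peers outside baseline:", new_peers(peers_by_host(flows), BASELINE))
```

Note that the collection step is content neutral, as the chapter says: the flow records look the same for the legitimate resolver and for the new peer, and only the comparison against the baseline separates them.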