
You're reading from  Network Protocols for Security Professionals

Product type: Book
Published in: Oct 2022
Reading level: Intermediate
Publisher: Packt
ISBN-13: 9781789953480
Edition: 1st Edition
Authors (2):

Yoram Orzach

Yoram Orzach is a senior networks and networks security advisor, providing network design and network security consulting services to a range of clients. Having spent thirty years in network and information security, Yoram has worked as a network and security engineer across many verticals in roles ranging from a network engineer, security consultant, and instructor. Yoram has gained his B.Sc. from the Technion in Haifa, Israel. Yoram's experience is both with corporate networks; service providers and Internet service providers' networks. His customers are Motorola solutions, Elbit Systems, 888, Taboola, Bezeq, PHI Networks, Cellcom, Strauss group, and many other hi-tech companies.

Deepanshu Khanna

Deepanshu Khanna is a 29-year-old information security and cybercrime consultant and a pioneer in his country. The young and dynamic personality of Deepanshu has not only assisted him in handling information security and cybercrimes but also in creating awareness about these things. He's a hacker appreciated by the Indian government, including the Ministry of Home Affairs and Defence, police departments, and many other institutes, universities, globally renowned IT firms, magazines, and newspapers. He started his career by presenting a popular hack of GRUB at HATCon. He also conducted popular research in the fields of intruder detection software (IDS) and Advanced Intrusion Detection Environment (AIDE) and demonstrated MD5 collisions and buffer overflows, among other things. His work has been published in various magazines such as pentestmag, Hakin9, e-Forensics, SD Journal, and hacker5. He has been invited as a guest speaker to public conferences such as DEF CON, ToorCon, OWASP, HATCon, H1hackz, and many other universities and institutes.

Using Behavior Analysis and Anomaly Detection

Many types of networks have emerged in the last decade. That includes Internet of Things (IoT) networks, industrial networks, Building Automation and Control (BAC) networks, and more. These networks connect devices that were previously linked through proprietary methods and are now moving to Internet Protocol (IP) connectivity. These devices include various types of sensors measuring temperature and humidity, motion detectors, proximity sensors, gas sensors, and security and surveillance cameras.

These evolutions brought about a new concept in network security. In the past, we used to protect the end units; today, however, it is in some cases more complex than that. We have millions of end devices of many types, and using the standard malware-detection systems on them is not always possible.

That brought about a new concept of information systems security. In addition to protecting the end devices (in some cases, instead of this), we listen...

Collection and monitoring methods

Viewing network traffic can be done in several ways, such as the following:

  • Simple Network Management Protocol (SNMP)
  • NetFlow and IP Flow Information Export (IPFIX)
  • Wireshark and network analysis tools
  • Streaming telemetry

Let's look at the information we can get from each one of them.

SNMP

Although considered by some as obsolete, SNMP is still by far the most popular network management tool. SNMP is based on a manager-agent model, where a management system (a manager in SNMP terminology) monitors devices by receiving information from the SNMP agent running on the communications device.

There are two ways that the SNMP manager (the management system) receives information from the agent, outlined as follows:

  • SNMP polling: This refers to when the SNMP manager periodically queries the agents on communication devices for their counters and status.
  • SNMP traps: This refers to when an agent on a communication device discovers a problem, and...

Establishing a baseline

Establishing a baseline is a task you must perform. It might sound difficult, but it's very simple when you know your network. In this section, we will talk about the common protocols that run in a typical enterprise network, and we will look at their typical traffic patterns.

Protocols that are common to enterprise networks can be categorized into several groups, as follows:

  • Internet access protocols—HTTP, HTTP Secure (HTTPS), Google QUIC (GQUIC), SMTP, POP, and DNS
  • Organizational applications—NetBIOS/SMB, Microsoft Terminal Services (MS-TS), database applications, and multicasts
  • Network protocols—Routing protocols, discovery protocols, monitoring protocols, and so on

Let's see some typical capture files and find out what we should see in organizational networks.

Small business/home network

In the following screenshot, we see a typical protocol hierarchy of a user connected to an organizational...

Typical suspicious patterns

Viruses, Trojans, worms, ransomware, and other types of malware can be executed on endpoints—this is what standard endpoint security software and systems protect against, but there are two major problems with this.

The first problem is that when one of these pieces of malware gets to your end device, it is being fought at the gate—that is to say, you fight it when it has already reached your devices. In most cases, you will win the war, but if you do not, the enemy is in your home.

The second, more common problem is that not all devices can be protected with standard endpoint security systems. You cannot install anti-virus on an IoT sensor; some of the software that is used is open source, which has no safety guarantee, and although the network access control (NAC) system approves users when they connect to the network, you can never be 100% sure that a private phone or laptop is not infected.

For this reason, one of the new concepts in...
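As an added example (not code from the book), here is how the two ideas above, a per-host traffic baseline and the scanning pattern in which a single station reaches out to the entire network, combine into a simple detector over NetFlow/IPFIX-style flow records. The flow tuples, addresses and thresholds are constructed for illustration.

```python
# Added example, not from the book: baseline a host's fan-out (distinct
# destinations seen) from flow records, then flag a host whose current
# fan-out far exceeds its baseline, i.e. one station sweeping the network.
from collections import defaultdict

# Constructed flow records: (src_ip, dst_ip, dst_port, packets).
BASELINE_FLOWS = [
    ("10.0.0.5", "10.0.0.1", 53, 4),
    ("10.0.0.5", "93.184.216.34", 443, 120),
    ("10.0.0.5", "10.0.0.20", 445, 60),
    ("10.0.0.7", "10.0.0.1", 53, 2),
    ("10.0.0.7", "10.0.0.20", 445, 30),
]

# Constructed "current" window: 10.0.0.7 suddenly touches 40 new hosts on
# one port with single-packet flows, the signature of a sweep.
CURRENT_FLOWS = BASELINE_FLOWS + [
    ("10.0.0.7", f"10.0.0.{i}", 445, 1) for i in range(30, 70)
]


def fan_out(flows):
    """Number of distinct destination IPs contacted by each source."""
    dests = defaultdict(set)
    for src, dst, _port, _pkts in flows:
        dests[src].add(dst)
    return {src: len(d) for src, d in dests.items()}


def find_scanners(baseline_flows, current_flows, ratio=5, min_dests=20):
    """Return {src: (baseline_fan_out, current_fan_out)} for sources whose
    current fan-out is at least `ratio` times their baseline and at least
    `min_dests`, so a host that goes from 1 to 3 peers is not flagged."""
    base = fan_out(baseline_flows)
    cur = fan_out(current_flows)
    suspects = {}
    for src, n in cur.items():
        expected = base.get(src, 1)  # host never baselined: assume 1 peer
        if n >= min_dests and n >= ratio * expected:
            suspects[src] = (expected, n)
    return suspects


if __name__ == "__main__":
    for src, (before, now) in find_scanners(BASELINE_FLOWS, CURRENT_FLOWS).items():
        print(f"{src}: baseline {before} destinations, now {now} (possible scan)")
```

In practice the baseline would be learned over days of exported flows per host, and the same fan-out logic applied per destination port separates a host sweep from a port scan of one target.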

Summary

In this chapter, we talked about discovering suspicious traffic patterns in a network. The most important insight from this chapter should be this: know your networks' and applications' behavior, and you will recognize any abnormal activity.

In this chapter, we learned about the tools that you can use to create a baseline, how to establish a baseline and understand the traffic that runs in a network, and the suspicious/abnormal activities that we should be aware of.

In the next chapter, we will start to get into more detail on protocols for detecting device-based attacks, looking at ARP, IP, and TCP/UDP.

So, let's revise what we have learned till now.

Questions

Here are a few questions to test your understanding of the chapter:

  1. NetFlow/IPFIX are protocols that are used for:
    1. Continuous monitoring of packets/bytes/bits per second
    2. Packet analysis and deep packet inspection (DPI)
    3. IP (Layer 3) and TCP/UDP (Layer 4) statistics
    4. All of the above
  2. In the Example 1.pcap capture file, you will see STUN packets. What are they used for in this example?
    1. Malware discovered in the end device (user laptop)
    2. A connection to Cisco Webex servers
    3. A connection to a streaming server that is used for video transmission
    4. A video conference application
  3. A network traffic baseline includes:
    1. Any information on users and what they send to or receive from networks
    2. IP addresses and TCP/UDP port numbers
    3. IP addresses and TCP/UDP port numbers and conversations
    4. Application types and TCP/IP information
  4. A scanning pattern will have the following identifiers (IDs):
    1. A single station that sends packets to the entire network
    2. Many stations that send packets to a single...
