Chapter 1

Introduction

Introducing Network Intrusion Analysis

When we first discussed writing this book our main question was, what is the goal of the book? We did not want it to be just another text book that someone could read and maybe understand. Our goal was to make it a learning guide. We wanted the reader to be able to follow along and work through the analysis as they read.

The book will provide the reader with an inside look at not only the analysis of a network intrusion but also the process of conducting the intrusion itself.

As the great Sun Tzu has stated:

So a military force has no constant formation, water has no constant shape: the ability to gain victory by changing and adapting according to the opponent is called genius.1

– Sun Tzu, The Art of War.

The intrusion analyst must be able to adapt to the ever-changing tactics used by intruders. The analyst must also keep current with emerging technologies, hardware, and applications. You will never stop learning in this field, which makes for a very exciting career.

This guide is not intended to make the reader a “hacker,” because, as we can attest, we are not hackers ourselves. What the reader will hopefully get from this guide is an understanding of the process involved in both the intrusion of a network and the analysis of that intrusion. The techniques and processes you will learn here form a solid foundation that you can then build upon. Once you have that foundation, you will have the skills required to adapt to changing attacks and intrusions, and you can tailor new tools and techniques you learn to your own analysis style and needs. An intrusion analyst faces many challenges. Some are easily overcome, while others may never be. You will run into challenges that are outside your control, and in those cases you can only suggest ways to alleviate them.

Some of the challenges you will encounter include:

• Networks of global proportion.

• Multiple operating system environments.

• Larger organizations will have teams of people performing separate facets of the entire analysis process.

• Polymorphic attacks.

• Zero-day exploits.

• Advanced persistent threats (APT).

• Tracing sources.

• Time, money, and resources.

• International laws.

These are just a few, and we could spend many hours deliberating a complete list. The point is that you will always have challenges; how you deal with them is what will separate you from the crowd.

The first process we will explore is that of the attacker. There are five base phases of an intrusion. You will hear them referred to in many different ways. We will refer to them in this book as the following:

1. Pre-intrusion actions.

2. Intrusion methods.

3. Maintaining access.

4. Exploitation.

5. Post-exploitation actions.

Outside of this text, you may also hear these phases referred to as:

1. Reconnaissance.

2. Attack.

3. Entrenchment.

4. Abuse.

5. Obfuscation.

Whichever names you choose to call them by is irrelevant. You must, however, understand what occurs during each phase and where you may find potential evidence of it.

The process for conducting an analysis is also made up of phases and steps that need to be taken. We will introduce you to one set of core steps to follow when conducting a network intrusion analysis. Here is where your ability to change and adapt according to the evidence comes into play. The ability to change and adapt comes with time, experience and a desire to learn.

We will guide you through the following steps/phases of an analysis:

1. Incident response—probably the most critical step.

2. Volatile data analysis.

3. Network analysis.

4. Host analysis.

5. Malware analysis.

6. Remediation.

7. Finalizing the analysis.

Each of the following chapters will walk you through one aspect of either an intrusion into a network or the analysis of that intrusion. Along the way you will be provided with tips, tricks, and step-by-step actions. A list of all the tools used will be provided. They include open source tools, which you can download as needed, and commercial products, which you must purchase if you wish to use them.

In summary, this book is not meant to be the all-inclusive, definitive guide to a network intrusion analysis. That project would end up being the size of the complete Encyclopedia Britannica, which we have no intention of doing. This book is meant to be a foundation building reference for the individual looking to start a career in this line of work. The chapters ahead will provide you with that solid foundation and understanding of all the skills needed.

1The Art of War, Sun Tzu. Translated by Thomas Cleary. Shambhala Publications, Inc., 1988, p. 113.
