Is GCIA Practical for an Intrusion Analyst?

win2k8
This may sound like a dumb question; after all, the certification's title says "Intrusion Analyst". But someone let me see his Security 503 books (granted, they were about 4 years old), and after glancing at them my initial reaction was: is learning all this going to be worth my time? At my current job we definitely don't use tcpdump or windump, and it seems like this whole certification is based on that tool. As for raw packet analysis, I don't see the value of that either. I mean, that's why we have various IDS sensors on our network to detect packets that are suspicious. It's certainly not practical for an Intrusion Analyst these days to do raw packet analysis. Also, we use full session replay software like NetWitness, which again defeats the point of performing manual packet capture. I just really don't see how doing manual packet capture analysis will be worth it in the future, IMO. It would be interesting to hear others' views on this. I guess I am trying to find out if enrolling in the SANS 503 class will be beneficial to me in my environment, based on the information I provided above. Also, if somebody who has the current set of SANS 503 books can clarify: is tcpdump or windump still the tool they use in the books?


  • chaser7783
    I'm currently studying for GCIA, and I am a network security analyst.

    Absolutely this will be worth your time, and an IDS will not catch everything; the books even point out why. If you cannot read raw packets, how will you see evasion or insertion attempts? Also, as an analyst, if a customer gives you a pcap and asks you to analyze the traffic and see if there is a threat, how do you plan on doing that? On the other hand, what if the customer wants a pcap of an ongoing attack? What if you need to log onto the sensor and view spanned traffic to verify an attack is ongoing or has stopped?

    The book does drill down on tcpdump, but that is because the tool is lightweight and very effective for viewing traffic; it also states that tools like Wireshark/tshark are much better. They also talked about p0f, SiLK and a few others.

    Being able to properly read raw packet data can help with determining whether an alert is a false positive or legitimate, and will lead to sensor tuning. Also, what if your sensor is not finding the true source IP because the traffic is going through a proxy or CDN? Being able to look at the payload and see a Real-IP or XFF with the true source can help.

    I just have a hard time understanding how an Intrusion Analyst doesn't see the value of being able to understand and read what is really going on, and instead depends solely on a product. If you don't understand what is going on and rely on a product to do all your work, you are nothing more than a product specialist.
  • bigmantenor
    ^This. Coming from the same background (also a network security analyst), I agree with the above 100%. We use tcpdump all the time at my shop; it may not be the sexiest tool in the toolbox, but it is still around for a reason. If you understand how to use the various filters and command-line options, it can be very powerful. I know of several places that will make you perform raw packet analysis at some level during your interview, so I would not be so quick to dismiss its use in the field. As far as the GIAC goes, I can't speak to that as I haven't seen the material or taken the class, but I imagine it could be useful for someone like yourself who does not yet see the value in manual pcaps. If you do end up taking the course, be sure to come back and do a review, as I'm sure many of us are considering doing this at some point.
  • docrice
    While examining payloads is important, if you don't understand how packets are structured, intentionally (or maliciously) mis-structured, or understand/recognize patterns of abnormality with your network based on non-payload indicators, then you as an intrusion analyst are making a lot of assumptions which will lead to missed events of interest.

    There's a reason why tcpdump is such a fundamentally important tool - it's very portable, fast, and is accessible for basic, low-level tasks. Since it's a simpler tool, it's more secure than functionally-rich tools like Wireshark. The more complex a tool, the higher the likelihood of software bugs/vulnerabilities. Wireshark is great, but you're relying on a ton of dissectors which decode the protocols. If there's a software issue, misinterpretation of the payload can happen and you won't be able to do good analysis. You can't always assume that what the tool is showing you is a hundred percent accurate.

    As a matter of fact, I have a one-packet interview test that I ask my candidates to see where they go with it. If they choose to use Wireshark, that's fine, but it has a high potential to lead them astray.

    As intrusion analysts, we have to be aware that ultimately the evidence we're combing through is comprised of bit streams where specific sequences of ones and zeroes represent certain values (and thus the ultimate message, its formatting, transmission parameters, and so on). There may be times when you'll have to dig into the headers and look for oddities. If there's corruption, you're responsible for spotting it. There are lots of clues everywhere. I've had some rare instances where I had to look at the hex dump and decode by hand.

    Tuning intrusion detection systems requires that low-level knowledge, because there's no such thing as an out-of-the-box IDS that will catch everything (or won't have false positives). If you're going to write an IDS signature, it's important to know the various headers and protocol formatting. It's also important to understand that these systems tend to be sensitive and thus more prone to false-positive events or evasions: if something in the payload is shifted and off by one byte, the sensor could miss it. Many times, when you're baselining an environment, application, network segment, or host, you'll probably use a simple tool like tcpdump to grab what you can, quickly gain insight at a high level by chopping things down into logical groups, maybe do some drill-downs, and then perhaps do payload-level analysis as a follow-up for the deep dive.

    Tools like NetWitness are great, but without the underlying fundamental knowledge that supports the payload content, you're missing out on the larger picture of the mission. It's one thing to know how to read a recipe and make dinner from it, but it's a whole different level when you understand the chemical interactions in the cooking process and are able to adjust to the tastes of your dinner guests.
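The two concrete points made in this thread, docrice's "dig into the headers and look for oddities / decode by hand" and chaser7783's "see the Real-IP or XFF with the true source in the payload", are shown below as a worked example. It is added here and is not code from either poster or from the SANS 503 material. The packets it decodes are constructed in the script (IPv4 + TCP + a small HTTP request with an X-Forwarded-For header); the addresses, ports and the four-NOP IP options block are assumptions, not a real capture. The example decodes the IP and TCP headers from their own length fields, verifies the IP header checksum, flags total-length mismatches, and contrasts that with a "naive" decoder that assumes a 20-byte IP header, which misreads the ports as soon as the header carries options, the kind of one-offset slip the post above describes.

```python
import socket
import struct
from typing import Dict, List, Tuple

# Constructed sample HTTP request (not a real capture). The leftmost XFF entry is the
# client as first seen by the proxy chain; the IP source address is only the proxy.
SAMPLE_HTTP = (
    b"GET / HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"X-Forwarded-For: 203.0.113.7, 10.0.0.5\r\n"
    b"\r\n"
)


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (checksum field already zeroed)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(payload: bytes, ip_options: bytes = b"", src: str = "10.0.0.5",
                 dst: str = "192.0.2.10", sport: int = 51515, dport: int = 80) -> bytes:
    """Construct an IPv4 + TCP (PSH/ACK) packet with a valid IP checksum. Options must be 4-byte aligned."""
    ihl = 5 + len(ip_options) // 4
    total_len = ihl * 4 + 20 + len(payload)
    ip_no_ck = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0x1234, 0x4000,
                           64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst)) + ip_options
    ip_hdr = ip_no_ck[:10] + struct.pack("!H", ip_checksum(ip_no_ck)) + ip_no_ck[12:]
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000, 5 << 4, 0x18, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload


def naive_ports(pkt: bytes) -> Tuple[int, int]:
    """What a lazy decoder does: assume a 20-byte IP header and read the ports at a fixed offset."""
    return struct.unpack("!HH", pkt[20:24])


def parse_ipv4_tcp(pkt: bytes) -> Dict:
    """Decode IP and TCP headers from their length fields, recording every oddity found."""
    findings: List[str] = []
    if len(pkt) < 20:
        raise ValueError("shorter than a minimal IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _frag, _ttl, proto, ck,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4:
        findings.append("IP version %d" % version)
    if ihl < 20 or ihl > len(pkt):
        findings.append("IHL of %d bytes is impossible for this packet" % ihl)
        ihl = 20
    if total_len != len(pkt):
        findings.append("IP total length %d != %d bytes on the wire" % (total_len, len(pkt)))
    if ip_checksum(pkt[:10] + b"\x00\x00" + pkt[12:ihl]) != ck:
        findings.append("IP header checksum mismatch")
    if proto != 6:
        findings.append("protocol %d is not TCP" % proto)
    tcp = pkt[ihl:]
    if len(tcp) < 20:
        findings.append("TCP header truncated")
        return {"findings": findings, "ihl": ihl, "sport": None, "dport": None, "payload": b""}
    sport, dport, _seq, _ack, doff_res, flags, _win, _tck, _urg = struct.unpack("!HHIIBBHHH", tcp[:20])
    doff = (doff_res >> 4) * 4
    if doff < 20 or doff > len(tcp):
        findings.append("TCP data offset of %d bytes is impossible" % doff)
        doff = 20
    return {"findings": findings, "ihl": ihl, "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "sport": sport, "dport": dport, "flags": flags, "payload": tcp[doff:]}


def x_forwarded_for(payload: bytes) -> List[str]:
    """Pull the client chain from an HTTP request's X-Forwarded-For header (leftmost = original client)."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"x-forwarded-for":
            return [v.strip().decode("ascii", "replace") for v in value.split(b",") if v.strip()]
    return []


if __name__ == "__main__":
    plain = build_packet(SAMPLE_HTTP)
    with_opts = build_packet(SAMPLE_HTTP, ip_options=b"\x01\x01\x01\x01")  # four NOP options, IHL = 6
    for label, pkt in (("plain", plain), ("with IP options", with_opts)):
        r = parse_ipv4_tcp(pkt)
        print(label, "naive ports:", naive_ports(pkt), "real ports:", (r["sport"], r["dport"]),
              "XFF:", x_forwarded_for(r["payload"]), "findings:", r["findings"])
    damaged = bytearray(plain)
    damaged[8] = 1  # constructed corruption: TTL rewritten without fixing the checksum
    print("damaged findings:", parse_ipv4_tcp(bytes(damaged))["findings"])
```

On the packet with IP options the naive decoder reports ports 257/257 (it is reading the four NOP bytes), while the IHL-aware decoder still sees 51515 to 80 and finds nothing wrong; the same packet with its TTL altered is caught by the checksum check, and a packet cut short on capture is caught by the total-length check. The XFF list is only as trustworthy as the proxy that wrote it, so treat the leftmost entry as a lead to verify, not as proof of origin.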