New job offer, network security analyst, how to prepare?

SephStorm Member Posts: 1,731 ■■■■■■■□□□
As the title states, I may be offered a job doing network security analysis, viewing logs and traffic analysis. While I did well in the technical interview it was suggested that I brush up before I come on. Does anyone have some resources to really get into the things I may be working with, Wireshark, Splunk, etc.?

Comments

  • the_Grinch Member Posts: 4,165 ■■■■■■■■■■
    Nmap Network Scanning <--Most of the Nmap Book

    Lots of stuff on YouTube for Wireshark, along with a number of books.
    WIP:
    PHP
    Kotlin
    Intro to Discrete Math
    Programming Languages
    Work stuff
  • MrAgent Member Posts: 1,310 ■■■■■■■■□□
    I find the videos on YouTube to be a great resource when I am trying to learn new things or simply practice. It's very helpful to see how things are really done.
  • SephStorm Member Posts: 1,731 ■■■■■■■□□□
    What skills are most useful? Right now I'm looking into Splunk and I will brush up on Wireshark and Splunk. What else will be useful?
  • lsud00d Member Posts: 1,571
    Reviewing IDS/IPS traffic, regexes, and logs could be of assistance...check out Snort.
  • jvrlopez Member Posts: 913 ■■■■□□□□□□
    Capture and study some pcaps.

    Find and study real world examples of malicious and suspicious activity.
    And so you touch this limit, something happens and you suddenly can go a little bit further. With your mind power, your determination, your instinct, and the experience as well, you can fly very high. ~Ayrton Senna
  • YFZblu Member Posts: 1,462 ■■■■■■■■□□
    Doing analysis is telling a story with the traffic, and making all the puzzle pieces fit. When you get alerts as an analyst your duty is to determine the 'who, what, why' - What is this alert? What is it looking for? Why did it fire in this instance? Is it a false positive or a legitimate hit? Whose traffic is this, and does it make sense given that context?

    One of the more beneficial things you could do is set up a Squid proxy (it's easy to do), and begin to analyze your own web / network traffic. What sites did, why, etc. Brushing up on how to interpret / read Snort rules would be good as well. Splunk syntax can be really straightforward, I wouldn't worry too much about it right now unless you're going to be admin'ing it...but that doesn't sound like the case.

    Additionally, being an analyst in a high-traffic environment really gives you a chance to learn a lot about the web at large - Enjoy!
  • YFZblu Member Posts: 1,462 ■■■■■■■■□□
    If you'd like to see some badness PM me - I have a few domains I keep an eye on which are serving malicious code to their vulnerable end users. For good measure I have notified each one multiple times; however they don't seem to care.

    You'd visit the site in a vulnerable VM, and take a look at the proxy logs before, during, and post-compromise. It's not anything too serious, it's commodity malware - Last time I checked it was redirecting to the Glazunov exploit kit which was dropping ZeroAccess.
  • lsud00d Member Posts: 1,571
    +1 to @YFZblu, Squid is great. I managed a multi-site Squid cluster-tiered proxy system previously and it was great to look at the logs and see the flow of traffic. I constructed ACLs within Squid to block back-end HTTP traffic that is not visible in your normal browsing session...blew my mind when I noticed a local news website was serving up Backpage ads!! Sometimes the ad traffic doesn't get reviewed, I guess...this is how malicious content and drive-bys can get into legit websites.
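YFZblu's advice to read your own proxy logs and lsud00d's point about watching the flow of traffic through Squid are the same exercise. Here is an added example (not from any poster in this thread) that parses Squid's default native access.log format, rebuilds each client's sequence of hosts, and flags a redirect that hands off to a new host followed by an executable download; the log lines are constructed, not real traffic.

```python
import re
from collections import defaultdict

# Squid native access.log: time elapsed client code/status bytes method URL rfc931 peer/host type
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<code>\S+)/(?P<status>\d{3})"
    r"\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)

# Constructed sample (not real traffic): a client reads a news site, an ad slot pulls in a
# third-party domain, which redirects to another host that serves an executable.
SAMPLE_LOG = """\
1357000000.100 120 10.0.0.5 TCP_MISS/200 18342 GET http://news.example/ - HIER_DIRECT/198.51.100.10 text/html
1357000000.400 80 10.0.0.5 TCP_MISS/200 2210 GET http://ads.example.net/serve.php?id=9 - HIER_DIRECT/198.51.100.20 text/html
1357000000.600 45 10.0.0.5 TCP_MISS/302 0 GET http://ads.example.net/go?u=abc - HIER_DIRECT/198.51.100.20 text/html
1357000000.900 210 10.0.0.5 TCP_MISS/200 312000 GET http://cdn-upd.example.org/setup.exe - HIER_DIRECT/203.0.113.7 application/octet-stream
1357000001.000 30 10.0.0.9 TCP_HIT/200 5120 GET http://news.example/style.css - HIER_NONE/- text/css
"""

def parse(log_text):
    """Yield one dict per well-formed native-format line; silently skip anything else."""
    for line in log_text.splitlines():
        m = SQUID_RE.match(line)
        if m:
            e = m.groupdict()
            # host is the third slash-separated piece of an absolute URL; CONNECT lines are host:port
            e["host"] = e["url"].split("/")[2] if "://" in e["url"] else e["url"].split(":")[0]
            yield e

def story_per_client(log_text):
    """Return {client: [hosts in visit order]}: the 'who went where, in what order' view."""
    story = defaultdict(list)
    for e in parse(log_text):
        if not story[e["client"]] or story[e["client"]][-1] != e["host"]:
            story[e["client"]].append(e["host"])
    return dict(story)

def flag_suspicious(log_text):
    """Return (client, url, reason) for two patterns worth a second look: an executable body
    served to the client, and a request that lands on a new host right after a 3xx redirect."""
    findings, prev = [], {}
    for e in parse(log_text):
        if e["ctype"] == "application/octet-stream" or e["url"].lower().endswith((".exe", ".dll")):
            findings.append((e["client"], e["url"], "executable download"))
        p = prev.get(e["client"])
        if p and p["status"].startswith("3") and p["host"] != e["host"]:
            findings.append((e["client"], e["url"], f"landed here after redirect from {p['host']}"))
        prev[e["client"]] = e
    return findings
```

Real logs mix many clients, so keying the previous request per client (as above) is what keeps a redirect from one user's session from being paired with another user's download.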