💻 Software hacking Advanced ⏱ 260 min 👁 2 views

Network Forensics and Threat Intelligence: PCAP Analysis, IOC Extraction and TTP Mapping

Davide Russo @CyberSec_Italia · 24/05/2026 · updated 3 days ago

🧰 Required materials

  • Linux forensic workstation with tools
  • Wireshark and tshark
  • Zeek (formerly Bro) network monitor
  • Suricata IDS with the Emerging Threats ruleset
  • NetworkMiner for GUI file extraction
  • RITA (Real Intelligence Threat Analytics)
  • tcpdump for packet capture
  • MISP threat intelligence platform
  • OpenCTI as an alternative TIP
  • Security Onion comprehensive distribution
  • JA3 fingerprint database (abuse.ch)
  • STIX/TAXII tooling for intelligence sharing
  • jq for JSON parsing
  • Python with pandas and scapy for custom analysis
  • Sample PCAPs for practice (MalwareTrafficAnalysis.net)
  • Lab traffic-generation environment

Network forensics is a critical discipline in modern cybersecurity: the network is the unavoidable crossroads through which every malicious activity passes, from initial compromise to data exfiltration. Analysing network traffic with a rigorous methodology makes it possible to reconstruct the attack chain ...

📋 Steps

  1. Network forensics lab setup
    Configure a Linux forensic workstation with Wireshark, tshark, Zeek, Suricata, NetworkMiner and RITA. Set up a lab traffic-generation environment: a target network with several hosts (Windows client, Linux server) on which you simulate web browsing, file transfers and suspicious activity. Capture point: a hub or tap setup, or tcpdump on the gateway. Provision enough storage for hours of PCAP for testing. The Security Onion distribution bundles all of these tools in a single integrated solution. Set up a MISP instance for threat intelligence platform integration.
  2. Capture strategy and tcpdump
    Choose a strategic capture point: gateway egress (captures outbound C2), an internal switch SPAN port (captures lateral movement), a tap in front of the firewall (captures inbound exploitation). Capture command: tcpdump -i eth0 -w capture.pcap -G 3600 -W 24 writes a new file every hour, up to 24 files (give the file name a strftime pattern such as capture-%Y%m%d%H%M.pcap, otherwise each rotation overwrites the same file). Apply a BPF capture filter to reduce volume: tcpdump -i eth0 -w capture.pcap not port 22 excludes SSH. Verify the capture: ls -la capture.pcap, and tcpdump -r capture.pcap | head prints the first packets to confirm the file is readable. Monitor disk usage.
  3. Wireshark interactive analysis
    Open the PCAP in Wireshark. Statistics > Protocol Hierarchy shows the protocol distribution: percentages of HTTP, DNS, TLS, ICMP. Look for anomalies: a high ICMP volume indicates a potential ping flood or tunnelling, as does the presence of unusual protocols. Statistics > Conversations lists endpoint pairs: identify top talkers and unusual destinations. Statistics > IO Graph visualises traffic volume over time: a spike indicates an event. Apply a display filter, ip.addr == suspect_ip, to focus the investigation on one host. Right-click a packet and choose Follow > TCP Stream to view the complete conversation.
  4. tshark scripting for batch processing
    Process large PCAPs from the CLI: tshark -r capture.pcap -Y dns -T fields -e ip.src -e dns.qry.name | sort | uniq -c | sort -rn shows DNS query frequency per domain. Extract HTTP requests: tshark -r capture.pcap -Y http.request -T fields -e ip.src -e http.host -e http.request.uri > http.csv (the default field separator is a tab; add -E separator=, for real CSV). Pipe through grep and awk for advanced filtering. Identify outliers: a domain queried only once, or one queried unusually often. Combine with Python pandas for more sophisticated statistical analysis.
  5. Zeek setup and log generation from PCAP
    Install Zeek on the forensic workstation. Process the PCAP: zeek -r capture.pcap LogAscii::use_json=T generates JSON logs. Output files: conn.log, http.log, dns.log, ssl.log, files.log, notice.log. Examine conn.log: columns ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, service, duration, orig_bytes, resp_bytes, conn_state. Filter for the unusual: conn_state SF (normal, complete) versus S0 (no response). A long-duration connection is suspicious (lateral-movement tunnel). Use jq for JSON parsing: jq .ts http.log extracts the timestamps.
  6. DNS forensics and DGA detection
    Analyse dns.log: aggregate queries by domain count. Identify domains with high entropy (random-looking): a Python script computes the Shannon entropy of each domain; a value of 4.0 or above is suspicious. The dgad classifier tool identifies probable DGAs. A domain that frequently fails to resolve (NXDOMAIN) points to an active DGA trying domains. A long encoded subdomain pattern is a DNS tunnelling indicator (signature of DNScat or Iodine). Cross-reference domains in MISP for known IOCs. Threat intel context: a domain associated with an APT campaign.
  7. In-depth HTTP analysis for C2 detection
    Examine http.log: user-agent distribution, request URI patterns. Suspicious signs: a generic Mozilla/4.0 user agent with no other characteristics, automation-tool UAs (curl, wget, python-requests), unusual one-off UAs. Look for the URI pattern .php?cmd= (webshell command pattern) and large POST bodies to a suspicious destination (data exfiltration indicator). Status 200 responses to a .php page with a random-looking URL: webshell access. Cross-reference the Host header with threat-intel domains. Extract files transferred over HTTP with tshark export-objects.
  8. TLS analysis with JA3 fingerprints
    Zeek ssl.log captures TLS metadata. The JA3 fingerprint is computed from the Client Hello. Compare it with a JA3 hash database (abuse.ch ja3.zip): known malware-family JA3 values. The SNI field reveals the hostname accessed before encryption. Certificate subject and issuer: Let's Encrypt is common (free) but also widespread in malware C2. A self-signed certificate is suspicious (a random certificate not issued by a CA), as is a short validity period (malware C2 has a short lifetime). Certificate Transparency lookups on crt.sh audit issuance.
  9. Beaconing detection with RITA
    Install RITA: download it from the ActiveCM GitHub. Import the Zeek logs into RITA: rita import zeek_logs/. Beacon analysis: rita show-beacons dataset_name. Output: source-destination pair, beacon score, interval, jitter. A high score (0.9+) indicates a strong beacon. Investigate the top beacons: legitimate (Windows Update, software update checks) versus malicious (C2 callback). Investigate the interval: a consistent 60 seconds indicates a C2 beacon; longer intervals are less suspicious. Combine with a threat-intel check on the destination IP to enrich the context.
  10. Running Suricata IDS over a PCAP
    Install Suricata. Download the Emerging Threats Open ruleset with suricata-update. Run it against the PCAP: suricata -r capture.pcap -l output_dir -c /etc/suricata/suricata.yaml. Output: eve.json, a structured alert log. jq 'select(.event_type == "alert") | .alert' eve.json filters the alert signatures. Top alerts: identify known malware-family signatures (ET MALWARE for a specific family) and exploit-attempt signatures. Cross-reference with the packet data: which packet triggered it, and the full conversation. Tune false positives: disable rules for behaviour that is legitimate in your environment.
  11. File extraction and malware identification
    The NetworkMiner GUI tool extracts files from a PCAP automatically: open the PCAP and the Files tab lists the transferred files. Hash the extracted files with SHA256. Look up hashes on VirusTotal (mind OPSEC). tshark -r capture.pcap --export-objects http,out_dir is the CLI equivalent. Carve files from the raw PCAP: foremost -i capture.pcap -o extracted_files identifies file types via header magic bytes. Extract executables, documents, archives. Submit suspicious samples to a sandbox for behavioural analysis. Record filename, size, hash and source URL for documentation.
  12. Systematic IOC extraction and STIX formatting
    Compile the IOC list from the analysis. IP addresses observed: malicious C2 servers, scanner sources. Domain names: queries resolving to suspicious hosts. URL patterns: specific C2 endpoints. JA3 fingerprints: TLS client identifiers. Certificate hashes: C2 server certificates. File hashes: malware payloads. Format as STIX 2.1: an indicator SDO whose pattern uses ipv4-addr for IPs, domain-name for domains and file with a SHA-256 hash for files. Bundle the indicators with relationships (indicates) to a malware SDO and a threat-actor SDO.
  13. TTP mapping to MITRE ATT&CK
    Map observed behaviour to ATT&CK techniques. Web exploitation (POST to a vulnerable endpoint): T1190 Exploit Public-Facing Application. HTTP beacon C2: T1071.001 Application Layer Protocol: Web Protocols. DNS tunnelling C2: T1071.004 DNS. Encrypted C2: T1573 Encrypted Channel. Data exfiltration over C2: T1041 Exfiltration Over C2 Channel. Build an ATT&CK Navigator layer JSON with the observed techniques highlighted. The shareable layer shows the campaign's capabilities visually and enables hunting for other techniques that may also have been used.
  14. MISP threat intel platform integration
    Install MISP on a dedicated VM. Configure the organisation and sync with community feeds (CIRCL MISP public feed). Create an event for the analysed campaign: title with the campaign name, distribution set to your own organisation only at first, tags for ATT&CK techniques and malware family. Add attributes: each extracted IOC (IP, domain, URL, hash) as an attribute with the appropriate type. Relate attributes to other events (similar campaign, same actor). Publish the event to the community if appropriate. Subscribe to community events: IOCs from peers enrich local detection.
  15. Network forensic report and detection improvement
    Structure the final report: Executive Summary, Methodology, Attack Timeline (chronological events), Initial Access Vector (entry into the network), Command and Control (mapped C2 infrastructure), Data Impact (evidence of exfiltration), comprehensive IOC List, ATT&CK Mapping, Recommendations. Include screenshots of tool output and packet-capture excerpts as critical evidence. Network detection improvements: Suricata rules for the identified patterns, a Zeek script for beacon detection, the MISP IOC feed integrated into the SIEM. Share lessons learned with the internal community. Review threat-intel sources annually.
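A worked example for step 6 (DNS forensics), added here and not part of the original course: it applies the page's entropy threshold, a long-label tunnelling check and a per-host NXDOMAIN count to a few constructed Zeek dns.log JSON records. The thresholds, hosts and sample domains are assumptions; the dgad classifier is not used.

```python
import json
import math
from collections import Counter, defaultdict

# Constructed Zeek dns.log records (JSON lines, as written with LogAscii::use_json=T).
# Hosts and domains are made up; only the fields this example needs are present.
DNS_LOG = """\
{"ts":1716540001.1,"id.orig_h":"10.0.0.5","query":"www.example.com","rcode_name":"NOERROR"}
{"ts":1716540002.2,"id.orig_h":"10.0.0.5","query":"qz7xk3pbw9mvt2hy4nc8.net","rcode_name":"NXDOMAIN"}
{"ts":1716540003.3,"id.orig_h":"10.0.0.5","query":"b4lw8zc1rqd0j6ksx5vn.net","rcode_name":"NXDOMAIN"}
{"ts":1716540004.4,"id.orig_h":"10.0.0.5","query":"m0z9xv3k7bqwp1tfy8hs.net","rcode_name":"NXDOMAIN"}
{"ts":1716540005.5,"id.orig_h":"10.0.0.7","query":"mail.example.com","rcode_name":"NOERROR"}
{"ts":1716540006.6,"id.orig_h":"10.0.0.7","query":"aGVsbG8gd29ybGQgdGhpcyBpcyBhIGxvbmcgbGFiZWwgZm9yIGR.tun.example.org","rcode_name":"NOERROR"}
"""

ENTROPY_THRESHOLD = 4.0  # the page's threshold: 4.0+ bits per character is suspicious
MAX_LABEL_LEN = 40       # one DNS label longer than this suggests encoded data (tunnelling)
NXDOMAIN_PER_HOST = 3    # a host failing this many lookups behaves like an active DGA

def shannon_entropy(text: str) -> float:
    """Shannon entropy of the string in bits per character."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def classify_query(domain: str, rcode: str) -> list:
    """Indicators that apply to one query name; an empty list means nothing unusual."""
    reasons = []
    if shannon_entropy(domain) >= ENTROPY_THRESHOLD:
        reasons.append("high_entropy")   # random-looking name: DGA candidate
    if max(len(label) for label in domain.split(".")) > MAX_LABEL_LEN:
        reasons.append("long_label")     # encoded subdomain: DNScat/Iodine-style tunnelling
    if rcode == "NXDOMAIN":
        reasons.append("nxdomain")
    return reasons

def analyse_dns_log(log_text: str) -> dict:
    """Parse JSON-lines dns.log; return flagged domains and hosts with repeated NXDOMAINs."""
    findings, nx_per_host = {}, defaultdict(int)
    for line in log_text.splitlines():
        rec = json.loads(line)
        reasons = classify_query(rec["query"], rec.get("rcode_name", ""))
        if "nxdomain" in reasons:
            nx_per_host[rec["id.orig_h"]] += 1
        if reasons:
            findings[rec["query"]] = reasons
    dga_hosts = sorted(h for h, c in nx_per_host.items() if c >= NXDOMAIN_PER_HOST)
    return {"domains": findings, "dga_hosts": dga_hosts}
```

On real data, feed it the output of zeek -r capture.pcap LogAscii::use_json=T and tune the thresholds to the baseline of your environment.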
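A worked example for step 9, added here and not part of the course or of RITA itself: a simplified beacon score computed over constructed Zeek conn.log records, so the idea behind RITA's interval and jitter output can be seen on data you can vary. The scoring rule, the minimum-connection cutoff and all hosts and timestamps are assumptions.

```python
import json
import statistics
from collections import defaultdict

# Constructed Zeek conn.log records (JSON lines). 10.0.0.5 connects to 203.0.113.10:443 about
# every 60 s with a few seconds of jitter (a beacon); 10.0.0.7 reaches 198.51.100.3:80 at
# irregular times (browsing). Hosts, timestamps and ports are all made up.
def _conn(ts, src, dst, port):
    return json.dumps({"ts": ts, "id.orig_h": src, "id.resp_h": dst, "id.resp_p": port,
                       "proto": "tcp", "conn_state": "SF"})

CONN_LOG = "\n".join(
    [_conn(1716540000 + 60 * i + j, "10.0.0.5", "203.0.113.10", 443)
     for i, j in enumerate([0, 1, -2, 2, 0, -1, 1, 0])]
    + [_conn(1716540000 + t, "10.0.0.7", "198.51.100.3", 80)
       for t in [5, 17, 140, 145, 600, 601, 3000]])

MIN_CONNECTIONS = 5  # fewer connections than this give no meaningful interval statistics

def beacon_score(timestamps) -> float:
    """Regularity of the gaps between consecutive connections: 0 = random, 1 = clockwork.
    A simplified stand-in for RITA's scoring (not RITA's algorithm): one minus the median
    absolute deviation of the intervals divided by their median."""
    ts = sorted(timestamps)
    intervals = [b - a for a, b in zip(ts, ts[1:])]
    median = statistics.median(intervals)
    if median <= 0:
        return 0.0
    mad = statistics.median(abs(x - median) for x in intervals)
    return round(max(0.0, 1.0 - mad / median), 3)

def find_beacons(log_text: str, min_connections: int = MIN_CONNECTIONS) -> list:
    """Group conn.log by (src, dst, dst port) and rank the pairs by beacon score, highest first."""
    pairs = defaultdict(list)
    for line in log_text.splitlines():
        rec = json.loads(line)
        pairs[(rec["id.orig_h"], rec["id.resp_h"], rec["id.resp_p"])].append(rec["ts"])
    results = []
    for (src, dst, port), ts in pairs.items():
        if len(ts) < min_connections:
            continue
        ts = sorted(ts)
        results.append({"src": src, "dst": dst, "port": port, "connections": len(ts),
                        "interval_s": statistics.median(b - a for a, b in zip(ts, ts[1:])),
                        "score": beacon_score(ts)})
    return sorted(results, key=lambda r: r["score"], reverse=True)
```

The top entry is the 60-second pair with a score near 1; as the page notes, confirm whether such a pair is an update check or a C2 callback before acting on it.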
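A worked example for steps 12 and 13, added here and not the course's own material: it hand-builds a STIX 2.1 bundle with the standard library (indicators that indicate a malware SDO, attack-patterns the malware uses) and then derives an ATT&CK Navigator layer from it. The IOC values, malware name and the layer's versions block are assumptions; in practice the stix2 library would produce the bundle.

```python
import json
import uuid
from datetime import datetime, timezone

NOW = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")  # STIX 2.1 timestamp format

# Constructed IOCs and technique mapping for a fictitious campaign; the values are
# placeholders (documentation ranges, an all-zero hash), not real indicators.
IOCS = [("ipv4-addr", "203.0.113.10"), ("domain-name", "qz7xk3pbw9mvt2hy4nc8.net"),
        ("file-sha256", "0" * 64)]
TECHNIQUES = [("T1190", "Exploit Public-Facing Application"),
              ("T1071.001", "Application Layer Protocol: Web Protocols")]

def stix_object(obj_type: str, **fields) -> dict:
    """Common STIX 2.1 properties (type, spec_version, id, created, modified) plus the given ones."""
    return {"type": obj_type, "spec_version": "2.1", "id": f"{obj_type}--{uuid.uuid4()}",
            "created": NOW, "modified": NOW, **fields}

def relationship(rtype: str, source: dict, target: dict) -> dict:
    return stix_object("relationship", relationship_type=rtype,
                       source_ref=source["id"], target_ref=target["id"])

def stix_pattern(kind: str, value: str) -> str:
    """STIX patterning expression for the IOC kinds the page lists."""
    if kind == "file-sha256":
        return f"[file:hashes.'SHA-256' = '{value}']"
    return f"[{kind}:value = '{value}']"

def build_bundle(malware_name: str, iocs: list, techniques: list) -> dict:
    """Bundle: malware SDO, one indicator per IOC ('indicates' the malware) and one
    attack-pattern per ATT&CK technique (the malware 'uses' it)."""
    malware = stix_object("malware", name=malware_name, is_family=True)
    objects = [malware]
    for kind, value in iocs:
        ind = stix_object("indicator", pattern_type="stix", pattern=stix_pattern(kind, value),
                          valid_from=NOW, indicator_types=["malicious-activity"])
        objects += [ind, relationship("indicates", ind, malware)]
    for tid, name in techniques:
        ap = stix_object("attack-pattern", name=name, external_references=[
            {"source_name": "mitre-attack", "external_id": tid}])
        objects += [ap, relationship("uses", malware, ap)]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}

def navigator_layer(bundle: dict, name: str) -> dict:
    """ATT&CK Navigator layer highlighting every technique the bundle's attack-patterns cite."""
    techs = [{"techniqueID": ref["external_id"], "score": 100, "comment": obj["name"]}
             for obj in bundle["objects"] if obj["type"] == "attack-pattern"
             for ref in obj.get("external_references", []) if ref["source_name"] == "mitre-attack"]
    return {"name": name, "domain": "enterprise-attack",
            "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"}, "techniques": techs}
```

json.dumps(build_bundle("ExampleRAT", IOCS, TECHNIQUES), indent=2) gives a bundle MISP or OpenCTI can import, and json.dumps(navigator_layer(...)) a file the Navigator's "Open Existing Layer" accepts.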
