Incorporating Packet Analysis Training in the Classroom

A new career in cybersecurity often begins as an analyst who examines raw internet traffic for large portions of the day, hoping to spot any nefarious traffic trying to sneak across the wire. As professionals who train students to be prepared for their future careers, professors need to be sure they are adequately preparing their students for this analyst role. Even after an analyst progresses past the early stages of traffic analysis, they will continue to use those analysis skills when conducting investigations, developing strings and alerts for intrusion detection systems, and in many other areas of cybersecurity. Packet analysis is such a common element of cybersecurity that it should be covered in greater detail within the classroom.
Why is Packet Analysis Important?
Packet analysis is the methodology we employ to watch what is happening on the network. There is no other capability available to us that allows for deep inspection of packets during an investigation or a speedy first look when monitoring live traffic. Hackers work hard to go undetected, but there are many signs that can alert us when traffic is nefarious. The key to recognizing these events is to analyze large amounts of traffic and become comfortable with recognizing common user activity. Doing this in the classroom more properly prepares a student for what they will encounter in the real world. An old analogy from the banking industry is applicable to this concept.
Banks do not train their employees to recognize counterfeit money. The employees handle large volumes of real money and, as a result, they easily recognize when something counterfeit passes through their fingers. It feels a little different, the colors are not quite right, and it does not look like all the other bills one is used to seeing. We can employ a similar methodology in cybersecurity by instructing students to monitor large amounts of normal network and internet traffic so that the odd traffic stands out. This does not mean that all odd traffic is nefarious; it could simply be something the student has not encountered yet. However, professors should reinforce the idea that anything unrecognized should always be investigated further.
Teaching the Basics
The first thing students should be trained to recognize is the set of common protocols used on the internet. There are many different protocols used for accessing web pages, sending emails, establishing secure and insecure remote connections, conducting online meetings, and carrying out many other online activities. Students should be taught how to recognize when each of these protocols is in use, how to differentiate between them, and what the baseline looks like for how each protocol normally interacts between servers and clients. Professors need to recognize this as a foundational element of cybersecurity, teach it early in a program, and reinforce it in many different courses.
Students should also know the port numbers on which the common protocols operate. For example, secure shell, often used as a secure way of connecting to UNIX and Linux-based systems, normally uses TCP port 22. Professors should train students to recognize when someone is attempting to connect to port 22 on a Windows system, as this would be unusual activity. They should also train students to recognize when someone is attempting to connect to secure shell on other ports, as this could be indicative of a scanning operation. The same is true for the other common ports, and after a student has a good understanding of normal activity, they should also be trained to recognize common hacking methodologies.
Deterring Hackers Starts with Education
Hackers know that a good security system will be monitored for their activity. Good hackers know how to stay hidden from detection, but untrained hackers who have just begun to dip their toes into this nefarious world tend to set off a lot of alarms with their unrefined methodologies. A student who understands what normal internet traffic looks like will quickly recognize nefarious traffic from untrained hackers, because connections will be initiated to every port of a single IP address, or exploits will be attempted against invulnerable systems. These uninitiated hackers are sometimes referred to as script kiddies because they usually fire off scripts that do not apply to their targets, and they are imagined as teenagers working from the basements of their parents' homes.
Well-trained hackers will try to sneak their traffic past an analyst by spacing out their actions with single-port scans a few times each minute, hoping that the activity will be masked by all the other normal packets flowing through the network. This can be a very effective strategy if professors fail to teach how to filter traffic and look more closely at each abnormal packet. It is not possible to analyze every packet, but when students understand how to filter out the common connections, they can spend more time looking at the uncommon ones to see if any are nefarious.
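As an added example (not from the article), the following Python turns the points above into a small classroom detection routine over a constructed connection log: it filters out connections to the common baseline ports, flags secure shell attempts toward hosts that are not expected to run it, and separates a noisy burst across many ports from the same number of ports probed a couple of minutes apart. The host inventory, baseline port set and thresholds are assumptions chosen for the exercise.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed inventory (not from the article): hosts on which SSH is expected. SSH to anything
# else, e.g. a Windows workstation, is the unusual activity the text says students should spot.
LINUX_HOSTS = {"10.0.0.30"}
# The classroom baseline of "common" destination ports; everything else deserves a second look.
BASELINE_PORTS = {22, 25, 53, 80, 443, 993}

def parse(line):
    """Parse one constructed log line: '<ISO timestamp> src=<ip> dst=<ip> dport=<port>'."""
    ts, rest = line.split(" ", 1)
    kv = dict(field.split("=") for field in rest.split())
    return datetime.fromisoformat(ts), kv["src"], kv["dst"], int(kv["dport"])

def classify(lines, fast_window=timedelta(seconds=10), min_ports=5):
    """Return sorted, de-duplicated (tag, src, dst) findings for a list of log lines."""
    seen = defaultdict(list)   # (src, dst) -> [(timestamp, dport), ...]
    findings = set()
    for line in lines:
        ts, src, dst, dport = parse(line)
        seen[(src, dst)].append((ts, dport))
        if dport == 22 and dst not in LINUX_HOSTS:
            findings.add(("ssh-to-non-linux", src, dst))
        elif dport not in BASELINE_PORTS:
            findings.add(("uncommon-port", src, dst))   # the filtered-down set to inspect by hand
    # Scan detection: one source touching many distinct ports on one host. A burst is the
    # "script kiddie" pattern; the same port count spread over minutes is the spaced-out scan.
    for (src, dst), events in seen.items():
        events.sort()
        if len({port for _, port in events}) < min_ports:
            continue
        span = events[-1][0] - events[0][0]
        findings.add(("fast-scan" if span <= fast_window else "slow-scan", src, dst))
    return sorted(findings)

def sample_log():
    """Constructed sample (not captured traffic): browsing, legitimate SSH, SSH to a Windows
    host, a six-port burst within six seconds, and six ports probed two minutes apart."""
    t0 = datetime(2024, 3, 1, 9, 0, 0)
    rows = [(t0, "10.0.0.5", "10.0.0.20", 443), (t0 + timedelta(seconds=1), "10.0.0.5", "10.0.0.20", 80),
            (t0, "10.0.0.7", "10.0.0.30", 22), (t0, "10.0.0.9", "10.0.0.40", 22)]
    rows += [(t0 + timedelta(seconds=i), "10.0.0.8", "10.0.0.20", 1 + i) for i in range(6)]
    rows += [(t0 + timedelta(minutes=2 * i), "10.0.0.11", "10.0.0.30", 8000 + i) for i in range(6)]
    return [f"{ts.isoformat()} src={s} dst={d} dport={p}" for ts, s, d, p in rows]

if __name__ == "__main__":
    for tag, src, dst in classify(sample_log()):
        print(f"{tag:18} {src} -> {dst}")
```

Students can swap in their own baseline and a real connection log with the same four fields; the normal browsing and the legitimate SSH session in the sample produce no findings at all.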
The goal here is to train cybersecurity professionals to be packet investigators who know how to locate hackers in action. This is always the goal of cybersecurity—to keep the attacker off the network. Many network devices are configured to save connections in their individual logs, and intrusion detection systems capture even more connections. However, these logs are useless without an analyst reviewing them. Unfortunately, many new cybersecurity professionals are not well trained in this arena, and they arrive at their new jobs unprepared for this task. We need to do a better job in higher education at teaching packet analysis because it is the core skill needed to find the hacker on the wire and determine the actions they are taking. It is also necessary after a successful attack has penetrated a network, to discover what actions the criminal actors took. The more repetitive analysis projects we can provide to students, the more easily they will keep future networks secure.