2015-02-08 - TRAFFIC ANALYSIS EXERCISE

PCAP:

NOTE: ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.


SCENARIO

Mike calls the Help Desk and says his desktop computer is "acting weird" but he refuses to provide any details.  The Help Desk reports it to your organization's Security Operations Center (SOC).  A phone call to Mike doesn't reveal any details.  He insists his computer is "acting weird" but will not say what, exactly, is wrong.

One of the SOC analysts searched through network traffic and retrieved a pcap related to this activity.  This traffic occurred shortly before Mike called the Help Desk.  The analyst cannot figure out what happened, so you've been asked to take a look.

You review the pcap and take notes.  First, you document the following:


Based on the traffic, what happened?  You might recognize the activity from entries you've read on www.malware-traffic-analysis.net or other blogs.  If possible, you'll want to run the pcap through Security Onion or a Snort setup using the EmergingThreats signature set.


FIRST DECISION POINT

1)  Based on your analysis of the traffic, you call Mike and tell him what you think has happened.  Mike confirms your assessment, and he's somewhat embarrassed by his actions.  The SOC follows established procedures to handle the incident, and you draft a report.  Case closed!  You're back on the hunt, reviewing more IDS events for the rest of your 12-hour shift.  (Only 11 hours left!)


2)  You're not happy with the analysis you've done so far.  Fortunately, another analyst was also researching the activity and found some additional information.
