2015-08-07 - TRAFFIC ANALYSIS EXERCISE - SOMEONE WAS FOOLED BY A MALICIOUS EMAIL

TRAFFIC:

 

SCENARIO

You're an analyst at a Brazilian manufacturing corporation named World of Widgets.  On Wednesday 2015-08-05, you see the following alerts while working at the corporation's Security Operations Center (SOC):

 

You track these alerts to a Windows computer at IP address 192.168.137.113.  Authentication logs indicate the computer is used by someone named Degrando Rustlyn.

Your team contacts Degrando, who remembers opening a questionable email around the time his computer became infected.  Degrando deleted the message, and he can't remember which email it was or how he got any suspicious files to his desktop.

You retrieve a pcap of traffic for the timeframe of the alerts.  You also retrieve HTTPS traffic logs for that IP address.  Another analyst searches the company's mail servers and retrieves four malicious emails that might be related.

 

YOUR TASK

You now have:  1) a pcap of the traffic,  2) HTTPS traffic logs,  3) a collection of artifacts from that HTTPS traffic, and  4) malicious emails Degrando received during that timeframe.

Your task?  Figure out how the computer became infected and document your findings.  Your report should include:

 

NOTE:  A well-written incident report starts with an executive summary.  The executive summary desribes what happened in a concise narrative (prefferably one or two sentences, three at most).  Details are included in the report after the executive summary, hopefully in an organized manner that's easy for the reader to follow.

 

ANSWERS