2015-11-24 - TRAFFIC ANALYSIS EXERCISE - GOOFUS AND GALLANT
- ZIP file of the PCAP: 2015-11-24-traffic-analysis-exercise.pcap.zip 11.7 MB (11,726,615 bytes)
- TXT file of Snort events: 2015-11-24-traffic-analysis-exercise-snort-events.txt 82.4 kB (82,428 bytes)
- TXT file of Suricata events: 2015-11-24-traffic-analysis-exercise-suricata-events.txt 271.6 kB (271,557 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Tom and Jake are recent hires at your organization's Security Operations Center (SOC). Due to their different personalities, they've earned the nickname "Goofus and Gallant" after a cartoon from the magazine Highlights for Children. Tom is Goofus. Jake is Gallant.
The above image was modified from the original at: "Goofus and Gallant - October 1980" by Source (WP:NFCC#4).
Licensed under Fair use of copyrighted material in the context of Highlights for Children via Wikipedia.
On the Tuesday before Thanksgiving, Tom and Jake are working at the SOC. Tom brought his Windows laptop to the office, and he plans to browse the web. Jake is hard at work reviewing alerts.
Shown above: For copyright purposes, this image should be considered satire.
Jake's holiday plans are set, and he's happy with the frozen turkey he'd purchased from the supermarket. Tom's more of a "turkey enthusiast." He wants to hunt and kill a turkey for his Thanksgiving meal.
In order to pursue his holiday plans, Tom decides to purchase a shotgun. He fires up his Windows laptop, connects to the SOC's wifi, and starts researching shotguns online.
It's not long before Tom's computer triggers some alerts for suspicious network activity. After those alerts, his laptop crashes!
Shown above: Screenshot of Tom's computer crashing.
You're the supervisor for both Goofus and Gallant. The goofus Tom will likely be fired at some point due to his poor work ethic. Jake is certainly gallant, but he's still a relatively inexperienced analyst. You'll have to figure out what happened to Tom's laptop.
You check Tom's machine and quickly find a suspicious registry entry. It looks like Goofus infected his laptop. The SHA256 hash for the file referenced in the registry is: d16ad130daed5d4f3a7368ce73b87a8f84404873cbfc90cc77e967a83c947cd2
Shown above: Registry entry from the infected Windows laptop.
Next you review the network alerts. Unfortunately, your organization is too cheap for any commercial intrusion detection system (IDS). Fortunately, lower-cost solutions have been implemented. You have access to Snort alerts using the Snort registered ruleset. You also have access to Suricata alerts using the EmergingThreats free ruleset.
Shown above: Snort events on the traffic using Snort 18.104.22.168 and the Snort Registered ruleset.
Shown above: Suricata events on the traffic using Sguil on Security Onion with the EmergingThreats ruleset.
You were able to retrieve a pcap of network traffic to Tom's laptop. You'll need to do a report. At a minimum, your report should include:
- Date and approximate time of the infection.
- The infected computer's IP address.
- The infected computer's MAC address.
- The infected computer's host name.
- What caused the infection
- Click here for the answers.
As always, the ZIP files are password-protected with the standard password. If you don't know it, email me at firstname.lastname@example.org and ask.
Click here to return to the main page.