2016-02-06 - TRAFFIC ANALYSIS EXERCISE - NETWORK ALERTS AT CUPID'S ARROW ONLINE
- ZIP archive of the PCAP: 2016-02-06-traffic-analysis-exercise.pcap.zip 8.8 MB (8,838,133 bytes)
- ZIP archive of the malspam, Snort/Suricata logs, and spreadsheet with employee info: 2016-02-06-traffic-analysis-exercise-emails-alerts-etc.zip 46.6 kB (46,628 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
You recently hired on as a security analyst for Cupid's Arrow Online, the largest online retailer for novelty arrows world-wide. Apparently, novelty arrows are lucrative enough that the company can afford to staff its Security Operations Center (SOC) 24 hours a day, 7 days a week.
Shown above: One of your employer's ads.
Unfortunately, it's after normal work hours, and you're the only person reviewing network events. You silently curse your coworker Sven, who called in sick this evening. Maybe it's for the best, though. Strange things tend to happen whenever Sven is around.
Shown above: Sven on a good day.
Later, you see alerts on suspicious activity. Time to investigate!
You identify the IP address and pull the associated traffic, along with the Snort and Suricata event logs. You were already examining some malicious emails that made it through the spam filter, so you have those items on hand. Finally, you retrieved a list of people on the network during the timeframe of these alerts (you might have to contact them about this activity).
You'll need to write a report for your investigation. The report should include:
- A summary of what happened. Be sure to include the affected employee's name and position in the company.
- Date and time of the activity.
- IP address, MAC address, and host name of the computer that was involved.
- A conclusion with recommendations for any follow-up actions, if required.
Click here for the answers.
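The report fields above (affected host, who sits at it, first and last alert times) are the output of a routine triage step: parse the Snort/Suricata fast.log, keep the high-priority alerts, group them by the internal endpoint regardless of traffic direction, and join the result against the employee spreadsheet. The script below is an added example, not part of this exercise or its answer key. The alert lines, the roster rows, the signature IDs (9000001 and up), the employee names and the CUPID-PC-* host names are all constructed sample data, and the column names in the roster CSV are an assumption about the spreadsheet's layout.

```python
"""Triage helper: summarise Snort/Suricata fast.log alerts per internal host and
join them with an employee roster so the report fields can be filled in.
Example code with constructed sample data; not from the exercise's real logs."""
import csv
import io
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed alerts in Suricata fast.log layout. SIDs 900000x and the "EXAMPLE"
# messages are placeholders, not real ruleset signatures.
SAMPLE_FAST_LOG = """\
02/06/2016-21:03:42.102345  [**] [1:9000001:1] EXAMPLE Exploit kit landing page [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.50:49201 -> 203.0.113.20:80
02/06/2016-21:03:44.551209  [**] [1:9000002:1] EXAMPLE Flash exploit download [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 203.0.113.20:80 -> 192.168.1.50:49201
02/06/2016-21:05:10.000001  [**] [1:9000003:1] EXAMPLE Malware check-in [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.50:49210 -> 198.51.100.7:443
02/06/2016-21:07:31.771900  [**] [1:9000004:1] EXAMPLE Policy noise [**] [Classification: Potential Corporate Privacy Violation] [Priority: 3] {TCP} 192.168.1.61:50123 -> 192.0.2.9:80
"""

# Constructed roster; the column names are an assumed layout for the employee spreadsheet.
SAMPLE_ROSTER = """\
ip,mac,hostname,name,position
192.168.1.50,00:11:22:33:44:55,CUPID-PC-07,Example Employee,Shipping Clerk
192.168.1.61,00:11:22:33:44:66,CUPID-PC-12,Another Employee,Marketing Lead
"""

INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# One regex for the single-line fast.log record: timestamp, gid:sid:rev, message, priority, proto, endpoints.
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_fast_log(text):
    """Parse fast.log text into dicts; lines that do not match the layout are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_LOG_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%m/%d/%Y-%H:%M:%S.%f")
        d["prio"] = int(d["prio"])
        alerts.append(d)
    return alerts


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def internal_host(alert):
    """Return the internal endpoint whether the alert fired on outbound or inbound traffic."""
    for key in ("src", "dst"):
        if is_internal(alert[key]):
            return alert[key]
    return None


def summarize(alerts, max_priority=2):
    """Group alerts at or above the given priority (1 = highest) by internal host."""
    hosts = defaultdict(lambda: {"first": None, "last": None, "count": 0, "sigs": set(), "remote": set()})
    for a in alerts:
        if a["prio"] > max_priority:
            continue  # drop low-priority policy noise from the report
        host = internal_host(a)
        if host is None:
            continue
        h = hosts[host]
        h["first"] = a["ts"] if h["first"] is None else min(h["first"], a["ts"])
        h["last"] = a["ts"] if h["last"] is None else max(h["last"], a["ts"])
        h["count"] += 1
        h["sigs"].add(a["msg"])
        h["remote"].add(a["dst"] if a["src"] == host else a["src"])
    return dict(hosts)


def load_roster(text):
    return {row["ip"]: row for row in csv.DictReader(io.StringIO(text))}


def build_report(fast_log, roster_csv):
    """Join the per-host alert summary with the roster; unknown hosts are flagged for pcap follow-up."""
    summary = summarize(parse_fast_log(fast_log))
    roster = load_roster(roster_csv)
    report = []
    for ip, h in sorted(summary.items(), key=lambda kv: kv[1]["first"]):
        who = roster.get(ip, {})
        report.append({
            "ip": ip,
            "mac": who.get("mac", "UNKNOWN (check DHCP/ARP in the pcap)"),
            "hostname": who.get("hostname", "UNKNOWN (check DHCP/NetBIOS in the pcap)"),
            "name": who.get("name", "UNKNOWN"),
            "position": who.get("position", "UNKNOWN"),
            "first_seen": h["first"].isoformat(sep=" "),
            "last_seen": h["last"].isoformat(sep=" "),
            "alert_count": h["count"],
            "signatures": sorted(h["sigs"]),
            "remote_ips": sorted(h["remote"]),
        })
    return report


if __name__ == "__main__":
    for entry in build_report(SAMPLE_FAST_LOG, SAMPLE_ROSTER):
        for field, value in entry.items():
            print(f"{field:>12}: {value}")
```

The priority filter is deliberate: the policy-violation alert for 192.168.1.61 is dropped so the report names only the host with Priority 1 and 2 events, which is where the follow-up with the employee belongs. Any host that is not in the roster gets an explicit placeholder telling the analyst to recover the MAC and host name from DHCP or NetBIOS traffic in the pcap rather than leaving the field blank.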