2016-02-28 - TRAFFIC ANALYSIS EXERCISE - IDEAL VERSUS REALITY

ASSOCIATED FILES:

ZIP files on this site are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.


SCENARIO

What's my definition of a security analyst?  Security analysts are responsible for monitoring their employer's network and providing near-real-time detection of suspicious activity.  Ideally, these analysts have access to intrusion detection systems (IDS) that cover the company's entire infrastructure.  In reality, the situation is less than ideal.
The ideal:  State-of-the-art equipment and monitors everywhere!

The reality:  You're a team of one, and your equipment is best described as "Salvation Army surplus."


Even state-of-the-art facilities have issues.  Many security operations centers (SOCs) don't have access to full packet capture of their network traffic.  Investigating suspicious events can be a problem in these environments.  Without context around an event, you might not be certain of what actually happened.

In this exercise, a computer is infected with malware.  Your challenge, should you choose to accept it, is to figure out what happened based on the network traffic.

Shown above:  The pcap for this traffic analysis exercise opened in Wireshark.


THE REPORT

As always, you should write a report of your investigation.  The report should include:


ANSWERS
