2016-02-28 - TRAFFIC ANALYSIS EXERCISE - IDEAL VERSUS REALITY

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• Zip archive the pcap:  2016-02-28-traffic-analysis-exercise.pcap.zip   13.4 MB (13,437,800 bytes)

 

SCENARIO

What's my definition of a security analyst?  Security analysts are responsible for monitoring their employer's network and providing near-real-time detection of suspicious activity.  Ideally, these analysts have access to intrusion detection systems (IDS) that cover the company's entire infrastructure.  In reality, the situation is less than ideal.

The ideal:  State-of-the-art equipment and monitors everywhere!

 

The reality:  You're a team of one, and your equipment is best described as Salvation Army surplus.

 

Even state-of-the-art facilities have issues.  Many security operations centers (SOCs) don't have access to full packet capture of their network traffic.  Investigating suspicious events can be a problem in these environments.  Without context around an event, you might not be certain of what actually happened.

In this exercise, a computer is infected with malware.  Your challenge, should you choose to accept it, is to figure out what happened based on the network traffic.

 

Shown above:  The pcap for this traffic analysis exercise opened in Wireshark.

 

THE REPORT

As always, you should write a report of your investigation.  The report should include:

• A description of what happened.
• Date and time of the activity.
• IP address, MAC address, and host name of the infected computer.
• A conclusion with recommendations to resolve the issue.

• If possible, try to determine the operating system and some of the applications (browser, etc.) associated with the infection.

 

ANSWERS

• Click here for the answers.

 

Click here to return to the main page.