2016-03-30 - TRAFFIC ANALYSIS EXERCISE - MARCH MADNESS

ASSOCIATED FILE:

ZIP files on this site are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

 

SCENARIO

You've received kudos for your work at the Security Operations Center (SOC) for Cupid's Arrow Online (from an earlier exercise on this site, if you don't remember).  Unfortunately, the company went bankrupt!  Turns out the novelty arrow market isn't sustainable.  Your former employer experienced a massive drop in sales after Valentine's day, and the company never recovered.

Oh well, you think to yourself.  You didn't like working there with Sven anyway.


And I guess I'm never getting those chocolate arrows I ordered, either.

 

Lucky for you, the former owners of Cupid's Arrow Online offered you work as a SOC analyst at their new venture, a March madness-related enterprise.  You're not so easily fooled by that business model, but you need something to pay the bills.  You're still waiting on an offer (any offer) from one of several prospective (and hopefully legitimate) employers.


Something tells us your current employer won't last long.

 

Your job at this "March madness" enterprise isn't as glamorous as your previous SOC.  You're usually the only person on watch at any given time.  Fortunately, you have some network monitoring capability, and you sometimes get full packet capture from a specific IP when investigating suspicious events.

One afternoon, you notice some alerts, so you filter on a specific IP address and find the following:


Lots of "red" alerts on that IP...  This doesn't look good.
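Before writing anything up, the first pass over a capture like this is usually mechanical: keep only the packets that involve the alerting host, then list who it talked to, on which ports, and which HTTP Host headers it requested.  The script below is an added example written for this page, not part of the original exercise and not the tool the exercise was built with.  It reads a libpcap-format file (Ethernet link type, IPv4 TCP/UDP only; pcapng is not handled) with nothing but the standard library, so it runs offline.  The capture it parses, the 192.0.2.101 host, its peers and the example.net hostname are all constructed test data, chosen from the RFC 5737 documentation ranges; replace SAMPLE_PCAP with the bytes of the exercise pcap and VICTIM with the alerting IP to use it for real.

```python
"""Pcap triage for one host (added example; constructed test data, libpcap/Ethernet/IPv4 only)."""
import socket
import struct
from collections import Counter

PCAP_MAGIC, LINKTYPE_ETHERNET, ETH_P_IP = 0xA1B2C3D4, 1, 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


def build_frame(src, dst, proto, sport, dport, payload=b"", tcp_flags=0x02):
    """Construct an Ethernet/IPv4/TCP-or-UDP frame as test data (checksums left at 0)."""
    if proto == PROTO_TCP:  # 20-byte TCP header: ports, seq, ack, data offset, flags, window
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, tcp_flags, 65535, 0, 0)
    else:                   # 8-byte UDP header: ports, length, checksum
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    l4 += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0x4000, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    eth = bytes.fromhex("00112233445566778899aabb") + struct.pack("!H", ETH_P_IP)
    return eth + ip + l4


def build_pcap(frames):
    """Wrap frames in a little-endian libpcap file (24-byte global header, 16-byte records)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1459300000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def iter_packets(pcap_bytes):
    """Yield (timestamp, frame_bytes) from a libpcap file of either byte order."""
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    endian = {PCAP_MAGIC: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a libpcap file (pcapng is not handled here)")
    linktype, = struct.unpack_from(endian + "I", pcap_bytes, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(pcap_bytes):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", pcap_bytes, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, pcap_bytes[off:off + incl_len]
        off += incl_len


def parse_frame(frame):
    """Return (src, dst, proto, sport, dport, l4_payload) for IPv4 TCP/UDP, else None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETH_P_IP:
        return None
    ihl = (frame[14] & 0x0F) * 4                      # IPv4 header length in bytes
    proto = frame[23]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    l4 = frame[14 + ihl:]
    if proto not in (PROTO_TCP, PROTO_UDP) or len(l4) < 8:
        return None
    sport, dport = struct.unpack_from("!HH", l4, 0)
    hdr_len = (l4[12] >> 4) * 4 if proto == PROTO_TCP else 8
    return src, dst, proto, sport, dport, l4[hdr_len:]


def summarize_host(pcap_bytes, host):
    """Keep only packets to or from `host`; count peers, destination ports and HTTP Host headers."""
    s = {"packets": 0, "peers": Counter(), "dst_ports": Counter(), "http_hosts": Counter()}
    for _ts, frame in iter_packets(pcap_bytes):
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, dst, proto, _sport, dport, payload = parsed
        if host not in (src, dst):
            continue                                   # the "filter on a specific IP" step
        s["packets"] += 1
        if src != host:
            s["peers"][src] += 1                       # inbound: just record the peer
            continue
        s["peers"][dst] += 1
        s["dst_ports"][("tcp/" if proto == PROTO_TCP else "udp/") + str(dport)] += 1
        for line in payload.split(b"\r\n"):            # cleartext HTTP requests only
            if line[:5].lower() == b"host:":
                s["http_hosts"][line[5:].strip().decode("ascii", "replace")] += 1
    return s


VICTIM = "192.0.2.101"   # constructed: the host the alerts fired on
SAMPLE_PCAP = build_pcap([  # constructed capture: one DNS query, one HTTP request, one 443 SYN
    build_frame(VICTIM, "192.0.2.1", PROTO_UDP, 51234, 53, b"\x12\x34\x01\x00" + b"\x00" * 8),
    build_frame(VICTIM, "198.51.100.7", PROTO_TCP, 49152, 80),                   # SYN
    build_frame("198.51.100.7", VICTIM, PROTO_TCP, 80, 49152, tcp_flags=0x12),   # SYN/ACK
    build_frame(VICTIM, "198.51.100.7", PROTO_TCP, 49152, 80,
                b"GET /bracket.php?id=1 HTTP/1.1\r\nHost: example.net\r\n\r\n", tcp_flags=0x18),
    build_frame(VICTIM, "203.0.113.9", PROTO_TCP, 49153, 443),
    build_frame("192.0.2.55", "198.51.100.7", PROTO_TCP, 49200, 80),  # another host; filtered out
])

if __name__ == "__main__":
    report = summarize_host(SAMPLE_PCAP, VICTIM)
    print(f"{VICTIM}: {report['packets']} packets")
    for key in ("peers", "dst_ports", "http_hosts"):
        print(f"  {key}: {dict(report[key])}")
```

Run as-is it reports five packets for 192.0.2.101, three peers, the destination ports udp/53, tcp/80 and tcp/443, and the requested Host header example.net; the sixth frame, from 192.0.2.55, is dropped by the IP filter.  The peer list and the Host headers are exactly the things the report in the next section asks about, and having them pulled out mechanically leaves the analyst's time for the part a script cannot do: deciding which of those peers and hostnames are the ones that tripped the alerts.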

 

TIME TO WRITE A REPORT

You've got a pcap of the network traffic from that IP address.  Now you must document your investigation.  The report should include:

 

ANSWERS

 
