2016-03-30 - TRAFFIC ANALYSIS EXERCISE - MARCH MADNESS
- ZIP archive with a PCAP of the traffic: 2016-03-30-traffic-analysis-exercise.pcap.zip 6.4 MB (6,409,216 bytes)
ZIP files on this site are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
You've received kudos for your work at the Security Operations Center (SOC) for Cupid's Arrow Online (if you don't remember, click here). Unfortunately, the company went bankrupt! Turns out the novelty arrow market isn't sustainable. Your former employer experienced a massive drop in sales after Valentine's day, and the company never recovered.
Oh well, you think to yourself. You didn't like working there with Sven anyway.
And I guess I'm never getting those chocolate arrows I ordered, either.
Lucky for you, the former owners of Cupid's Arrow Online offered you work as a SOC analyst at their new venture, a March madness-related enterprise. You're not so easily fooled by that business model, but you need something to pay the bills. You're still waiting on an offer (any offer) from one of several prospective (and hopefully legitimate) employers.
Something tells us your current employer won't last long.
Your job at this "March madness" enterprise isn't as glamorous as your previous SOC. You're usually the only person on watch at any given time. Fortunately, you have some network monitoring capability, and you sometimes get full packet capture from a specific IP when investigating suspicious events.
One afternoon, you notice some alerts, so you filter on a specific IP address and find the following:
Lots of "red" alerts on that IP... This doesn't look good.
TIME TO WRITE A REPORT
You've got a pcap of the network traffic from that IP address. Now you must document your investigation. The report should include:
- Date and time of the suspicious activity.
- IP address, MAC address, and host name of the computer that was involved.
- A summary of what happened.
- A conclusion with recommendations for any follow-up actions, if required.
Click here for the answers.
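The report items above (date and time, IP address, MAC address, host name) are usually recoverable from the DHCP traffic in a capture, since a Windows client sends its host name in DHCP option 12 and its MAC in the chaddr field. The following script is an added example, not part of this exercise or this site: it walks a classic libpcap file with only the standard library, pulls those identity fields out of DHCP client messages, and prints them as report-ready lines. The pcap it parses is constructed in code (the host name LAB-HOST-01, MAC 00:11:22:33:44:55, IP 192.168.1.100 and the timestamp are invented sample values); point `extract_dhcp_hosts` at the bytes of the exercise pcap to run it on the real capture.

```python
import struct
from datetime import datetime, timezone

# Constructed sample values (assumptions for the demo, not taken from the exercise pcap).
SAMPLE_MAC = bytes.fromhex("001122334455")
SAMPLE_HOSTNAME = b"LAB-HOST-01"
SAMPLE_REQ_IP = bytes([192, 168, 1, 100])
SAMPLE_TS = int(datetime(2016, 3, 30, 14, 30, tzinfo=timezone.utc).timestamp())

DHCP_MAGIC = b"\x63\x82\x53\x63"
DHCP_TYPES = {1: "Discover", 2: "Offer", 3: "Request", 5: "ACK"}


def build_sample_pcap():
    """Build a minimal libpcap file holding one Ethernet/IPv4/UDP/DHCP Request frame."""
    dhcp = struct.pack("!BBBB", 1, 1, 6, 0)            # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops
    dhcp += struct.pack("!IHH", 0xDEADBEEF, 0, 0)      # xid, secs, flags
    dhcp += b"\x00" * 16                               # ciaddr, yiaddr, siaddr, giaddr
    dhcp += SAMPLE_MAC + b"\x00" * 10                  # chaddr (16 bytes, first hlen used)
    dhcp += b"\x00" * 192                              # sname (64) + file (128)
    dhcp += DHCP_MAGIC
    dhcp += bytes([53, 1, 3])                          # option 53: message type = Request
    dhcp += bytes([50, 4]) + SAMPLE_REQ_IP             # option 50: requested IP address
    dhcp += bytes([12, len(SAMPLE_HOSTNAME)]) + SAMPLE_HOSTNAME  # option 12: host name
    dhcp += bytes([255])                               # end option
    udp = struct.pack("!HHHH", 68, 67, 8 + len(dhcp), 0) + dhcp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(4), bytes([255, 255, 255, 255])) + udp
    eth = b"\xff" * 6 + SAMPLE_MAC + b"\x08\x00" + ip
    glob = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    rec = struct.pack("<IIII", SAMPLE_TS, 0, len(eth), len(eth))
    return glob + rec + eth


def parse_dhcp_options(data):
    """Decode the TLV option area after the DHCP magic cookie into {code: value}."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == 0:            # pad
            i += 1
            continue
        if code == 255:          # end
            break
        if i + 1 >= len(data):   # truncated option, stop rather than over-read
            break
        length = data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def extract_dhcp_hosts(pcap):
    """Return host identity records (time, MAC, host name, IP) from DHCP client traffic."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic != 0xA1B2C3D4:      # only little-endian, microsecond-resolution pcap handled here
        raise ValueError("unsupported pcap magic")
    results, off = [], 24
    while off + 16 <= len(pcap):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # IPv4 only
            continue
        ihl = (frame[14] & 0x0F) * 4
        ip_hdr = frame[14:14 + ihl]
        if len(ip_hdr) < 20 or ip_hdr[9] != 17:              # UDP only
            continue
        udp = frame[14 + ihl:]
        if len(udp) < 8:
            continue
        sport, dport = struct.unpack_from("!HH", udp, 0)
        if (sport, dport) not in ((68, 67), (67, 68)):        # DHCP ports
            continue
        dhcp = udp[8:]
        if len(dhcp) < 240 or dhcp[236:240] != DHCP_MAGIC:
            continue
        hlen = dhcp[2]
        opts = parse_dhcp_options(dhcp[240:])
        req_ip = opts.get(50, b"")
        results.append({
            "time_utc": datetime.fromtimestamp(ts_sec, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
            "mac": ":".join(f"{b:02x}" for b in dhcp[28:28 + hlen]),
            "hostname": opts.get(12, b"").decode("ascii", "replace") or None,
            "requested_ip": ".".join(str(b) for b in req_ip) if len(req_ip) == 4 else None,
            "message_type": DHCP_TYPES.get(opts.get(53, b"\x00")[0], "Unknown"),
        })
    return results


def report_lines(records):
    """Format records as the date/time, IP, MAC, host name lines a report needs."""
    return [f"{r['time_utc']}  DHCP {r['message_type']}  ip={r['requested_ip']}  "
            f"mac={r['mac']}  host={r['hostname']}" for r in records]


if __name__ == "__main__":
    for line in report_lines(extract_dhcp_hosts(build_sample_pcap())):
        print(line)
```

The pcap timestamps are stored in UTC; convert to the local time zone of the environment when you put the date and time in the report, and cross-check the host name against NBNS or Kerberos traffic if no DHCP exchange is present in the capture window.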