2016-10-15 - TRAFFIC ANALYSIS EXERCISE - CRYBABY BUSINESSMAN
- ZIP archive with a PCAP of the traffic: 2016-10-15-traffic-analysis-exercise.pcap.zip 9.2 MB (9,207,913 bytes)
- ZIP archive with the alerts for this traffic: 2016-10-15-traffic-analysis-exercise-alerts.zip 15.6 kB (15,571 bytes)
All ZIP files on this site are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
You've just arrived for an afternoon shift at your company's Security Operations Center (SOC). As you enter the building, you're walking down the main hallway, and you hear someone crying from one of the office rooms nearby.
You follow the noise and find it coming from a fancy office. Poking your head in the door, you see the owner's son sitting at his desk, still crying.
Shown above: The boss's son, who you now think of as "crybaby businessman."
When you ask what's wrong, he replies, "My computer's telling me my files are locked, and I have to pay money to get them back!"
You ask him if he has any backups.
He blinks and replies, "Backwhat?"
You shake your head and say he's out of luck. He cries again and eventually quiets down. He then asks, "How did this happen?"
"Sounds like ransomware," you tell him. "I need to get to work, but I'm one of the SOC analysts here."
He blinks again and says, "Ransomwhat?"
You stare at him for a second then say, "I'm part of the team that monitors network alerts for suspicious activity There's bound to be an alert on what happened. Let me look into it for you."
He pouts, stomps his foot, and says, "I want to know who did this!"
Shown above: This guy really is a crybaby businessman.
While you might not be able to tell him who did it, you can surely figure out how the infection happened. You review the network alerts and see there's only one IP address with anything related to ransomware activity. You query all alerts for his IP address, and you retrieve network traffic from that IP for the appropriate timeframe.
You now have the alerts and the traffic. After reviewing this information, you're ready to write a report to show crybaby businessman what happened. The report should contain the following:
- Date and time of the activity.
- A brief description of what happened to crybaby businessman's computer.
- Click here for the answers.
Click here to return to the main page.