2017-06-28 - TRAFFIC ANALYSIS EXERCISE - INFECTION AT THE JAPAN FIELD OFFICE

ASSOCIATED FILES:

All ZIP files on this site are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

 

SCENARIO

You work as a security analyst for a company with locations world-wide, and it recently opened a field office in Japan.


Shown above:  It's a very small office in Tokyo, so you might have a hard time finding it.

 

On Tuesday 2017-06-27, you notice several high-priority alerts from two different Intrusion Detection Systems (IDS).  One IDS is running Snort using the Snort subscription ruleset, and the other is running Suricata using the Emerging Threats Pro ruleset.

The results indicate a Windows computer was infected at your company's Japan field office.  You are tasked to investigate!  You have the pcap, a text file containing the Snort alerts, and a text file containing the Suricata alerts.

For this traffic analysis exercise, please answer the following questions:

Note:  Timestamps on the Suricata alerts are not correct, because those alerts were generated by replaying the pcap with tcpreplay some hours after the original infection.  Take timing from the pcap or the Snort alerts, and match Suricata alerts to the traffic by IP addresses, ports and protocol rather than by time.
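With the Suricata clock hours off, the two alert files need a join key that does not depend on time.  The following is an added Python example written for this page; it is not part of the exercise or its files.  It assumes both tools wrote their alerts in the fast format (Snort's alert_fast output and Suricata's fast.log), which share one line shape, joins alerts on protocol, source IP:port and destination IP:port, then estimates the replay offset from the flows both sensors alerted on and moves the Suricata timestamps back onto the pcap's timeline.  SIDs are deliberately not used as the key, because the Snort subscription and Emerging Threats Pro rule sets number their rules independently.  The sample alert lines, addresses (RFC 5737 ranges) and SIDs (local 1000000+ range) are constructed for illustration and are not from the exercise files.

```python
"""Added example (not from the exercise): join Snort and Suricata fast-format alerts
on the flow 5-tuple, then estimate and remove the tcpreplay clock offset.
The sample alert lines below are constructed, not taken from the exercise pcap."""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Line shape shared by Snort alert_fast and Suricata fast.log:
#   <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: n] {PROTO} src:port -> dst:port
# ICMP alerts carry no ports, so both port groups are optional. IPv4 only.
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>[A-Za-z]+)\}\s+"
    rf"(?P<src>{IPV4})(?::(?P<sport>\d+))?\s+->\s+(?P<dst>{IPV4})(?::(?P<dport>\d+))?\s*$"
)

def parse_timestamp(ts, year):
    """Suricata writes MM/DD/YYYY-HH:MM:SS.ffffff; Snort omits the year, so the caller
    supplies it (here the exercise date's year, 2017)."""
    try:
        return datetime.strptime(ts, "%m/%d/%Y-%H:%M:%S.%f")
    except ValueError:
        return datetime.strptime(f"{year}/{ts}", "%Y/%m/%d-%H:%M:%S.%f")

def parse_alerts(text, year):
    """One dict per parsable fast-format line; anything else (blank, banner) is skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.match(line.strip())
        if m:
            d = m.groupdict()
            alerts.append({"ts": parse_timestamp(d["ts"], year), "sid": int(d["sid"]),
                           "msg": d["msg"], "prio": int(d["prio"]),
                           # The flow is the only key both sensors agree on: SIDs differ
                           # between rule sets, timestamps differ because of the replay.
                           "flow": (d["proto"].upper(), d["src"], d["sport"], d["dst"], d["dport"])})
    return alerts

def group_by_flow(alerts):
    flows = defaultdict(list)
    for a in alerts:
        flows[a["flow"]].append(a)
    return flows

def estimate_offset(snort_alerts, suri_alerts):
    """Median, over flows both sensors alerted on, of (first Suricata time - first Snort
    time). tcpreplay preserves inter-packet timing, so one constant offset explains the
    skew; the median tolerates a rule that fires late on one flow."""
    s, u = group_by_flow(snort_alerts), group_by_flow(suri_alerts)
    shared = s.keys() & u.keys()
    if not shared:
        raise ValueError("no flow alerted on by both sensors; cannot estimate offset")
    deltas = [(min(a["ts"] for a in u[f]) - min(a["ts"] for a in s[f])).total_seconds()
              for f in shared]
    return timedelta(seconds=statistics.median(deltas))

def correlate(snort_text, suri_text, year):
    """Return (offset, per-flow rows) with Suricata times moved back onto the pcap's own
    timeline and rows ordered by first appearance in the capture."""
    snort, suri = parse_alerts(snort_text, year), parse_alerts(suri_text, year)
    offset = estimate_offset(snort, suri)
    for a in suri:
        a["ts_corrected"] = a["ts"] - offset
    s, u = group_by_flow(snort), group_by_flow(suri)

    def first_seen(flow):
        return min([a["ts"] for a in s.get(flow, [])] +
                   [a["ts_corrected"] for a in u.get(flow, [])])

    return offset, [{"first_seen": first_seen(f), "flow": f,
                     "snort": sorted({a["msg"] for a in s.get(f, [])}),
                     "suricata": sorted({a["msg"] for a in u.get(f, [])})}
                    for f in sorted(s.keys() | u.keys(), key=first_seen)]

# Constructed sample input: RFC 5737 addresses, SIDs in the local 1000000+ range, and
# Suricata lines "replayed" exactly 5 h 43 min 23 s after the Snort lines.
SNORT_SAMPLE = """\
06/27-10:04:12.118231  [**] [1:1000001:1] EXAMPLE POLICY Executable download over HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.6.27.103:49188 -> 203.0.113.77:80
06/27-10:04:13.402557  [**] [1:1000002:1] EXAMPLE MALWARE Post-infection check-in [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.6.27.103:49190 -> 198.51.100.14:443
06/27-10:05:01.000000  [**] [1:1000003:1] EXAMPLE ICMP Echo to external host [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.6.27.103 -> 192.0.2.9
"""
SURICATA_SAMPLE = """\
06/27/2017-15:47:35.118231  [**] [1:1000101:1] EXAMPLE POLICY PE file download [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.6.27.103:49188 -> 203.0.113.77:80
06/27/2017-15:47:36.402557  [**] [1:1000102:1] EXAMPLE MALWARE Check-in over TLS [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.6.27.103:49190 -> 198.51.100.14:443
06/27/2017-15:47:40.000000  [**] [1:1000103:1] EXAMPLE DNS Query for suspicious domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.6.27.103:52011 -> 10.6.27.1:53
"""

if __name__ == "__main__":
    offset, report = correlate(SNORT_SAMPLE, SURICATA_SAMPLE, 2017)
    print(f"Suricata clock is {offset} ahead of the pcap; {len(report)} alerting flows:")
    for row in report:
        print(row["first_seen"], row["flow"], "snort:", row["snort"], "suricata:", row["suricata"])
```

Run it as a script to see the estimated offset and a per-flow listing; for the real exercise, read the two alert text files into the two string arguments.  Rows with messages from only one sensor show where Emerging Threats Pro coverage differed from the Snort subscription rules, which is itself useful when deciding which alerts to trust for each stage of the infection.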

 

You feel bad for the businessman who infected his computer at the company's Japan field office.  Rumor has it he's been forced to use a tablet while his computer is getting fixed.


Shown above:  Using a tablet for work is often frustrating.

 

ANSWERS

 
