2015-02-15 - TRAFFIC ANALYSIS EXERCISE

PCAP:

• ZIP - pcap of the traffic:  2015-02-15-traffic-analysis-exercise.pcap.zip

NOTE: ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

 

SCENARIO

You're working as an analyst at your organization's Security Operations Center (SOC).  One of the other analysts is investigating a snort alert for Nuclear exploit kit (EK).  This activity happened at your UK office.  Fortunately, that location has full packet capture, and the analyst retrieved a pcap of network traffic from the associated IP address.

The analyst reviewed the pcap and found what triggered the snort alert.  Unfortunately, the analyst cannot determine if the computer at your UK location was infected.  You've been asked to take a look.

 

You review the pcap and check the other analyst's report.  First, you double-check the following:

• Date and time of the activity
• IP address of computer
• Host name of computer
• MAC address of computer
• IP address and domain name that generated the Nuclear EK traffic

 

Traffic indicates the user was web browsing.  With this in mind, you try to determine:

• What website the user looked at before the Nuclear EK traffic
• If a malware payload was sent that could possibly infect the user's computer

 

FIRST DECISION POINT

1)  After looking at the pcap, you know what happened.  You make any neccessary corrections to the other analyst's report.

• Click here to see if your findings are accurate.

 

2)  You need more information!  What snort events were seen from that computer's IP address?  With a determined look on your face, you access Sguil on Security Onion to look for those alerts.  (Yeah, that's right.  Your organization uses Security Onion).

• Click here to see the events before you finish your analysis.

 

Click here to exit this exercise and return to the main page.