2015-02-15 - TRAFFIC ANALYSIS EXERCISE: DOCUMENTING A NUCLEAR EXPLOIT KIT (EK) INFECTION

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

PCAP:

• 2015-02-15-traffic-analysis-exercise.pcap.zip   1.3 MB (1,284,313 bytes)

 

SCENARIO

You're working as an analyst at your organization's Security Operations Center (SOC).  One of the other analysts is investigating an alert for Nuclear exploit kit (EK).  This activity happened at your UK office.  Fortunately, that location has full packet capture, and the analyst retrieved a pcap of network traffic from the associated IP address.

The analyst reviewed the pcap and found what triggered the snort alert.  Unfortunately, the analyst cannot determine if the computer at your UK location was infected.  You've been asked to take a look.

 

You review the pcap and check the other analyst's report.  First, you double-check the following:

• Date and time of the activity
• IP address of computer
• Host name of computer
• MAC address of computer
• IP address and domain name that generated the Nuclear EK traffic

 

Traffic indicates the user was web browsing.  With this in mind, you try to determine:

• What website the user looked at before the Nuclear EK traffic
• If a malware payload was sent that could possibly infect the user's computer

 

FIRST DECISION POINT

1)  After looking at the pcap, you know what happened.  You make any neccessary corrections to the other analyst's report.

• Click here to see if your initial findings are accurate.

 

2)  You need more information!  What alerts were seen from that computer's IP address?  With a determined look on your face, you access Sguil on Security Onion to look for those alerts.  (Yeah, that's right.  Your organization uses Security Onion).

• Click here to see the events before you finish your analysis.

 

Click here to exit this exercise and return to the main page.