2015-11-06 - TRAFFIC ANALYSIS EXERCISE - EMAIL ROULETTE

ASSOCIATED FILES:

• ZIP file of the PCAP:  2015-11-06-traffic-analysis-exercise.pcap.zip   5.2 MB (5,211,550 bytes)
• ZIP file of the emails:  2015-11-06-traffic-analysis-exercise-emails.zip   103.6 kB (103,559 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

 

SCENARIO

You're working as an analyst at a Security Operations Center (SOC) for a Thanksgiving-themed company.

One quiet evening, you hear someone knocking at the SOC entrance.  As you answer the door, an exhausted mail server technician stumbles in and quickly falls to the floor.  He whispers in a shaky voice, "Mail filters are down...  Spam everywhere..."

As you help him up, he looks to the sky and yells, "The gates of hell have opened!"

The technician immediately collapses again and softly whispers, "The horror...  The horror..."

The mail filter outage lasted throughout the next day.  Fortunately, very few incidents were reported.  But one example caught your eye.

During the mail filter outage, one of the company employees decided to play "email roulette."  The employee opened one of the malicious emails from his inbox and treated it as a legitimate message.

 

YOUR ASSIGNMENT

You've acquired four malicious messages the employee received.  You also received a pcap of traffic from his infected computer.  Your task?  Figure out which email was used to infected his computer.

 

REPORTING

Be as detailed as you like.  At a minimum, your report should include the following:

• Date and approximate time of the infection.
• The infected computer's IP address.
• The infected computer's MAC address.
• The infected computer's host name.
• Which email the employee opened.

 

ANSWERS

• Click here for the answers.

Click here to return to the main page.