2016-02-06 - TRAFFIC ANALYSIS EXERCISE - NETWORK ALERTS AT CUPID'S ARROW ONLINE
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- Zip archive of the pcap: 2016-02-06-traffic-analysis-exercise.pcap.zip 8.8 MB (8,838,133 bytes)
- Zip archive of the malspam, Snort/Suricata logs, and spreadsheet with employee info: 2016-02-06-traffic-analysis-exercise-emails-and-alerts.zip 48.0 kB (47,966 bytes)
SCENARIO
You recently hired on as a security analyst for Cupid's Arrow Online, the largest online retailer for novelty arrows worldwide. Apparently, novelty arrows are lucrative enough that the company can afford to staff its Security Operations Center (SOC) 24 hours a day, 7 days a week.
Shown above: One of your employer's ads.
Unfortunately, it's after normal work hours, and you're the only person reviewing network events. You silently curse your coworker Sven, who called in sick this evening. Maybe it's for the best, though. Strange things tend to happen whenever Sven is around.
Shown above: Sven on a good day.
Later, you see alerts on suspicious activity. Time to investigate!
You identify the IP address and pull the associated traffic, along with the Snort and Suricata event logs. You were already examining some malicious emails that made it through the spam filter, so you have those items on hand. Finally, you retrieved a list of people on the network during the timeframe of these alerts (you might have to contact them about this activity).
THE REPORT
You'll need to write a report for your investigation. The report should include:
- A summary of what happened. Be sure to include the affected employee's name and position in the company.
- Date and time of the activity.
- IP address, MAC address, and host name of the computer that was involved.
- A conclusion with recommendations for any follow-up actions, if required.
ANSWERS
- Click here for the answers.