Working as the security analyst for ACME Inc., you notice a number of events on the SGUIL dashboard.
computer science
Description
Skills Assessment
Introduction
Working as the security analyst for ACME Inc., you notice
a number of events on the SGUIL dashboard. Your task is to analyze these events,
learn more about them, and decide if they indicate malicious activity.
You will have access to Google to learn more about the
events. Security Onion is the only VM with Internet access in the Cybersecurity
Operations virtual environment.
The tasks below are designed to provide some guidance
through the analysis process.
You will practice and be assessed on the following skills:
o
Evaluating Snort/SGUIL events.
o
Using SGUIL as a pivot to launch ELSA, Bro and
Wireshark for further event inspection.
o
Using Google search as a tool to obtain
intelligence on a potential exploit.
Content for this assessment was obtained from http://www.malware-traffic-analysis.net/
and is used with permission. We are grateful for the use of this material.
Addressing
Table
The following addresses are preconfigured on the network
devices. Addresses are provided for reference purposes.
|
Device |
Interface |
Network/Address |
Description |
|
Security Onion VM |
eth0 |
192.168.0.1/24 |
Interface connected to the Internal Network |
|
eth2 |
209.165.201.21/24 |
Interface connected to the External Networks/Internet |
Part 1: Gathering
Basic Information
a.
Log into Security Onion VM using with the
username analyst and password cyberops.
b.
Open a terminal window. Enter the sudo service nsm status command to
verify that all the services and sensors are ready.
c.
When the nsm service is ready, log into SGUIL
with the username analyst and
password cyberops. Click Select All to monitor all the networks.
Click Start SQUIL to continue.
d.
In the SGUIL window, identify the group of
events that are associated with exploit(s). This group of events are related to
a single multi-part exploit.
How many events were generated by the entire exploit?
____________________________________________________________________________________
____________________________________________________________________________________
e.
According to SGUIL, when did the exploit begin?
When did it end? Approximately how long did it take?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
f.
What is the IP address of the internal computer
involved in the events?
____________________________________________________________________________________
g.
What is the MAC address of the internal computer
involved in the events? How did you find it?
____________________________________________________________________________________
h.
What are some of the Source IDs of the rules
that fire when the exploit occurs? Where are the Source IDs from?
____________________________________________________________________________________
i.
Do the events look suspicious to you? Does it
seem like the internal computer was infected or compromised? Explain.
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
j.
What is the operating system running on the internal
computer in question?
____________________________________________________________________________________
Part 2: Learn About the Exploit
a.
According to Snort, what is the exploit kit (EK)
in use?
____________________________________________________________________________________
b.
What is an exploit kit?
____________________________________________________________________________________
c.
Do a quick Google search on ‘Angler EK’ to learn
a little about the fundamentals the exploit kit. Summarize your findings and
record them here.
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
d.
How does this exploit fit the definition on an
exploit kit? Give examples from the events you see in SGUIL.
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
e.
What are the major stages in exploit kits?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
