2015-02-08 - TRAFFIC ANALYSIS EXERCISE
- ZIP of a PCAP for the traffic: 2015-02-08-traffic-analysis-exercise.pcap.zip
NOTE: ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Mike calls the Help Desk and says his desktop computer is "acting weird" but he refuses to provide any details. The Help Desk reports it to your organization's Security Operations Center (SOC). A phone call to Mike doesn't reveal any details. He insists his computer is "acting weird" but will not say what, exactly, is wrong.
One of the SOC analysts searched through network traffic and retrieved a pcap related to this activity. This traffic occurred shortly before Mike called the Help Desk. The analyst cannot figure out what happened, so you've been asked to take a look.
You review the pcap and take notes. First, you document the following:
- Date and time of the activity
- IP address of Mike's desktop computer
- Host name of Mike's desktop computer
- MAC address of Mike's desktop computer
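The four items above are usually pulled from the host's own DHCP or NetBIOS traffic at the start of the pcap. The script below is an added example (not part of this exercise or of malware-traffic-analysis.net) that reads a classic pcap with only the Python standard library and records the first DHCP Request carrying a hostname option: packet timestamp, client IP (ciaddr, or the IP source if ciaddr is empty), hostname (option 12) and MAC (chaddr). The MAC, IP, hostname and timestamp it feeds in are constructed placeholders, not values from the exercise pcap.

```python
"""Document a host's basics from a pcap: time, IP, hostname, MAC.
Standard library only; the sample pcap below is constructed in memory."""
import socket
import struct
from datetime import datetime, timezone

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
DHCP_COOKIE = b"\x63\x82\x53\x63"


def build_dhcp_request_pcap(ts_sec, ts_usec, mac, client_ip, hostname):
    """Constructed sample: one Ethernet/IPv4/UDP DHCP Request frame in a pcap."""
    raw_mac = bytes.fromhex(mac.replace(":", ""))
    eth = b"\xff" * 6 + raw_mac + b"\x08\x00"
    # BOOTP: op=1 (request), htype=1, hlen=6, hops, xid, secs, flags
    bootp = (struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x3903F326, 0, 0)
             + socket.inet_aton(client_ip)          # ciaddr: address the client holds
             + b"\x00" * 12                         # yiaddr, siaddr, giaddr
             + raw_mac.ljust(16, b"\x00")           # chaddr
             + b"\x00" * 64 + b"\x00" * 128         # sname, file
             + DHCP_COOKIE)
    hn = hostname.encode()
    options = b"\x35\x01\x03" + b"\x0c" + bytes([len(hn)]) + hn + b"\xff"
    payload = bootp + options
    udp = struct.pack("!HHHH", 68, 67, 8 + len(payload), 0) + payload
    ip = (struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(udp), 0x1234, 0, 128, 17, 0)
          + socket.inet_aton(client_ip) + socket.inet_aton("255.255.255.255") + udp)
    frame = eth + ip
    global_hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    rec_hdr = struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame))
    return global_hdr + rec_hdr + frame


def iter_pcap_records(data):
    """Yield (ts_sec, ts_usec, frame) for each record; both byte orders handled."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type is handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec, ts_usec, data[off:off + incl_len]
        off += incl_len


def parse_dhcp_options(opts):
    """Return {code: raw value} for a DHCP option list (PAD skipped, stops at END)."""
    result, i = {}, 0
    while i < len(opts):
        code = opts[i]
        if code == 255:
            break
        if code == 0:
            i += 1
            continue
        length = opts[i + 1]
        result[code] = opts[i + 2:i + 2 + length]
        i += 2 + length
    return result


def document_host(pcap_bytes):
    """Notes for the first step of the report, taken from the first DHCP
    Request (message type 3) that carries a hostname (option 12)."""
    for ts_sec, ts_usec, frame in iter_pcap_records(pcap_bytes):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue                                    # need IPv4 over UDP
        ihl = (frame[14] & 0x0F) * 4
        src_ip = socket.inet_ntoa(frame[26:30])
        udp = frame[14 + ihl:]
        if struct.unpack("!HH", udp[:4]) != (68, 67):
            continue                                    # client -> server DHCP only
        bootp = udp[8:]
        if len(bootp) < 240 or bootp[236:240] != DHCP_COOKIE:
            continue
        opts = parse_dhcp_options(bootp[240:])
        if opts.get(53) != b"\x03" or 12 not in opts:
            continue
        ciaddr = socket.inet_ntoa(bootp[12:16])
        when = datetime.fromtimestamp(ts_sec + ts_usec / 1e6, tz=timezone.utc)
        return {
            "time_utc": when.strftime("%Y-%m-%d %H:%M:%S"),
            "ip": ciaddr if ciaddr != "0.0.0.0" else src_ip,
            "hostname": opts[12].decode(errors="replace"),
            "mac": ":".join(f"{b:02x}" for b in bootp[28:34]),
        }
    return None


if __name__ == "__main__":
    # Constructed placeholder values, not the exercise's own data.
    sample = build_dhcp_request_pcap(1423404000, 0, "00:1e:4f:aa:bb:cc",
                                     "192.168.1.50", "EXAMPLE-PC")
    print(document_host(sample))
```

On a real capture, replace the constructed sample with `open("file.pcap", "rb").read()`; if the host never sends a DHCP Request with option 12, the function returns `None` and the hostname has to come from another source such as NBNS registrations, which this example does not parse.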
Based on the traffic, what happened? You might recognize the activity from entries you've read on www.malware-traffic-analysis.net or other blogs. If possible, you'll want to run the pcap through Security Onion or a Snort setup using the EmergingThreats signature set.
FIRST DECISION POINT
1) Based on your analysis of the traffic, you call Mike and tell him what you think has happened. Mike confirms your assessment, and he's somewhat embarrassed by his actions. The SOC follows established procedures to handle the incident, and you draft a report. Case closed! You're back on the hunt, reviewing more IDS events for the rest of your 12-hour shift. (Only 11 hours left!)
- click here to see if your summary is accurate.
2) You're not happy with the analysis you've done so far. Fortunately, another analyst was also researching the activity and found some additional information.
- click here to continue working on your report with the additional information.