2016-02-28 - TRAFFIC ANALYSIS EXERCISE - IDEAL VERSUS REALITY
- ZIP archive the PCAP: 2016-02-28-traffic-analysis-exercise.pcap.zip 13.4 MB (13,437,800 bytes)
ZIP files on this site are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
What's my definition of a security analyst? Security analysts are responsible for monitoring their employer's network and providing near-real-time detection of suspicious activity. Ideally, these analysts have access to intrusion detection systems (IDS) that cover the company's entire infrastructure. In reality, the situation is less than ideal.
The ideal: State-of-the-art equipment and monitors everywhere!
The reality: You're a team of one, and your equipment is best described as "Salvation Army surplus."
Even state-of-the-art facilities have issues. Many security operations centers (SOCs) don't have access to full packet capture of their network traffic. Investigating suspicious events can be a problem in these environments. Without context around an event, you might not be certain of what actually happened.
In this exercise, a computer is infected with malware. Your challenge, should you choose to accept it, is to figure out what happened based on the network traffic.
Shown above: The pcap for this traffic analysis exercise opened in Wireshark.
As always, you should write a report of your investigation. The report should include:
- A description of what happened.
- Date and time of the activity.
- IP address, MAC address, and host name of the infected computer.
- A conclusion with recommendations to resolve the issue.
- If possible, try to determine the operating system and some of the applications (browser, etc.) associated with the infection.
- Click here for the answers.
Click here to return to the main page.