|20-CS-[51|60]55||Cyber Defense Overview||Fall 2018|
PCAP Forensic Examination of Attack
Due: 4 October, 2018 (Submission instructions are here)
You are responsible for protecting the network of The Company. The Company owns the 256-address network in the 192.168.6.x IP address ranges (CIDR 192.168.6.0/24). A gateway has been installed at 192.168.6.1 which provides direct Internet access to the rest of the hosts at The Company. This gateway is configured to handle all email for The Company as well as where The Company hosts its primary website.
One morning, you have been informed by authorities that an unidentified system on the Internet has been suspected of intruding upon your network from the IP address 192.168.5.55. As The Company's gatway is relatively new, adequate application & service logging on the server has not been configured. However, you have network traffic monitoring and collection equipment installed at The Company, and the authorities provided you with a window of time of the suspect activity. Your network team was able to successfully recover the PCAP of the attack. This will be the only information you will have to determine the attack.
You will need to write a report documenting the event, breaking the steps of the attack into Cyber Kill Chain phases, per the definitions from the Lockheed Martin (LMCO) whitepaper. Credit will be given for thoroughly documenting the attack steps from beginning to end, however credit will not be subtracted due to semantic mistakes such as documenting a step inside the wrong Kill Chain phase.
The captured attack begins with reconnaissance operations and continues all the way through the Actions on Objectives phase (which consists of some data theft from a single target). There is only one attacker and one internal victim host at The Company. You must identify both of these in your report. If there are any files stolen, you should recover those files and provide them with your report. If any file or malware artifacts are delivered to The Company, you should also provide them as supplements to the report.
The packet capture (PCAP File) for the attack: lab3.pcap
Videos showing how to use squert, sguil, elsa, and other analysis tools is at https://www.youtube.com/watch?v=ymSt6h6BcGo. The version of Security Onion used in the videos is old but still useful.
To get started on this lab see lab.pdf. This is the first two pages of a complete 9 page report.
Here is a version of Security Onion that is ready to go: Onion_2.ova. Open virtualbox click the File menu and select 'import appliance'. Choose this ova file. Run through the dialog boxes without changing anything. Then finish. User account is onion. All passwords are onion. sudo su in the onion account switches to root.
Use tcpreplay like this, for example:
sudo tcpreplay -ieth0 -M10 -twhether eth0 should be changed to your interface. The -t switch is to make tcprelay operate at full speed.
Note: Download security-onion.txt for information about tools in security onion and links to articles and videos that will help you better understand the services offered by security onion.
Submission instructions are here.