2015-02-08 - TRAFFIC ANALYSIS EXERCISE: MIKE'S COMPUTER IS "ACTING WEIRD"
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
PCAP:
- 2015-02-08-traffic-analysis-exercise.pcap.zip 1.9 MB (1,937,094 bytes)
SCENARIO
Mike calls the Help Desk and says his desktop computer is "acting weird" but he refuses to provide any details. The Help Desk reports it to your organization's Security Operations Center (SOC). A phone call to Mike doesn't reveal any details. He insists his computer is "acting weird" but will not say what, exactly, is wrong.
One of the SOC analysts searched through network traffic and retrieved a pcap related to this activity. This traffic occurred shortly before Mike called the Help Desk. The analyst cannot figure out what happened, so you've been asked to take a look.
You review the pcap and take notes. First, you document the following:
- Date and time of the activity
- IP address of Mike's desktop computer
- Host name of Mike's desktop computer
- MAC address of Mike's desktop computer
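To make those first four notes reproducible, here is an added Python triage script (not part of the exercise or of the site's materials) that reads a libpcap file and pulls out the first packet timestamp, the busiest sender's IP and MAC, and the hostname that MAC announced in a DHCP request (option 12). The capture it parses is a constructed two-frame sample embedded inline, not the exercise pcap, and the IP, MAC and hostname values are placeholders; "busiest sender" is a heuristic for the host of interest that you would confirm by hand in Wireshark.

```python
import struct
from collections import Counter
from datetime import datetime, timezone
def frame(src_mac, src_ip, dst_ip, proto, payload):
    # Constructed Ethernet II + IPv4 wrapper (dst MAC broadcast, IP checksum left 0).
    eth = b"\xff" * 6 + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + payload
def dhcp_request(src_mac, hostname):
    # Constructed BOOTP/DHCP Request (UDP 68->67) carrying option 12 (Host Name).
    bootp = (struct.pack("!BBBBIHH", 1, 1, 6, 0, 0xDEADBEEF, 0, 0) + bytes(16)
             + bytes.fromhex(src_mac.replace(":", "")) + bytes(202))   # chaddr + sname + file
    opts = b"\x63\x82\x53\x63" + bytes([53, 1, 3, 12, len(hostname)]) + hostname.encode() + b"\xff"
    return struct.pack("!HHHH", 68, 67, 8 + len(bootp) + len(opts), 0) + bootp + opts
def pcap(frames):
    # Little-endian libpcap file, link type 1 (Ethernet), one record per (ts_sec, frame).
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", ts, 0, len(f), len(f)) + f for ts, f in frames)
def dhcp_hostname(opts):
    # Walk (code, length, value) options until 255; 0 is a single pad byte; return option 12.
    i = 0
    while i + 1 < len(opts) and opts[i] != 255:
        if opts[i] == 12:
            return opts[i + 2:i + 2 + opts[i + 1]].decode("ascii", "replace")
        i += 1 if opts[i] == 0 else 2 + opts[i + 1]
    return None

def triage(data):
    # First timestamp, busiest sender (IP, MAC) and the hostname that MAC announced over DHCP.
    endian = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"   # classic pcap magic only
    off, first, senders, names = 24, None, Counter(), {}
    while off + 16 <= len(data):
        ts_sec, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        pkt, off = data[off + 16:off + 16 + incl_len], off + 16 + incl_len
        first = first or datetime.fromtimestamp(ts_sec, timezone.utc)
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
            continue                                    # only IPv4 over Ethernet is handled
        src_mac = ":".join(f"{b:02x}" for b in pkt[6:12])
        src_ip = ".".join(str(b) for b in pkt[26:30])
        senders[(src_ip, src_mac)] += 1
        l4 = pkt[14 + (pkt[14] & 0x0F) * 4:]            # skip IP header (IHL words) to UDP/TCP
        if pkt[23] == 17 and l4[2:4] == b"\x00\x43" and l4[244:248] == b"\x63\x82\x53\x63":
            names[src_mac] = dhcp_hostname(l4[248:])    # 8 UDP + 236 BOOTP + 4 magic cookie
    (ip, mac), _ = senders.most_common(1)[0]
    return {"first_seen": first.isoformat(), "ip": ip, "mac": mac, "hostname": names.get(mac)}

MAC, IP = "00:11:22:33:44:55", "192.168.1.100"   # constructed placeholders, not from the pcap
SAMPLE = pcap([(1423353600, frame(MAC, IP, "255.255.255.255", 17, dhcp_request(MAC, "EXAMPLE-PC"))),
               (1423353601, frame(MAC, IP, "93.184.216.34", 6, bytes(20)))])
```

Run `triage(open("capture.pcap", "rb").read())` on a real file to get the same four fields; the DHCP hostname will be missing if the capture started after the host's last lease exchange, in which case NBNS or Kerberos traffic is the next place to look.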
Based on the traffic, what happened? You might recognize the activity from entries you've read on www.malware-traffic-analysis.net or other blogs. If possible, you'll want to run the pcap through Security Onion or a Snort setup using the EmergingThreats signature set.
FIRST DECISION POINT
1) After analyzing the traffic, you call Mike and tell him what you think has happened. Mike confirms your assessment, and he's somewhat embarrassed by his actions. The SOC follows established procedures to handle the incident, and you draft a report. Case closed! You're back on the hunt, reviewing more IDS events for the rest of your 12-hour shift. (Only 11 hours left!)
- click here to see if your summary is accurate.
2) You're not happy with the analysis you've done so far. Fortunately, another analyst was also researching the activity and found some additional information.
- click here to continue working on your report with the additional information.