2015-02-08 - TRAFFIC ANALYSIS EXERCISE
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
PCAP:
- ZIP of a PCAP for the traffic: 2015-02-08-traffic-analysis-exercise.pcap.zip
FIRST DECISION POINT - YOU DON'T NEED ANY ADDITIONAL INFO. YOUR SUMMARY IS COMPLETE!
Load the pcap in wireshark. Hopefully, you've set it up as I've described in my tutorial here. Use http.request for the filter and see what we've got:
A Google search on the domain names will indicate what's going on. You'll find a submission to malwr.com that shows the same network traffic (under the "Network Analysis" section). You'll also find a blog entry on TechHelpList.com discussing the same URLs from the pcap.
With that information, you might not need the EmergingThreats events generated by running the pcap through Snort or Security Onion:
ANSWERS
An incident report of the activity should also include a technical details section after the short summary. It would have all URLs, domains, IP addresses, and other malicious traffic associated with the incident.
FIRST DECISION POINT - ALTERNATE CHOICE
- The other analyst researching this incident? That analyst found the email associated with this infection. If you want to update your report, click here to see what the analyst found.
FINAL NOTES IF YOU CHOSE TO STOP HERE
- You figure you've got everything from an incident response perspective, and you're right. No need to go the extra mile. Let that suckup Bob get the extra recognition. You've got more imporant things to do!
- But seriously, finishing the report now is not necessarily bad, especially if you've got other suspicious events to investigate. Spend too much time on one incident, and you might miss another infected computer.
Click here to return to the main page.