2015-02-15 - TRAFFIC ANALYSIS EXERCISE: DOCUMENTING A NUCLEAR EXPLOIT KIT (EK) INFECTION


SCENARIO

You're working as an analyst at your organization's Security Operations Center (SOC).  One of the other analysts is investigating an alert for Nuclear exploit kit (EK).  This activity happened at your UK office.  Fortunately, that location has full packet capture, and the analyst retrieved a pcap of network traffic from the associated IP address.

The analyst reviewed the pcap and found what triggered the snort alert.  Unfortunately, the analyst cannot determine if the computer at your UK location was infected.  You've been asked to take a look.


You review the pcap and check the other analyst's report.  First, you double-check the following:


Traffic indicates the user was web browsing.  With this in mind, you try to determine:


FIRST DECISION POINT

1)  After looking at the pcap, you know what happened.  You make any necessary corrections to the other analyst's report.


2)  You need more information!  What alerts were seen from that computer's IP address?  With a determined look on your face, you access Sguil on Security Onion to look for those alerts.  (Yeah, that's right.  Your organization uses Security Onion).
