2015-11-24 - TRAFFIC ANALYSIS EXERCISE - GOOFUS AND GALLANT
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- Zip archive of the pcap: 2015-11-24-traffic-analysis-exercise.pcap.zip 11.7 MB (11,726,282 bytes)
- 2015-11-24-traffic-analysis-exercise.pcap 14.5 MB (14,476,313 bytes)
- Zip archive of the IDS events: 2015-11-24-traffic-analysis-exercise-IDS-events.zip 24.1 kB (24,089 bytes)
- 2015-11-24-traffic-analysis-exercise-snort-events.txt 82.4 kB (82,440 bytes)
- 2015-11-24-traffic-analysis-exercise-suricata-events.txt 271.6 kB (271,561 bytes)
THE PLAYERS
Tom and Jake are recent hires at your organization's Security Operations Center (SOC). Due to their different personalities, they've earned the nickname "Goofus and Gallant" after a cartoon from the magazine Highlights for Children. Tom is Goofus. Jake is Gallant.
The above image was modified from the original at: "Goofus and Gallant - October 1980" by Source (WP:NFCC#4).
Licensed under Fair use of copyrighted material in the context of Highlights for Children via Wikipedia.
THE STORY
On the Tuesday before Thanksgiving, Tom and Jake are working at the SOC. Tom brought his Windows laptop to the office, and he plans to browse the web. Jake is hard at work reviewing alerts.
Shown above: For copyright purposes, this image should be considered satire.
Jake's holiday plans are set, and he's happy with the frozen turkey he'd purchased from the supermarket. Tom's more of a "turkey enthusiast." He wants to hunt and kill a turkey for his Thanksgiving meal.
In order to pursue his holiday plans, Tom decides to purchase a shotgun. He fires up his Windows laptop, connects to the SOC's wifi, and starts researching shotguns online.
It's not long before Tom's computer triggers some alerts for suspicious network activity. After those alerts, his laptop crashes!
Shown above: Screenshot of Tom's computer crashing.
THE AFTERMATH
You're the supervisor for both Goofus and Gallant. Tom, the Goofus of the pair, will likely be fired at some point due to his poor work ethic. Jake is certainly gallant, but he's still a relatively inexperienced analyst. You'll have to figure out what happened to Tom's laptop.
You check Tom's machine and quickly find a suspicious registry entry. It looks like Goofus infected his laptop. The SHA256 hash for the file referenced in the registry is: d16ad130daed5d4f3a7368ce73b87a8f84404873cbfc90cc77e967a83c947cd2
Shown above: Registry entry from the infected Windows laptop.
Next you review the network alerts. Unfortunately, your organization is too cheap for any commercial intrusion detection system (IDS). Fortunately, lower-cost solutions have been implemented. You have access to Snort alerts using the Snort registered ruleset. You also have access to Suricata alerts using the EmergingThreats free ruleset.
Shown above: Snort events on the traffic using Snort 2.9.7.6 and the Snort Registered ruleset.
Shown above: Suricata events on the traffic using Sguil on Security Onion with the EmergingThreats ruleset.
REPORTING
You were able to retrieve a pcap of network traffic to and from Tom's laptop. You'll need to write a report. At a minimum, your report should include:
- Date and approximate time of the infection.
- The infected computer's IP address.
- The infected computer's MAC address.
- The infected computer's host name.
- What caused the infection.
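Three of the five report items (IP address, MAC address, host name) can usually be pulled from the same place in a pcap: the client's DHCP Discover/Request packets, which carry the hardware address in the chaddr field and the host name in option 12. The script below is an added example, not part of the original exercise or its answers: it writes a small classic-format pcap in memory and then parses it with nothing but the standard library, so it runs offline. The MAC, IP, host name and timestamp in the sample are constructed for the example; the real values have to come from the exercise pcap.

```python
"""Pull DHCP-based host identification out of a classic pcap (added example)."""
import struct
from datetime import datetime, timezone


def parse_pcap(data):
    """Yield (epoch_timestamp, frame_bytes) for each record of a classic pcap."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a microsecond classic pcap (pcapng is not handled)")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != 1:                      # DLT_EN10MB: Ethernet frames
        raise ValueError("only Ethernet link type is supported")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield sec + usec / 1e6, data[off:off + incl_len]
        off += incl_len


def dhcp_options(payload):
    """Decode the TLV option area that follows the DHCP magic cookie."""
    opts, i = {}, 0
    while i < len(payload):
        code = payload[i]
        if code == 255:                    # End option
            break
        if code == 0:                      # Pad option has no length byte
            i += 1
            continue
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def extract_dhcp_clients(pcap_bytes):
    """Map client MAC -> {first_seen, hostname, ip} from client-to-server DHCP packets."""
    clients = {}
    for ts, frame in parse_pcap(pcap_bytes):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # IPv4 only
            continue
        ip = frame[14:]
        if ip[9] != 17:                                        # UDP only
            continue
        udp = ip[(ip[0] & 0x0F) * 4:]
        if struct.unpack_from("!HH", udp, 0)[1] != 67:         # client -> server port
            continue
        bootp = udp[8:]
        if len(bootp) < 240 or bootp[236:240] != b"\x63\x82\x53\x63":
            continue
        mac = ":".join(f"{b:02x}" for b in bootp[28:28 + bootp[2]])  # chaddr, hlen bytes
        opts = dhcp_options(bootp[240:])
        entry = clients.setdefault(mac, {"first_seen": ts, "hostname": None, "ip": None})
        if 12 in opts:                                         # Host Name option
            entry["hostname"] = opts[12].decode("ascii", "replace")
        if 50 in opts:                                         # Requested IP (Request)
            entry["ip"] = ".".join(str(b) for b in opts[50])
        elif bootp[12:16] != b"\0\0\0\0":                      # ciaddr set on renewals
            entry["ip"] = ".".join(str(b) for b in bootp[12:16])
    return clients


def report_lines(pcap_bytes):
    """One line per DHCP client, formatted the way the report asks for it."""
    lines = []
    for mac, c in extract_dhcp_clients(pcap_bytes).items():
        when = datetime.fromtimestamp(c["first_seen"], timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
        lines.append(f"{when}  mac={mac}  ip={c['ip']}  host={c['hostname']}")
    return lines


# --- constructed sample input: one DHCP Request broadcast from a made-up client ---
def dhcp_request_frame(src_mac, hostname, requested_ip):
    """Build Ethernet/IPv4/UDP/DHCP Request bytes; checksums are left zero (not validated above)."""
    options = (bytes([53, 1, 3])                                       # message type: Request
               + bytes([50, 4]) + bytes(int(x) for x in requested_ip.split("."))
               + bytes([12, len(hostname)]) + hostname.encode("ascii") + bytes([255]))
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s4s", 1, 1, 6, 0, 0x3903F326, 0, 0x8000,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                        src_mac + b"\0" * 10, b"\0" * 64, b"\0" * 128, b"\x63\x82\x53\x63")
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp) + len(options), 0) + bootp + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     b"\0\0\0\0", b"\xff\xff\xff\xff") + udp
    return b"\xff" * 6 + src_mac + b"\x08\x00" + ip


def build_pcap(records):
    """Serialize (timestamp, frame) pairs as a little-endian classic pcap."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for ts, frame in records:
        sec = int(ts)
        out.append(struct.pack("<IIII", sec, int(round((ts - sec) * 1e6)), len(frame), len(frame)) + frame)
    return b"".join(out)


# Hypothetical client: 2015-11-24 17:30:00 UTC, MAC 00:11:22:33:44:55, host EXAMPLE-LAPTOP
SAMPLE_PCAP = build_pcap([(1448386200.0,
                           dhcp_request_frame(b"\x00\x11\x22\x33\x44\x55", "EXAMPLE-LAPTOP", "192.168.0.10"))])

if __name__ == "__main__":
    for line in report_lines(SAMPLE_PCAP):
        print(line)
```

Two caveats when running this against a real capture. DHCP only appears if the host obtained or renewed a lease while the sniffer was up; if it did not, the same fields can be recovered from NetBIOS name service, LLMNR or Kerberos traffic, which this example does not parse. And the DHCP timestamp is when the host joined the network, not when it was infected; the infection time still has to be read from the first alert and the HTTP request that triggered it.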
ANSWERS
- Click here for the answers.