Security Incident Report
Due: Sunday 3rd October by 8pm
Weight: 20% of total mark for this unit
Approximate length: 3 to 4 pages, depending on content and quality
Throughout this unit we learn about different protocols used in networks and how they are used by attackers. In this assessment task you will conduct an analysis of captured network traffic using the tools of Security Onion. You are asked to demonstrate your understanding of abnormal protocol behaviour by preparing a security incident report explaining a malware attack.
The network traffic that we will be examining for this task can be found at:
On this page you will find a password protected ZIP file containing the PCAP file (the password is ‘infected’). Download this PCAP file and import it into Security Onion (read Importing PCAP Hints below first). Upon importing, you will see the following events in Sguil:
The above security alerts include a total of 14 different TCP exchanges, as follows:
- 10.3.162.105:62612 – 184.108.40.206:80 (IDs* 3.21, 3.33)
- 10.3.162.105:62632 – 220.127.116.11:80 (ID* 3.71)
- 10.3.162.105:62637 – 18.104.22.168:80 (IDs* 3.75, 3.77, 3.79, 3.81, 3.82)
- 10.3.162.105:62638 – 22.214.171.124:80 (IDs* 3.83, 3.84, 3.85, 3.86, 3.88)
- 10.3.162.105:62640 – 126.96.36.199:80 (ID* 3.109)
- 10.3.162.105:62641 – 188.8.131.52:80 (IDs* 3.115, 3.127, 3.114)
- 10.3.162.105:62643 – 184.108.40.206:80 (ID* 3.141)
- 10.3.162.105:62717 – 220.127.116.11:80 (ID* 3.204)
- 10.3.162.105:62769 – 18.104.22.168:80 (ID* 3.246)
- 10.3.162.105:62869 – 22.214.171.124:80 (ID* 3.298)
- 10.3.162.105:62872 – 126.96.36.199:80 (ID* 3.299)
- 10.3.162.105:62947 – 188.8.131.52:80 (IDs* 3.302, 3.303)
- 10.3.162.105:63000 – 184.108.40.206:80 (ID* 3.305)
- 10.3.162.105:63158 – 220.127.116.11:80 (ID* 3.318)
* Depending on the version of Security Onion the ID numbers shown above may vary. You should still be able to identify the relevant TCP exchanges and IDs by matching the IP addresses (Src IP and Dst IP columns), port numbers (SPort and DPort) and the message text (Event Message).
Note that the page you download this PCAP file from also has a link at the bottom “to help you get the answers”. That page contains a number of hints you may wish to check (you won’t need all the information on it, and you may not need any of it!).
In this task, you will play the role of a member of the IT support group for an organisation that has observed a malware attack (the packet capture). Your task is to conduct an analysis of the malware attack and prepare a report addressing the points indicated below. The requirements are as follows (you must use the headings indicated):
- Introduction (<1 page):
- Provide a general overview of the attack
- Explain how the attack began and identify the major steps in the malware attack.
- The Cyberattack (<2 pages):
- Out of the 14 TCP exchanges identified above, select two activities: one that demonstrates an apparently successful activity by the malware, and a second that is an apparently failed activity by the malware (note that multiple malware/programs are involved). For each of your selected exchanges:
- List the related security events and explain what the associated log messages provided by Security Onion are telling you;
- Describe the content and identify malware payloads where relevant, and discuss the purpose of the exchange in the overall context of the attack;
- Identify whether this was a successful or unsuccessful step in the attack and explain why.
- Recommended actions and training:
- Using an instructional wording, explain to the users of the organisation what actions they should take to eliminate this malware infection and what actions they should take in the future to avoid falling victim to such an infection.
- Conclusions and Recommendations
- Provide a general summary / conclusion for your report by discussing the potential damage that could be inflicted by such an event. Your discussion of potential damage should focus on the malware you examined in Section 2.
OBTAINING AND IMPORTING THE PCAP INTO SECURITY ONION
There are three options for completing this assessment:
- VMLab is already available to you.
- A pre-built VM is already available to you.
- Using your own copy of Security Onion.
If you are using either VMLab or the pre-built VM, a copy of the packet capture can be found in the location: /media/student/Disc/2015-05-29-traffic-analysis-exercise.pcap
Instructions for downloading a copy of this packet capture into your own Security Onion VM are provided below.
To successfully import the PCAP into Security Onion, you will need to complete the following steps:
- If using VMLab, login, create, and enter the booking.
- If using VirtualBox, then start VirtualBox and boot Security Onion.
- Once Security Onion has booted, open a Terminal window and enter the following command to stop Security Onion’s services and configure the correct timezone:
- We now need to configure Security Onion to keep event logs for longer by entering the command:
sudo gedit /etc/nsm/securityonion.conf
About five lines down, check that the DAYSTOKEEP variable is set to the value 9999, i.e.,
Save the file and exit the editor.
- If using your own VirtualBox VM, you should download the packet capture now.
- Restart Security Onion’s services by entering the command:
- Load the packet capture into Security Onion by entering the command:
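The retention step above (editing securityonion.conf by hand) is the one that is easiest to get wrong silently, and an import into a sensor whose DAYSTOKEEP is too low can quietly lose the 2015-dated events before you look at them. The script below is an added example, not part of the assignment brief or of Security Onion: it checks the current value and corrects it without opening an editor, keeping a backup of the original file. It assumes the file uses plain KEY=VALUE lines (e.g. "DAYSTOKEEP=30"); the function names and the sample configuration it builds when the real file is absent are this example's own.

```shell
#!/bin/sh
# Added example (not part of the assignment brief): check and, if needed,
# correct the DAYSTOKEEP retention setting in Security Onion's securityonion.conf
# without opening an editor. Assumes KEY=VALUE lines such as "DAYSTOKEEP=30".
# Run against the real file with:  sudo sh this.sh /etc/nsm/securityonion.conf

CONF_FILE="${1:-/etc/nsm/securityonion.conf}"
WANTED_DAYS=9999

# Print the current DAYSTOKEEP value (empty if the key is absent).
get_daystokeep() {
    sed -n 's/^[[:space:]]*DAYSTOKEEP=//p' "$1" | head -n 1
}

# Set DAYSTOKEEP to the requested value, backing the file up first.
# Rewrites an existing line in place (via a temp file, so ownership and
# permissions of the original are preserved); appends the key if missing.
set_daystokeep() {
    conf="$1"; days="$2"
    cp "$conf" "$conf.bak"
    if grep -q '^[[:space:]]*DAYSTOKEEP=' "$conf"; then
        tmp=$(mktemp)
        sed "s/^[[:space:]]*DAYSTOKEEP=.*/DAYSTOKEEP=$days/" "$conf" > "$tmp"
        cat "$tmp" > "$conf"
        rm -f "$tmp"
    else
        printf 'DAYSTOKEEP=%s\n' "$days" >> "$conf"
    fi
}

# Ensure the value is what we want. Returns 0 if it was already correct,
# 1 if it had to be changed (so a caller can tell the two cases apart).
ensure_daystokeep() {
    conf="$1"; days="$2"
    current=$(get_daystokeep "$conf")
    if [ "$current" = "$days" ]; then
        echo "DAYSTOKEEP already $days in $conf"
        return 0
    fi
    set_daystokeep "$conf" "$days"
    echo "DAYSTOKEEP changed from '${current:-<unset>}' to $days in $conf (backup: $conf.bak)"
    return 1
}

# Constructed sample config, used only when this script is run on a machine
# that has no Security Onion install; the real file is /etc/nsm/securityonion.conf.
make_sample_conf() {
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
# Security Onion configuration (constructed sample for this example)
ELSA=YES
LOG_SIZE_LIMIT=10000
DAYSTOKEEP=30
EOF
    echo "$sample"
}

if [ ! -f "$CONF_FILE" ]; then
    CONF_FILE=$(make_sample_conf)
fi
ensure_daystokeep "$CONF_FILE" "$WANTED_DAYS" || true
```

Run it once before restarting the services in the next step; a second run should report that the value is already 9999, which is a quick way to confirm the edit actually landed in the file the services will read.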
DOWNLOADING THE PCAP INTO YOUR OWN SECURITY ONION VM
Downloading the PCAP file into Security Onion should only be completed as part of Step 5 in the previous section. At this point, the Security Onion services are stopped and we can temporarily reconfigure the network to download the capture, as follows:
- Edit the Security Onion VM’s settings and change the first adapter from Internal to NAT.
- Switch the network over to access the public Internet by entering the commands:
sudo ifdown enp0s3
sudo dhclient enp0s3
- Open the web browser inside Security Onion and download the ZIP file from:
- Change the network back to the static IP address by entering the commands:
sudo dhclient -r enp0s3
sudo ifup enp0s3
- Edit the Security Onion VM’s settings and change the first adapter from NAT back to Internal.
- Locate and unzip the PCAP file (the password is ‘infected’). This can be done either through the file browser or by using the command:
- (Suggested) This is an ideal time to take a snapshot of the VM to ensure you can rewind to this point at any time (you can delete the snapshot after you finish the assignment!)
Load Sguil and check that you have the same list of events as shown at the start of this assignment question (sort by date/time if needed, noting that the IDs may be different as discussed above). If your event list appears to be significantly different, double check that you have downloaded and imported the correct PCAP file (analysing the wrong file will lead to zero marks).
Your report should be submitted via CloudDeakin to the TurnItIn-enabled Assignment Folder for the Security Incident Report. Your report must have appropriate headings as indicated in the requirements above. Acceptable file formats are Word documents, PowerPoint documents, PDF documents, text and rich text files, and HTML. Compressed files, such as ZIP files or RAR files are not accepted and will not be marked.
After submitting your assignment you should receive an email to your Deakin email address confirming that it has been submitted. You should check that you can see your assignment in the Submissions view of the Assignment folder after upload, and check for, and keep, the email receipt for the submission.
Academic misconduct and plagiarism are subject to penalties.
Plagiarism includes, but is not limited to:
- Copying others’ work without appropriate referencing
- Re-using assignment material completed by other students
- Contracting others to do assessment tasks on your behalf.
This assignment assesses the following Graduate Learning Outcomes (GLO) and related Unit Learning Outcomes (ULO):
| Graduate Learning Outcome (GLO) | Unit Learning Outcome (ULO) |
|---|---|
| GLO1: Discipline-specific knowledge and capabilities: appropriate to the level of study related to a discipline or profession. | ULO3: You will be required to conduct an analysis of captured network traffic and prepare a formal incident report explaining what happened in detail. |
| GLO4: Critical Thinking: evaluating information using critical and analytical thinking and judgement. | |
No extensions will be considered for this assessment unless a request is submitted through the CloudDeakin and approved by the Unit Chair (enter SIT716 unit page and click Assessment -> Extension request). Assignment Extensions are normally only approved when students apply before the due date. The Unit Chair may ask you to supply supporting documentation about the difficulties you are facing, and evidence of the work you have completed so far.
A marking penalty will be applied where the assessment task is submitted after the due date without an approved extension as follows:
- 5% will be deducted from available marks for each day up to five days
- where work is submitted more than five days after the due date, the task will not be marked and the student will receive 0% for the task.
‘Day’ means working day for paper submissions and calendar day for electronic submissions.
(This assessment task uses electronic submission)
SIT716 Computer Networks and Security