Security Incident Report

KEY INFORMATION

Due: Sunday 3rd October by 8pm

Weight: 20% of total mark for this unit

Approximate length: 3 to 4 pages long depending on length and quality

Individual Assessment

PURPOSE

Throughout this unit we learn about different protocols used in networks and how they are used by attackers. In this assessment task you will conduct an analysis of captured network traffic using the tools of Security Onion. You are asked to demonstrate your understanding of abnormal protocol behaviour by preparing a security incident report explaining a malware attack.

Task(s)

The network traffic that we will be examining for this task can be found at:

On this page you will find a password protected ZIP file containing the PCAP file (the password is ‘infected’). Download this PCAP file and import it into Security Onion (read Importing PCAP Hints below first). Upon importing, you will see the following events in Sguil:

The above security alerts include a total of 14 different TCP exchanges, as follows:

  1. 10.3.162.105:62612 – 149.3.144.218:80 (IDs* 3.21, 3.33)
  2. 10.3.162.105:62632 – 68.178.254.108:80 (ID* 3.71)
  3. 10.3.162.105:62637 – 91.200.14.95:80 (IDs* 3.75, 3.77, 3.79, 3.81, 3.82)
  4. 10.3.162.105:62638 – 46.249.199.41:80 (IDs* 3.83, 3.84, 3.85, 3.86, 3.88)
  5. 10.3.162.105:62640 – 37.140.192.238:80 (IDs* 3.109)
  6. 10.3.162.105:62641 – 178.208.83.15:80 (IDs* 3.115, 3.127, 3.114)
  7. 10.3.162.105:62643 – 109.120.189.60:80 (ID* 3.141)
  8. 10.3.162.105:62717 – 205.234.186.115:80 (ID* 3.204)
  9. 10.3.162.105:62769 – 23.15.4.18:80 (ID* 3.246)
  10. 10.3.162.105:62869 – 61.65.90.109:80 (ID* 3.298)
  11. 10.3.162.105:62872 – 61.65.90.109:80 (ID* 3.299)
  12. 10.3.162.105:62947 – 5.35.235.167:80 (IDs* 3.302, 3.303)
  13. 10.3.162.105:63000 – 37.76.209.224:80 (ID* 3.305)
  14. 10.3.162.105:63158 – 189.140.46.92:80 (ID* 3.318)

* Depending on the version of Security Onion the ID numbers shown above may vary. You should still be able to identify the relevant TCP exchanges and IDs by matching the IP addresses (Src IP and Dst IP columns) and port numbers (SPort and DPort) and the message text (Event Message).

Note that on the page you download this PCAP file from there is also a link at the bottom of the page “to help you get the answers” – this page contains a number of hints you may wish to check (note that you won’t need all the information on this page – you may not need any of it!)

In this task, you will play the role of a member of the IT support group for an organisation who has observed a malware attack (the packet capture) and it’s your task is to conduct an analysis of the malware attack and prepare a report addressing the points indicated below. The requirements are as follows (you must use the headings indicated):

  1. Introduction: (<1 page):
    • Provide a general overview of the attack
    • Explaining how the attack began and identify major steps in the malware attack.
  2. The Cyberattack (<2 pages):
  3. Out of the 14 TCP exchanges identified above, select two activities; one of which that demonstrates an apparently successful activity and a second one that is an apparent failed activity by the malware (note that multiple malware/ programs are involved). For each of your selected exchanges:
    1. List the related security events and explain what the associated log messages provided by Security Onion are telling you;
    2. Describe the content and identify malware payloads where relevant, and discuss the purpose of the exchange in the overall context of the attack;
    3. Identify whether this was a successful or unsuccessful step in the attack and explain why.
  4. Recommended actions and training:
  5. Using an instructional wording, explain to the users of the organisation what actions they should take to eliminate this malware infection and what actions they should take in the future to avoid falling victim to such an infection.
  6. Conclusions and Recommendations
  7. Provide a general summary / conclusion for your report by discussing the potential damage that could be inflicted by such an event. Your discussion of potential damage should focus on the malware you examined in Section 2.

obtaining and IMPORTING THE PCAP INTO SECURITY ONION

There are three options for completing this assessment:

  1. VMLab is already available to you.
  2. A pre-built VM is already available to you.
  3. Using your own copy of Security Onion.

If you are using either VMLab or the pre-built VM, a copy of the malware can be found in the location: /media/student/Disc/2015-05-29-traffic-analysis-exercise.pcap

Instructions for downloading a copy of this malware into your own Security Onion VM are provided below.

To successfully import the PCAP into Security Onion, you will need to complete the following steps1:

  1. If using VMLab, login, create, and enter the booking.
  2. If using VirtualBox, then start VirtualBox and boot Security Onion.
  3. Once Security Onion has booted, open a Terminal window and enter the following command to stop Security Onion’s services and configure the correct timezone:

sudo so-stop

  1. We now need to configure Security Onion to keep event logs for longer by entering the command:

sudo gedit /etc/nsm/securityonion.conf

About five lines down, check that the DAYSTOKEEP variable is set to the value 9999, i.e.,

DAYSTOKEEP=9999

Save the file and exit the editor.

  1. If using your own VirtualBox VM, you should download the packet capture now.
  2. Restart Security Onion’s services by entering the command:

sudo so-start

  1. Load the packet capture into Security Onion by entering the command:

DOWNLOADING THE PCAP INTO YOUR OWN SECURITY ONION VM

Downloading the PCAP file into Security Onion should only be completed as part of Step 5 in the previous section. At this point, the Security Onion services are stopped and we can temporarily reconfigure the network to download the capture, as follows:

  1. Edit the Security Onion’s VM settings and change the first adapter from Internal to NAT.
  2. Switch the network over to access the public Internet by entering the commands:

sudo ifdown enp0s3

sudo dhclient enp0s3

  1. Open the web browser inside Security Onion and download the ZIP file from:

  1. Change the network back to the static IP address by entering the commands:

sudo dhclient -r enp0s3

sudo ifup enp0s3

  1. Edit the Security Onion’s VM settings and change the first adapter from NAT back to Internal.
  2. Locate and unzip the PCAP file (the password is ‘infected’) – this can be done either through the file browser or by using the command:

  1. (Suggested) This is an ideal time to take a snapshot of the VM to ensure you can rewind to this point at any time (you can delete the snapshot after you finish the assignment!)

Load Sguil and check that you have the same list of events as shown at the start of this assignment question (sort by date/time if needed, noting that the IDs may be different as discussed above). If your event list appears to be significantly different, double check that you have downloaded and imported the correct PCAP file (analysing the wrong file will lead to zero marks).

Submission Details

Your report should be submitted via CloudDeakin to the TurnItIn-enabled Assignment Folder for the Security Incident Report. Your report must have appropriate headings as indicated in the requirements above. Acceptable file formats are Word documents, PowerPoint documents, PDF documents, text and rich text files, and HTML. Compressed files, such as ZIP files or RAR files are not accepted and will not be marked.

After submitting your assignment you should receive an email to your Deakin email address confirming that it has been submitted. You should check that you can see your assignment in the Submissions view of the Assignment folder after upload, and check for, and keep, the email receipt for the submission.



Academic Misconduct

Academic misconduct and plagiarism is subjected to penalties.

Plagiarism includes and not limited to:

  • Copying others’ work without appropriate referencing
  • Re-using assignment material completed by other students
  • Contracting others to do assessment tasks on your behalf.



Learning Outcomes

This assignment assesses the following Graduate Learning Outcomes (GLO) and related Unit Learning Outcomes (ULO):

Graduate Learning Outcome (GLO) Unit Learning Outcome (ULO)
GLO1: Discipline-specific knowledge and capabilities: appropriate to the level of study related to a discipline or profession. ULO3: You will be required to conduct an analysis of captured network traffic and prepare a formal incident report explaining what happened in detail.
GLO4: Critical Thinking: evaluating information using critical and analytical thinking and judgement.

Extensions

No extensions will be considered for this assessment unless a request is submitted through the CloudDeakin and approved by the Unit Chair (enter SIT716 unit page and click Assessment -> Extension request). Assignment Extensions are normally only approved when students apply before the due date. The Unit Chair may ask you to supply supporting documentation about the difficulties you are facing, and evidence of the work you have completed so far.

A marking penalty will be applied where the assessment task is submitted after the due date without an approved extension as follows:

  1. 5% will be deducted from available marks for each day up to five days
  1. where work is submitted more than five days after the due date, the task will not be marked and the student will receive 0% for the task.

‘Day’ means working day for paper submissions and calendar day for electronic submissions.

(This assessment task uses electronic submission)

SIT716 Computer Networks and Security

No Comment.