Due: Sunday 3rd October by 8pm
Weight: 20% of total mark for this unit
Approximate length: 3 to 4 pages long depending on length and quality
Throughout this unit we learn about different protocols used in networks and how they are used by attackers. In this assessment task you will conduct an analysis of captured network traffic using the tools of Security Onion. You are asked to demonstrate your understanding of abnormal protocol behaviour by preparing a security incident report explaining a malware attack.
The network traffic that we will be examining for this task can be found at:
On this page you will find a password protected ZIP file containing the PCAP file (the password is ‘infected’). Download this PCAP file and import it into Security Onion (read Importing PCAP Hints below first). Upon importing, you will see the following events in Sguil:
The above security alerts include a total of 14 different TCP exchanges, as follows:
* Depending on the version of Security Onion the ID numbers shown above may vary. You should still be able to identify the relevant TCP exchanges and IDs by matching the IP addresses (Src IP and Dst IP columns) and port numbers (SPort and DPort) and the message text (Event Message).
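Sguil identifies each exchange by the Src IP, SPort, Dst IP and DPort columns. As an added example (not part of this assignment brief and not Security Onion code), the following standard-library Python parses a classic libpcap file and groups IPv4/TCP packets into direction-independent exchanges, so that the number of distinct exchanges can be cross-checked against the 14 listed above; the packet data is constructed inline and is not the assignment's capture.

```python
import struct
PCAP_MAGIC = 0xA1B2C3D4  # classic libpcap magic (microsecond timestamps)

def parse_pcap(data):
    """Yield raw link-layer frames from a classic libpcap file (Ethernet assumed)."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = "<" if magic == PCAP_MAGIC else ">"
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def tcp_flow_key(frame):
    """Direction-independent ((ip, port), (ip, port)) key for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None  # not IPv4, or not TCP (protocol field at IP offset 9)
    ihl = (frame[14] & 0x0F) * 4
    src, dst = ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34]))
    sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)  # request and reply land on one key

def tcp_conversations(data):
    """Map each TCP exchange (Sguil's Src IP/SPort/Dst IP/DPort) to its packet count."""
    flows = {}
    for frame in parse_pcap(data):
        key = tcp_flow_key(frame)
        if key:
            flows[key] = flows.get(key, 0) + 1
    return flows

def build_frame(src, dst, sport, dport):  # constructed sample data, not the assignment capture
    """Minimal Ethernet/IPv4/TCP SYN frame with zeroed checksums."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 0, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def build_pcap(frames):  # little-endian classic pcap, link type 1 = Ethernet
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1432900000 + i, 0, len(f), len(f)) + f
    return out

SAMPLE_PCAP = build_pcap([  # constructed: three exchanges across four packets
    build_frame("192.168.1.10", "203.0.113.5", 49152, 80),
    build_frame("203.0.113.5", "192.168.1.10", 80, 49152),  # reply, same exchange
    build_frame("192.168.1.10", "203.0.113.5", 49153, 80),  # new client port
    build_frame("192.168.1.10", "198.51.100.7", 49154, 443),
])
```

Running `tcp_conversations` over the real capture (read with `open(path, "rb").read()`) gives one key per TCP exchange, which is the same grouping Sguil uses when it assigns a transcript to an alert.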
Note that the page you download this PCAP file from also has a link at the bottom “to help you get the answers”. That page contains a number of hints you may wish to check (you won’t need all the information on it, and you may not need any of it!).
In this task, you will play the role of a member of the IT support group for an organisation that has observed a malware attack (the packet capture). It is your task to conduct an analysis of the malware attack and prepare a report addressing the points indicated below. The requirements are as follows (you must use the headings indicated):
There are three options for completing this assessment:
If you are using either VMLab or the pre-built VM, a copy of the malware can be found in the location: /media/student/Disc/2015-05-29-traffic-analysis-exercise.pcap
Instructions for downloading a copy of this malware into your own Security Onion VM are provided below.
To successfully import the PCAP into Security Onion, you will need to complete the following steps¹:
sudo gedit /etc/nsm/securityonion.conf
About five lines down, check that the DAYSTOKEEP variable is set to the value 9999, i.e.,
DAYSTOKEEP=9999
Save the file and exit the editor.
Downloading the PCAP file into Security Onion should only be completed as part of Step 5 in the previous section. At this point, the Security Onion services are stopped and we can temporarily reconfigure the network to download the capture, as follows:
sudo ifdown enp0s3
sudo dhclient enp0s3
sudo dhclient -r enp0s3
sudo ifup enp0s3
Load Sguil and check that you have the same list of events as shown at the start of this assignment question (sort by date/time if needed, noting that the IDs may be different as discussed above). If your event list appears to be significantly different, double check that you have downloaded and imported the correct PCAP file (analysing the wrong file will lead to zero marks).
Your report should be submitted via CloudDeakin to the TurnItIn-enabled Assignment Folder for the Security Incident Report. Your report must have appropriate headings as indicated in the requirements above. Acceptable file formats are Word documents, PowerPoint documents, PDF documents, text and rich text files, and HTML. Compressed files, such as ZIP files or RAR files are not accepted and will not be marked.
After submitting your assignment you should receive an email to your Deakin email address confirming that it has been submitted. You should check that you can see your assignment in the Submissions view of the Assignment folder after upload, and check for, and keep, the email receipt for the submission.
Academic misconduct and plagiarism are subject to penalties.
Plagiarism includes, but is not limited to:
This assignment assesses the following Graduate Learning Outcomes (GLO) and related Unit Learning Outcomes (ULO):
| Graduate Learning Outcome (GLO) | Unit Learning Outcome (ULO) |
| --- | --- |
| GLO1: Discipline-specific knowledge and capabilities: appropriate to the level of study related to a discipline or profession. | ULO3: You will be required to conduct an analysis of captured network traffic and prepare a formal incident report explaining what happened in detail. |
| GLO4: Critical Thinking: evaluating information using critical and analytical thinking and judgement. | |
No extensions will be considered for this assessment unless a request is submitted through CloudDeakin and approved by the Unit Chair (enter the SIT716 unit page and click Assessment -> Extension request). Assignment extensions are normally only approved when students apply before the due date. The Unit Chair may ask you to supply supporting documentation about the difficulties you are facing, and evidence of the work you have completed so far.
A marking penalty will be applied where the assessment task is submitted after the due date without an approved extension as follows:
‘Day’ means working day for paper submissions and calendar day for electronic submissions.
(This assessment task uses electronic submission)
SIT716 Computer Networks and Security
Assessment Task 2: Protocol Demonstration and Report
Marking rubric (each criterion lists its performance descriptors from the highest band to the lowest):

Criteria 1a (10%), Introduction: Attack overview and the steps.
- All the attack steps have been clearly explained in detail. There are no major misunderstandings in the answer.
- The steps in the attack have been reasonably outlined with appropriate evidence provided. There are no major misunderstandings in the answer.
- A basic overview of the attack has been provided with minimally adequate evidence.
- The overview of the attack is incomplete or inadequately evidenced.
- Question not attempted, has not been evidenced, or is not relevant to the actual attack in the provided capture.

The Malware Traffic

Criteria 2a+3a (10%), The Cyberattack: List and explain security event logs.
- All events listed with good explanations of the Security Onion log messages. There are no major misunderstandings in the answer.
- All events listed but there are clear gaps in the explanations of the Security Onion log messages. There are no major misunderstandings in the answer.
- All events listed with poor explanations of the Security Onion log messages, or a subset of events listed with good explanations.
- A subset of events listed with poor descriptions.
- You have not answered the question or there are only minor correct elements in your answer.

Criteria 2b+3b (10%), The Cyberattack: Describe the content and discuss its purpose.
- Content and malware payloads identified correctly and purpose has been well summarised. There are no major misunderstandings in the answer.
- Content and malware identified correctly but there are clear gaps in the summary. There are no major misunderstandings in the answer.
- Content and malware identified correctly but the summary is unclear or lacks insight.
- Generally poor answer with minimal insight into what is happening.
- You have not answered the question or there are only minor correct elements in your answer.

Criteria 2c+3c (10%), The Cyberattack: Cyberattack achievements or cause of failure.
- Cyberattack achievements or cause of failure explained well. There are no major misunderstandings in the answer.
- Clear gaps in the explanation of cyberattack achievements or cause of failure. There are no major misunderstandings in the answer.
- Cyberattack achievements or cause of failure somewhat explained but generally unclear.
- Minimal insight into the achievements of the cyberattack or cause of failure.
- You have not answered the question or there are only minor correct elements in your answer.

Recommended actions and training

Criteria 4 (15%), Conclusions and Recommendations: General summary and potential damage.
- You have provided a reasonable summary including potential damage. There are no major misunderstandings in the answer.
- You have provided a reasonable summary; however, parts of your answer are unclear. There are no major misunderstandings in the answer.
- You have provided a reasonable summary; however, there are minor gaps or inaccuracies in your discussion of potential damage.
- You have provided a reasonable summary; however, there are significant gaps or inaccuracies in your discussion of potential damage.
- You have not addressed the requirements of this component or there are only minor correct elements in your answer.

Conclusions and Recommendation

Criteria 5 (15%), Conclusions and Recommendations: Propose actions to reduce future attacks.
- You have described reasonable actions to be undertaken and explained how they would reduce the likelihood of such attacks. There are no major misunderstandings in the answer.
- You have described reasonable actions; however, it is unclear how these actions would result in a lower likelihood of such attacks. There are no major misunderstandings in the answer.
- You have described actions which would result in a lower likelihood of attacks, but there are minor gaps or inaccuracies in your description/explanation.
- You have described some actions and mostly explained how they would result in a lower likelihood of attacks; however, you have missed obvious actions which would have a more significant impact.
- You have not addressed the requirements of this component or there are only minor correct elements in your answer.
¹ Note that failing to follow Steps 3-6 is the most common mistake made by students. If you don’t complete these steps, you will often see error messages and/or an apparent lack of response from Sguil when trying to view transcripts or when loading events into Wireshark or NetworkMiner.