support@w4writers.com +44 7743 307695
Oct 22, 2021

KEY INFORMATION

Due: Sunday 3rd October by 8pm

Weight: 20% of total mark for this unit

Approximate length: 3 to 4 pages long depending on length and quality

Individual Assessment

PURPOSE

Throughout this unit we learn about different protocols used in networks and how they are used by attackers. In this assessment task you will conduct an analysis of captured network traffic using the tools of Security Onion. You are asked to demonstrate your understanding of abnormal protocol behaviour by preparing a security incident report explaining a malware attack.

Task(s)

The network traffic that we will be examining for this task can be found at:

 

On this page you will find a password protected ZIP file containing the PCAP file (the password is infected ). Download this PCAP file and import it into Security Onion (read Importing PCAP Hints below first). Upon importing, you will see the following events in Sguil:

The above security alerts include a total of 14 different TCP exchanges, as follows:

  1. 10.3.162.105:62612  149.3.144.218:80 (IDs* 3.21, 3.33)
  2. 10.3.162.105:62632  68.178.254.108:80 (ID*3.71)
  3. 10.3.162.105:62637  91.200.14.95:80 (IDs*3.75, 3.77, 3.79, 3.81, 3.82)
  4. 10.3.162.105:62638  46.249.199.41:80 (IDs*3.83, 3.84, 3.85, 3.86, 3.88)
  5. 10.3.162.105:62640  37.140.192.238:80 (IDs*3.109)
  6. 10.3.162.105:62641  178.208.83.15:80 (IDs*3.115, 3.127, 3.114)
  7. 10.3.162.105:62643  109.120.189.60:80 (ID*3.141)
  8. 10.3.162.105:62717  205.234.186.115:80 (ID*3.204)
  9. 10.3.162.105:62769  23.15.4.18:80 (ID*3.246)
  10. 10.3.162.105:62869  61.65.90.109:80 (ID*3.298)
  11. 10.3.162.105:62872  61.65.90.109:80 (ID*3.299)
  12. 10.3.162.105:62947  5.35.235.167:80 (IDs*3.302, 3.303)
  13. 10.3.162.105:63000  37.76.209.224:80 (ID*3.305)
  14. 10.3.162.105:63158  189.140.46.92:80 (ID*3.318)

* Depending on the version of Security Onion the ID numbers shown above may vary. You should still be able to identify the relevant TCP exchanges and IDs by matching the IP addresses (Src IP and Dst IP columns) and port numbers (SPort and DPort) and the message text (Event Message).

Note that on the page you download this PCAP file from there is also a link at the bottom of the page to help you get the answers this page contains a number of hints you may wish to check (note that you wont need all the information on this page  you may not need any of it!)

In this task, you will play the role of a member of the IT support group for an organisation who has observed a malware attack (the packet capture) and its your task is to conduct an analysis of the malware attack and prepare a report addressing the points indicated below. The requirements are as follows (you must use the headings indicated):

  1. Introduction: (
  2. Provide a general overview of the attack
  3. Explaining how the attack began and identify major steps in the malware attack.
  4. The Cyberattack(
  5. Out of the 14 TCP exchanges identified above, select two activities; one of which that demonstrates an apparently successful activity and a second one that is an apparent failed activity by the malware (note that multiple malware/ programs are involved). For each of your selected exchanges:
    1. List the related security events and explain what the associated log messages provided by Security Onion are telling you;
    2. Describe the content and identify malware payloads where relevant, and discuss the purpose of the exchange in the overall context of the attack;
    3. Identify whether this was a successful or unsuccessful step in the attack and explain why.
  6. Recommended actions and training:
  7. Using an instructional wording, explain to the users of the organisation what actions they should take to eliminate this malware infection and what actions they should take in the future to avoid falling victim to such an infection.
  8. Conclusions and Recommendations
  9. Provide a general summary / conclusion for your report by discussing the potential damage that could be inflicted by such an event. Your discussion of potential damage should focus on the malware you examined in Section 2.

obtaining and IMPORTING THE PCAP INTO SECURITY ONION

There are three options for completing this assessment:

  1. VMLab is already available to you.
  2. A pre-built VM is already available to you.
  3. Using your own copy of Security Onion.

If you are using either VMLab or the pre-built VM, a copy of the malware can be found in the location: /media/student/Disc/2015-05-29-traffic-analysis-exercise.pcap

Instructions for downloading a copy of this malware into your own Security Onion VM are provided below.

To successfully import the PCAP into Security Onion, you will need to complete the following steps1:

  1. If using VMLab, login, create, and enter the booking.
  2. If using VirtualBox, then start VirtualBox and boot Security Onion.
  3. Once Security Onion has booted, open a Terminal window and enter the following command to stop Security Onions services and configure the correct timezone:

sudo so-stop

 

  1. We now need to configure Security Onion to keep event logs for longer by entering the command:

sudo gedit /etc/nsm/securityonion.conf

About five lines down, check that the DAYSTOKEEP variable is set to the value 9999, i.e.,

DAYSTOKEEP=9999

Save the file and exit the editor.

  1. If using your own VirtualBox VM, you should download the packet capture now.
  2. Restart Security Onions services by entering the command:

sudo so-start

  1. Load the packet capture into Security Onion by entering the command:

 

DOWNLOADING THE PCAP INTO YOUR OWN SECURITY ONION VM

Downloading the PCAP file into Security Onion should only be completed as part of Step 5 in the previous section. At this point, the Security Onion services are stopped and we can temporarily reconfigure the network to download the capture, as follows:

  1. Edit the Security Onions VM settings and change the first adapter from Internal to NAT.
  2. Switch the network over to access the public Internet by entering the commands:

sudo ifdown enp0s3

sudo dhclient enp0s3

  1. Open the web browser inside Security Onion and download the ZIP file from:

 

  1. Change the network back to the static IP address by entering the commands:

sudo dhclient -r enp0s3

sudo ifup enp0s3

  1. Edit the Security Onions VM settings and change the first adapter from NAT back to Internal.
  2. Locate and unzip the PCAP file (the password is infected)  this can be done either through the file browser or by using the command:

 

  1. (Suggested) This is an ideal time to take a snapshot of the VM to ensure you can rewind to this point at any time (you can delete the snapshot after you finish the assignment!)

Load Sguil and check that you have the same list of events as shown at the start of this assignment question (sort by date/time if needed, noting that the IDs may be different as discussed above). If your event list appears to be significantly different, double check that you have downloaded and imported the correct PCAP file (analysing the wrong file will lead to zero marks).

Submission Details

Your report should be submitted via CloudDeakin to the TurnItIn-enabled Assignment Folder for the Security Incident Report. Your report must have appropriate headings as indicated in the requirements above. Acceptable file formats are Word documents, PowerPoint documents, PDF documents, text and rich text files, and HTML. Compressed files, such as ZIP files or RAR files are not accepted and will not be marked.

After submitting your assignment you should receive an email to your Deakin email address confirming that it has been submitted. You should check that you can see your assignment in the Submissions view of the Assignment folder after upload, and check for, and keep, the email receipt for the submission.



Academic Misconduct

Academic misconduct and plagiarism is subjected to penalties.

Plagiarism includes and not limited to:

  • Copying others work without appropriate referencing
  • Re-using assignment material completed by other students
  • Contracting others to do assessment tasks on your behalf.
 



Learning Outcomes

This assignment assesses the following Graduate Learning Outcomes (GLO) and related Unit Learning Outcomes (ULO):

Graduate Learning Outcome (GLO) Unit Learning Outcome (ULO)
GLO1: Discipline-specific knowledge and capabilities: appropriate to the level of study related to a discipline or profession. ULO3: You will be required to conduct an analysis of captured network traffic and prepare a formal incident report explaining what happened in detail.
GLO4: Critical Thinking: evaluating information using critical and analytical thinking and judgement.  

Extensions

No extensions will be considered for this assessment unless a request is submitted through the CloudDeakin and approved by the Unit Chair (enter SIT716 unit page and click Assessment -> Extension request). Assignment Extensions are normally only approved when students apply before the due date. The Unit Chair may ask you to supply supporting documentation about the difficulties you are facing, and evidence of the work you have completed so far.

A marking penalty will be applied where the assessment task is submitted after the due date without an approved extension as follows:

  1. 5% will be deducted from available marks for each day up to five days
  1. where work is submitted more than five days after the due date, the task will not be marked and the student will receive 0% for the task.

Day means working day for paper submissions and calendar day for electronic submissions.

(This assessment task uses electronic submission)

SIT716 Computer Networks and Security

Assessment Task 2: Protocol Demonstration and Report

Criteria Advanced answer
(100%)
Clear answer
(75%)
Adequate answer
(50%)
Flawed answer
(25%)
No merit
(0%)
Introduction
Criteria 1a: 10% Introduction: Attack overview and the steps. All the attacks have been clearly explained with the details. There are no major misunderstandings in the answer. The steps attack in the attack have been reasonably outlined with appropriate evidence provided. There are no major misunderstandings in the answer. A basic overview of the attack has been provided with minimally adequate evidence. The overview of the attack is incomplete or inadequately evidenced. Question not attempted, has not been evidenced, or is not relevant to the actual attack in the provided capture.
Criteria Advanced answer
(100%)
Clear answer
(75%)
Adequate answer
(50%)
Flawed answer
(25%)
No merit
(0%)
The Malware Traffic
Criteria 2a+3a:10%The Cyberattack:List and explain security event logs. All events listed with good explanations of the Security Onion log messages. There are no major misunderstandings in the answer. All events listed but there are clear gaps in the explanations of the Security Onion log messages. There are no major misunderstandings in the answer. All events listed with poor explanations of the Security Onion log messages, or a subset of events listed with good explanations. A subset of events listed with poor descriptions. You have not answered the question or there are only minor correct elements in your answer.
Criteria 2b+3b:10%The Cyberattack:Describe the content and discuss its purpose. Content and malware payloads identified correctly and purpose has been well summarised. There are no major misunderstandings in the answer. Content and malware identified correctly but there are clear gaps in the summary. There are no major misunderstandings in the answer. Content and malware identified correctly but the summary is unclear / lacks insight. Generally poor answer with minimal insight into what is happening. You have not answered the question or there are only minor correct elements in your answer.
Criteria 2c+3c:10%The Cyberattack:Cyberattack achievements or cause of failure. Cyberattack achievements or cause of failure explained well. There are no major misunderstandings in the answer. Clear gaps in the explanation of cyberattack achievements or cause of failure. There are no major misunderstandings in the answer. Cyberattack achievements or cause of failure somewhat explained but generally unclear. Minimal insight into the achievements of the cyberattack or cause of failure. You have not answered the question or there are only minor correct elements in your answer.
Criteria Advanced answer
(100%)
Clear answer
(75%)
Adequate answer
(50%)
Flawed answer
(25%)
No merit
(0%)
Recommended actions and training
Criteria 4:15%Conclusions and Recommendations:General summary and potential damage You have provided a reasonable summary including potential damage. There are no major misunderstandings in the answer. You have provided a reasonable summary however parts of your answer are unclear. There are no major misunderstandings in the answer. You have provided a reasonable summary however there are minor gaps or inaccuracies in your discussion of potential damage. You have provided a reasonable summary however there are significant gaps or inaccuracies in your discussion of potential damage. You have not addressed the requirements of this component or there are only minor correct elements in your answer.
Conclusions and Recommendation
Criteria 5:15%Conclusions and Recommendations:Propose actions to reduce future attacks. You have described reasonable actions to be undertaken and explained how they would reduce the likelihood of such attacks. There are no major misunderstandings in the answer. You have described reasonable actions however it is unclear how these actions would result in a lower likelihood of such attacks. There are no major misunderstandings in the answer. You have described actions which would result in a lower likelihood of attacks there are minor gaps or inaccuracies in your description/explanation. You have described some actions and mostly explained how they would result in a lower likelihood of attacks, however you have missed obvious actions which would have more a more significant impact. You have not addressed the requirements of this component or there are only minor correct elements in your answer.

Note that failing to follow Steps 3-6 is the most common mistake by students. If you dont complete these steps then you will often see error messages and/or an apparent lack of response from Sguil when trying to view transcripts or loading events into Wireshark or NetworkMiner.

Recent Post

Order this Assignment now

Total: GBP120

fables template