Conduct an analysis of the malware attack

Assignment Help Computer Network Security
Reference no: EM133001422

TASK(S)

The network traffic that we will be examining for this task can be found at:

On this page you will find a password protected ZIP file containing the PCAP file (the password is ‘infected'). Download this PCAP file and import it into Security Onion (read Importing PCAP Hints below first). Upon importing, you will see the following events in Sguil:

The above security alerts include a total of 14 different TCP exchanges, as follows:
a. 10.3.162.105:62612 - 149.3.144.218:80 (IDs* 3.21, 3.33)
b. 10.3.162.105:62632 - 68.178.254.108:80 (ID* 3.71)
c. 10.3.162.105:62637 - 91.200.14.95:80 (IDs* 3.75, 3.77, 3.79, 3.81, 3.82)
d. 10.3.162.105:62638 - 46.249.199.41:80 (IDs* 3.83, 3.84, 3.85, 3.86, 3.88)
e. 10.3.162.105:62640 - 37.140.192.238:80 (ID* 3.109)
f. 10.3.162.105:62641 - 178.208.83.15:80 (IDs* 3.115, 3.127, 3.114)
g. 10.3.162.105:62643 - 109.120.189.60:80 (ID* 3.141)
h. 10.3.162.105:62717 - 205.234.186.115:80 (ID* 3.204)
i. 10.3.162.105:62769 - 23.15.4.18:80 (ID* 3.246)
j. 10.3.162.105:62869 - 61.65.90.109:80 (ID* 3.298)
k. 10.3.162.105:62872 - 61.65.90.109:80 (ID* 3.299)
l. 10.3.162.105:62947 - 5.35.235.167:80 (IDs* 3.302, 3.303)
m. 10.3.162.105:63000 - 37.76.209.224:80 (ID* 3.305)
n. 10.3.162.105:63158 - 189.140.46.92:80 (ID* 3.318)
* Depending on the version of Security Onion the ID numbers shown above may vary. You should still be able to identify the relevant TCP exchanges and IDs by matching the IP addresses (Src IP and Dst IP columns) and port numbers (SPort and DPort) and the message text (Event Message).
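Because the Sguil event IDs vary between Security Onion versions, it helps to have an independent listing of the TCP exchanges keyed by the addresses and ports alone. The following is an added example (not part of the assignment or of Security Onion) that enumerates connections from a classic libpcap file using only the Python standard library, oriented client -> server in the same "src:sport - dst:dport" form used in the list above, and records the first client request line so each exchange can be matched to its Sguil message. It assumes an Ethernet capture (as the exercise PCAP is), accepts either file byte order, skips an 802.1Q tag if present, and rejects pcapng rather than mis-parsing it. The sample capture at the bottom is constructed inline so the script runs offline; it reuses two of the endpoint pairs above but its packets are not from the real capture.

```python
"""Enumerate TCP exchanges (client -> server) from a classic libpcap file.

Added example, not part of the assignment: stdlib-only parser used to
cross-check the exchange list outside Security Onion / Sguil.
"""
import struct
from collections import OrderedDict

PCAP_HDR_LEN, REC_HDR_LEN = 24, 16
MAGIC_LE = {0xA1B2C3D4, 0xA1B23C4D}   # usec / nsec timestamps, little-endian file
MAGIC_BE = {0xD4C3B2A1, 0x4D3CB2A1}   # same magics seen from a big-endian file
LINKTYPE_ETHERNET = 1
FLAG_NAMES = [(0x02, "S"), (0x10, "A"), (0x08, "P"), (0x01, "F"), (0x04, "R")]


def iter_packets(data):
    """Yield raw Ethernet frames from a libpcap file in either byte order."""
    if data[:4] == b"\x0a\x0d\x0d\x0a":
        raise ValueError("pcapng input: convert to classic pcap first (e.g. editcap -F pcap)")
    magic = struct.unpack("<I", data[:4])[0]
    if magic in MAGIC_LE:
        bo = "<"
    elif magic in MAGIC_BE:
        bo = ">"
    else:
        raise ValueError("not a libpcap file (magic %#x)" % magic)
    if struct.unpack(bo + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("unsupported link type; this parser handles Ethernet only")
    off = PCAP_HDR_LEN
    while off + REC_HDR_LEN <= len(data):
        _sec, _usec, incl, _orig = struct.unpack(bo + "IIII", data[off:off + REC_HDR_LEN])
        off += REC_HDR_LEN
        frame = data[off:off + incl]
        if len(frame) < incl:          # truncated final record: stop cleanly
            break
        off += incl
        yield frame


def parse_tcp(frame):
    """Return (src, sport, dst, dport, flags, payload) for IPv4/TCP, else None."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    l3 = 14
    if ethertype == 0x8100:            # 802.1Q VLAN tag: real ethertype 4 bytes later
        ethertype = struct.unpack("!H", frame[16:18])[0]
        l3 = 18
    if ethertype != 0x0800 or len(frame) < l3 + 20 or frame[l3 + 9] != 6:
        return None
    ihl = (frame[l3] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[l3 + 2:l3 + 4])[0]
    src = ".".join(str(b) for b in frame[l3 + 12:l3 + 16])
    dst = ".".join(str(b) for b in frame[l3 + 16:l3 + 20])
    l4 = l3 + ihl
    sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
    doff = (frame[l4 + 12] >> 4) * 4
    return src, sport, dst, dport, frame[l4 + 13], frame[l4 + doff:l3 + total_len]


def tcp_exchanges(data):
    """Group packets per connection, oriented client -> server.

    The sender of a bare SYN is the client; otherwise a packet whose reversed
    4-tuple is already known belongs to that connection. Returns an OrderedDict
    keyed 'src:sport - dst:dport' with packet count, flag letters seen and the
    first line of the first client payload (the HTTP request line for port 80).
    """
    flows = OrderedDict()
    for frame in iter_packets(data):
        p = parse_tcp(frame)
        if p is None:
            continue
        src, sport, dst, dport, flags, payload = p
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        bare_syn = bool(flags & 0x02) and not flags & 0x10
        key, from_client = (rev, False) if rev in flows and not bare_syn else (fwd, True)
        f = flows.setdefault(key, {"packets": 0, "flags": set(), "request": None})
        f["packets"] += 1
        f["flags"].update(n for bit, n in FLAG_NAMES if flags & bit)
        if from_client and payload and f["request"] is None:
            f["request"] = payload.split(b"\r\n", 1)[0].decode("latin-1")
    return OrderedDict(("%s:%d - %s:%d" % k, v) for k, v in flows.items())


def make_frame(src, sport, dst, dport, flags, payload=b""):
    """Build an Ethernet/IPv4/TCP frame for the constructed sample (checksums left 0)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(int(x) for x in src.split(".")),
                     bytes(int(x) for x in dst.split("."))) + tcp
    return b"\x00" * 12 + struct.pack("!H", 0x0800) + ip


def build_pcap(frames, bo="<"):
    """Wrap frames in a classic libpcap file; bo selects the file byte order."""
    out = struct.pack(bo + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, fr in enumerate(frames):
        out += struct.pack(bo + "IIII", 1432900000 + i, 0, len(fr), len(fr)) + fr
    return out


# Constructed sample, NOT packets from the real capture: one completed HTTP
# exchange and one connection attempt refused with RST/ACK.
C, S1, S2 = "10.3.162.105", "149.3.144.218", "68.178.254.108"
SAMPLE = build_pcap([
    make_frame(C, 62612, S1, 80, 0x02),                                   # SYN
    make_frame(S1, 80, C, 62612, 0x12),                                   # SYN/ACK
    make_frame(C, 62612, S1, 80, 0x10),                                   # ACK
    make_frame(C, 62612, S1, 80, 0x18, b"GET /index.php HTTP/1.1\r\nHost: x.test\r\n\r\n"),
    make_frame(S1, 80, C, 62612, 0x18, b"HTTP/1.1 200 OK\r\n\r\n"),
    make_frame(C, 62632, S2, 80, 0x02),                                   # SYN
    make_frame(S2, 80, C, 62632, 0x14),                                   # RST/ACK
])

if __name__ == "__main__":
    for name, f in tcp_exchanges(SAMPLE).items():
        print(name, f["packets"], "".join(sorted(f["flags"])), f["request"])
```

To run it against the exercise file, replace SAMPLE with `open("2015-05-29-traffic-analysis-exercise.pcap", "rb").read()`; connections that never get past SYN (flags "S" only, or "ARS" with no request line) are the quickest way to spot the apparently failed activities the report asks for, while "P" with a request line marks exchanges that actually carried data.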

Note that on the page you download this PCAP file from there is also a link at the bottom of the page "to help you get the answers" - this page contains a number of hints you may wish to check (note that you won't need all the information on this page - you may not need any of it!)

In this task, you will play the role of a member of the IT support group of an organisation that has observed a malware attack (the packet capture). Your task is to analyse the malware attack and prepare a report addressing the points indicated below. The requirements are as follows (you must use the headings indicated):
1. Introduction: (<1 page):
• Provide a general overview of the attack
• Explain how the attack began and identify the major steps in the malware attack.
2. The Cyberattack (<2 pages):
• From the 14 TCP exchanges identified above, select two: one that demonstrates an apparently successful activity by the malware and one that demonstrates an apparently failed activity (note that multiple malware programs are involved). For each of your selected exchanges:
i. List the related security events and explain what the associated log messages provided by Security Onion are telling you;
ii. Describe the content and identify malware payloads where relevant, and discuss the purpose of the exchange in the overall context of the attack;
iii. Identify whether this was a successful or unsuccessful step in the attack and explain why.
3. Recommended actions and training:
• Using an instructional wording, explain to the users of the organisation what actions they should take to eliminate this malware infection and what actions they should take in the future to avoid falling victim to such an infection.
4. Conclusions and Recommendations
• Provide a general summary / conclusion for your report by discussing the potential damage that could be inflicted by such an event. Your discussion of potential damage should focus on the malware you examined in Section 2.

OBTAINING AND IMPORTING THE PCAP INTO SECURITY ONION
There are three options for completing this assessment:
1. VMLab is already available to you.
2. A pre-built VM is already available to you.
3. Using your own copy of Security Onion.

If you are using either VMLab or the pre-built VM, a copy of the packet capture can be found at: /media/student/Disc/2015-05-29-traffic-analysis-exercise.pcap
Instructions for downloading a copy of the packet capture into your own Security Onion VM are provided below.

To successfully import the PCAP into Security Onion, you will need to complete the following steps :
1. If using VMLab, login, create, and enter the booking.
2. If using VirtualBox, then start VirtualBox and boot Security Onion.
3. Once Security Onion has booted, open a Terminal window and enter the following commands to stop Security Onion's services and set the system timezone to UTC (so that the event times shown in Sguil line up with the capture's timestamps):
sudo so-stop
sudo ln -sf /usr/share/zoneinfo/UTC /etc/localtime
4. We now need to configure Security Onion to keep event logs for longer. The packets in this capture are dated 2015, and Security Onion's daily clean-up would otherwise purge events older than the retention period before you could examine them. Open the configuration file by entering the command:
sudo gedit /etc/nsm/securityonion.conf
About five lines down, check that the DAYSTOKEEP variable is set to the value 9999, i.e., DAYSTOKEEP=9999
Save the file and exit the editor.
5. If using your own VirtualBox VM, you should download the packet capture now.
6. Restart Security Onion's services by entering the command:
sudo so-start
7. Load the packet capture into Security Onion by entering the command:
sudo so-import-pcap 2015-05-29-traffic-analysis-exercise.pcap

DOWNLOADING THE PCAP INTO YOUR OWN SECURITY ONION VM
Downloading the PCAP file into Security Onion should only be completed as part of Step 5 in the previous section. At this point, the Security Onion services are stopped and we can temporarily reconfigure the network to download the capture, as follows:

i. Edit the Security Onion's VM settings and change the first adapter from Internal to NAT.
ii. Switch the network over to access the public Internet by entering the commands:
sudo ifdown enp0s3
sudo dhclient enp0s3
iii. Open the web browser inside Security Onion and download the ZIP file from:
iv. Change the network back to the static IP address by entering the commands:
sudo dhclient -r enp0s3
sudo ifup enp0s3
v. Edit the Security Onion's VM settings and change the first adapter from NAT back to Internal.
vi. Locate and unzip the PCAP file (the password is ‘infected') - this can be done either through the file browser or by using the following command, which will prompt for the password:
unzip Downloads/2015-05-29-traffic-analysis-exercise.pcap.zip
vii. (Suggested) This is an ideal time to take a snapshot of the VM to ensure you can rewind to this point at any time (you can delete the snapshot after you finish the assignment!)

Load Sguil and check that you have the same list of events as shown at the start of this assignment question (sort by date/time if needed, noting that the IDs may be different as discussed above). If your event list appears to be significantly different, double check that you have downloaded and imported the correct PCAP file.

Attachment: Network traffic.rar


All rights reserved! Copyrights ©2019-2020 ExpertsMind IT Educational Pvt Ltd