CyberOps Skills Assessment - M.ARIS MUNANDAR

CCNA Cybersecurity Operations v1.
0
Skills Assessment
• Introduction
Working as the security analyst for ACME Inc., you notice a number of events on the SGUIL
dashboard. Your task is to analyze these events, learn more about them, and decide if they indicate
malicious activity.
You will have access to Google to learn more about the events. Security Onion is the only VM with
Internet access in the Cybersecurity Operations virtual environment.
The tasks below are designed to provide some guidance through the analysis process.
You will practice and be assessed on the following skills:
• Evaluating Snort/SGUIL events.
• Using SGUIL as a pivot to launch ELSA, Bro and Wireshark for further event inspection.
• Using Google search as a tool to obtain intelligence on a potential exploit.
Content for this assessment was obtained from http://www.malware-traffic-analysis.net/ and is used
with permission. We are grateful for the use of this material.
• Addressing Table
The following addresses are preconfigured on the network devices. Addresses are provided for
reference purposes.
Device Interface Network/Address Description
eth0 192.168.0.1/24 Interface connected to the Internal Network

Security Onion VM Interface connected to the External
eth2 209.165.201.21/24 Networks/Internet
1. Gathering Basic Information

a. Log into Security Onion VM using with the username analyst and password cyberops.
b. Open a terminal window. Enter the sudo service nsm status command to verify that all the
services and sensors are ready.
c. When the nsm service is ready, log into SGUIL with the username analyst and password
cyberops. Click Select All to monitor all the networks. Click Start SQUIL to continue.
d. In the SGUIL window, identify the group of events that are associated with exploit(s). This group
of events are related to a single multi-part exploit.
How many events were generated by the entire exploit?
Total all 11 Realtime events (original)
6 Orange RealTime events
1 Yellow RealTime Events
4 Red RealTime events
According to SGUIL, when did the exploit begin? When did it end? Approximately how long
did it take?
Start Date/time at
2017-07-05 14:11:41
End Date/Time at
2017-07-31 19:33:07
Total all is 26 days 130
What is the IP address of the internal computer involved in the events?

192.168.0.1 192.168.0.11
What is the MAC address of the internal computer involved in the events? How did you find it?
00:1b:21:ca:fe:d7
can be found by right clicking on Alert ID and opening Wireshark
What are some of the Source IDs of the rules that fire when the exploit occurs? Where are the
Source IDs from?
2014726, 2018442, 2019224, 2019488, 2020356, 2018954, 2021120, 2020491, 2018316,

2019645, 2019513
Select any event in the SGUIL screen. In the split window at the bottom right, check “Show
Rule”. The bottom area will display the rule that triggered the event.
a. Do the events look suspicious to you? Does it seem like the internal computer was infected or
compromised? Explain.
_____________________________________________________________________________
_______
_____________________________________________________________________________
_______
_____________________________________________________________________________
_______
_____________________________________________________________________________
_______
a. What is the operating system running on the internal computer in question?
In the “Alert ID” field of the SGUIL screen, press and hold the right mouse button, select
Transcript and release it. On the window that the system opens, you can display the OS
Fingerprint data of 192.168.0.12 as Windows XP/2000
1. Learn About the Exploit

a. According to Snort, what is the exploit kit (EK) in use?
Exploit kits are automated threats that utilize compromised websites to divert web traffic,
scan for vulnerable browser-based applications, and run malware. Exploit kits were
developed as a way to automatically and silently exploit vulnerabilities on victims'
machines while browsing the web.
a. What is an exploit kit?
is simply a collection of exploits, which is a simple one-in-all tool for managing a variety of
exploits altogether. Exploit kits act as a kind of repository, and make it easy for users
without much technical knowledge to use exploits. Users can add their own exploits to it
and use them simultaneously apart from the pre-installed ones
a. Do a quick Google search on ‘Angler EK’ to learn a little about the fundamentals the exploit kit.
Summarize your findings and record them here.
_____________________________________________________________________________
_______
_____________________________________________________________________________
_______
_____________________________________________________________________________
_______
_____________________________________________________________________________
_______
_____________________________________________________________________________
_______
a. How does this exploit fit the definition on an exploit kit? Give examples from the events you see in
SGUIL.
b. _____________________________________________________________________________
_______
c. _____________________________________________________________________________
_______
d. _____________________________________________________________________________
_______
e. _____________________________________________________________________________
_______
f. What are the major stages in exploit kits?
g. Step 1: Contact - The attacker often use spammed email and social engineering lures to
make people click the link of an exploit kit server. In another form, a user clicks on a
malicious advertisement (malvertisement) found in a legitimate website
h. Step 2: Redirect - The exploit kit generator screens for its target and then filters out
victims who don’t meet certain requirements. For example, an exploit kit operator can
target a specific country by filtering client IP address by geolocation
i. Step 3: Exploit - The victims are then directed into the exploit kit’s landing page. The
landing page determines which vulnerabilities should be used in the ensuing attack
j. Step 4: Infect - After successfully exploiting a vulnerability, the attacker can now download
and execute malware in the victim’s environment
1. Determining the Source of the Malware

a. In the context of the events displayed by SGUIL for this exploit, record below the IP addresses
involved.
b. b. Participating IP address In addition to the internal network 192.168.0.12 and 192.16.0.1, there
are also 93.114.64.118, 173.201.198.128, 192.99.198.158, 208.113.226.171,
209.126.97.209_________________________________________________________________
__________________
c. _____________________________________________________________________________
______
d. _____________________________________________________________________________
______
e. The first new event displayed by SGUIL contains the message “ET Policy Outdated Flash Version
M1”. The event refers to which host? What does that event imply?
f. e. The IP address of the host associated with the Event is TCP 80 Port of 93.114.64.118. At the
beginning, you should use Browser to connect to http://www.earsurgery.org, and the Flash object
on the website points to 93.114.64.118 (displayed as mail.chooseyourself.ro on Transcript, but
adstairs.ro on HTML header) Download the Flash object to Trigger this
Event.________________________________________________________________________
___________
g. According to SGUIL, what is the IP address of the host that appears to have delivered the
exploit?
h. _____________________________________________________________________________
_______
i. Pivoting from SGUIL, open the transcript of the transaction. What is the domain name associated
with the IP address of the host that appears to have delivered the exploit?
j. _____________________________________________________________________________
_______
k. This exploit kit typically targets vulnerabilities in which three software applications?
l. _____________________________________________________________________________
_______
m. Based on the SGUIL events, what vulnerability seems to have been used by the exploit kit?
_____________________________________________________________________________
_______
a. What is the most common file type that is related to that vulnerable software?
_____________________________________________________________________________
_______
a. Use ELSA to gather more evidence to support the hypothesis that the host you identified above
delivered the malware. Launch ELSA and list all hosts that downloaded the type of file listed
above. Remember to adjust the timeframe accordingly.
b. Were you able to find more evidence? If so, record your findings here.
c. _____________________________________________________________________________
_______
d. _____________________________________________________________________________
_______
e. _____________________________________________________________________________
_______
f. At this point you should know, with quite some level of certainty, whether the site listed in Part 3b
and Part 3c delivered the malware. Record your conclusions below.
_____________________________________________________________________________
_______
_____________________________________________________________________________
_______
_____________________________________________________________________________
_______
_____________________________________________________________________________
_______
1. Analyze Details of the Exploit

a. Exploit kits often rely on a landing page used to scan the victim’s system for vulnerabilities and
exfiltrate a list of them. Use ELSA to determine if the exploit kit in question used a landing page. If
so, what is the URL and IP address of it? What is the evidence?
b. Hint: The first two SGUIL events contain many clues.
_____________________________________________________________________________
_______
_____________________________________________________________________________
_______
_____________________________________________________________________________
_______
_____________________________________________________________________________
_______
_____________________________________________________________________________
_______
_____________________________________________________________________________
_______
a. What is the domain name that delivered the exploit kit and malware payload?
_____________________________________________________________________________
______
a. What is the IP address that delivered the exploit kit and malware payload?
_____________________________________________________________________________
______
a. Pivoting from events in SGUIL, launch Wireshark and export the files from the captured packets
as was done in a previous lab. What files or programs are you able to successfully export?
_____________________________________________________________________________
_______
_____________________________________________________________________________
_______
_____________________________________________________________________________
_______
_____________________________________________________________________________
_______

CyberOps Skills Assessment - M.ARIS MUNANDAR

Încărcat de

Informații document

Titlu original

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

CyberOps Skills Assessment - M.ARIS MUNANDAR

Încărcat de

Drepturi de autor:

Formate disponibile

CCNA Cybersecurity Operations v1.

Device Interface Network/Address Description

eth0 192.168.0.1/24 Interface connected to the Internal Network

1. Gathering Basic Information

What is the IP address of the internal computer involved in the events?

2014726, 2018442, 2019224, 2019488, 2020356, 2018954, 2021120, 2020491, 2018316,

1. Learn About the Exploit

1. Determining the Source of the Malware

1. Analyze Details of the Exploit

S-ar putea să vă placă și