CyberOps Skills Assessment
CCNA Cybersecurity Operations Open University - Skills Assessment Gathering Basic Information 1. Log into Security Onion
Views 355 Downloads 4 File size 202KB
Recommend stories
- Author / Uploaded
- Carlos Pinto
- Categories
- Explotar (Seguridad Informática)
- Malware
- Habilidades de seguridad informática
- Seguridad y privacidad en línea
- La seguridad informática
Citation preview
CCNA Cybersecurity Operations Open University - Skills Assessment Gathering Basic Information 1. Log into Security Onion VM (saved in the same location as this document) with username analyst and password cyberops.
2. Open a terminal window. Enter the sudo service nsm status command to verify that all the services and sensors are ready.
3. When the nsm service is ready, log into SGUIL with the username analyst and password cyberops. Click Select All to monitor all the networks. Click Start SQUIL to continue.
4. In the SGUIL window, identify the group of events that are associated with exploit(s). This group of events are related to a single multi-part exploit. How many events were generated by the entire exploit?
5. According to SGUIL, when did the exploit begin? When did it end? Approximately how long did it take? Start at 2017-09-07 15:31:12 End at 2017-09-07 15:31:34 Approximately 22 seconds 6. What is the IP address of the internal computer involved in the events? 192.168.0.12 7. What is the MAC address of the internal computer involved in the events? How did you find it?
00:1b:21:ca:fe:d7, can be found by right clicking on Alert ID and opening Wireshark 8. What are some of the Source IDs of the rules that fire when the exploit occurs? Where are the Source IDs from?
2014726, 2018442, 2019224, 2019488, 2020356, 2018954, 2021120, 2020491, 2018316, 2019645 - Select an event, and in the bottom right window select Show Rule 9. Do the events look suspicious to you? Does it seem like the internal computer was infected or compromised? Briefly explain.
Yes, it seems to be with some trojan activity. 10. What is the operating system running on the internal computer in question? Windows XP/2000, can be found by right clicking on Alert ID and select Transcript or Bro
© Cisco and/or its affiliates. All rights reserved. This document is Cisco Public - with modifications from Open University
Page 1 of 4
Skills Assessment
CCNA Cybersecurity Operations
Learn About the Exploit 11. According to Snort, what is the exploit kit (EK) in use? Angler EK Flash Exploit URI Struct 12. What is an exploit kit? EK is a server-based framework that uses exploits to take advantage of vulnerabilities in browser-related software applications to infect a client. 13. Do a quick Google search on ‘Angler EK’ to learn a little about the fundamentals the exploit kit. Summarize your findings and record them here.
The Angler EK is used to distribute different types of malware like CryptoXXX ransomware, EITest trojans like Zeus, Andromeda or Tinba. Bedep is a technique that avoid detection of the infection by executing the Angler EK payload from memory instead of storing it to disk. Bedep also downloads click-fraud malware that generates web traffic invisible to the end user. 14. How does this exploit fit the definition on an exploit kit? Give examples from the events you see in SGUIL. It used an outdated flash version to redirect the client to a compromised server 15. What are the major stages in exploit kits? ____________________________________________________________________________________ ____________________________________________________________________________________ ____________________________________________________________________________________ ____________________________________________________________________________________
© Cisco and/or its affiliates. All rights reserved. This document is Cisco Public - with modifications from Open University
Page 2 of 4
Skills Assessment
CCNA Cybersecurity Operations
Determining the Source of the Malware 16. In the context of the events displayed by SGUIL for this exploit, record below the IP addresses involved. ___________________________________________________________________________________ ___________________________________________________________________________________ ___________________________________________________________________________________
17. The first new event displayed by SGUIL contains the message “ET Policy Outdated Flash Version M1”. The event refers to which host? What does that event imply? ___________________________________________________________________________________
18. According to SGUIL, what is the IP address of the host that appears to have delivered the exploit? ____________________________________________________________________________________
19. Pivoting from SGUIL, open the transcript of the transaction. What is the domain name associated with the IP address of the host that appears to have delivered the exploit? ____________________________________________________________________________________
20. This exploit kit typically targets vulnerabilities in which three software applications? ____________________________________________________________________________________
21. Based on the SGUIL events, what vulnerability seems to have been used by the exploit kit? ____________________________________________________________________________________
22. What is the most common file type that is related to that vulnerable software? ____________________________________________________________________________________
23. Use ELSA to gather more evidence to support the hypothesis that the host you identified above delivered the malware. Launch ELSA and list all hosts that downloaded the type of file listed above. Remember to adjust the time frame accordingly. Were you able to find more evidence? If so, record your findings here. ____________________________________________________________________________________ ____________________________________________________________________________________ ____________________________________________________________________________________
24. At this point you should know, with quite some level of certainty, whether the site listed discovered earlier delivered the malware. Record your conclusions below. ____________________________________________________________________________________ ____________________________________________________________________________________ ____________________________________________________________________________________ ____________________________________________________________________________________
© Cisco and/or its affiliates. All rights reserved. This document is Cisco Public - with modifications from Open University
Page 3 of 4
Skills Assessment
CCNA Cybersecurity Operations
Analyze Details of the Exploit 25. Exploit kits often rely on a landing page used to scan the victim’s system for vulnerabilities and exfiltrate a list of them. Use ELSA to determine if the exploit kit in question used a landing page. If so, what is the URL and IP address of it? What is the evidence?
Hint: The first two SGUIL events contain many clues. ____________________________________________________________________________________ ____________________________________________________________________________________ ____________________________________________________________________________________ ____________________________________________________________________________________ ____________________________________________________________________________________ ____________________________________________________________________________________
26. What is the domain name that delivered the exploit kit and malware payload? ___________________________________________________________________________________
27. What is the IP address that delivered the exploit kit and malware payload? ___________________________________________________________________________________
28. Pivoting from events in SGUIL, launch Wireshark and export the files from the captured packets as was done in a previous lab. What files or programs are you able to successfully export? ____________________________________________________________________________________ ____________________________________________________________________________________ ____________________________________________________________________________________ ____________________________________________________________________________________
© Cisco and/or its affiliates. All rights reserved. This document is Cisco Public - with modifications from Open University
Page 4 of 4