FAKULTAS : EKONOMI - BISNIS & MANAJEMEN - TEKNIK - BAHASA - DKV

Jl. Cikutra No. 204 A Bandung 40125 Telp. (022) 7275855

UJIAN AKHIR SEMESTER GANJIL TAHUN AKADEMIK 2020/2021

KODE / MATA KULIAH / SKS : 06730201/Keamanan Jaringan Komputer 1 / 2

FAKULTAS / PROGRAM STUDI : FT/IF/S1

HARI / TANGGAL : Senin , 04 Januari 2021

WAKTU : 120 MENIT

DOSEN PEMBINA : Helmy Faisal Muttaqin, S.Kom, M.T

SIFAT UJIAN : Open All

CCNA Cybersecurity Operations v1.0

Skills Assessment
Introduction
Working as the security analyst for ACME Inc., you notice a number of events on the SGUIL
dashboard. Your task is to analyze these events, learn more about them, and decide if they
indicate malicious activity.
You will have access to Google to learn more about the events. Security Onion is the only VM
with Internet access in the Cybersecurity Operations virtual environment.
The tasks below are designed to provide some guidance through the analysis process.
You will practice and be assessed on the following skills:
o Evaluating Snort/SGUIL events.
o Using SGUIL as a pivot to launch ELSA, Bro and Wireshark for further event inspection.
o Using Google search as a tool to obtain intelligence on a potential exploit.

Content for this assessment was obtained from http://www.malware-traffic-analysis.net/ and is

used with permission. We are grateful for the use of this material.

Addressing Table
The following addresses are preconfigured on the network devices. Addresses are provided for
reference purposes.

Device Interface Network/Address Description

Security Onion VM eth0 192.168.0.1/24 Interface connected to the Internal Network
 Interface connected to the External
eth2 209.165.201.21/24 Networks/Internet

Part 1: Gathering Basic Information

a. Log into Security Onion VM using with the username analyst and password cyberops.
b. Open a terminal window. Enter the sudo service nsm status command to verify that all the
services and sensors are ready.
c. When the nsm service is ready, log into SGUIL with the username analyst and password
cyberops. Click Select All to monitor all the networks. Click Start SQUIL to continue.
d. In the SGUIL window, identify the group of events that are associated with exploit(s). This
group of events are related to a single multi-part exploit.
How many events were generated by the entire exploit?
Jawab:

e. According to SGUIL, when did the exploit begin? When did it end? Approximately how long
did it take?
Jawab:
f. What is the IP address of the internal computer involved in the events?
Jawab:

g. What is the MAC address of the internal computer involved in the events? How did you find
it?
Jawab:
h. What are some of the Source IDs of the rules that fire when the exploit occurs? Where are the
Source IDs from?
Jawab:
i. Do the events look suspicious to you? Does it seem like the internal computer was infected or
compromised? Explain.
Jawab:
j. What is the operating system running on the internal computer in question?
Jawab:

Part 1: Learn About the Exploit

k. According to Snort, what is the exploit kit (EK) in use?
Jawab:
l. What is an exploit kit?
Jawab:
m. Do a quick Google search on ‘Angler EK’ to learn a little about the fundamentals the exploit
kit. Summarize your findings and record them here.
Jawab:
n. How does this exploit fit the definition on an exploit kit? Give examples from the events you
see in SGUIL.
Jawab:
o. What are the major stages in exploit kits?
 Jawab:

p. In the context of the events displayed by SGUIL for this exploit, record below the IP
addresses involved.
Jawab:
Ada 2 IP yang terlibat: yaitu web server 192.99.198.158 dan komputer internal 192.168.0.12
q. The first new event displayed by SGUIL contains the message “ET Policy Outdated Flash
Version M1”. The event refers to which host? What does that event imply?
Jawab:
r. According to SGUIL, what is the IP address of the host that appears to have delivered the
exploit?
Jawab:
s. Pivoting from SGUIL, open the transcript of the transaction. What is the domain name
associated with the IP address of the host that appears to have delivered the exploit?
Jawab:
t. This exploit kit typically targets vulnerabilities in which three software applications?
Jawab:
u. Based on the SGUIL events, what vulnerability seems to have been used by the exploit kit?
Jawab:

v. What is the most common file type that is related to that vulnerable software?
Jawab:

w. Use ELSA to gather more evidence to support the hypothesis that the host you identified
above delivered the malware. Launch ELSA and list all hosts that downloaded the type of file
listed above. Remember to adjust the timeframe accordingly.
Were you able to find more evidence? If so, record your findings here.
Jawab:
x. At this point you should know, with quite some level of certainty, whether the site listed in Part
3b and Part 3c delivered the malware. Record your conclusions below.
Jawab:

Part 1: Analyze Details of the Exploit

y. Exploit kits often rely on a landing page used to scan the victim’s system for vulnerabilities
and exfiltrate a list of them. Use ELSA to determine if the exploit kit in question used a landing
page. If so, what is the URL and IP address of it? What is the evidence?
Hint: The first two SGUIL events contain many clues.
Jawab:
z. What is the domain name that delivered the exploit kit and malware payload?
Jawab:

aa. What is the IP address that delivered the exploit kit and malware payload?
Jawab:

bb. Pivoting from events in SGUIL, launch Wireshark and export the files from the captured
packets as was done in a previous lab. What files or programs are you able to successfully
export?
 Jawab:

Validasi (Paraf /td tangan)

Dosen Pengampu MK :

1. Helmy Faisal Muttaqin, S.Kom, M.T

2.

Dosen Koordinator :

Ka.Prodi